DynaCut: A Framework for Dynamic Code Customization

Mahurkar, Abhijit

03 September 2021

Software systems are becoming increasingly bloated to accommodate a wide array of features, platforms and users. This results not only in wastage of memory but also in an increase in their attack surface. Existing works broadly use binary-rewriting techniques to remove unused code, but this results in a binary that is highly customized for a given usage context. If the usage scenario of the binary changes, the binary has to be regenerated. We present DYNACUT– a framework for Dynamic and Adaptive Code Customization. DYNACUT provides the user with the capability to customize the application to changing usage scenarios at runtime without the need for the source code. DYNACUT achieves this customization by leveraging two techniques: 1) identifying the code to be removed by using execution traces of the application and 2) by rewriting the process dynamically. The first technique uses traces of the wanted features and the unwanted features of the application and generates their diffs to identify the features to be removed. The second technique modifies the process image to add traps and fault-handling code to remove vulnerable but unused code. DYNACUT can also disable temporally unused code – code that is used only during the initialization phase of the application. To demonstrate its effectiveness, we built a prototype of DYNACUT and evaluated it on 9 real-world applications including NGINX, Lighttpd and 7 applications of the SPEC Intspeed benchmark suite. DYNACUT removes upto 56% of executed basic blocks and upto 10% of the application code when used to remove initialization code. The total overhead is in the range of 1.63 seconds for Lighttpd, 4.83 seconds for NGINX and about 39 seconds for perlbench in the SPEC suite. / Master of Science / Software systems are becoming increasingly bloated to accommodate a wide array of users, features and platforms. This results in the software not only occupying extra space on com- puting platforms but also in an increase in the ways that the applications can be exploited by hackers. Current works broadly use a variety of techniques to identify and remove this type of vulnerable and unused code. But, these approaches result in a software that has to be modified with the changing usage scenarios of the application. We present DYNACUT, a dynamic code customization tool that can customize the application at its runtime with a minimal overhead. We use the execution traces of the application to customize the ap- plication according to user specifications. DYNACUT can identify code that is only used in the initial stages of the application execution (initialization code) and remove them. DYNA- CUT can also disable features of the application. To demonstrate its effectiveness, we built a prototype of DYNACUT and evaluated it on 9 real-world applications including NGINX, Lighttpd and 7 applications of the SPEC Intspeed benchmark suite. DYNACUT removes upto 56% of executed basic blocks and upto 10% of the application code when used to remove initialization code. The total overhead is in the range of 1.63 seconds for Lighttpd, 4.83 seconds for NGINX and about 39 seconds for perlbench in the SPEC suite.

Software Debloating

Attack-Surface reduction

Return-Oriented-Programming

Process Snapshot

Dynamic Customization

Checkpoint Restore in Userspace

thesis.pdf

Jianliang Wu (15926933)

30 May 2023

<p>Bluetooth is the de facto standard for short-range wireless communications. Besides Bluetooth Classic (BC), Bluetooth also consists of Bluetooth Low Energy (BLE) and Bluetooth Mesh (Mesh), two relatively new protocols, paving the way for its domination in the era of IoT and 5G. Meanwhile, attacks against Bluetooth, such as BlueBorne, BleedingBit, KNOB, BIAS, and BThack, have been booming in the past few years, impacting the security and privacy of billions of devices. These attacks exploit both design issues in the Bluetooth specification and vulnerabilities of its implementations, allowing for privilege escalation, remote code execution, breaking cryptography, spoofing, device tracking, etc.</p> <p><br></p> <p>To secure Bluetooth, researchers have proposed different approaches for both Bluetooth specification (e.g., formal analysis) and implementation (e.g., fuzzing). However, existing analyses of the Bluetooth specification and implementations are either done manually, or the automatic approaches only cover a small part of the targets. As a consequence, current research is far from complete in securing Bluetooth.</p> <p><br></p> <p>Therefore, in this dissertation, we propose the following research to provide missing pieces in prior research toward completing Bluetooth security research in terms of both Bluetooth specification and implementations. (i) For Bluetooth security at the specification level, we start from one protocol in Bluetooth, BLE, and focus on the previously unexplored reconnection procedure of two paired BLE devices. We conduct a formal analysis of this procedure defined in the BLE specification to provide security guarantees and identify new vulnerabilities that allow spoofing attacks. (ii) Besides BLE, we then formally verify other security-critical protocols in all Bluetooth protocols (BC, BLE, and Mesh). We provide a comprehensive formal analysis by covering the aspects that prior research fails to include (i.e., all possible combinations of protocols and protocol configurations) and considering a more realistic attacker model (i.e., semi-compromised device). With this model, we are able to rediscover five known vulnerabilities and reveal two new issues that affect BC/BLE dual-stack devices and Mesh devices, respectively. (iii) In addition to the formal analysis of specification security, we propose and build a comprehensive formal model to analyze Bluetooth privacy (i.e., device untraceability) at the specification level. In this model, we convert device untraceability into a reachability problem so that it can be verified using existing tools without introducing false results. We discover four new issues allowed in the specification that can lead to eight device tracking attacks. We also evaluate these attacks on 13 Bluetooth implementations and find that all of them are affected by at least two issues. (iv) At the implementation level, we improve Bluetooth security by debloating (i.e., removing code) Bluetooth stack implementations, which differs from prior automatic approaches, such as fuzzing. We keep only the code of needed functionality by a user and minimize their Bluetooth attack surface by removing unneeded Bluetooth features in both the host stack code and the firmware. Through debloating, we can remove 20 known CVEs and prevent a wide range of attacks again Bluetooth. With the research presented in this thesis, we improve Bluetooth security and privacy at both the specification and implementation levels.</p>

System and network security

Mobile computing

Bluetooth low-energy

Security & privacy factors

Bluetooth Classic

Bluetooth Mesh

Man-in-the-middle (MITM) attacks

Device tracking

Formal Analysis

Program Analysis

Debloating

Spoofing attacks

Reflection attacks