Aravind Prakash

Matthew Cole, Aravind Prakash

With the rapid increase in software exploits, the last few decades have seen several hardware-level features to enhance security (e.g., Intel MPX, ARM TrustZone, Intel SGX, Intel CET). Due to security, performance and/or usability issues these features have attracted steady criticism. One such feature is the Intel Memory Protection Extensions (MPX), an instruction set architecture extension promising spatial memory safety at a lower performance cost due to hardware-accelerated bounds checking. However, recent investigations into MPX have found that is neither as performant, accurate, nor precise as cutting-edge software-based spatial memory safety. As a direct consequence, compiler and operating system support for MPX is dying, and Intel has begun to manufacture desktop CPUs without MPX. Nonetheless, given how ubiquitous MPX is, it provides an excellent yet under-utilized hardware resource that can be aptly salvaged for security purposes. In this paper, we propose Simplex, a library framework that re-purposes MPX registers as general purpose registers. Using Simplex, we demonstrate how MPX registers can be used to store sensitive information (e.g., encryption keys) directly on the hardware. We evaluate Simplex for performance and find that its overhead is small enough to permit its deployment in all but the most performance-intensive code. We refactored the string.h buffer manipulation functions and found a geometric mean 0.9% performance overhead. We also modified the deepsjeng and lbm SPEC CPU2017 benchmarks to use Simplex and found a 1% and 0.98% performance overhead respectively. Finally, we investigate the behavior of the MPX context with regards to multi-process and multi-thread programs.

Rukayat Ayomide Erinfolami, Aravind Prakash

Complexities that arise from implementation of object-oriented concepts in C++ such as virtual dispatch and dynamic type casting have attracted the attention of attackers and defenders alike. Binary-level defenses are dependent on full and precise recovery of class inheritance tree of a given program. While current solutions focus on recovering single and multiple inheritances from the binary, they are oblivious to virtual inheritance. Conventional wisdom among binary-level defenses is that virtual inheritance is uncommon and/or support for single and multiple inheritances provides implicit support for virtual inheritance. In this paper, we show neither to be true. Specifically, (1) we present an efficient technique to detect virtual inheritance in C++ binaries and show through a study that virtual inheritance can be found in non-negligible number (more than 10\% on Linux and 12.5\% on Windows) of real-world C++ programs including Mysql and libstdc++. (2) we show that failure to handle virtual inheritance introduces both false positives and false negatives in the hierarchy tree. These false positves and negatives either introduce attack surface when the hierarchy recovered is used to enforce CFI policies, or make the hierarchy difficult to understand when it is needed for program understanding (e.g., during decompilation). (3) We present a solution to recover virtual inheritance from COTS binaries. We recover a maximum of 95\% and 95.5\% (GCC -O0) and a minimum of 77.5\% and 73.8\% (Clang -O2) of virtual and intermediate bases respectively in the virtual inheritance tree.

Rukayat Ayomide Erinfolami, Aravind Prakash

Recovering class inheritance from C++ binaries has several security benefits including problems such as decompilation and program hardening. Thanks to the optimization guidelines prescribed by the C++ standard, commercial C++ binaries tend to be optimized. While state-of-the-art class inheritance inference solutions are effective in dealing with unoptimized code, their efficacy is impeded by optimization. Particularly, constructor inlining--or worse exclusion--due to optimization render class inheritance recovery challenging. Further, while modern solutions such as MARX can successfully group classes within an inheritance sub-tree, they fail to establish directionality of inheritance, which is crucial for security-related applications (e.g. decompilation). We implemented a prototype of DeClassifier using Binary Analysis Platform (BAP) and evaluated DeClassifier against 16 binaries compiled using gcc under multiple optimization settings. We show that (1) DeClassifier can recover 94.5% and 71.4% true positive directed edges in the class hierarchy tree under O0 and O2 optimizations respectively, (2) a combination of ctor+dtor analysis provides much better inference than ctor only analysis.

Anh Quach, Aravind Prakash, Lok Kwong Yan

Programs are bloated. Our study shows that only 5% of libc is used on average across the Ubuntu Desktop environment (2016 programs); the heaviest user, vlc media player, only needed 18%. In this paper: (1) We present a debloating framework built on a compiler toolchain that can successfully debloat programs (shared/static libraries and executables). Our solution can successfully compile and load most libraries on Ubuntu Desktop 16.04. (2) We demonstrate the elimination of over 79% of code from coreutils and 86% of code from SPEC CPU 2006 benchmark programs without affecting functionality. We show that even complex programs such as Firefox and curl can be debloated without a need to recompile. (3) We demonstrate the security impact of debloating by eliminating over 71% of reusable code gadgets from the coreutils suite and show that unused code that contains real-world vulnerabilities can also be successfully eliminated without adverse effects on the program. (4) We incur a low load time overhead.