Abstract
Software complexity has increased over the years. One common way to tackle this complexity during development is to encapsulate features into a shared library. This allows developers to reuse already implemented features instead of reimplementing them over and over again. However, not all features provided by a shared library are actually used by an application. As a result, an application using shared libraries loads unused code into memory, which an attacker can use to perform code-reuse and similar types of attacks. The same holds for applications written in a scripting language such as PHP or Ruby: The interpreter typically offers much more functionality than is actually required by the application and hence provides a larger overall attack surface.
In this paper, we tackle this problem and propose a first step towards automated application-specific software stacks. We present a compiler extension capable of removing unneeded code from shared libraries and—with the help of domain knowledge—also capable of removing unused functionalities from an interpreter’s code base during the compilation process. Our evaluation against a diverse set of real-world applications, among others Nginx, Lighttpd, and the PHP interpreter, removes on average 71.3% of the code in musl-libc, a popular libc implementation. The evaluation on web applications show that a tailored PHP interpreter can mitigate entire vulnerability classes, as is the case for OpenConf. We demonstrate the applicability of our debloating approach by creating an application-specific software stack for a Wordpress web application: we tailor the libc library to the Nginx web server and PHP interpreter, whereas the PHP interpreter is tailored to the Wordpress web application. In this real-world scenario, the code of the libc is decreased by 65.1% in total, thereby reducing the available code for code-reuse attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Docker - Build, Ship, and Run Any App, Anywhere. https://www.docker.com/
Buildroot - Making Embedded Linux Easy (2018). https://buildroot.org
Directory::read (2018). http://php.net/manual/en/directory.read.php
Google Cloud: App Engine - Build Scalable Web & Mobile Backends in Any Language (2018). https://cloud.google.com/appengine/
musl libc (2018). https://www.musl-libc.org
Parse: A PHP Security Scanner (2018). https://github.com/psecio/parse
PHP Security Analysis - RIPS (2018). https://www.ripstech.com/
Registering and using PHP functions (2018). http://www.phpinternalsbook.com/php7/extensions_design/php_functions.html
RIPS Sensitive Sinks (2018). https://github.com/ripsscanner/rips/blob/master/config/sinks.php
uClibc (2018). https://www.uclibc.org
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS) (2005)
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ACM Conference on Computer and Communications Security (CCS) (2011)
Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: USENIX Security Symposium (2014)
Chen, Y., Sun, S., Lan, T., Venkataramani, G.: TOSS: tailoring online server systems through binary feature customization. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2018)
Christner, B.: Docker Official Images are Moving to Alpine Linux (2016). https://www.brianchristner.io/docker-is-moving-to-alpine-linux/
Crane, S., Larsen, P., Brunthaler, S., Franz, M.: Booby trapping software. In: ACM New Security Paradigms Workshop (NSPW) (2013)
Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. In: ACM Transactions on Programming Languages and Systems (TOPLAS) (1991)
Dahse, J.: OpenConf 5.30 - Multi-Step Remote Command Execution (2016). https://blog.ripstech.com/2016/openconf-multi-step-remote-command-execution/
Davidsson, N., Pawlowski, A., Holz, T.: Towards automated application-specific software stacks. Technical report, arXiv:1907.01933 (2019)
Emami, M., Ghiya, R., Hendren, L.J.: Context-sensitive interprocedural points-to analysis in the presence of function pointers. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (1994)
Golunski, D.: Pwning PHP mail() function For Fun And RCE - New Exploitation Techniques and Vectors - Release 1.0 (2017). https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
Habalov, R.: How we broke PHP, hacked Pornhub and earned \$20,000 (2016). https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/
Heo, K., Lee, W., Pashakhanloo, P., Naik, M.: Effective program debloating via reinforcement learning. In: ACM Conference on Computer and Communications Security (CCS) (2018)
Jiang, Y., Wu, D., Liu, P.: JRed: program customization and bloatware mitigation based on static analysis. In: Computer Software and Applications Conference (COMPSAC) (2016)
Kroes, T., et al.: BinRec: attack surface reduction through dynamic binary recovery. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2018)
Kurmus, A., et al.: Attack surface metrics and automated compile-time OS kernel tailoring. In: Symposium on Network and Distributed System Security (NDSS) (2013)
Landsborough, J., Harding, S., Fugate, S.: Removing the kitchen sink from software. In: Conference on Genetic and Evolutionary Computation (GECCO) (2015)
Muench, M., Pagani, F., Shoshitaishvili, Y., Kruegel, C., Vigna, G., Balzarotti, D.: Taming transactions: towards hardware-assisted control flow integrity using transactional memory. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 24–48. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_2
Park, T., Lettner, J., Na, Y., Volckaert, S., Franz, M.: Bytecode corruption attacks are real-and how to defend against them. In: Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2018)
Pawlowski, A., et al.: MARX: uncovering class hierarchies in C++ programs. In: Symposium on Network and Distributed System Security (NDSS) (2017)
Quach, A., Erinfolami, R., Demicco, D., Prakash, A.: A multi-OS cross-layer study of bloating in user programs, kernel and managed execution environments. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2017)
Quach, A., Prakash, A., Yan, L.K.: Debloating software through piece-wise compilation and loading. In: USENIX Security Symposium (2018)
Salwan, J.: ROPgadget (2018). https://github.com/JonathanSalwan/ROPgadget
Sasada, K.: YARV: yet another RubyVM: innovating the ruby interpreter. In: Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA) (2005)
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: ACM Conference on Computer and Communications Security (CCS) (2007)
Sharif, H., Abubakar, M., Gehani, A., Zaffar, F.: TRIMMER: application specialization for code debloating. In: International Conference on Automated Software Engineering (ASE) (2018)
Staicu, C.A., Pradel, M., Livshits, B.: Synode: understanding and automatically preventing injection attacks on node.js. In: Symposium on Network and Distributed System Security (NDSS) (2018)
Trail of Bits: McSema (2018). https://github.com/trailofbits/mcsema
Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., Ning, P.: On the expressiveness of return-into-libc attacks. In: International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) (2011)
Acknowledgements
This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. In addition, this work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (ERC Starting Grant No. 640110 (BASTION)).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Davidsson, N., Pawlowski, A., Holz, T. (2019). Towards Automated Application-Specific Software Stacks. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-29962-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0
eBook Packages: Computer ScienceComputer Science (R0)