Skip to main content
SpringerLink
Log in

Towards Automated Application-Specific Software Stacks

  • Conference paper
  • First Online:
Computer Security – ESORICS 2019 (ESORICS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11736))

Included in the following conference series:

Abstract

Software complexity has increased over the years. One common way to tackle this complexity during development is to encapsulate features into a shared library. This allows developers to reuse already implemented features instead of reimplementing them over and over again. However, not all features provided by a shared library are actually used by an application. As a result, an application using shared libraries loads unused code into memory, which an attacker can use to perform code-reuse and similar types of attacks. The same holds for applications written in a scripting language such as PHP or Ruby: The interpreter typically offers much more functionality than is actually required by the application and hence provides a larger overall attack surface.

In this paper, we tackle this problem and propose a first step towards automated application-specific software stacks. We present a compiler extension capable of removing unneeded code from shared libraries and—with the help of domain knowledge—also capable of removing unused functionalities from an interpreter’s code base during the compilation process. Our evaluation against a diverse set of real-world applications, among others Nginx, Lighttpd, and the PHP interpreter, removes on average 71.3% of the code in musl-libc, a popular libc implementation. The evaluation on web applications show that a tailored PHP interpreter can mitigate entire vulnerability classes, as is the case for OpenConf. We demonstrate the applicability of our debloating approach by creating an application-specific software stack for a Wordpress web application: we tailor the libc library to the Nginx web server and PHP interpreter, whereas the PHP interpreter is tailored to the Wordpress web application. In this real-world scenario, the code of the libc is decreased by 65.1% in total, thereby reducing the available code for code-reuse attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Docker - Build, Ship, and Run Any App, Anywhere. https://www.docker.com/

  2. Buildroot - Making Embedded Linux Easy (2018). https://buildroot.org

  3. Directory::read (2018). http://php.net/manual/en/directory.read.php

  4. Google Cloud: App Engine - Build Scalable Web & Mobile Backends in Any Language (2018). https://cloud.google.com/appengine/

  5. musl libc (2018). https://www.musl-libc.org

  6. Parse: A PHP Security Scanner (2018). https://github.com/psecio/parse

  7. PHP Security Analysis - RIPS (2018). https://www.ripstech.com/

  8. Registering and using PHP functions (2018). http://www.phpinternalsbook.com/php7/extensions_design/php_functions.html

  9. RIPS Sensitive Sinks (2018). https://github.com/ripsscanner/rips/blob/master/config/sinks.php

  10. uClibc (2018). https://www.uclibc.org

  11. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS) (2005)

    Google Scholar 

  12. Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ACM Conference on Computer and Communications Security (CCS) (2011)

    Google Scholar 

  13. Carlini, N., Wagner, D.: ROP is still dangerous: breaking modern defenses. In: USENIX Security Symposium (2014)

    Google Scholar 

  14. Chen, Y., Sun, S., Lan, T., Venkataramani, G.: TOSS: tailoring online server systems through binary feature customization. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2018)

    Google Scholar 

  15. Christner, B.: Docker Official Images are Moving to Alpine Linux (2016). https://www.brianchristner.io/docker-is-moving-to-alpine-linux/

  16. Crane, S., Larsen, P., Brunthaler, S., Franz, M.: Booby trapping software. In: ACM New Security Paradigms Workshop (NSPW) (2013)

    Google Scholar 

  17. Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. In: ACM Transactions on Programming Languages and Systems (TOPLAS) (1991)

    Google Scholar 

  18. Dahse, J.: OpenConf 5.30 - Multi-Step Remote Command Execution (2016). https://blog.ripstech.com/2016/openconf-multi-step-remote-command-execution/

  19. Davidsson, N., Pawlowski, A., Holz, T.: Towards automated application-specific software stacks. Technical report, arXiv:1907.01933 (2019)

  20. Emami, M., Ghiya, R., Hendren, L.J.: Context-sensitive interprocedural points-to analysis in the presence of function pointers. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (1994)

    Google Scholar 

  21. Golunski, D.: Pwning PHP mail() function For Fun And RCE - New Exploitation Techniques and Vectors - Release 1.0 (2017). https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

  22. Habalov, R.: How we broke PHP, hacked Pornhub and earned \$20,000 (2016). https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

  23. Heo, K., Lee, W., Pashakhanloo, P., Naik, M.: Effective program debloating via reinforcement learning. In: ACM Conference on Computer and Communications Security (CCS) (2018)

    Google Scholar 

  24. Jiang, Y., Wu, D., Liu, P.: JRed: program customization and bloatware mitigation based on static analysis. In: Computer Software and Applications Conference (COMPSAC) (2016)

    Google Scholar 

  25. Kroes, T., et al.: BinRec: attack surface reduction through dynamic binary recovery. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2018)

    Google Scholar 

  26. Kurmus, A., et al.: Attack surface metrics and automated compile-time OS kernel tailoring. In: Symposium on Network and Distributed System Security (NDSS) (2013)

    Google Scholar 

  27. Landsborough, J., Harding, S., Fugate, S.: Removing the kitchen sink from software. In: Conference on Genetic and Evolutionary Computation (GECCO) (2015)

    Google Scholar 

  28. Muench, M., Pagani, F., Shoshitaishvili, Y., Kruegel, C., Vigna, G., Balzarotti, D.: Taming transactions: towards hardware-assisted control flow integrity using transactional memory. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 24–48. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_2

    Chapter  Google Scholar 

  29. Park, T., Lettner, J., Na, Y., Volckaert, S., Franz, M.: Bytecode corruption attacks are real-and how to defend against them. In: Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2018)

    Google Scholar 

  30. Pawlowski, A., et al.: MARX: uncovering class hierarchies in C++ programs. In: Symposium on Network and Distributed System Security (NDSS) (2017)

    Google Scholar 

  31. Quach, A., Erinfolami, R., Demicco, D., Prakash, A.: A multi-OS cross-layer study of bloating in user programs, kernel and managed execution environments. In: Workshop on Forming an Ecosystem Around Software Transformation (FEAST) (2017)

    Google Scholar 

  32. Quach, A., Prakash, A., Yan, L.K.: Debloating software through piece-wise compilation and loading. In: USENIX Security Symposium (2018)

    Google Scholar 

  33. Salwan, J.: ROPgadget (2018). https://github.com/JonathanSalwan/ROPgadget

  34. Sasada, K.: YARV: yet another RubyVM: innovating the ruby interpreter. In: Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA) (2005)

    Google Scholar 

  35. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: ACM Conference on Computer and Communications Security (CCS) (2007)

    Google Scholar 

  36. Sharif, H., Abubakar, M., Gehani, A., Zaffar, F.: TRIMMER: application specialization for code debloating. In: International Conference on Automated Software Engineering (ASE) (2018)

    Google Scholar 

  37. Staicu, C.A., Pradel, M., Livshits, B.: Synode: understanding and automatically preventing injection attacks on node.js. In: Symposium on Network and Distributed System Security (NDSS) (2018)

    Google Scholar 

  38. Trail of Bits: McSema (2018). https://github.com/trailofbits/mcsema

  39. Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., Ning, P.: On the expressiveness of return-into-libc attacks. In: International Symposium on Research in Attacks, Intrusions, and Defenses (RAID) (2011)

    Google Scholar 

Download references

Acknowledgements

This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. In addition, this work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (ERC Starting Grant No. 640110 (BASTION)).

Author information

Authors and Affiliations

  1. Google, Zürich, Switzerland

    Nicolai Davidsson

  2. Horst Görtz Institute (HGI), Ruhr-Universität Bochum, Bochum, Germany

    Andre Pawlowski & Thorsten Holz

Authors
  1. Nicolai Davidsson
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andre Pawlowski
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Thorsten Holz
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Andre Pawlowski .

Editor information

Editors and Affiliations

  1. NEC Corporation, Kawasaki, Japan

    Kazue Sako

  2. University of Surrey, Guildford, UK

    Steve Schneider

  3. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Peter Y. A. Ryan

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Davidsson, N., Pawlowski, A., Holz, T. (2019). Towards Automated Application-Specific Software Stacks. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-29962-0_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29961-3

  • Online ISBN: 978-3-030-29962-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation