6 research outputs found

    BinRec: Attack surface reduction through dynamic binary recovery

    Compile-time specialization and feature pruning through static binary rewriting have been proposed repeatedly as techniques for reducing the attack surface of large programs, and for minimizing the trusted computing base. We propose a new approach to attack surface reduction: dynamic binary lifting and recompilation. We present BinRec, a binary recompilation framework that lifts binaries to a compiler-level intermediate representation (IR) to allow complex transformations on the captured code. After transformation, BinRec lowers the IR back to a "recovered" binary, which is semantically equivalent to the input binary, but has its unnecessary features removed. Unlike existing approaches, which are mostly based on static analysis and rewriting, our framework analyzes and lifts binaries dynamically. The crucial advantage is that we can not only observe the full program including all of its dependencies, but we can also determine which program features the end-user actually uses. We evaluate the correctness and performance of BinRec, and show that our approach enables aggressive pruning of unwanted features in COTS binaries.

    Linux kernel compaction through cold code swapping

    There is a growing trend to use general-purpose operating systems like Linux in embedded systems. Previous research focused on using compaction and specialization techniques to adapt a general-purpose OS to the memory-constrained environment presented by most embedded systems. However, there is still room for improvement: it has been shown that even after application of the aforementioned techniques more than 50% of the kernel code remains unexecuted under normal system operation. We introduce a new technique that reduces the Linux kernel code memory footprint, through on-demand code loading of infrequently executed code, for systems that support virtual memory. In this paper, we describe our general approach, and we study code placement algorithms to minimize the performance impact of the code loading. A code size reduction of 68% is achieved, with a 2.2% execution speedup of the system-mode execution time, for a case study based on the MediaBench II benchmark suite.

    Securing Virtualized System via Active Protection

    Virtualization is the predominant enabling technology of current cloud infrastructure

    An Application-Oriented Linux Kernel Customization for Embedded Systems

    No full text
    How to reconfigure a general purpose operating system (GPOS) into an embedded operating system has attracted attention for application-specific domains. Linux is currently one of the popular candidates for GPOSs. Although Linux has tools for kernel reconfiguration by letting users add or remove desired function modules, the best schemes of reconfiguring Linux according to a specific embedded system are not practical. Even after this configuration, the target Linux might still be a GPOS. In this article, we will propose an approach to customizing an application-specific Linux operating system. This approach derives from a “call graph” based on reengineering. By analyzing a graph-structure representation of the target system, its hardware and software specifications are determined. Thus, we can find the rules for removing the redundant code in Linux. Moreover, we employ the call graph approach to verify the system integrity at the source-code level. In order to demonstrate the proposed idea, an experimental system will also be reported in this article. The results show that our approach can significantly remove about 17 percent of the Linux kernel’s footprint with respect to unreachable code.
