
    Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response

    Considerable delays often exist between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since program configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities. To minimize patch delay vulnerabilities and address the limitations of configuration workarounds, we propose Security Workarounds for Rapid Response (SWRRs), which are designed to neutralize security vulnerabilities in a timely, secure, and unobtrusive manner. Similar to configuration workarounds, SWRRs neutralize vulnerabilities by preventing vulnerable code from being executed at the cost of some lost functionality. However, the key difference is that SWRRs use existing error-handling code within programs, which enables them to be mechanically inserted with minimal knowledge of the program and minimal developer effort. This allows SWRRs to achieve high coverage while still being fast and easy to deploy. We have designed and implemented Talos, a system that mechanically instruments SWRRs into a given program, and evaluate it on five popular Linux server programs. We run exploits against 11 real-world software vulnerabilities and show that SWRRs neutralize the vulnerabilities in all cases. Quantitative measurements on 320 SWRRs indicate that SWRRs instrumented by Talos can neutralize 75.1% of all potential vulnerabilities and incur a loss of functionality similar to configuration workarounds in 71.3% of those cases. 
    Our overall conclusion is that automatically generated SWRRs can safely mitigate 2.1x more vulnerabilities, while only incurring a loss of functionality comparable to that of traditional configuration workarounds.

    Comment: Published in Proceedings of the 37th IEEE Symposium on Security and Privacy (Oakland 2016).

    BinPro: A Tool for Binary Backdoor Accountability in Code Audits

    Highly security-sensitive organizations often perform source code audits on software they use. However, after the audit is performed, they must still perform a binary code audit to ensure the binary provided to them matches the source code that was audited. BinPro seeks to reduce the manual effort required to perform the binary audit by accounting for the binary versions of functions in a given source code. To do this, BinPro combines static analysis, graph matching and machine learning. Over a corpus of 10 applications, BinPro is able to match 74% of binary functions with their source code counterparts, and thus determine that they are free of malicious backdoors if their source code version is. When evaluated on applications that had backdoors inserted into their binaries, BinPro detects that they do not match any function in the source code.

    LMP: light-weighted memory protection with hardware assistance

    Despite a long history and numerous proposed defenses, memory corruption attacks are still viable. A secure and low-overhead defense against return-oriented programming (ROP) continues to elude the security community. Currently proposed solutions still must choose between either not fully protecting critical data and relying instead on information hiding, or using incomplete, coarse-grain checking that can be circumvented by a suitably skilled attacker. In this paper, we present a light-weighted memory protection approach (LMP) that uses Intel’s MPX hardware extensions to provide complete, fast ROP protection without having to rely on information hiding. We demonstrate a prototype that defeats ROP attacks while incurring an average runtime overhead of 3.9%.

    We would like to thank Professor Ding Yuan, Mariana D’Angelo, Michelle Wong, Beom Heyn Kim, Afshar Ganjali, Sukwon Oh, Diego Bravo Velasquez and Peter Sun for their valuable feedback. We also thank the anonymous reviewers for their comments and help in improving the quality of this paper. The research in this paper was supported by an NSERC Discovery Grant.