Software Cruising

Overview

This project introduces a novel concurrent software monitoring technology called Software Cruising. It leverages multicore architectures and uses lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, run concurrently with the monitored user or kernel code and constantly check, or cruise, for security violations. Customized lock-free non-blocking data structures and algorithms are designed to reduce the communication and synchronization overhead between the monitor threads and the application code. We believe the software cruising technology will result in a game-changing capability in security monitoring for cloud-based and traditional computing and network systems.
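The following C example is added here to illustrate the framework described above; it is not code from Cruiser or from the project's releases. It assumes a canary word placed after each heap buffer, a single application thread feeding one monitor through a lock-free single-producer/single-consumer ring, and buffers that are never freed; all names (`cruised_malloc`, `cruise_once`, `CANARY`) are hypothetical.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RING   64            /* ring capacity (assumed) */
#define MAXW   1024          /* size of the monitor's private watch list (assumed) */
#define CANARY 0xC3A15E5Bu   /* constructed canary value */

typedef struct { unsigned char *buf; size_t len; } rec_t;
static rec_t ring[RING];          /* SPSC ring: application -> monitor */
static atomic_size_t head, tail;  /* head: producer index, tail: consumer index */
static rec_t watched[MAXW];       /* touched only by the monitor */
static size_t nwatched;

/* Application side: allocate len bytes plus a trailing canary and publish the
   record without taking a lock. Returns NULL if the ring is full. */
void *cruised_malloc(size_t len) {
    size_t h = atomic_load_explicit(&head, memory_order_relaxed);
    if (h - atomic_load_explicit(&tail, memory_order_acquire) == RING) return NULL;
    unsigned char *p = malloc(len + sizeof(uint32_t));
    if (!p) return NULL;
    uint32_t c = CANARY;
    memcpy(p + len, &c, sizeof c);
    ring[h % RING] = (rec_t){ p, len };
    atomic_store_explicit(&head, h + 1, memory_order_release);  /* publish */
    return p;
}

/* Monitor side: one cruise cycle. Drains newly published records, then checks
   every watched canary. Returns how many buffers have an overwritten canary. */
int cruise_once(void) {
    size_t t = atomic_load_explicit(&tail, memory_order_relaxed);
    size_t h = atomic_load_explicit(&head, memory_order_acquire);
    while (t != h && nwatched < MAXW) watched[nwatched++] = ring[t++ % RING];
    atomic_store_explicit(&tail, t, memory_order_release);      /* release slots */
    int bad = 0;
    for (size_t i = 0; i < nwatched; i++) {
        uint32_t c;
        memcpy(&c, watched[i].buf + watched[i].len, sizeof c);
        if (c != CANARY) bad++;
    }
    return bad;
}

int main(void) {
    unsigned char *a = cruised_malloc(16);
    if (!a) return 1;
    int clean = cruise_once();
    memset(a, 'A', 16 + sizeof(uint32_t)); /* simulated overrun, inside the real allocation */
    printf("clean=%d after_overrun=%d\n", clean, cruise_once());
}
```

In a deployment following the description above, a dedicated cruising thread would call `cruise_once()` in a loop while the application keeps allocating; the acquire/release pairs on `head` and `tail` are the only synchronization between the two sides.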

We have developed three prototype cruising systems: Cruiser, a lock-free concurrent heap buffer overflow monitor in user space; Kruiser, a semi-synchronized non-blocking operating system kernel cruiser; and iCruiser, a monitoring tool for checking data structure integrity under attack. Our experimental results show that software cruising can be deployed in practice with modest overhead. In user space, heap buffer overflow cruising incurs only about 5% performance overhead on average for the SPEC CPU2006 benchmark, and the Apache throughput slowdown is at most 3% and negligible on average. In kernel space, the overhead is negligible for SPEC and 3.8% for Apache. Both technologies can be deployed at large scale in cloud data centers and server farms in an automated manner. For data structure integrity checking, new techniques such as secure canary are designed to increase system security.

We have also developed TaintPipe, a tool that decouples taint analysis using the software cruising technology. Taint analysis has a wide variety of compelling applications in security tasks, from software attack detection to data lifetime analysis, but the high overhead associated with dynamic taint analysis has severely restricted its application scope. By adopting the idea of software cruising, we parallelize the taint analysis in a pipeline style, which has resulted in a significant performance improvement (about 2.4 times speedup on execution time) over the existing technology.

The Uroboros tool (Reassembleable Disassembling, Usenix Security 2015) we developed for reverse engineering binary executables (e.g., for applying software cruising to binary code directly, or other security retrofitting on binary code) advocates a new direction on reverse engineering and binary code retrofitting.

The project has resulted in significant publications in top-tier venues including PLDI, NDSS, USENIX Security, ASE, and DSN. We have published more than 30 research papers on this project. In particular, the Cruiser result is published in PLDI, Kruiser is published in NDSS, Uroboros and TaintPipe are published in USENIX Security, and StraightTaint in ASE.

We have also released the Cruiser and Uroboros prototypes as open source to facilitate further research and dissemination. The source code is available at Cruiser Open Source Release and Uroboros Open Source Release.

People

Invited Talks

  • "Pipelined Symbolic Taint Analysis." Colloquium Talk at Department of Computer Science, University of Texas at Dallas, April 3, 2015.
  • "Lock-free Concurrent Security Monitoring," Dinghao Wu. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, December 12, 2013.
  • "Lock-free Concurrent Security Monitoring," Dinghao Wu. Department of Computer Science and Engineering, Lehigh University, April 23, 2013.
  • "Concurrent Security Monitoring Using Semi-synchronized and Lock-free Algorithms," Dinghao Wu. Peking University, Beijing, China, May 18–19, 2011.

Publications

  1. Cruiser: Concurrent Buffer Overflow Monitoring Using Lock-free Data Structures, by Qiang Zeng, Dinghao Wu, and Peng Liu. In Proceedings of the 2011 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2011), San Jose, CA, USA, June 4–8, 2011. (Acceptance ratio: 55/236 = 23%)

  2. Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring, by Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu, and Changzhen Hu. In Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012), San Diego, California, February 5–8, 2012. (Acceptance ratio: 46/258 = 17.8%)

  3. Behavior Decomposition: Aspect-level Browser Extension Clustering and Its Security Implications, by Bin Zhao and Peng Liu. In Proceedings of the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2013). St. Lucia, 2013.

  4. A Framework for Evaluating Mobile App Repackaging Detection Algorithms, by Heqing Huang, Sencun Zhu, Peng Liu, and Dinghao Wu. In Proceedings of the 6th International Conference on Trust & Trustworthy Computing (TRUST 2013), London, UK, June 17-19, 2013.

  5. DeltaPath: Precise and Scalable Calling Context Encoding, by Qiang Zeng, Junghwan Rhee, Hui Zhang, Nipun Arora, Guofei Jiang, and Peng Liu. In Proceedings of Symposium on Code Generation and Optimization (CGO'14), Orlando, Florida, 2014.

  6. X. Sun, J. Dai, A. Singhal, and P. Liu (2014). Inferring the Stealthy Bridges between Enterprise Network Islands in Cloud Using Cross-Layer Bayesian Networks. The 10th International Conference on Security and Privacy in Communication Networks (SecureComm 2014). Beijing, China.

  7. Lingchen Zhang, Sachin Shetty, Peng Liu, and Jiwu Jing (2014). RootkitDet: Practical End-to-End Defense against Kernel Rootkits in a Cloud Environment. The 19th European Symposium on Research in Computer Security (ESORICS 2014). Wroclaw, Poland.

  8. R. Wu, P. Chen, P. Liu, and B. Mao (2014). System Call Redirection: A Practical Approach to Meeting Real-world VMI Needs. The 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2014). Atlanta, Georgia.

  9. Software Cruising: A New Technology for Building Concurrent Software Monitor, by Dinghao Wu, Peng Liu, Qiang Zeng, and Donghai Tian. In Sushil Jajodia, Krishna Kant, Pierangela Samarati, Anoop Singhal, Vipin Swarup, and Cliff Wang (Eds.), Secure Cloud Computing, Advances in Information Security Series, pages 303-324. Springer, 2014.

  10. Teaching Information Security with Virtual Laboratories, by Dinghao Wu, John Fulmer, and Shannon Johnson. In Innovative Practices in Teaching Information Sciences and Technology: Experience Reports and Reflections, John M. Carroll (Ed.), pages 179-192. Springer, 2014.

  11. D. Tian, X. Xiong, C. Hu, and P. Liu (2014). Defeating Buffer Overflow Attacks via Virtualization. Elsevier Journal on Computers & Electrical Engineering.

  12. Uncovering the Dilemmas on Antivirus Software Design in Modern Mobile Platforms, by Heqing Huang, Kai Chen, Peng Liu, Sencun Zhu, and Dinghao Wu. In Proceedings of the International Workshop on System Level Security of Smartphones (SLSS 2014), Beijing, China, September 23, 2014.

  13. PiE: Programming in Eliza, by Xiao Liu and Dinghao Wu. In Proceedings of the 29th IEEE/ACM International Conference on Automated Software Engineering (ASE 2014), pages 695-700. New Ideas Papers. Vasteras, Sweden, September 15-19, 2014. (Acceptance rate: 82/337 = 24.3%)

  14. Program Characterization Using Runtime Values and Its Application to Software Plagiarism Detection, by Yoon-Chan Jhi, Xiaoqi Jia, Xinran Wang, Sencun Zhu, Peng Liu, and Dinghao Wu. IEEE Transactions on Software Engineering. 2015.
  15. LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code, by Jiang Ming, Dongpeng Xu, Li Wang, and Dinghao Wu. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015), Denver, Colorado, USA, October 12-16, 2015. (Acceptance rate: 128/646 = 19.8%) Open source software release.
  16. Reassembleable Disassembling, by Shuai Wang, Pei Wang, and Dinghao Wu. In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015. (Acceptance rate: 67/426 = 15.7%)
    Uroboros Open Source Release.
  17. TaintPipe: Pipelined Symbolic Taint Analysis, by Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu. In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015. (Acceptance rate: 67/426 = 15.7%)
  18. Replacement Attacks: Automatically Impeding Behavior-based Malware Specifications, by Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, and Bing Mao. In Proceedings of the 13th International Conference on Applied Cryptography and Network Security (ACNS 2015), New York, June 2-5, 2015.
  19. Risk Assessment of Buffer "Heartbleed" Over-read Vulnerabilities, by Jun Wang, Mingyi Zhao, Qiang Zeng, Dinghao Wu, and Peng Liu. In Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2015), Rio de Janeiro, Brazil, June 22-25, 2015. (Acceptance rate: 50/227 = 22.0%)
  20. Memoized Semantics-Based Binary Diffing with Application to Malware Lineage Inference, by Jiang Ming, Dongpeng Xu, and Dinghao Wu. In Proceedings of the 30th IFIP SEC 2015 International Information Security and Privacy Conference (IFIP SEC 2015), Hamburg, Germany, May 26-28, 2015.
  21. Towards Discovering and Understanding the Unexpected Hazards in Tailoring Antivirus Software for Android, by Heqing Huang, Kai Chen, Chuangang Ren, Peng Liu, Sencun Zhu and Dinghao Wu. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015), Singapore, April 14-17, 2015. (Acceptance rate: 48/269 = 17.8%)
  22. StraightTaint: Decoupled Offline Symbolic Taint Analysis, by Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016), Singapore, September 3-7, 2016. (Acceptance rate: 19.1%)
  23. BinCFP: Efficient Multi-threaded Binary Code Control Flow Profiling, by Jiang Ming and Dinghao Wu. In Proceedings of the 16th IEEE International Working Conference on Source Code Analysis and Manipulation, Engineering Track, (SCAM 2016), Raleigh, NC, USA, October 2-3, 2016.

  24. Generalized Dynamic Opaque Predicates: A New Control Flow Obfuscation Method, by Dongpeng Xu, Jiang Ming, and Dinghao Wu. In Proceedings of the 19th Information Security Conference (ISC '16), Honolulu, Hawaii, USA, September 7-9, 2016.
  25. iCruiser: Protecting Kernel Link-Based Data Structures with Secure Canary, by Li Wang, Dinghao Wu, and Peng Liu. In Proceedings of the 7th IEEE International Workshop on Trustworthy Computing (TC 2016), in conjunction with QRS 2016, Vienna, Austria, August 1-3, 2016.
  26. Impeding Behavior-based Malware Analysis via Replacement Attacks to Malware Specifications, by Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, and Bing Mao. Journal of Computer Virology and Hacking Techniques, 2016. A preliminary version appeared in Proceedings of the 13th International Conference on Applied Cryptography and Network Security (ACNS 2015).
  27. MalwareHunt: Semantics-Based Malware Diffing Speedup by Normalized Basic Block Memoization, by Jiang Ming, Dongpeng Xu, and Dinghao Wu. Journal of Computer Virology and Hacking Techniques, 2016. A preliminary version appeared in Proceedings of the 30th IFIP SEC 2015 International Information Security and Privacy Conference (IFIP SEC 2015).
  28. Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications, by J. Wang, X. Xiong, P. Liu. In Proceedings of the 2015 USENIX Annual Technical Conference (USENIX ATC), 2015.

  29. Discover and Tame Long-running Idling Processes in Enterprise Systems, by J. Wang, Z. Qian, Z. Li, Z. Wu, J. Rhee, X. Ning, P. Liu, G. Jiang. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIA CCS), 2015.

  30. Private Browsing Mode Not Really That Private: Dealing with Privacy Breach Caused by Browser Extensions, by Bin Zhao and Peng Liu. In Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2015), 2015.

  31. HeapTherapy: An Efficient End-to-end Solution against Heap Buffer Overflows, by Qiang Zeng, Mingyi Zhao, and Peng Liu. In Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2015), 2015.

  32. Deviation-Based Obfuscation-Resilient Program Equivalence Checking with Application to Software Plagiarism Detection, by Jiang Ming, Fangfang Zhang, Dinghao Wu, Peng Liu, and Sencun Zhu. IEEE Transactions on Reliability, 2016. A preliminary version appeared in Proceedings of the 25th IEEE International Symposium on Software Reliability Engineering (ISSRE 2014).
  33. Repackage-proofing Android Apps, by Lannan Luo, Yu Fu, Dinghao Wu, Sencun Zhu, and Peng Liu. In Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2016), Toulouse, France, June 28 - July 1, 2016. (Acceptance rate: 58/259 = 22.4%)
  34. Translingual Obfuscation, by Pei Wang, Shuai Wang, Jiang Ming, Yufei Jiang, and Dinghao Wu. In Proceedings of the 1st IEEE European Symposium on Security and Privacy (Euro S&P 2016), Saarbrucken, Germany, March 21-24, 2016. (Acceptance rate: 29/168 = 17.3%) An extended version is available at arXiv.
  35. Uroboros: Instrumenting Stripped Binaries with Static Reassembling, by Shuai Wang, Pei Wang, and Dinghao Wu. In Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER 2016), Osaka, Japan, March 14-16, 2016.
  36. Program-object Level Data Flow Analysis with Applications to Data Leakage and Contamination Forensics, by Gaoyao Xiao, Jun Wang, Peng Liu, Jiang Ming, and Dinghao Wu. In Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (CODASPY 2016), New Orleans, LA, March 9-11, 2016.

Ph.D. Dissertations

  • Qiang Zeng. Improving Software Security with Concurrent Monitoring, Automated Diagnosis, and Selfshielding. (2014). The Pennsylvania State University.
  • Jiang Ming. Pipelined Symbolic Taint Analysis. (2016). The Pennsylvania State University.

Software Release

  • Efficient Multi-threaded Binary Code Control Flow Profiling Pintool. (2016).

Sponsor

National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC)

Software Cruising for System Security, Dinghao Wu (PI) and Peng Liu, National Science Foundation (NSF) CNS-1223710, $499,745, 2012-2016.