Towards Secure Lean Software
Overview
The adoption of high-level programming languages, systems, and
environments with layers of abstractions and hierarchies can result in
unnecessarily bulky software without carefully design. These
abstractions and hierarchies usually lead to more modular and reliable
software. However, in an adversarial environment with advanced
intrusion techniques such as Return-Oriented Programming (ROP), the
assumption that the layers of abstractions and hierarchies yield more
safe and secure software is shaky. Bulky software, despite its safety
guarantee within a clean and collaborative environment, is not
necessarily more secure in an adversarial environment because the
attack surface sometimes depends on the size of the code---even a
piece of code compiled from safe languages and environments can be
attacked with techniques such as ROP.
Therefore, the current approaches to software development, though
follow good principles and practice in software engineering, does not
necessarily or automatically lead to secure software; software
developed in this way is usually not lean; as a result, the attack
surface remains unnecessarily large. In this project, we aim to build
infrastructure and technologies for software customization. Our goal
is to transform bulky software to make it smaller and more secure,
with smaller attack surfaces. Upon completion, we hope to achieve
better isolation, less sharing, and less dependencies between code,
and to implicitly diversify software.
People
Press Release
ONR press release about our work on JRed.
Others see here
Software Release
Publications
-
StraightTaint: Decoupled Offline Symbolic Taint Analysis,
by Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu.
In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016),
Singapore, September 3-7, 2016.
(Acceptance rate: 19.1%)
-
BinCFP: Efficient Multi-threaded Binary Code Control Flow Profiling,
by Jiang Ming and Dinghao Wu.
In Proceedings of the 16th IEEE International Working Conference on Source Code Analysis and Manipulation, Engineering Track, (SCAM 2016),
Raleigh, NC, USA, October 2-3, 2016.
-
Impeding Behavior-based Malware Analysis via Replacement Attacks to Malware Specications,
by Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, and Bing Mao.
Journal of Computer Virology and Hacking Techniques, 2016.
A preliminary version appeared in
Proceedings of the 13th International Conference on Applied Cryptography and Network Security (ACNS 2015).
-
MalwareHunt: Semantics-Based Malware Diffing Speedup by Normalized Basic Block Memoization,
by Jiang Ming, Dongpeng Xu, and Dinghao Wu.
Journal of Computer Virology and Hacking Techniques, 2016.
A preliminary version appeared in
Proceedings of the 30th IFIP SEC 2015 International Information Security and Privacy Conference (IFIP SEC 2015).
-
JRed: Program Customization and Bloatware Mitigation based on Static Analysis,
by Yufei Jiang, Dinghao Wu, and Peng Liu.
In Proceedings of the 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC 2016),
Atlanta, Georgia, USA,
June 10-14, 2016.
(Acceptance rate: 18%)
-
Translingual Obfuscation,
by Pei Wang, Shuai Wang, Jiang Ming, Yufei Jiang, and Dinghao Wu.
In Proceedings of the 1st IEEE European Symposium on Security and Privacy (Euro S&P 2016),
Saarbrucken, Germany,
March 21-24, 2016.
(Acceptance rate: 29/168 = 17.3%)
An extended version is available at arXiv.
-
Uroboros: Instrumenting Stripped Binaries with Static Reassembling,
by Shuai Wang, Pei Wang, and Dinghao Wu.
In Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER 2016),
Osaka, Japan,
March 14-16, 2016.
-
Program-object Level Data Flow Analysis with Applications to Data Leakage and Contamination Forensics,
by Gaoyao Xiao, Jun Wang, Peng Liu, Jiang Ming, and Dinghao Wu.
In Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (CODASPY 2016),
New Orleans, LA, March 9-11, 2016.
-
Feature-based Software Customization: Preliminary Analysis, Formalization, and Methods,
by Yufei Jiang, Can Zhang, Dinghao Wu, and Peng Liu.
In Proceedings of the 17th IEEE High Assurance Systems Engineering Symposium (HASE 2016),
Orlando, Florida, USA,
January 7-9, 2016.
-
LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code,
by Jiang Ming, Dongpeng Xu, Li Wang, and Dinghao Wu.
In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015),
Denver, Colorado, USA,
October 12-16, 2015.
(Acceptance rate: 128/646 = 19.8%)
Open source software release.
-
Reassembleable Disassembling,
by Shuai Wang, Pei Wang, and Dinghao Wu.
In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015.
(Acceptance rate: 67/426 = 15.7%)
Open source software release.
-
TaintPipe: Pipelined Symbolic Taint Analysis,
by Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu.
In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015.
(Acceptance rate: 67/426 = 15.7%)
-
A Preliminary Analysis and Case Study of Feature-based Software Customization (Extended Abstract),
by Yufei Jiang, Can Zhang, Dinghao Wu, and Peng Liu.
In Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS 2015),
Vancouver, Canada, August 3-5, 2015.
-
Replacement Attacks: Automatically Impeding Behavior-based Malware Specifications,
by Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, and Bing Mao.
In Proceedings of the 13th International Conference on Applied Cryptography and Network Security (ACNS 2015),
New York, June 2-5, 2015.
-
Memoized Semantics-Based Binary Diffing with Application to Malware Lineage Inference,
by Jiang Ming, Dongpeng Xu, and Dinghao Wu.
In Proceedings of the 30th IFIP SEC 2015 International Information Security and Privacy Conference (IFIP SEC 2015),
Hamburg, Germany, May 26-28, 2015.
-
Teaching Information Security with Virtual Laboratories, by Dinghao Wu, John Fulmer, and Shannon Johnson.
In Innovative Practices in Teaching Information Sciences and Technology: Experience Reports and Reflections, John M. Carroll (Ed.),
pages 179-192. Springer, 2014.
- Tailored Application-specific System Call Tables,
by Qiang Zeng, Zhi Xin, Dinghao Wu, Peng Liu, and Bing Mao. Technical Report. 2014.
Sponsor
-
Towards Secure Lean Software, Dinghao Wu (PI) and Peng Liu,
Office of Naval Research (ONR),
Grant No. N00014-13-1-0175, $423,520, 2013-2017.
-
Secure Lean Binary Code, Dinghao Wu (PI) and Peng Liu,
Office of Naval Research (ONR),
Grant No. N00014-16-1-2265, $504,930, 2016-2019.
|