Towards Secure Lean Software


The adoption of high-level programming languages, systems, and environments with layers of abstraction and hierarchies can result in unnecessarily bulky software unless it is carefully designed. These abstractions and hierarchies usually lead to more modular and reliable software. However, in an adversarial environment with advanced intrusion techniques such as Return-Oriented Programming (ROP), the assumption that layers of abstraction and hierarchies yield safer and more secure software is shaky. Bulky software, despite its safety guarantees within a clean and cooperative environment, is not necessarily more secure in an adversarial environment, because the attack surface grows with the amount of code that is present: every unused function and library that is loaded is additional code an attacker can reuse. Even code compiled from safe languages and environments can be attacked with techniques such as ROP, which need only executable instruction sequences already in the process, not a memory-safety bug in the code being reused.

Therefore, current approaches to software development, though they follow good principles and practices of software engineering, do not necessarily or automatically lead to secure software. Software developed in this way is usually not lean, and as a result its attack surface remains unnecessarily large. In this project, we aim to build infrastructure and technologies for software customization. Our goal is to transform bulky software to make it smaller and more secure, with a smaller attack surface. Upon completion, we hope to achieve better isolation, less sharing, and fewer dependencies between code, and to implicitly diversify software.


Press Release

ONR press release about our work on JRed. For other coverage, see here.

Software Release