Multi-layer API Specialization for Attack Surface Reduction

Abstract

Code reuse attacks have been a threat to software security since the introduction of non-executable memory protections. Despite significant advances in various types of additional defenses, such as control flow integrity (CFI) and leakage-resilient code randomization, recent code reuse attacks have demonstrated that these defenses are often not enough to prevent successful exploitation. Sophisticated exploits can reuse code comprising larger code fragments that conform to the enforced CFI policy and which are not affected by randomization. The sophistication and complexity of recent exploitation techniques, which rely on memory disclosure and whole-function reuse to bypass address space layout randomization and control flow integrity, is indicative of the effect that the combination of exploit mitigations has in challenging the construction of reliable exploits. In addition to software diversification and control flow enforcement, recent efforts have focused on the complementary approach of code and API specialization to restrict further, the critical operations that an attacker can perform as part of a code reuse exploit.

As a step towards improving our defenses against code reuse attacks, in this talk, we present API Specialization, a defense-in-depth exploit mitigation technique. We start by introducing our binary analysis and specialization tool, Shredder, that scans application binaries to identify critical function invocations and uses backwards flow analysis to derive policies for usage of those critical functions and generate white-listing policies. We follow this up, with our compiler-level defense-in-depth, library specialization tool, Saffire. Saffire performs source code level transformations and individually specializes and hardens every critical function invocation. This is achieved by performing backwards analysis similar to Shredder, while also introducing a novel narrow-scope data-integrity approach called ‘Dynamic binding’ to harden critical function arguments known only as runtime. We talk about security impact of our approach by discussing real world applications and exploits tested with and without API Specialization in place.

We conclude by discussing future domains that similar approaches could be used in.

In this talk, I will provide a background to code reuse attacks, attack surface reduction as a means of mitigating these attacks and introduce the concept of API Specialization. I will discuss the metrics we used to evaluate our techniques and the results of our experimental evaluation with real-world code reuse exploits, demonstrating the effectiveness of API Specialization in preventing such attacks while incurring a negligible runtime overhead.