Soumyakant Priyadarshan, Huan Nguyen, and R. Sekar

See our USENIX paper for an overview of our approach.
- Compatibility with COTS binaries: Today's software distribution model is centered around binaries. Even open source software is predominantly distributed in binary format for convenience. Source-based instrumentation techniques do not play well with this model: they not only require per-user recompilation, but also the distribution of distinct binaries and distinct patches for distinct users. Worse, some open-source software may rely on libraries or packages whose source code is not available. And of course, source-based randomization is not an option for closed-source applications.
- Completeness: Security policies such as CFI and code randomization are secure only to the extent they are complete. If parts of an application are not instrumented, e.g., (some) libraries, then attackers can find and exploit gadgets from these components. Operating on binaries gives SAFER the ability to instrument all code, including hand-written assembly and code inserted by the compiler toolchain, e.g., the initialization and cleanup functions present in every executable. Such code is usually missed by source-based approaches.
- Robustness: The ability to correctly instrument complex real-world applications gives SAFER an edge over contemporary instrumentation tools. SAFER has been tested on low-level system libraries containing substantial hand-written assembly, such as the glibc and libpthread.so system libraries. Altogether, it has been tested on over 1.1 GB of binaries, including 572 of the most commonly used libraries on Ubuntu Linux. It has been successfully tested with these libraries, as well as the coreutils and SPEC benchmark suites and other complex applications such as gimp, gedit and evince.
- Fail-crash: SAFER can tolerate most common disassembly errors and provides a fail-crash for other undetected errors. The fail-crash detects the error at runtime and halts the program immediately to prevent error propagation. This helps in two ways: (i) it prevents unpredictable behavior and severe damage such as data loss and security failure; (ii) it identifies the program module that contains the error. That module can then be re-instrumented correctly with full address translation.
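To make the fail-crash behavior concrete, here is a small added model (written for this page; it is not SAFER's code) of what "full address translation" buys you. The instrumented binary keeps a table mapping every original instruction address the disassembler found to its new location, and every indirect control transfer is resolved through that table. A target the disassembler never produced code for has no entry, so the lookup miss is detected at the transfer and the program halts instead of executing whatever bytes sit at the untranslated address. The table contents and the addresses are constructed sample values; the missing entry for 0x1004 models a disassembly miss.

```python
"""Toy model of address translation with a fail-crash on lookup misses.

Constructed illustration, not SAFER's code. An instrumented binary keeps a
table mapping each original instruction address to its instrumented address.
Indirect transfers (returns, indirect calls and jumps) go through the table,
so a target the disassembler never saw has no entry and is caught at runtime.
"""


class FailCrash(RuntimeError):
    """Raised when an indirect target has no translation entry."""


# Constructed sample table: original address -> instrumented address.
# 0x1004 is deliberately absent to model a target the disassembler missed.
TRANSLATION_TABLE = {
    0x1000: 0x401000,
    0x1002: 0x401005,
    0x1008: 0x40100B,
}


def translate(target: int) -> int:
    """Resolve an original-code address to its instrumented location.

    A miss means no instrumented code exists for ``target`` (a disassembly
    error, or control being steered to a non-instruction address). Rather
    than jumping to whatever bytes happen to be there, halt immediately so
    the error cannot propagate.
    """
    try:
        return TRANSLATION_TABLE[target]
    except KeyError:
        raise FailCrash(f"no translation for 0x{target:x}; halting") from None


def run_indirect_transfers(targets):
    """Resolve a sequence of indirect targets, stopping at the first miss.

    Returns (resolved_addresses, faulting_target); faulting_target is None
    when every transfer translated cleanly. Nothing after a miss is executed,
    which is the "halt immediately" property the fail-crash provides, and
    faulting_target is the information needed to find which module must be
    re-instrumented.
    """
    resolved = []
    for target in targets:
        try:
            resolved.append(translate(target))
        except FailCrash:
            return resolved, target
    return resolved, None


if __name__ == "__main__":
    print(run_indirect_transfers([0x1000, 0x1008]))          # clean run
    print(run_indirect_transfers([0x1002, 0x1004, 0x1008]))  # halts at 0x1004
```

In a real instrumented binary the lookup is done by the rewritten transfer instruction rather than a Python function, but the decision is the same: an address with no translation is never executed, it is reported.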
- Performance: SAFER introduces an overhead of only 2%, which makes it suitable for real-world deployment.
- C++ exception compatibility: SAFER updates all exception handling and stack tracing related metadata so that the instrumented binaries maintain compatibility without compromising on performance.
- Built-in security features: SAFER comes pre-packaged with CFI, a shadow stack and code randomization. Users can choose to apply any of these security policies to instrumented binaries. Each policy adds its own overhead on top of SAFER's 2% overhead.
SAFER is shipped under GPLv3. The download is available as a preconfigured Linux VM image in the open virtual architecture (OVA) format.
This work was supported by an ONR grant N00014-17-1-2891 and in part by NSF grants 1918667 and 2153056.