Computer Science (计算机科学) ›› 2025, Vol. 52 ›› Issue (7): 50-57. doi: 10.11896/jsjkx.240700026

• Computer Software •

Dynamic Library Debloating Enhanced System Call Restriction of Programs
(original title: 动态库裁剪增强的程序系统调用限制方法)

ZHANG Linmao1,2, SUN Cong1, RAO Xue1

  1 School of Cyber Engineering, Xidian University, Xi'an 710071, China
  2 Huawei Technologies Co., Ltd., Xi'an 710100, China
  • Received: 2024-07-04  Revised: 2024-10-15  Published: 2025-07-17
  • Corresponding author: SUN Cong (suncong@xidian.edu.cn)
  • About the authors: (zhanglinmao0105@163.com) ZHANG Linmao, born in 1998, master's degree. His main research interest is software security.
    SUN Cong, born in 1982, Ph.D., professor, is a member of CCF (No. 28286M). His main research interests include software security, program analysis, and high-confidence software.
  • Supported by:
    National Natural Science Foundation of China (62272366) and the Key Research and Development Program of Shaanxi (2023-YBGY-371).

Abstract: The development and execution of applications rely extensively on dynamic libraries. Because a dynamic library is shared by many programs, it usually contains far more library functions than any particular application needs. An application typically uses only a small number of the functions in a library, yet the whole library is loaded at run time, and loading this redundant library code enlarges the program's attack surface; application-specific debloating of the dynamic library helps reduce it. Meanwhile, existing system-call restriction frameworks do not take into account the additional restriction space that dynamic library debloating opens up, so they cannot enforce a strict restriction on the system calls of a specific application. This paper proposes a dynamic-library-debloating enhanced system-call restriction framework based on intermediate representation. The application binary is debloated first, so that redundant code in the application itself does not weaken dynamic library debloating and system-call restriction. An improved pointer analysis, implemented on the intermediate representation of the dynamic library, yields the application-specific library call graph; the redundant library functions are then trimmed to generate the debloated dynamic library. On the same intermediate representation, the system calls corresponding to the preserved functions are extracted to determine the allowed set of system calls. Based on this allowed set, the debloated application binary is rewritten to filter out every system call outside the allowed set. Experimental results show that the proposed framework achieves a higher library-function debloating rate and stricter system-call restriction than the state-of-the-art framework, and that its pointer analysis is more precise than SVF. On typical applications, the proposed approach significantly reduces the code-reuse attack surface and avoids typical known vulnerabilities.

Key words: Program library, Program debloating, Pointer analysis, System call, Program analysis
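The pipeline the abstract describes, from the library functions an application imports to a filter that kills any system call outside the allowed set, as an added example that is not the paper's code or tooling. The library call graph (with the points-to set of one indirect call standing in for the result of the pointer analysis), the per-function system-call table and the application's import list are constructed sample data; the filter is installed with prctl(2) rather than by binary rewriting as in the paper, and the names derive_allowset, build_filter, eval_filter and install_filter are the example's own. It assumes Linux on x86_64.

```c
/* Added example, not the paper's code. Walks a constructed library call graph
 * from the functions a program imports, keeps what is reachable, collects the
 * raw syscalls of the kept functions, encodes them as a seccomp-BPF allowlist
 * and checks the filter's decisions with a small interpreter.
 * Linux/x86_64 only:  cc -std=gnu99 -Wall allowset.c && ./a.out */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { NFUNC = 8, MAXSC = 16, MAXINSN = 5 + 2 * MAXSC };
enum { F_FOPEN, F_FREAD, F_FCLOSE, F_OPEN_HELPER, F_PRINTF, F_STDIO_WRITE,
       F_SYSTEM, F_SPAWN };
static const char *fname[NFUNC] = { "fopen", "fread", "fclose",
  "__open_helper", "printf", "__stdio_write", "system", "__spawn" };
/* Constructed sample library. callees[f]: direct callees plus the points-to
 * set of f's indirect call site (printf's function pointer resolves to
 * __stdio_write, as a pointer analysis would report); -1 ends each list. */
static const int callees[NFUNC][3] = {
  { F_OPEN_HELPER, -1, -1 }, { -1, -1, -1 }, { -1, -1, -1 }, { -1, -1, -1 },
  { F_STDIO_WRITE, -1, -1 }, { -1, -1, -1 }, { F_SPAWN, -1, -1 }, { -1, -1, -1 } };
/* raw syscall issued directly by each function, -1 if none (constructed) */
static const int raw_syscall[NFUNC] = { -1, SYS_read, SYS_close, SYS_openat,
  -1, SYS_write, -1, SYS_execve };

static void reach(int f, int *keep) {
  if (keep[f]) return;
  keep[f] = 1;
  for (int i = 0; i < 3 && callees[f][i] >= 0; i++) reach(callees[f][i], keep);
}
/* Marks in keep[] the library functions reachable from the imports and fills
 * allow[] with the de-duplicated syscalls they issue; returns the kept count.
 * Everything not marked is trimmed from the library. */
int derive_allowset(const int *imports, int nimp, int *keep, int *allow, int *nallow) {
  int kept = 0;
  memset(keep, 0, NFUNC * sizeof *keep);
  *nallow = 0;
  for (int i = 0; i < nimp; i++) reach(imports[i], keep);
  for (int f = 0; f < NFUNC; f++) {
    int sc = raw_syscall[f], j;
    if (!keep[f]) continue;
    kept++;
    for (j = 0; sc >= 0 && j < *nallow && allow[j] != sc; j++) ;
    if (sc >= 0 && j == *nallow) allow[(*nallow)++] = sc;
  }
  return kept;
}
/* Encodes the allow-set as seccomp-BPF: a foreign architecture or a syscall
 * outside the set kills the process. Returns the instruction count. */
int build_filter(const int *allow, int nallow, struct sock_filter *p) {
  int n = 0;
  p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
  p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
  p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
  p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
  for (int i = 0; i < nallow; i++) {
    p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allow[i], 0, 1);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
  }
  p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
  return n;
}
/* Interprets the three instruction forms build_filter() emits over a synthetic
 * seccomp_data; returns the SECCOMP_RET_* action the kernel would take. */
unsigned int eval_filter(const struct sock_filter *p, int n, unsigned int arch, int nr) {
  struct seccomp_data d = { .nr = nr, .arch = arch };
  unsigned int acc = 0;
  for (int pc = 0; pc < n; pc++) {
    switch (p[pc].code) {
    case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)&d + p[pc].k, 4); break;
    case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == p[pc].k ? p[pc].jt : p[pc].jf; break;
    case BPF_RET | BPF_K: return p[pc].k;
    default: return SECCOMP_RET_KILL_PROCESS;   /* unknown opcode: fail closed */
    }
  }
  return SECCOMP_RET_KILL_PROCESS;               /* ran off the end: fail closed */
}
/* Installs the filter in the calling process; it cannot be removed again. */
int install_filter(struct sock_filter *p, int n) {
  struct sock_fprog fprog = { .len = (unsigned short)n, .filter = p };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
int main(void) {
  /* the constructed application imports only fopen/fread/fclose/printf */
  static const int imports[] = { F_FOPEN, F_FREAD, F_FCLOSE, F_PRINTF };
  int keep[NFUNC], allow[MAXSC], nallow, n;
  struct sock_filter prog[MAXINSN];
  int kept = derive_allowset(imports, 4, keep, allow, &nallow);
  printf("kept %d/%d library functions, trimmed:", kept, NFUNC);
  for (int f = 0; f < NFUNC; f++) if (!keep[f]) printf(" %s", fname[f]);
  n = build_filter(allow, nallow, prog);
  printf("\n%d syscalls allowed, %d BPF insns, execve -> %#x\n", nallow, n,
         eval_filter(prog, n, AUDIT_ARCH_X86_64, SYS_execve));
  fflush(stdout);
  if (install_filter(prog, n)) { perror("seccomp"); return 1; }
  write(1, "write() still allowed\n", 22);
  execl("/bin/true", "true", (char *)0);   /* execve is outside the set: SIGSYS */
  return 0;
}
```

With the sample data, system and __spawn are unreachable from the four imports and are trimmed, and execve therefore never enters the allow-set, which is exactly the extra restriction space the paper gets from debloating: a whole-library policy would have had to admit execve because libc's system() issues it. The interpreter only covers the opcodes the generator emits; an unknown opcode or falling off the end is treated as a kill, the same fail-closed bias the kernel's default action has.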

CLC number: TP309

References:
[1]FLYNN C.PyPI Stats[EB/OL].[2024-07-01].https://pypistats.org/packages/all.
[2]Packagist statistics[EB/OL].(2012-04-13)[2024-07-01].https://packagist.org/statistics.
[3]QUACH A,ERINFOLAMI R,DEMICCO D,et al.A Multi-OS Cross-Layer Study of Bloating in User Programs,Kernel and Managed Execution Environments[C]//Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation.ACM,2017:65-70.
[4]AGADAKOS I,DEMARINIS N,JIN D,et al.Large-Scale Debloating of Binary Shared Libraries[J].Digital Threats:Research and Practice,2020,1(4):1-28.
[5]AGADAKOS I,JIN D,WILLIAMS-KING D,et al.Nibbler:Debloating Binary Shared Libraries[C]//Proceedings of the 35th Annual Computer Security Applications Conference.ACM,2019:70-83.
[6]ZHANG H,REN M,LEI Y,et al.One Size Does Not Fit All:Security Hardening of MIPS Embedded Systems via Static Binary Debloating for Shared Libraries[C]//Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems.ACM,2022:255-270.
[7]QIAN C,HU H,ALHARTHI M,et al.RAZOR:A Framework for Post-Deployment Software Debloating[C]//Proceedings of the 28th USENIX Security Symposium.USENIX Association,2019:1733-1750.
[8]DING D,SUN C,ZHENG T.Robust Binary Program Debloating[J].Computer Science,2024,51(10):208-217.
[9]GHAVAMNIA S,PALIT T,BENAMEUR A,et al.Confine:Automated System Call Policy Generation for Container Attack Surface Reduction[C]//Proceedings of the 23rd International Symposium on Research in Attacks,Intrusions and Defenses.USENIX Association,2020:443-458.
[10]GHAVAMNIA S,PALIT T,MISHRA S,et al.Temporal System Call Specialization for Attack Surface Reduction[C]//Proceedings of the 29th USENIX Security Symposium.USENIX Association,2020:1749-1766.
[11]DEMARINIS N,WILLIAMS-KING K,JIN D,et al.Sysfilter:Automated System Call Filtering for Commodity Software[C]//Proceedings of the 23rd International Symposium on Research in Attacks,Intrusions and Defenses.USENIX Association,2020:459-474.
[12]Seccomp BPF(SECure COMPuting with filters)[EB/OL].[2024-07-01].https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html.
[13]QUACH A,PRAKASH A,YAN L.Debloating Software through Piece-Wise Compilation and Loading[C]//Proceedings of the 27th USENIX Security Symposium.USENIX Association,2018:869-886.
[14]PORTER C,MURURU G,BARUA P,et al.Blankit Library Debloating:Getting What You Want instead of Cutting What You don't[C]//Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation.ACM,2020:164-180.
[15]WILLIAMS-KING D,KOBAYASHI H,WILLIAMS-KING K,et al.Egalito:Layout-Agnostic Binary Recompilation[C]//Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems.ACM,2020:133-147.
[16]SHOSHITAISHVILI Y,WANG R,SALLS C,et al.SoK:(State of) the Art of War:Offensive Techniques in Binary Analysis[C]//Proceedings of the 2016 IEEE Symposium on Security and Privacy.IEEE,2016:138-157.
[17]RAJAGOPALAN V L,KLEFTOGIORGOS K,GOKTAS E,et al.SysPart:Automated Temporal System Call Filtering for Binaries[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security.ACM,2023:1979-1993.
[18]GAIDIS A J,ATLIDAKIS V,KEMERLIS V P.SysXCHG:Refining Privilege with Adaptive System Call Filters[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security.ACM,2023:1964-1978.
[19]SUI Y,XUE J.SVF:Interprocedural Static Value-Flow Analysis in LLVM[C]//Proceedings of the 25th International Conference on Compiler Construction.ACM,2016:265-266.
[20]SUI Y,YE D,XUE J.Detecting Memory Leaks Statically with Full-Sparse Value-Flow Analysis[J].IEEE Transactions on Software Engineering,2014,40(2):107-122.
[21]LU K,HU H.Where Does It Go?:Refining Indirect-Call Targets with Multi-Layer Type Analysis[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.ACM,2019:1867-1881.
[22]Seccomp Tools[EB/OL].[2024-07-01].https://github.com/david942j/seccomp-tools.
[23]pwntools-CTF toolkit[EB/OL].[2024-07-01].https://github.com/Gallopsled/pwntools.
[24]Musl Libc[EB/OL].[2024-07-01].https://www.musl-libc.org.
[25]SHACHAM H.The Geometry of Innocent Flesh on the Bone:Return-into-Libc without Function Calls(on the X86)[C]//Proceedings of the 2007 ACM Conference on Computer and Communications Security.ACM,2007:552-561.
[26]SIDIKE PA-ERHATIJIANG,MA J,SUN C.Fine-Grained Control Flow Integrity Method on Binaries[J].Computer Science,2019,46(S2):417-420.