Practical Program Modularization with Type-Based Dependence Analysis

2023 IEEE Symposium on Security and Privacy (SP) Pub Date : 2023-05-01 DOI:10.1109/SP46215.2023.10179412

Kangjie Lu

{"title":"Practical Program Modularization with Type-Based Dependence Analysis","authors":"Kangjie Lu","doi":"10.1109/SP46215.2023.10179412","DOIUrl":null,"url":null,"abstract":"Today's software programs are bloating and have become extremely complex. As there is typically no internal isolation among modules in a program, a vulnerability can be exploited to corrupt the memory and take control of the whole program. Program modularization is thus a promising security mechanism that splits a complex program into smaller modules, so that memory-access instructions can be constrained from corrupting irrelevant modules. A general approach to realizing program modularization is dependence analysis which determines if an instruction is independent of specific code or data; and if so, it can be modularized. Unfortunately, dependence analysis in complex programs is generally considered infeasible, due to problems in data-flow analysis, such as unknown indirect-call targets, pointer aliasing, and path explosion. As a result, we have not seen practical automated program modularization built on dependence analysis.This paper presents a breakthrough—Type-based dependence analysis for Program Modularization (TyPM). Its goal is to determine which modules in a program can never pass a type of object (including references) to a memory-access instruction; therefore, objects of this type that are created by these modules can never be valid targets of the instruction. The idea is to employ a type-based analysis to first determine which types of data flows can take place between two modules, and then transitively resolve all dependent modules of a memory-access instruction, with respect to the specific type. Such an approach avoids the data-flow analysis and can be practical. We develop two important security applications based on TyPM: refining indirect-call targets and protecting critical data structures. We extensively evaluate TyPM with various system software, including an OS kernel, a hypervisor, UEFI firmware, and a browser. Results show that on average TyPM additionally refines indirect-call targets produced by the state of the art by 31%-91%. TyPM can also remove 99.9% of modules for memory-write instructions to prevent them from corrupting critical data structures in the Linux kernel.","PeriodicalId":439989,"journal":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP46215.2023.10179412","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Today's software programs are bloating and have become extremely complex. As there is typically no internal isolation among modules in a program, a vulnerability can be exploited to corrupt the memory and take control of the whole program. Program modularization is thus a promising security mechanism that splits a complex program into smaller modules, so that memory-access instructions can be constrained from corrupting irrelevant modules. A general approach to realizing program modularization is dependence analysis which determines if an instruction is independent of specific code or data; and if so, it can be modularized. Unfortunately, dependence analysis in complex programs is generally considered infeasible, due to problems in data-flow analysis, such as unknown indirect-call targets, pointer aliasing, and path explosion. As a result, we have not seen practical automated program modularization built on dependence analysis.This paper presents a breakthrough—Type-based dependence analysis for Program Modularization (TyPM). Its goal is to determine which modules in a program can never pass a type of object (including references) to a memory-access instruction; therefore, objects of this type that are created by these modules can never be valid targets of the instruction. The idea is to employ a type-based analysis to first determine which types of data flows can take place between two modules, and then transitively resolve all dependent modules of a memory-access instruction, with respect to the specific type. Such an approach avoids the data-flow analysis and can be practical. We develop two important security applications based on TyPM: refining indirect-call targets and protecting critical data structures. We extensively evaluate TyPM with various system software, including an OS kernel, a hypervisor, UEFI firmware, and a browser. Results show that on average TyPM additionally refines indirect-call targets produced by the state of the art by 31%-91%. TyPM can also remove 99.9% of modules for memory-write instructions to prevent them from corrupting critical data structures in the Linux kernel.

查看原文本刊更多论文

基于类型依赖分析的实用程序模块化

今天的软件程序正在膨胀，并且已经变得极其复杂。由于程序中的模块之间通常没有内部隔离，因此可以利用漏洞破坏内存并控制整个程序。因此，程序模块化是一种很有前途的安全机制，它将一个复杂的程序分割成更小的模块，这样内存访问指令就可以受到约束，不会破坏不相关的模块。实现程序模块化的一般方法是依赖性分析，它确定指令是否独立于特定的代码或数据;如果是这样，它可以被模块化。不幸的是，由于数据流分析中存在未知的间接调用目标、指针混叠和路径爆炸等问题，复杂程序中的依赖分析通常被认为是不可行的。因此，我们还没有看到建立在依赖性分析基础上的实用的自动化程序模块化。提出了一种突破性的基于类型的程序模块化(TyPM)依赖分析方法。它的目标是确定程序中的哪些模块永远不能将对象类型(包括引用)传递给内存访问指令;因此，由这些模块创建的这种类型的对象永远不可能是指令的有效目标。其思想是采用基于类型的分析，首先确定两个模块之间可以发生哪种类型的数据流，然后根据特定类型传递地解析内存访问指令的所有依赖模块。这种方法避免了数据流分析，具有实用性。我们基于TyPM开发了两个重要的安全应用程序:精炼间接调用目标和保护关键数据结构。我们使用各种系统软件对TyPM进行了广泛的评估，包括操作系统内核、管理程序、UEFI固件和浏览器。结果表明，平均而言，TyPM对现有技术产生的间接调用目标进行了31%-91%的额外改进。TyPM还可以删除99.9%的内存写指令模块，以防止它们破坏Linux内核中的关键数据结构。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量