Practical Protection of Binary Applications via Transparent Immunization
Author: Xinyuan Wang
Venue: 2021 18th International Conference on Privacy, Security and Trust (PST)
Published: 2021-12-13
DOI: 10.1109/PST52912.2021.9647820 (https://doi.org/10.1109/PST52912.2021.9647820)
In the past few years, massive data breach attacks on large organizations (e.g., Anthem Inc., Equifax) have compromised sensitive data of tens or even hundreds of millions of people. The 2017 Equifax data breach compromised sensitive data of 148 million people and had cost Equifax $1.4 billion as of May 2019. Unfortunately, in 2019 the average time to detect a data breach was 206 days and the average time to contain one was 73 days. There is a pressing need to develop practical and deployable capability to detect and block previously unseen, application-specific cyberattacks on vulnerable binary applications in real time. In this paper, we present AppImmu, a practical cyber defense system that can detect and block previously unknown cyberattacks on vulnerable binary applications in real time with no false positives. Given a potentially vulnerable ELF binary application, AppImmu can transparently and statically immunize it into an immunized version via binary rewriting. At run time, AppImmu uses kernel-level, immunization-based anomaly detection techniques to detect and block previously unknown cyberattacks on immunized binary applications without any prior knowledge of the attacks. We have successfully immunized large real-world binary applications on Linux, such as the Apache Java execution environment, the bash shell, and Snort, and have successfully detected and blocked real-world data breach attacks (e.g., the Apache Struts exploit used in the 2017 Equifax data breach, the Shellshock exploit) in true real time. Our benchmark experiments show that AppImmu incurs less than 6% run-time overhead in overall system performance and 2.1% run-time overhead for applications under a typical workload.