Binary Code Retrofitting and Hardening Using SGX

Wang, Shuai; Wang, Wenhao; Bao, Qinkun; Wang, Pei; Wu, Dinghao

doi:10.1145/3141235.3141244

Cited by 11 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Binary analysis is a key technique for many applications such as legacy software maintenance [Gallagher and Lyle 1991;Loyall and Mathisen 1993], reuse [Sñbjùrnsen et al 2009;Zeng et al 2013], hardening [Payer et al 2015;Wang et al 2017], debloating [Ferles et al 2017;Quach et al 2018], commercial-off-the-shelf software security testing [Li et al 2017;Rawat et al 2017], malware analysis [Song et al 2008;, and reverse engineering (e.g., communication protocol reverse engineering) [Caballero et al 2007;Lin et al 2008]. A key binary analysis is program dependence analysis that determines if there is dependence between two instructions.…”

Section: Introductionmentioning

confidence: 99%

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

Zhang

You

Tao

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Binary program dependence analysis determines dependence between instructions and hence is important for many applications that have to deal with executables without any symbol information. A key challenge is to identify if multiple memory read/write instructions access the same memory location. The state-of-the-art solution is the value set analysis (VSA) that uses abstract interpretation to determine the set of addresses that are possibly accessed by memory instructions. However, VSA is conservative and hence leads to a large number of bogus dependences and then substantial false positives in downstream analyses such as malware behavior analysis. Furthermore, existing public VSA implementations have difficulty scaling to complex binaries. In this paper, we propose a new binary dependence analysis called BDA enabled by a randomized abstract interpretation technique. It features a novel whole program path sampling algorithm that is not biased by path length, and a per-path abstract interpretation avoiding precision loss caused by merging paths in traditional analyses. It also provides probabilistic guarantees. Our evaluation on SPECINT2000 programs shows that it can handle complex binaries such as gcc whereas VSA implementations from the-state-of-art platforms have difficulty producing results for many SPEC binaries. In addition, the dependences reported by BDA are 75 and 6 times smaller than Alto, a scalable binary dependence analysis tool, and VSA, respectively, with only 0.19% of true dependences observed during dynamic execution missed (by BDA). Applying BDA to call graph generation and malware analysis shows that BDA substantially supersedes the commercial tool IDA in recovering indirect call targets and outperforms a state-of-the-art malware analysis tool Cuckoo by disclosing 3 times more hidden payloads. CCS Concepts: • Security and privacy → Software reverse engineering; • Software and its engineering → Interpreters; Automated static analysis.

show abstract

Section: Introductionmentioning

confidence: 99%

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

Zhang

You

Tao

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…SGX has been widely used in many applications [10,15,66,[73][74][75]. Recent works have intensively studied side-channel vulnerabilities in SGX [2,8,12,14,16,34,43,49,53,58,72,77,79], while memory attacks have also received increasing attention [11,46,65,71].…”

Section: Related Workmentioning

confidence: 99%

SymGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications via Static Symbolic Execution

Wang,

Zhang,

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Intel Security Guard Extensions (SGX) have shown effectiveness in critical data protection. Recent symbolic execution-based techniques reveal that SGX applications are susceptible to memory corruption vulnerabilities. While existing approaches focus on conventional memory corruption in ECalls of SGX applications, they overlook an important type of SGX dedicated vulnerability: cross-boundary pointer vulnerabilities. This vulnerability is critical for SGX applications since they heavily utilize pointers to exchange data between secure enclaves and untrusted environments. Unfortunately, none of the existing symbolic execution approaches can effectively detect cross-boundary pointer vulnerabilities due to the lack of an SGX-specific analysis model that properly handles three unique features of SGX applications: Multi-entry Arbitrary-order Execution, Stateful Execution, and Context-aware Pointers. To address such problems, we propose a new analysis model named Global State Transition Graph with Context Aware

show abstract

“…Human labor is usually mandatory in this process. Although there has been researched proposing methods to automatically partition a software project to partially fit it into SGX [17,26], none of them are mature enough for constructing and maintaining a high-quality software supply chain.…”

Section: Porting Third-party Librariesmentioning

confidence: 99%

“…Lind et al developed a method to automatically dissect software source code into different parts, of which the security-sensitive ones are placed into SGX enclaves [17]. Wang et al proposed a similar technique for binary code [26]. Liu proposed an automated way to transform realtime software into a TEE-compatible form while ensuring the software still meets the real-time demands [18].…”

Section: Related Workmentioning

confidence: 99%

Building and maintaining a third-party library supply chain for productive and secure SGX enclave development

Wang¹,

Ding²,

Sun³

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Software Engineering in Practice

Self Cite

View full text Add to dashboard Cite

The big data industry is facing new challenges as concerns about privacy leakage soar. One of the remedies to privacy breach incidents is to encapsulate computations over sensitive data within hardware-assisted Trusted Execution Environments (TEE). Such TEE-powered software is called secure enclaves. Secure enclaves hold various advantages against competing for privacy-preserving computation solutions. However, enclaves are much more challenging to build compared with ordinary software. The reason is that the development of TEE software must follow a restrictive programming model to make effective use of strong memory encryption and segregation enforced by hardware. These constraints transitively apply to all third-party dependencies of the software. If these dependencies do not officially support TEE hardware, TEE developers have to spend additional engineering effort in porting them. High development and maintenance cost is one of the major obstacles against adopting TEE-based privacy protection solutions in production.In this paper, we present our experience and achievements with regard to constructing and continuously maintaining a third-party library supply chain for TEE developers. In particular, we port a large collection of Rust third-party libraries into Intel SGX, one of the most mature trusted computing platforms. Our supply chain accepts upstream patches in a timely manner with SGX-specific security auditing. We have been able to maintain the SGX ports of 159 open-source Rust libraries with reasonable operational costs. Our work can effectively reduce the engineering cost of developing SGX enclaves for privacy-preserving data processing and exchange.

show abstract

Binary Code Retrofitting and Hardening Using SGX

Cited by 11 publications

References 20 publications

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretation

SymGX: Detecting Cross-boundary Pointer Vulnerabilities of SGX Applications via Static Symbolic Execution

Building and maintaining a third-party library supply chain for productive and secure SGX enclave development

Contact Info

Product

Resources

About