On-the-fly Code Activation for Attack Surface Reduction

TL;DR

This paper introduces OCA, a runtime technique that dynamically disables specific functions to significantly reduce attack gadgets in software, enhancing security with minimal performance impact.

Contribution

OCA is a novel, general approach that reduces attack surface by on-the-fly function control without requiring user input or application modification.

Findings

73.2% gadget reduction on SPEC CPU 2017

87.2% gadget reduction on GNU coreutils

80.3% gadget reduction on nginx with 2% slowdown

Abstract

Modern code reuse attacks are taking full advantage of bloated software. Attackers piece together short sequences of instructions in otherwise benign code to carry out malicious actions. Eliminating these reusable code snippets, known as gadgets, has become one of the prime concerns of attack surface reduction. The aim is to break these chains of gadgets, thereby making such code reuse attacks impossible or substantially less common. Previous work on attack surface reduction has typically tried to eliminate such attacks by subsetting the application, e.g. via user-specified inputs, configurations, or features, or by focusing on third-party libraries to achieve high gadget reductions with minimal interference to the application. In this work we present a general, whole-program attack surface reduction technique called OCA that significantly reduces gadgets and has minor performance degradation. OCA requires no user inputs and leaves all features intact. OCA identifies specific program points and through analysis determines key function sets to enable/disable at runtime. The runtime system, thus, controls the set of enabled functions during execution, thereby significantly reducing the set of active gadgets an attacker can use, and by extension, cutting down the set of active gadget chains dramatically. On SPEC CPU 2017, our framework achieves 73.2% total gadget reduction with only 4% average slowdown. On 10 GNU coreutils applications, it achieves 87.2% reduction. On the nginx server it achieves 80.3% reduction with 2% slowdown. We also provide a gadget chain-breaking study across all applications, and show that our framework breaks the shell-spawning chain in all cases.