Fine-Grained Library Customization
Linhai Song and Xinyu Xing
Pennsylvania State University

Motivation
• Modular design leads to code bloat
  – Library provides comprehensive functionalities
  – Library user has limited usage scenarios
• Bloated code widely exists
• Bloated code causes a lot of problems
  – Contains potential vulnerabilities
  – Increases memory pressure
  – Incurs computation inefficiency
  – Consumes network bandwidth during distribution

Existing Debloating Techniques
• Utilize function as customization granularity
• May miss some debloating opportunities

    // Application
    int main() {
        …
        struct packet *p;
        …
        while (func_B(p)) {
            if (p->type == a) {…}
            else if (p->type == b) {…}
        }
    }

    // Library
    void func_A() { func_C(); }
    int func_B(struct packet *p) {
        p->type = …;
        if (p->type == a) {…}
        else if (p->type == b) {…}
        else if (p->type == c) { func_D(); }
        return …;
    }
    void func_C() {…}
    void func_D() {…}

Our Approach
• Explore opportunities inside invoked functions
  – Code not executed under the calling context
  – Code not producing any side effect

(Example code: the application and library listing shown under Existing Debloating Techniques.)

Problem Scope
• Our focus: network protocol implementation
  – Protocol implementations are widely used
  – Most attacks are conducted through the network
  – Our technique is not limited to network protocols
• Collected Benchmarks
  – Network Middleware Programs
  – Internet of Things Applications

Modeling Protocol Implementation
• System Call: receive raw packet data
• Decoder: change raw data to packet structures
• Handler: achieve desired functionalities

    typedef struct {
        int iType;
        int iMsgSize;
        …
    } MIDI_MSG;
    void *buf;

    // System Call
    recv(sockfd, buf, …)

    // Decoder
    switch (msg.iType) {
    case type1: msg.iMsgSize = 2; …
    case type2: …
    case type3: …
    case type4: …
    …
    }

    // Handler
    switch (msg.iType) {
    case type1: handle_type1(…); …
    case type2: handle_type2(…); …
    case type3: handle_type3(…); …
    default: break;
    }

Key Observations
• 1. Mismatch between decoder and handler
• 2. Configurable handler, cuttable decoder
• 3. Knowledge of incoming packets

(Diagram: a "type 1" packet entering the System Call / Decoder / Handler model from Modeling Protocol Implementation.)

Outline
• Introduction
• Observation 1: details and an example
• Observation 2: details and an example
• Observation 3: details and an example
• Future works and conclusions

MIDIlib Overview
• MIDI: a protocol for electronic music
• MIDIlib: a C library to handle MIDI protocol
  – I/O libraries for MIDI files
    • Implemented in midifile.c
  – 5 executable applications
    • m2rtttl and 4 others

(Diagram: System Call = fread(…); Decoder = midifile.c; Handler = m2rtttl.c)

Packet Field Analysis
• 44 fields defined, 9 fields used

    // Decoder: returns a MIDI packet and defines packet fields
    BOOL midiReadNextMsg(…, MIDI_MSG *msg) {
        …
        switch (msg->iType) {
        case msgNoteOff:
            msg->Data.NoteOff.iCh = …;
            msg->Data.NoteOff.iNote = …;
            …
            break;
        case msgNoteOn: … break;
        case msgMetaEvent: … break;
        case msgNoteKeyPress: … break;
        case msgSetParameter: … break;
        …
        }
    }

    // Handler: calls the decoder function and uses packet fields
    while (midiReadNextMsg(mf, &msg)) {
        …
        switch (msg.iType) {
        case msgNoteOff:
            if (iChannel == msg.Data.NoteOff.iCh) {
                outStdout(…);
                iCurrPlayingNote = -1;
                …
            }
            break;
        case msgNoteOn: … break;
        case msgMetaEvent: … break;
        default: break;
        }
    }

Packet Type Analysis
• 9 types assembled, 3 types used
• Same decoder and handler listing as under Packet Field Analysis, annotated by packet type:
  – Decoder, case msgNoteOff: assemble an msgNoteOff packet
  – Handler, case msgNoteOff: process an msgNoteOff packet
  – Handler, default: ignore other types

Eliminate Dead Field Assignments
• Compute struct field offset
• Identify dead fields and their assignments
• Simple data dependence analysis
• Trim all identified instructions

    typedef struct {
        int a;          // offset: 0, accesses: (r, w)
        int b;          // offset: 4, accesses: (w)
    } packet;

    // decoder
    packet p;
    p.a = …;            // (0, write)
    d = …;
    p.b = d;            // (4, write)

    // handler
    if (p.a == …) {     // (0, read)
        …
    }

Eliminate Unused Packet Types
• Extract execution constraints from handler
• Detect conflicting constraints inside decoder
• Trim corresponding instructions

    typedef struct {
        int type;
        int a;
        int b;
    } packet;

    // decoder
    packet p;
    if (p.type == 1) {…}
    else if (p.type == 2) {
        p.a = xxx;          // Field: a, Condition: type == 2 (marked X on the slide)
    }

    // handler
    if (p.type == 1) {      // Condition: type == 1
        printf("%d\n", p.a);
        printf("%d\n", p.b);
    }
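
The two analyses above (dead field assignments and unused packet types) can be sketched over a table of recorded struct accesses. This is an added example, not code from the slides or from the authors' LLVM-based tool; the access records, the ALWAYS marker and classify() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Packet struct from the slide. */
typedef struct { int type; int a; int b; } packet;

enum { ALWAYS = -1 };   /* assumed marker: access not guarded by a type test */
typedef enum { LIVE, DEAD_FIELD, UNUSED_TYPE } verdict;

/* One recorded struct access: field offset plus the packet type guarding it. */
typedef struct { size_t off; int guard; } access;

/* Constructed summaries: writes found in a decoder, reads found in a handler. */
const access decoder_writes[] = {
    { offsetof(packet, type), ALWAYS }, /* p.type = ...;                */
    { offsetof(packet, a), 1 },         /* if (type == 1) p.a = ...;    */
    { offsetof(packet, b), 1 },         /* if (type == 1) p.b = ...;    */
    { offsetof(packet, a), 2 },         /* if (type == 2) p.a = ...;    */
};
const access handler_reads[] = {
    { offsetof(packet, type), ALWAYS }, /* switch (p.type)              */
    { offsetof(packet, a), 1 },         /* if (type == 1) use p.a       */
};

/* Two guards can hold on the same execution unless they name different types. */
static int compatible(int g1, int g2) {
    return g1 == ALWAYS || g2 == ALWAYS || g1 == g2;
}

/* Classify one decoder write against all handler reads:
 *  - no read of that offset at all          -> dead field assignment
 *  - reads exist but every guard conflicts  -> write belongs to an unused type
 *  - otherwise the write must stay. */
verdict classify(const access *w, const access *reads, size_t n) {
    int field_read = 0;
    for (size_t i = 0; i < n; i++) {
        if (reads[i].off != w->off) continue;
        field_read = 1;
        if (compatible(w->guard, reads[i].guard)) return LIVE;
    }
    return field_read ? UNUSED_TYPE : DEAD_FIELD;
}

int main(void) {
    static const char *name[] = { "live", "dead field", "unused type" };
    for (size_t i = 0; i < 4; i++)
        printf("write #%zu (offset %zu): %s\n", i, decoder_writes[i].off,
               name[classify(&decoder_writes[i], handler_reads, 2)]);
    return 0;
}
```

A real pass would also have to treat a whole-struct copy or an escaping pointer as a read of every field before trimming anything.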

Experimental Results
• Implementation based on LLVM-5.0.0
• Evaluation metrics:
  – How many packet field assignments are cut (PF)?
  – How many lines of source code are cut (LOC)?
  – How many lines of LLVM IR are cut (LOLL)?

            Dead Field Assignment   Unused Packet Type   Total
    PF      6                       33                   36
    LOC     6                       62                   65
    LOLL    51                      355                  367

Callouts across the slide builds: "more effective"; 37.80% and 48.36%; 39.63% and 50%.

Summary
• A simple code analysis on midilib
  – 9 types of packets assembled by the decoder
  – 3 types of packets processed
• Mismatch between a decoder and a handler
• 40% decoder code can be eliminated

(Diagram: the System Call / Decoder / Handler model from Modeling Protocol Implementation.)

Snort Overview
• An open-source intrusion detection system
• Take configuration rules as input
  – Action: accept/drop/alert
  – Condition: <protocol, sip, dip, sport, dport>
• Multiple-layer decoders are used

Example rule: drop tcp 10.0/24 80 10.1.0.0/24 50
Field labels on the slide: action, protocol, source ip, source port, destination ip, destination port

Layer-2 Decoder

    if (…) {
        layer2_decoder = DecodeEthPkt;
    } else if (…) {
        layer2_decoder = DecodeSlipPkt;
    } else {
        layer2_decoder = DecodeRawPkt;
    }
    pcap_loop(..., layer2_decoder, …)   // the system call to receive packets

    // layer-2 decoders
    void DecodeEthPkt(u_char *pkt, …) {
        pkt_type = ntohs(pkt->ether_type);
        switch (pkt_type) {
        // layer-3 decoders
        case TYPE_IP:  DecodeIP(…);  return;
        case TYPE_ARP: DecodeARP(…); return;
        case TYPE_IPX: DecodeIPX(…); return;
        }
    }

(Diagram: decoder stack Layer 4 / Layer 3 / Layer 2.)

Layer-3 Decoder

    typedef struct _NetData {
        unsigned long sip;
        unsigned long dip;
        unsigned short sport;
        unsigned short dport;
        unsigned int proto;
    } NetData;
    NetData net;

    void DecodeIP(u_char *pkt, …) {
        iph = (IPHdr *)pkt;
        // extract packet information
        net.sip = iph->ip_src;
        net.dip = iph->ip_dst;
        switch (iph->ip_proto) {
        // layer-4 decoders
        case TCP:  net.proto = TCP;  DecodeTCP(…);  return;
        case UDP:  net.proto = UDP;  DecodeUDP(…);  return;
        case ICMP: net.proto = ICMP; DecodeICMP(…); return;
        }
    }

(Diagram: decoder stack Layer 4 / Layer 3 / Layer 2.)

Layer-4 Decoder

    typedef struct _NetData {
        unsigned long sip;
        unsigned long dip;
        unsigned short sport;
        unsigned short dport;
        unsigned int proto;
    } NetData;
    NetData net;    // used during rule matching

    void DecodeTCP(u_char *pkt, …) {
        tcph = (TCPHdr *)pkt;
        // extract port information
        net.sport = ntohs(tcph->sport);
        net.dport = ntohs(tcph->dport);
        …
    }

(Diagram: decoder stack Layer 4 / Layer 3 / Layer 2.)

Decoder

    Layer      Protocol           Extract Information
    Layer-4    TCP, UDP, ICMP     sport, dport
    Layer-3    IP, IPX, ARP       protocol, sip, dip
    Layer-2    Ethernet, SLIP

Rule Matching

    void ApplyRules() {
        while (…) {
            r = …;                  // fetch a rule
            if (MatchRule(r)) {
                …                   // take some actions
                return;
            }
        }
    }

    int MatchRule(r) {
        // compare protocols
        if (r->proto != net.proto) goto bottom;
        // compare ips
        if (r->sip != net.sip) goto bottom;
        if (r->dip != net.dip) goto bottom;
        // compare ports
        if (r->sport != ANY && r->sport != net.sport) goto bottom;
        if (r->dport != ANY && r->dport != net.dport) goto bottom;
        return 1;
    bottom:
        return 0;
    }

Debloating Opportunity
• Wildcard “any” configured for port numbers
  – match any port number
  – widely used to block traffic between two subnets
• layer-4 decoders can possibly be trimmed

How “any” is handled during rule matching (in MatchRule):

    if (r->sport != ANY && r->sport != net.sport) goto bottom;
    if (r->dport != ANY && r->dport != net.dport) goto bottom;

How to Debloat?
• Propagate constant values from configuration
• Fold statically computable expressions
• Eliminate dead code

    void DecodeTCP(u_char *pkt, …) {
        tcph = (TCPHdr *)pkt;
        net.sport = ntohs(tcph->sport);
        net.dport = ntohs(tcph->dport);
        …
    }

    int MatchRule(r) {
        if (r->proto != net.proto) goto bottom;
        if (r->sip != net.sip) goto bottom;
        if (r->dip != net.dip) goto bottom;
        // r->sport is ANY: "ANY != ANY" is False
        if (r->sport != ANY && r->sport != net.sport) goto bottom;
        // r->dport is ANY: "ANY != ANY" is False
        if (r->dport != ANY && r->dport != net.dport) goto bottom;
        return 1;
    bottom:
        return 0;
    }
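
The folding step above, as an added example rather than Snort's or the authors' code: with every rule port set to ANY the port tests fold away, so the trimmed build can skip the layer-4 decoder and still return the same verdicts. ANY encoded as 0, exact-match addresses, and the names first_match, ports_all_any and match_rule_folded are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ANY 0 /* assumed wildcard encoding for a rule port */

/* Same five fields as the slides' NetData; a rule reuses the layout. */
typedef struct { uint32_t sip, dip; uint16_t sport, dport; unsigned proto; } NetData;
typedef NetData Rule;

static unsigned l4_calls; /* how often the layer-4 decoder ran */

/* Decoders: a constructed, already-parsed packet stands in for raw bytes. */
static void decode_l4(const NetData *pkt, NetData *net) {
    l4_calls++;
    net->sport = pkt->sport; net->dport = pkt->dport;
}
static void decode_l3(const NetData *pkt, NetData *net, int trimmed) {
    net->proto = pkt->proto; net->sip = pkt->sip; net->dip = pkt->dip;
    if (!trimmed) decode_l4(pkt, net); /* the trimmed build drops this call */
}

/* Handler as on the slide (exact-match addresses, no CIDR handling). */
static int match_rule(const Rule *r, const NetData *net) {
    if (r->proto != net->proto) return 0;
    if (r->sip != net->sip) return 0;
    if (r->dip != net->dip) return 0;
    if (r->sport != ANY && r->sport != net->sport) return 0;
    if (r->dport != ANY && r->dport != net->dport) return 0;
    return 1;
}
/* After propagating sport == dport == ANY, both port tests fold to false. */
static int match_rule_folded(const Rule *r, const NetData *net) {
    return r->proto == net->proto && r->sip == net->sip && r->dip == net->dip;
}

/* Precondition for trimming: every configured rule uses ANY for both ports. */
int ports_all_any(const Rule *rules, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (rules[i].sport != ANY || rules[i].dport != ANY) return 0;
    return 1;
}

/* Index of the first matching rule, or -1 if none matches. */
int first_match(const Rule *rules, size_t n, const NetData *pkt, int trimmed) {
    NetData net = {0};
    decode_l3(pkt, &net, trimmed);
    for (size_t i = 0; i < n; i++)
        if (trimmed ? match_rule_folded(&rules[i], &net) : match_rule(&rules[i], &net))
            return (int)i;
    return -1;
}

/* Constructed sample data: fields are sip, dip, sport, dport, proto. */
const Rule any_rules[]  = { { 0x0A000001, 0x0A010001, ANY, ANY, 6 } };
const Rule port_rules[] = { { 0x0A000001, 0x0A010001, ANY, 80, 6 } };
const NetData pkts[] = {
    { 0x0A000001, 0x0A010001, 40000, 443, 6 }, /* addresses match the rule */
    { 0x0A000002, 0x0A010001, 40000, 80, 6 },  /* different source address */
};

int main(void) {
    if (!ports_all_any(any_rules, 1)) return 1;
    for (size_t i = 0; i < 2; i++)
        printf("pkt %zu: full=%d trimmed=%d\n", i,
               first_match(any_rules, 1, &pkts[i], 0),
               first_match(any_rules, 1, &pkts[i], 1));
    printf("layer-4 decoder calls: %u\n", l4_calls);
    return 0;
}
```

ports_all_any is the precondition: for the constructed port_rules set (dport 80) the trimmed matcher accepts a packet the full matcher rejects, so a trimmed build is only valid for the configuration it was specialized against.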

Experimental Results
• Evaluation metrics:
  – How many lines of source code are cut (LOC)?
    • 313 LOC (46.99% decoder code) can be eliminated
  – Performance improvement after debloating: 15%

Summary
• A simple empirical study on snort
  – “any” is configured for port numbers
  – Layer-4 decoders can be trimmed
• Configurable handler, cuttable decoder
• 46.99% decoder code can be eliminated

(Diagram: the System Call / Decoder / Handler model from Modeling Protocol Implementation.)

Open62541 Overview
• Open-source implementation of OPC UA
  – OPC UA: OPC Unified Architecture
  – Support 6 packet types
  – Provide code for both client and server

    enum messageType {
        UA_HEL = 0x48454C, // H E L
        UA_ACK = 0x41434B, // A C K
        UA_ERR = 0x455151, // E R R
        UA_OPN = 0x4F504E, // O P N
        UA_MSG = 0x4D5347, // M S G
        UA_CLO = 0x434C4F  // C L O
    };

(Diagram: Client and Server.)

Empirical Study
• Whether there are unused handlers?

    Columns: Packet Type, C -> S, S -> C, S Handler, C Handler
    UA_HEL    Y N
    UA_ACK    N Y N N
    UA_ERR    N Y Y Y
    UA_OPN    Y Y
    UA_MSG    Y Y Y
    UA_CLO    Y Y  [callout: mismatch]  Y

    C -> S: Client -> Server
    S -> C: Server -> Client
    S Handler: Server Side Handler
    C Handler: Client Side Handler

Future Works
• Study more protocol implementations
  – Look for more debloating opportunities
  – Verify whether identified patterns widely exist
• Build automated static techniques
  – Identify cases following our patterns
  – Apply corresponding debloating

(Diagram labels: Study; Building tools.)

Conclusions
• 1. Mismatch between decoder and handler
• 2. Configurable handler, cuttable decoder
• 3. Knowledge of incoming packets

(Diagram: a "type 1" packet entering the System Call / Decoder / Handler model from Modeling Protocol Implementation.)

Thanks a lot!

Questions?
• 1. Mismatch between decoder and handler
• 2. Configurable handler, cuttable decoder
• 3. Knowledge of incoming packets