The latest software development practices can turn out new programs and products in record time. However, with enhanced speed and convenience comes “code bloat,” which creates a larger attack surface and a proliferation of security vulnerabilities just waiting for hackers. Recent advances in software development often result in the need for constant system updates or bug fixes. Failure to implement these “fixes,” as is believed to have been the case in the recent Equifax breach, costs the end user time and money.
A team of researchers in the Department of Computer Science at Stony Brook University was recently awarded $3.5M by the Office of Naval Research to work on “debloating”: removing unneeded code and constraining the use of the remaining code, thus enhancing performance as well as security. In this project, entitled “Multi-layer Software Transformation for Attack Surface Reduction and Shielding,” Professors R. Sekar and Michalis Polychronakis will leverage recent advances they have made in binary code analysis and transformation to remove code bloat and tighten the security of today’s software.
“Our project is based on the experience and insight gained from our prior research in this area. To keep it well-managed and to optimize effectiveness, we specifically targeted three main areas: code analysis foundations, debloating and dynamic attack surface reduction, and software shielding,” said Polychronakis.
“The attack surface will be reduced by removing unnecessary code and restricting capabilities of remaining code,” Sekar says. “We plan to disrupt unintended data flows that are often used in exploits and freeze data that does not need to be modified during operation.”
New protection mechanisms will help shield software against exploitation, while significantly advancing control-flow containment, code isolation, and diversification.