Find Bugs Faster Than Hackers – USC Viterbi

Photo credit: andriano_cz/Getty Images

Malware, viruses, spyware, bots and more! Hackers have many tools at their disposal to ruin your day with your vulnerable technology. As we become increasingly dependent on internet-based products (phone, computer, smart home) and everything from toasters to toothbrushes can be connected to the internet, we must be ever vigilant against malicious attacks. .

Preventing such attacks is the goal of a group of researchers from the Binary Analysis and Systems Security (BASS) group at USC Viterbi’s Institute for Information Science (ISI). They will present their new paperwritten in collaboration with Arizona State University, at the next 35th Annual USENIX Security Symposiumone of the leading conferences in the field of cybersecurity, held August 10-12 in Boston, Mass.

“This document is about vulnerability discovery, which is finding security bugs in software that attackers or hackers could exploit to take control of remote systems, leak information, or do any number of bad things,” he said. said the co-author and co-advisor. Christopher Hausera computer science researcher at ISI and research manager.

Co-author Nicholas Weideman adds that this is in particular automatique vulnerability discovery. “Because computer programs are so large and complicated these days, we would like to automatically detect these vulnerabilities instead of having a human expert analyzing the program to find them.”

Finding bugs in zeros and ones

The article proposes a new technique for the automated discovery of vulnerabilities at the binary level. Hauser explains: “One of the specificities of this research is that we did not analyze the software at the source code level, but in fact at the binary level, the executable code. These are instructions that speak directly to the machine, they are not instructions meant to be understood by humans.

Current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. Static vulnerability detection techniques – scanning a program without actually running it – are limited in their accuracy. While dynamic vulnerability detection techniques – analyzing a program while it’s running – are difficult to scale in size and therefore in speed.

Presentation of the ARBITRATOR

In their paper, the researchers propose a hybrid method that uses both static and dynamic vulnerability detection techniques to improve the accuracy of the former and the scalability of the latter. The team implemented their technique, creating a prototype called ARBITER, and discovered that they could make several advances in the automatic analysis of binary code.

Hauser said, “It improves software security by giving security analysts the ability to scale, so we can essentially catch security bugs that hackers might try to exploit before we find them. ARBITER can find bugs quickly so they can be fixed quickly by developers, which means more security.

They demonstrated the effectiveness of ARBITER with a large-scale assessment on four common vulnerability classes. The “four common vulnerability classes” are noteworthy. Weideman said, “In the past, when static and dynamic execution were combined, it was for one very specific type of vulnerability. ARBITER, on the other hand, allows us to specify multiple vulnerabilities.

ARBITER tackles the real world

The team put ARBITER to the test in a real-world application. “Essentially, we analyzed all the packages of one of the most common Linux distributions. It is an operating system that is used in servers and desktop computers all over the world. Hauser continued, “So it’s not just a research prototype that we tried on a small-scale experiment in the corner of a lab somewhere; we’ve applied it to big software that people use every day.

Why Linux? Weidman said, “Linux is free, which is great for repeatability. It allows anyone to set up the experimental environment and check the results. There are also many open source programs created for Linux. Even though ARBITER only uses binary instructions, the source code is available to us to verify the results.

When ARBITER ran on Linux distributions, it actually found vulnerabilities. Weideman said, “Now that these vulnerabilities have been discovered, they are reported to developers who then patch the vulnerabilities to secure the software, so I would say ARBITER has already had an impact in the real world.”

What is the next step for ARBITER?

These results pave the way for future research in this area. When asked what the next steps will be, Hauser replied, “There are still things that we have to evolve because the models that we use sometimes reach hard limits, theoretical limits that we cannot exceed. unless you try to approach things slightly differently.

One approach is to take advantage of recent advances in artificial intelligence, and in particular machine learning models, as a source of transferable knowledge.

Machine learning is a way to bring additional external knowledge into the computation. “One way to do that is to look at it in a more probabilistic way. For example, using machine learning to help push those boundaries. By leveraging machine learning, we can automatically determine the best strength trade-offs,” Hauser said. “This is part of future research, in fact we are currently exploring these directions within the BASS Group.”

Hauser, Weideman and the research team are part of the LOW research group (Binary Analysis and Systems Security) in the Networks and Cybersecurity Division of ISI. Their research focuses on the analysis of binary programs for automated and semi-automated reverse engineering and vulnerability discovery, as well as other aspects of system security. As they do with future research around ARBITER, the BASS group often leverages machine learning where appropriate through collaboration with ISI Artificial Intelligence Pole.

The paper will be presented at the upcoming 35th Annual USENIX Security Symposium, which has an acceptance rate of 14.5%, down from 18.7% last year. This year, only 79 of the 546 articles submitted were accepted. According to Hauser, “USENIX Security is one of the top four system security conferences.” In addition to being a presenter, Hauser is a member of the USENIX programming committee.

Posted on August 8, 2022

Last updated August 3, 2022

Previous Accelerate fiscal consolidation efforts to restore credit downgrades – Economist
Next Call of Duty Warzone: new update is out now, fixes annoying bugs and undoes the buff