ASU tackles problem of patching software vulnerabilities with micropatching
From the recent Facebook data breach of over 500 million accounts to stories of hackers breaking into family homes through baby monitors, we are constantly bombarded with headlines from hackers taking advantage of security holes in the software we use. everyday.
The truth is, humans create software and humans are imperfect. Sometimes developers accidentally introduce a bug that makes software vulnerable to attack. As soon as a business or software developer discovers a vulnerability that could harm the user or disclose data, the critical solution is to provide a patch as soon as possible. This is where the patch comes in.
The patch can be thought of as a solution for software or a computer program, much like tape around a loose thread to keep it from moving. We all know of the alerts on our Apple or Microsoft devices asking us to update our systems. One of the best things a user can do is install these updates as soon as possible, protecting themselves against these known vulnerabilities. Helpful mechanisms are in place, such as automatic software updates, an automated security feature on the most commonly used internet browsers.
However, software updates are not the only solution needed.
“What happens if the software publisher no longer exists? How and who can fix these bugs? Asks Adam Doupé, director of the Center for Cybersecurity and Digital Forensics, part of the Global Security Initiative at Arizona State University. “What if the business goes bankrupt and someone finds a bug – a vulnerability that allows a remote hacker to gain access to your system?” How do we actually solve these problems? “
ASU is tackling this problem through a four-year contract with the Defense Advanced Research Projects Agency (DARPA) awarded to the center, which contributes to the research and development efforts of the Assured Micropatching (AMP) program. We spoke to Doupé about the importance of this research and the impact it is having.
What is a micropatch?
A micropatch is a small patch that fixes a vulnerability without compromising functionality.
“The point of a micropatch is to find out how to reduce the size of the patch so that we change some parts of the program,” says Doupé, who is also an associate professor at ASU’s School of Computing and Augmented Intelligence. . “Ultimately, we want to increase our confidence that we won’t break the functionality of the app – the less you change, the less you have to worry about collateral damage.”
What does the Center for Cybersecurity and Digital Forensics bring?
The center has set up VOLT (a Viscous, Orchestrated Lifting and Translation) framework, which aims to reverse engineer the software to which it is applied so that effective and efficient patches can be created.
“I have been working on software reverse engineering for over 10 years and, to my surprise, no one has created techniques to make binary patching effortlessly possible,” says Ruoyu (Fish) Wang, the principal investigator of the Assured Micropatching project. “Our VOLT framework, if successful, will be the first of its kind to allow easy bug fixing in deployed software. This capability will mean a lot to industry and national security. We really appreciate DARPA’s interest in supporting our research on this front.
One of the main strengths of the Center for Cybersecurity and Digital Forensics is “angr” – an open source framework created and founded by center researchers Yan Shoshitaishvili and Wang, with the aim of analyzing binary code to learn more about the program. applied to done. Yan and Wang will lead a team of researchers to dramatically improve the state of the art in binary decompilation techniques (transforming a binary program back into readable and understandable source code). As the technical foundation of VOLT, these techniques will allow a sound and faithful translation between the binary code and their corresponding decompilation output.
“The ‘angr’ framework allows us to perform ‘binary analysis’, which is able to take ones and zeros from a binary program and allows us to make sense of what the program is doing,” explains Doupé. “On HACCS (Harnessing Autonomy for Countering Cyberadversary Systems), a DARPA add-on program we’re involved in, we use ‘angr’ to automatically identify and exploit bugs in a binary program.
How can this improve defense in the United States?
Imagine this scenario: A modern war vehicle, like a tank, has software that executes a large number of components, from movement mechanisms and tread speed to directional navigation and targeting technology. .
“We wouldn’t want a security hole to exist (for example) in wireless communications and allow someone to jam or shut down your systems,” explains Doupé. “In this context, it would be very important that the tanks are all down during the restart of the systems. It’s quite frustrating in our day-to-day life, let alone in a war – it could be catastrophic.
“Governments buy these systems and the associated software, contract with various companies that build these binary systems to specification and run them. However, even if the government gets access to the source code, it may not have the toolchain to build and recompile them. AMP’s goal is to fully automate this process, through mathematical proofs and testing. “
Another challenge from a security perspective is that some control systems run Windows ’98, software that has not been updated for over a decade. The operating system has accumulated a vast history of known vulnerabilities and exploits, which then creates difficulties in securing the system.
At the national level, the Ministry of Defense is very interested in this type of research.
“The DOD has a lot of manpower that they can direct to a problem, but the flip side is understanding what kinds of things they don’t necessarily have power over,” says Doupé. “The key to solving any security problem is, once identified, that you really need to act on it. One of the key concepts in security is that if you find something, you have to assume that someone else – say, your opponent – can find it as well. “
What is the problem and the solution?
In general, software and device makers are good at solving problems as they arise, but there are areas where consumers are more vulnerable.
As part of DARPA Assured Micropatching, the Center for Cybersecurity and Digital Forensics team is developing new automated methods to “understand” the machine-readable form of software, reverse the translation process and generate human-readable source code . They can then repair small segments of code, re-translate the repaired segments, and reintegrate them into the deployed software. This will allow the team to resolve security issues in deployed critical software in a timely, cost effective and scalable manner.
“Operating systems, cell phones, web browsers – all generally have very good systems for delivering patches because everyone understands the importance of security,” says Doupé. “Phones are another great example of where businesses are efficient at deploying patches. Yes, you might not be able to use your phone for a short time, but keeping it up to date is very important.
But not all corrections come to your attention, and not all are under your control. For example, when was the last time you updated your Wi-Fi router for security breaches? What if a provider of a product you use over Wi-Fi no longer supports your router? This puts you in a difficult position as you cannot personally apply a fix.
“Ultimately, there should be changes at the policy level to handle cases of companies voluntarily selling a system that has known security vulnerabilities. They shouldn’t have the choice of just not updating the software, ”explains Doupé. “Regulators and policymakers should think about what exactly would companies fail or no longer support security updates on people’s devices.
“From a security perspective, it’s worse if the device works but never receives updates, especially home devices that connect to other systems. At the individual level, it is difficult. My recommendation is to enable automatic updates on all possible systems, thus doing your part for cyberhygiene.
“What’s unfortunate here is that it places more of a burden on the consumer to do this research.”