DOI: 10.1145/3545948.3545981 (RAID '22 research article, public access)

Towards Deceptive Defense in Software Security with Chaff Bugs

Published: 26 October 2022

Abstract

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for the bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we propose a new defensive technique called chaff bugs, which instead targets the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we add large numbers of bugs that are non-exploitable. Attackers who attempt to find and exploit bugs in the software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources trying to build a working exploit. In a prototype, we demonstrate two strategies for ensuring the non-exploitability of memory safety bugs in C/C++ programs and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not impaired and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated bug-finding tools.


Cited by

  • Assessing the Effectiveness of Deception-Based Cyber Defense with CyberBattleSim. In Digital Forensics and Cyber Crime (2024), 224–243. https://doi.org/10.1007/978-3-031-56583-0_15 (online publication date: 3 April 2024)

Published in
RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, October 2022, 536 pages. ISBN 9781450397049, DOI 10.1145/3545948.

Publisher: Association for Computing Machinery, New York, NY, United States


Funding: NSF

Conference: RAID 2022. Overall acceptance rate 43 of 173 submissions (25%).
