ASU tackles the problem of fixing software vulnerabilities through micropatching
From the recent Facebook data breach of over 500 million accounts, to stories of hackers getting into family homes through baby monitors, we are constantly bombarded by headlines of hackers taking advantage of security vulnerabilities in the software we use every day.
The truth is, humans create software, and humans are imperfect. Sometimes developers accidentally introduce a bug that leaves the software vulnerable to attacks. As soon as a company or software developer discovers a vulnerability that could harm the user or leak data, the critical solution is to provide a fix as soon as possible. This is where patching comes in.
Patching can be thought of as a fix for a computer software or program, kind of like duct tape around a loose wire to prevent wiggling. We are all familiar with the alerts on our devices from Apple or Microsoft asking us to update our systems. One of the best things the user can do is to install those updates as soon as possible, protecting against those known vulnerabilities. There are helpful mechanisms in place, such as automatic software updates — an automated safety feature on most commonly used internet browsers.
However, software updates are not the only solution needed.
“What happens if the software company no longer exists? How and who can fix those bugs?” asks Adam Doupé, director of the Center for Cybersecurity and Digital Forensics, part of the Global Security Initiative at Arizona State University. “What if the company goes bankrupt and somebody finds a bug — a vulnerability that allows a remote hacker to have access to your system? How do we actually fix those problems?”
ASU is tackling this problem through a four-year Defense Advanced Research Projects Agency (DARPA) contract awarded to center, which is contributing research and development efforts to the Assured Micropatching program (AMP). We spoke to Doupé about the importance of this research and the impact it provides.
What is a micropatch?
A micropatch is a small patch that fixes one vulnerability without jeopardizing functionality.
“The goal of a micropatch is to figure out how to reduce the size of the patch so that we change few parts of the program,” says Doupé, who is also an associate professor in ASU’s School of Computing and Augmented Intelligence. “Ultimately, we want to increase our confidence that we will not break the functionality of the application — the less you change, the less you have to worry about in terms of collateral damage.”
What is the Center for Cybersecurity and Digital Forensics bringing to the table?
The center has put together VOLT (a Viscous, Orchestrated Lifting and Translation framework), which aims to reverse engineer the software it is applied to so that efficient and effective patches can be created.
“I have worked on software reverse engineering for over 10 years, and much to my surprise, no one has created techniques to make effortless binary patching possible,” says Ruoyu (Fish) Wang, the lead project investigator of the Assured Micropatching project. “Our VOLT framework, upon success, will be the first of its kind that enables easy bug fixing on deployed software. This capability will mean a lot to both industry and national security. We really appreciate DARPA’s interest in supporting our research on this front.”
One of the core strengths of the Center for Cybersecurity and Digital Forensics is “angr” — an open-source framework created and founded by core center researchers Yan Shoshitaishvili and Wang, with the goal of analyzing binary code to learn about what the program it’s being applied to does. Yan and Wang will lead a team of researchers to significantly improve the state of the art of binary decompilation techniques (transforming a binary program back into readable and understandable source code). As the technical foundation of VOLT, these techniques will enable sound and faithful translation between binary code and their corresponding decompilation output.”
"The ‘angr’ framework enables us to perform 'binary analysis,' which is able to take the ones and zeros of a binary program and allows us to make sense of what the program does,” says Doupé. “On HACCS (Harnessing Autonomy for Countering Cyberadversary Systems), an additional DARPA program we’re involved with, we use 'angr' to automatically identify and exploit bugs in a binary program.
How can this improve defense in the United States?
Imagine this scenario: A modern warfare vehicle, like a tank, has software that runs a vast number of components — from movement mechanisms and the speed of the tread to directional navigation and targeting technology.
“We would not want a security vulnerability that exists (for example) in the wireless communications that allows someone to jam or shut down your systems,” says Doupé. “In this context, it would be very impactful if the tanks were all down while systems reboot. It’s frustrating enough in our everyday lives, let alone within the setting of warfare — it could be catastrophic.
“Governments buy these systems and related software, procure contracts with various companies that build those binary systems to specification and run them. However, even if the government gains access to the source code, they may not have the tool chain of how to build and recompile them. The goal of AMP is to completely automate this process, through mathematical proofs and testing.”
Another challenge from a security perspective is that some control systems run on Windows '98, a software which hasn’t been updated in over a decade. The operating system has accrued a vast history of vulnerabilities and known exploits, which then creates difficulties when securing the system.
On a national level, the Department of Defense is very interested in this type of research.
“The DOD has a lot of manpower that they can direct at a problem, but the flipside is understanding what kind of things they don’t necessarily have power over,” says Doupé. “The key to addressing any security problem is, once identified, you need to actually act on it. One of the key concepts of security is if you find something, you should assume that someone else — say, your adversary — can find it as well.”
What is the problem and the solution?
In general, software and device manufacturers do a good job of fixing problems as they come up, but there are areas where consumers are more vulnerable.
Under DARPA Assured Micropatching, the Center for Cybersecurity and Digital Forensics team is developing new automated methods for “understanding” the machine-readable form of software, reversing the translation process, and generating human-readable source code. They can then repair small segments of code, retranslate the repaired segments and integrate them back into the deployed software. This will allow the team to address security issues in deployed mission-critical software in a timely, cost-effective and scalable manner.
“Operating systems, cellphones, web browsers — all typically have very good systems for pushing out patches, as everyone understands the security importance,” says Doupé. “Phones are another great example where companies are efficient with deploying fixes. Yes, you may be unable to use your phone for a short while, but it’s really important to keep it up to date.”
But not all fixes come to your attention, and not all of them are in your control. For example, when was the last time you updated your Wi-Fi router for security vulnerabilities? And what if a vendor of a product you use through Wi-Fi no longer supports your router anymore? This puts you in a difficult position because you cannot personally apply a fix.
“Ultimately, there should be changes at the policy level to handle cases of companies willingly selling a system that has known security vulnerabilities. They should not have the choice to simply not update software,” says Doupé. “Regulators and policymakers should be thinking about the exact aspect of companies going bankrupt, or no longer supporting the security updates on people’s devices.
“It’s worse from a security perspective if the device works but never receives updates, especially home-based devices that connect to other systems. From the individual level, it’s difficult. My recommendation is to enable automatic updates on every system possible, thus doing your bit for cyber hygiene.
“The unfortunate thing here is that this puts more burden on the consumer to do that research.”