Top-conference paper reading: [NDSS 2018] InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs ...

Copyright notice: if you reproduce or quote this post, please credit the source. https://blog.csdn.net/weixin_39278265/article/details/87732139

Preface

This post is a reading of the NDSS 2018 paper: InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs on Android.

1 Basic information

Chen Y, Li Y, Lu L, et al. InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs on Android[C]//2018 Network and Distributed System Security Symposium (NDSS’18). 2018.

Oddly, this paper cannot be found on Baidu Scholar.
And on Google Scholar, nobody has cited it yet.

First author: Yaohui Chen
University: Northeastern University (located in Boston, the capital of Massachusetts; a top private research university in the US), university homepage: https://www.northeastern.edu/
First author's publications: https://scholar.google.com/citations?user=8-1ve50AAAAJ&hl=zh-CN&oi=sra
One S&P paper every year from 2016 to 2018 (second author only in 2018, first author on the others)
Plus an NDSS paper in 2018; very impressive.

Two other authors on the list deserve attention:

1.1 Long Lu

Seems to be the first author's advisor, also at Northeastern; recently landed a USD 3 million project, very strong.
Google Scholar profile: https://scholar.google.com/citations?user=5whzpxEAAAAJ&hl=zh-CN&oi=sra
Homepage: https://www.longlu.org/

Why he is worth following:
1) At the frontier of the security field, with many good papers; a big name;
2) His homepage has many lecture slides (security courses): https://www.longlu.org/teaching/ worth reading when needed.

1.2 Zhi Wang

Google Scholar profile: https://scholar.google.com/citations?user=Y9SwH_0AAAAJ&hl=zh-CN&oi=sra
Homepage: http://www.cs.fsu.edu/~zwang/

Why he is worth following:
1) Author of Adaptive Android Kernel Live Patching;
2) A big name in security; his papers have 3439 citations (as of 2019-02-19 20:33:52);
3) His homepage likewise has many useful lecture slides.

2 Paper content

First, what hot-patches are:

Hot-patches, easier to develop and faster to deploy than permanent patches, are used to timely (and temporarily) block exploits of newly discovered vulnerabilities while permanent patches are being developed and tested. Researchers recently proposed to apply hot-patching techniques to system programs on Android as a quick mitigation against critical vulnerabilities.

Then the challenge (however):

However, existing hot-patching techniques, though widely used in conventional computers, are rarely adopted by Android OS or device vendors in reality.

The authors' explanation (why the challenge exists):

Our study uncovers a major hurdle that prevents existing hot-patching methods from being effective on mobile devices: after being developed, hot-patches for mobile devices have to go through lengthy compatibility tests that Android device partners impose on all system code updates. This testing and release process can take months, and therefore, erase the key benefit of hot-patches (i.e., quickly deployable).

Their tool:

We propose InstaGuard, a new approach to hot-patch for mobile devices that allows for instant deployment of patches (i.e., “carrier-passthrough”) and fast patch development for device vendors.

Advantages compared with other tools:

Unlike existing hot-patching techniques, InstaGuard avoids injecting new code to programs being patched. Instead, it enforces instantly updatable rules that contain no code (i.e., no carrier test is needed) to block exploits of unpatched vulnerabilities in a timely fashion.

Difficulties overcome:

When designing InstaGuard, we overcame two major challenges that previous hot-patching methods did not face. First, since no code addition is allowed, InstaGuard needs a rule language that is expressive enough to mitigate various kinds of vulnerabilities and efficient to be enforced on mobile devices. Second, rule generation cannot require special skills or much efforts from human users.

Fleshing out the work:

We designed a new language for hot-patches and an enforcement mechanism based on the basic debugging primitives supported by ARM CPUs. We also built RuleMaker, a tool for automatically generating rules for InstaGuard based on high-level, easy-to-write vulnerability descriptions.

Experiments and results:

We have implemented InstaGuard on Google Nexus 5X phones. To demonstrate the coverage of InstaGuard, we show that InstaGuard can handle all critical CVEs from Android Security Bulletins reported in 2016. We also conduct unit tests using critical vulnerabilities from 4 different categories. On average, InstaGuard increases program memory footprint by 1.69% and slows down program execution by 2.70%, which are unnoticeable to device users in practice.

The gist:
Hot-patches are easier to develop and faster to deploy than permanent patches, and are typically used to block exploitation of a newly discovered vulnerability before the permanent patch is available. Researchers have recently started applying hot-patching to Android system programs as a quick mitigation for critical vulnerabilities.

However, existing hot-patching techniques are mostly used on conventional computers and have not been adopted by the Android OS or by device vendors.

The paper finds one reason: with current techniques, hot-patches for mobile devices must go through an overly long compatibility-testing cycle, so the patch is no longer "hot", i.e. no longer a quick fix.

The authors therefore propose InstaGuard, which allows patches to be deployed and developed quickly. Unlike existing techniques, it injects no additional code into the program; instead it enforces instantly updatable rules, which contain no code and therefore need no carrier test.

This requires a new rule language, which raises two challenges: 1) how to build a rule language that is expressive, efficient, and suited to mobile devices; 2) how to make rule generation simple (so that people can readily produce rules). The paper's two answers: 1) a rule language whose enforcement is built on the basic debugging primitives (breakpoints and watchpoints) of ARM CPUs; 2) RuleMaker, a tool that generates rules automatically from high-level vulnerability descriptions.

The authors implemented InstaGuard on Google Nexus 5X phones and show that it can handle all critical CVEs in the 2016 Android Security Bulletins. Better still, InstaGuard barely affects program performance (on average 1.69% more memory and 2.70% slower execution).

3 A few Q&As

3.1 QA1

Q: What existing hot-patching techniques are there?

Reference (quoted from the paper):

To remedy the prolonged security update process that plagues Android OS, researchers proposed to apply vulnerability hot-patching techniques to system programs on Android that cannot be updated till the next OS upgrade [32], [28], [37], [22].

However, despite the wide adoption in desktops and servers [6], [1], [13], hot-patch solutions are not well received on Android platforms.

Despite the obvious need for hot-patching on Android and the availability of existing techniques [1], [13], [6], mobile device vendors rarely introduce hot-patching to Android.

We call a hot-patching system “restrictive” when its patches can only restrict program execution (e.g., forbidding certain execution paths), rather than amplifying it (e.g., add new execution paths or permissions), which may lead to abuse of the hot-patching system itself as previously reported [15], [17]

Many hot patching techniques have been proposed, including those for computer programs [30], [21], [18], [20], [24], [26], for the Linux kernel [35], [6], [19], and more recently, for Android [28], [22].

Program vulnerability detection and repair techniques:

This line of research is related to InstaGuard in that they represent parallel methods for reducing the vulnerability response or patching time. DIRA [34] removes certain control-hijacking vulnerabilities from programs via recompilation. Automatic patches were also used to defend against worms [33]. VSEF [29] hardens program binaries by filtering out execution traces that correspond to exploitations of specific vulnerabilities. First-Aid [23] monitors program execution for memory management bugs. When it determines such a bug is triggered, it reverts the program execution to the last checkpoint and allows it to proceed with patched code.

Talos [25] is a recent vulnerability mitigation system. It pre-plants a kill-switch in every function in a program. When a function is later found vulnerable, it activates the corresponding kill-switch to disable that function. Talos achieves vulnerability mitigation without using code patches.

3.2 QA2

Q: What challenges in this area remain unsolved?
A:
1) Patching cannot keep up with the pace at which vulnerabilities are discovered. (Fast patch generation, automatic program repair, automatic code generation?)
2) Patching takes too long, and there is the fear of introducing new bugs. (Test-case-related testing techniques, unit tests, regression tests? Test-case generation? Shortening the testing time.)
3)

Relevant passage from the paper:

A daunting challenge for securing the Android ecosystem is device vendors’ inability of instantly releasing system security updates to users’ devices. For example, the notorious QuadRooter vulnerabilities [12], affecting more than 900 million Android devices equipped with Qualcomm chipsets, were initially reported to Google in April 2016. However, it was after 5-7 months that large device vendors such as Samsung and HTC started pushing out system updates that finally patched the vulnerabilities. Even today, more than a year since the disclosure of the vulnerabilities, a large number of devices from other vendors have not been patched or will never receive a patch.

3.3 QA3

Q: What are the paper's shortcomings? Future work?

A: First, I think this is not work that one person could complete: a broad investigation (including inside Google); development of the hot-patching technique (rule language design plus automatic rule generation); experimental validation (including having experts verify it; deployment on Google phones). It could go fast or slow, depending on the authors' ability.

This is a half-academic, half-industrial paper.


The figures alone show the level of the work.

3.4 How InstaGuard mitigates a vulnerability

On the vendor side:
1) From the vulnerability report, write a high-level vulnerability description (vulnerability type; code location; data involved);
2) Use RuleMaker to generate the rule automatically (target; breakpoints/watchpoints; assertions);
3) Send the rule to the client (the mobile device). Because the rule contains no code, it can bypass the carriers' compatibility tests ("carrier-passthrough").

On the device side:
1) A system daemon receives the rule and installs it on the spot, using the CPU's debugging primitives rather than modifying the program's code;
2) Whenever a breakpoint or watchpoint in the rule fires, the assertion is evaluated, and execution paths that could trigger the vulnerability are blocked.
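The two-sided procedure above, as an added example (my own toy model, not InstaGuard's code or its real rule syntax, which the paper does not reproduce here): a small Python engine standing in for the on-device daemon. It installs code-free rules into a fixed budget of breakpoint/watchpoint slots and evaluates each rule's assertion when the corresponding debug event fires. The assertion grammar admits only comparisons, so a rule can decide to block but can never add behaviour, which is the "restrictive" property QA1 quotes. The target name libdemo.so, the addresses, the register names, the constructed vulnerabilities and the slot budget of 6 breakpoints and 4 watchpoints are all assumptions made for the example (the budget stands in for the small number of hardware debug registers an ARM core provides).

```python
import re

# Debug-register budget of the core the rules are enforced on. The numbers are
# an assumption for this example: real cores expose a handful of hardware
# breakpoint and watchpoint registers, not an unlimited supply.
MAX_BREAKPOINTS = 6
MAX_WATCHPOINTS = 4

# Assertion grammar accepted by this toy rule language (constructed here):
#   assertion := clause ( "&&" clause )*
#   clause    := operand cmp operand
#   operand   := register | "[" register-or-integer "]" (memory read) | integer
# Only comparisons are expressible: a rule can decide to block, never to write
# registers or memory, so the hot-patch is "restrictive" by construction.
_CLAUSE = re.compile(r"^\s*(\[[^\]]+\]|\w+)\s*(==|!=|<=|>=|<|>)\s*(\[[^\]]+\]|\w+)\s*$")
_CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


class RuleError(ValueError):
    """Raised for rules the engine refuses to install or cannot evaluate."""


def parse_assertion(text):
    """Split an assertion into (lhs, op, rhs) clauses; reject anything else."""
    clauses = []
    for part in text.split("&&"):
        m = _CLAUSE.match(part)
        if not m:
            raise RuleError(f"malformed assertion clause: {part.strip()!r}")
        clauses.append((m.group(1), m.group(2), m.group(3)))
    return clauses


class Rule:
    """One code-free hot-patch rule: target, breakpoint/watchpoint, assertion."""

    def __init__(self, target, kind, location, assertion, name="unnamed"):
        if kind not in ("breakpoint", "watchpoint"):
            raise RuleError(f"unknown rule kind {kind!r}")
        self.target, self.kind, self.location, self.name = target, kind, location, name
        self.assertion = assertion
        self.clauses = parse_assertion(assertion)   # validated at install time


class RuleEngine:
    """Models the on-device daemon: installs rules into a fixed number of
    debug-register slots and evaluates assertions on each debug event."""

    def __init__(self, target, max_bp=MAX_BREAKPOINTS, max_wp=MAX_WATCHPOINTS):
        self.target = target
        self.slots = {"breakpoint": {}, "watchpoint": {}}
        self.capacity = {"breakpoint": max_bp, "watchpoint": max_wp}
        self.blocked = []          # (rule name, location) of every blocked hit

    def install(self, rule):
        if rule.target != self.target:
            raise RuleError(f"rule targets {rule.target!r}, engine guards {self.target!r}")
        table = self.slots[rule.kind]
        if rule.location not in table and len(table) >= self.capacity[rule.kind]:
            raise RuleError(f"no free {rule.kind} register for {rule.location:#x}")
        table.setdefault(rule.location, []).append(rule)

    @staticmethod
    def _operand(token, regs, mem):
        if token.startswith("["):                      # memory read via register or literal
            addr = RuleEngine._operand(token[1:-1].strip(), regs, mem)
            if addr not in mem:
                raise RuleError(f"rule reads unmapped address {addr:#x}")
            return mem[addr]
        if token in regs:
            return regs[token]
        try:
            return int(token, 0)                        # decimal or 0x.. literal
        except ValueError:
            raise RuleError(f"unknown operand {token!r}") from None

    def on_event(self, kind, location, regs, mem=None):
        """Called when a breakpoint/watchpoint at `location` fires with the
        register and memory snapshot the trap handler supplies. Returns
        "continue" if every attached assertion holds, "block" otherwise."""
        mem = mem or {}
        for rule in self.slots[kind].get(location, []):
            holds = all(_CMP[op](self._operand(a, regs, mem), self._operand(b, regs, mem))
                        for a, op, b in rule.clauses)
            if not holds:
                self.blocked.append((rule.name, location))
                return "block"
        return "continue"


def build_demo_engine():
    """Constructed scenario: a hypothetical libdemo.so has a memcpy at 0x1234
    that copies r2 bytes into a 256-byte stack buffer, and a length field at
    0x4000 that must never hold a value above 64."""
    eng = RuleEngine("libdemo.so")
    eng.install(Rule("libdemo.so", "breakpoint", 0x1234,
                     "r2 <= 0x100 && r0 != 0", name="demo-overflow"))
    eng.install(Rule("libdemo.so", "watchpoint", 0x4000,
                     "[0x4000] <= 64", name="demo-length"))
    return eng


def demo():
    """Replay a few debug events against the demo rules; returns the verdicts."""
    eng = build_demo_engine()
    verdicts = [
        eng.on_event("breakpoint", 0x1234, {"r0": 0xBEEF0000, "r2": 64}),      # benign copy
        eng.on_event("breakpoint", 0x1234, {"r0": 0xBEEF0000, "r2": 4096}),    # overflow attempt
        eng.on_event("watchpoint", 0x4000, {}, {0x4000: 16}),                  # sane length
        eng.on_event("watchpoint", 0x4000, {}, {0x4000: 4096}),                # corrupted length
        eng.on_event("breakpoint", 0x5678, {"r2": 1 << 20}),                   # no rule here
    ]
    return verdicts, eng.blocked


if __name__ == "__main__":
    print(demo())
```

The engine never patches instructions or adds code paths: a rule is pure data (target, location, comparison), which is exactly why such a rule can skip the carrier tests that a code update would trigger, and why the grammar rejecting assignments matters.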

Summary

Lost in thought...

See my own annotations.

What could still be done & the future work the authors give.

References

[1] Northeastern University https://baike.baidu.com/item/东北大学/1922114?fromtitle=Northeastern University&fromid=4255913&fr=aladdin

Created: 2019-02-19 23:16:13
Modified: 2019-02-21 13:28:58
