A3: Does Less Code Mean a Smaller Attack Surface?
Return-oriented Programming (ROP), as well as other code-reuse techniques, exploits existing code to launch malicious computations as intended by adversaries. As a result, “innocent” regular code may become a weapon for attackers to harm the program itself. Intuitively, less code means less opportunity for attackers, i.e., a smaller attack surface. This view was shared by many security researchers and practitioners. However, Brown et al. challenged this opinion in paper
Read this paper and answer the questions below. Answer the questions in your own words, even if the answers can be found directly in the paper.
Questions
- (4 points) Summarize this paper in 4 to 8 sentences.
- (1 point) What is software bloating and debloating?
- (1 point) What are the common reasons causing software bloating?
- (1 point) In general, why is it easier to find code-reuse gadgets in x86 than RISC processors like AArch64?
- (1 point) What is the fundamental reason that may make debloated software less secure?
- (1 points) Why is gadget count reduction not a good security metric?
- (2 points) What are this paper’s proposed metrics for measuring the exploitability of code-reuse gadgets? Briefly summarize the metrics.
- (2 points) What are the two suggestions the paper makes for future research on debloating and relevant security measurement?
- (2 points) For the example discussed in Figure 1, why does the debloated version have more ROP gadgets than the original code?
Terminologies not covered in lectures
- JOP: Jump-oriented Programming. Similar to ROP but exploiting instruction sequences ending with a jump instruction.
- COP: Call-oriented Programming. Similar to ROP but exploiting instruction sequences ending with a call instruction.
What you need to submit
Submit your work through Blackboard. The deadline is October 17th by midnight. The submission should be a PDF file that contains the answers to the questions.