Vasileios Kemerlis Wins A $3.2M Grant For OS Kernel Protection

    Click the link that follows for more Brown CS content about Vasileios Kemerlis.

    Bloating, or adding unnecessary functionality to software that damages its performance or ease of use, probably started very soon after the first program was written. For most of us, the reaction is mostly frustration: we only want to make a playlist, or write a letter, and we're distracted by virtual assistants that were intended to be helpful, or we can't find the option we want because the menu has swelled with choices.  

    But Professor Vasileios Kemerlis of Brown University's Department of Computer Science (Brown CS) sees a much bigger problem: "More code means a larger attack surface, and more vulnerabilities. It's no different than trying to protect a mansion against intruders instead of a tiny shed." His work with Georgios Portokalidis of Stevens Institute of Technology and Junfeng Yang of Columbia University has just won a shared $3,200,000 grant from the Office of Naval Research (ONR). "Our proposal," he explains, "uses new methods and tools to reduce the attack surface of deployed binary applications, and then we take advantage of the reduced surface to secure them by adding a breadth of targeted defenses." 

    Their project, ABIDES (Adaptive BInary DEbloating and Security), views attack surface as a multifaceted concept and aims to reduce it by:

    1. hiding and removing unused library and kernel code,
    2. adaptively “hiding” the code that the OS kernel doesn't need during its various phases of execution,
    3. disabling unwanted and potentially buggy features, and
    4. specializing APIs by concretizing function arguments that remain constant across all function invocations.

    To quantify the benefits of reducing the attack surface, Kemerlis and his colleagues will devise metrics that go beyond code size and consider qualitative aspects of the removed or disabled code. Once they reduce the attack surface and identify its various facets, protecting the resultant software becomes much simpler, so they intend to follow that insight by creating effective defenses for debloated software, extending their previous work on continuous code randomization and control-flow integrity (CFI).

    "We're very excited about this," Vasileios says. "Beyond simply removing unused code and functionality, we're developing fine-grained, dynamic debloating techniques, and we think our work will truly improve the state of the art in attack surface reduction for binaries and the OS kernel."

    For more information, click the link that follows to contact Brown CS Communication Outreach Specialist Jesse C. Polhemus.