Ioannis Agadakos, Nicholas DeMarinis, Di Jin, Kent Williams-King, Jearson Alfajardo, Benjamin Shteinfeld, David Williams-King, Vasileios P. Kemerlis, Georgios Portokalidis. Large-Scale Debloating of Binaries and Shared Libraries. Nov 2020.
Developers nowadays have access to an arsenal of toolkits and libraries for rapid application prototyping. However, when an application loads a library, the entirety of that library's code is mapped into the process address space, even if only a single function is actually needed. The unused portion is bloat that can negatively impact software defenses by unnecessarily inflating their overhead or increasing the attack surface. In this paper, we investigate whether debloating is possible and practical at the binary level. To this end, we present libfilter: a system that identifies and erases unused functions within dynamic shared libraries. libfilter works in tandem with defenses like continuous code re-randomization and control-flow integrity, enhancing them without incurring additional run-time overhead. We developed and tested a prototype of libfilter on x86-64 Linux; libfilter reduces the size of shared libraries and the number of available functions, for real-world binaries and the SPEC CINT2006 suite, by up to 56% and 82%, respectively. We also demonstrate that libfilter benefits defenses by showing that: (i) it improves the deployability of a continuous re-randomization system for binaries, namely Shuffler, by increasing its efficiency by 20%, and (ii) it improves certain fast, but coarse and context-insensitive control-flow integrity schemes by reducing the number of gadgets reachable through indirect branch instructions by 75% and 49%, on average. Lastly, we apply libfilter on ≈30k C/C++ binaries and ≈5k unique dynamic shared libraries (i.e., almost the complete set of the Debian sid distribution), as well as on 9 official Docker images (with millions of downloads in Docker Hub), reporting entrancing findings regarding code bloat at large.
Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, Vasileios P. Kemerlis. sysfilter: Automated System Call Filtering for Commodity Software. 23rd International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), Oct 2020.
Modern OSes provide a rich set of services to applications, primarily accessible via the system call API, to support the ever-growing functionality of contemporary software. However, despite the fact that applications require access to only part of the system call API (to function properly), OS kernels allow full and unrestricted use of the entire system call set. This not only violates the principle of least privilege, but also enables attackers to utilize extra OS services, after seizing control of vulnerable applications, or to escalate privileges further by exploiting vulnerabilities in less-stressed kernel interfaces.
To tackle this problem, we present sysfilter: a binary analysis-based framework that automatically (1) limits what OS services attackers can (ab)use, by enforcing the principle of least privilege with respect to the system call API, and (2) reduces the attack surface of the kernel, by restricting the system call set available to userland processes. We implement sysfilter for x86-64 Linux, and present a set of program analyses for constructing system call sets statically, and in a scalable, precise, and complete (safe over-approximation) manner. In addition, we evaluate our prototype in terms of correctness using 411 binaries (real-world C/C++ applications) and ≈38.5K tests to assert their functionality. Furthermore, we measure the impact of our enforcement mechanism(s), demonstrating minimal, or negligible, run-time slowdown. Lastly, we conclude with a large scale study of the system call profile of ≈30K C/C++ applications (from Debian sid), reporting insights that justify our design and can aid that of future (system call-based) policing mechanisms.
Nicholas DeMarinis, Stefanie Tellex, Vasileios P. Kemerlis, George Konidaris, Rodrigo Fonseca. Scanning the Internet for ROS: A View of Security in Robotics Research. International Conference on Robotics and Automation (ICRA), May 2019.
Security is particularly important in robotics, as robots can directly perceive and affect the physical world. We describe the results of a scan of the entire IPv4 address space of the Internet for instances of the Robot Operating System (ROS), a widely used robotics software platform. We identified a number of hosts supporting ROS that are exposed to the public Internet, thereby allowing anyone to access robotic sensors and actuators. As a proof of concept, and with the consent of the relevant researchers, we were able to read image sensor information from, and actuate, a physical robot present in a research lab at an American university. This paper gives an overview of our findings, including our methodology, the geographic distribution of publicly accessible platforms, the sorts of sensor and actuator data that are available, and the different kinds of robots and sensors that our scan uncovered. Additionally, we offer recommendations on best practices to mitigate these security issues in the future.
Nicholas DeMarinis, Rodrigo Fonseca. Toward Usable Network Traffic Policies for IoT Devices in Consumer Networks. ACM Workshop on IoT Security and Privacy (IoTSP), Nov 2017.
The Internet of Things (IoT) revolution has brought millions of small, low-cost, connected devices into our homes, cities, infrastructure, and more. However, these devices are often plagued by security vulnerabilities that pose threats to user privacy or can threaten the Internet architecture as a whole. Home networks can be particularly vulnerable to these threats as they typically have no network administrator and often contain unpatched or otherwise vulnerable devices.
In this paper, we argue that the unique security challenges of home networks require a new network-layer architecture to both protect against external threats and mitigate attacks from compromised devices. We present initial findings based on traffic analysis from a small-scale IoT testbed toward identifying predictable patterns in IoT traffic that may allow construction of a policy-based framework to restrict malicious traffic. Based on our observations, we discuss key features for the design of this architecture to promote future developments in network-layer security in smart home networks.
Tim Nelson, Nicholas DeMarinis, Timothy Adam Hoff, Rodrigo Fonseca, Shriram Krishnamurthi. Switches are Monitors Too! Stateful Property Monitoring as a Switch Design Criterion. ACM Workshop on Hot Topics in Software Defined Networking (HotNets), Nov 2016.
Testing and debugging networks in situ is notoriously difficult. Many vital correctness properties involve histories over multiple packets (e.g., prior established connections). Checking such properties requires cross-packet state, which cannot be fully captured on stateless switch hardware.
Recent SDN work is enabling limited switch operations on persistent state. We present runtime checking of cross-packet correctness properties as a unique and instructive use case for developing stateful switch primitives. In this paper, we examine a set of cross-packet properties and distill from them switch features needed to monitor their correctness. We then contrast these against features provided by current approaches to switch state in SDNs and identify semantic gaps with an eye toward informing future switch instruction sets.
Tim Nelson, Nicholas DeMarinis, Timothy Adam Hoff, Rodrigo Fonseca, Shriram Krishnamurthi. Compiling Stateful Network Properties for Runtime Verification. arXiv preprint, July 2016.
Networks are difficult to configure correctly, and tricky to debug. These problems are accentuated by temporal and stateful behavior. Static verification, while useful, is ineffectual for detecting behavioral deviations induced by hardware faults, security failures, and so on, so dynamic property monitoring is also valuable. Unfortunately, existing monitoring and runtime verification for networks largely focuses on properties about individual packets (such as connectivity) or requires that a digest of all network events be sent to a server, incurring enormous cost.
We present a network monitoring system that avoids these problems. Because traces of network events correspond well to temporal logic, we use a subset of Metric First-Order Temporal Logic as the query language. These queries are compiled down to execute completely on the network switches. This vastly reduces network load, improves the precision of queries, and decreases detection latency. We show the practical feasibility of our work by extending a widely-used software switch and deploying it on networks. Our work also suggests improvements to network instruction sets to better support temporal monitoring.