Standard protocols such as SSL, SSH, etc. are implemented as one-size-fits-all libraries. To maximize compatibility, these libraries implement rarely used features that increase attack surface. Examples include the SSL Heart Beat feature (HeartBleed) and weak SSH ciphers (LOGJAM). The Navy would like to reduce software attack surface by removing unused protocol features. Our proposal, LeastProtocol, aims to develop a means to identify and eliminate features from existing software binaries. We will base our feature removal and identification research on two techniques: monitored execution and differential slicing. Multiple research papers have demonstrated that monitored execution combined with statistical techniques can map coarse protocol features to implementation code. Differential slicing compares two program executions and identifies locations where execution differs, enabling precise feature identification. For Phase 1, we will implement a proof of concept that works on a single protocol and implementation. The protocol and implementation will be of a real, deployed protocol but limited to open source software that runs on x86 Linux. We envision LeastProtocol will accept a protocol specification, a list of features, and a program binary. The tool will output a new binary that speaks the same protocol sans unwanted features.
Benefit: The Navy maintains numerous COTS and GOTS software installations that utilize standard protocol libraries. These libraries include features unused by the Navy, but which cannot be disabled, needlessly increasing attack surface. LeastProtocol would reduce attack surface by eliminating these unused features while preserving standard protocol functionality and semantics. Ships, submarines and airplanes utilize multiple networked computers that live in a closed environment -- they only ever talk to each other, not the outside world. Due to development costs, software on these machines uses standard protocol libraries, even though standard protocols are not required because there are not external clients. LeastProtocol could transform these systems into versions that only speak the minimal required protocol, which may break standard compatibility. The benefit to the military is twofold: first, a reduction in attack surface and software complexity, and second, a reliable means to identify intruders. Any machine speaking the full standard protocol in this closed system would be highly suspicious. Large financial institutions face a problem similar to the military: they maintain business-critical proprietary software built with standard libraries, but desire to minimize attack surface. Trail of Bits has been in contact with a large financial firm that is a perfect use-case for LeastProtocol. The firm runs software that must talk to banks via a standard protocol. The software is relatively old and may not have been developed with proper security development guidelines. The source code is not available. We are currently helping the firm identify the full extent of actions supported by the software using our open source program analysis tools. LeastProtocol would allow the firm keep required functionality but eliminate features that may lead to compromise or unwanted actions. From having done multiple consulting and software development engagements with large financial institutions, we are aware that this particular issue is endemic to the financial industry. A reliable solution for identifying and removing unwanted features from protocol libraries could be repeatedly licensed to financial firms and become a successful product that does not rely on further government support.
Keywords: protocol subsetting, protocol subsetting, protocol minimization, Feature Identification, Feature removal, program analysis
