The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

DICER: Directed Compilation for Assured Patching

Research Areas: Cyber-Physical Systems

Principal Investigator: Antonio Bianchi

Patching existing code bases quickly is of paramount importance to minimize the exposure of systems after vulnerabilities are discovered. Unfortunately, many issues hinder patch deployment, such as missing source code or unavailability of the original compilation tool-chain. Either full decompilation, patching, and recompilation, or micropatching of the original binary can address this issue. However, these approaches currently do not scale and, more importantly, do not offer any assurance that the patched binary preserves the intended functionality. In fact, formal reasoning about the functionality of a patched binary remains an intractable problem. For these reasons, embedded systems’ code is left unpatched, exposing critical devices to severe security vulnerabilities.

Our proposed system, called DICER , will automatically inject, compile, and verify code patches in binary code, without assuming the existence of the original source code, nor the original compilation tool-chain.

This project is part of a DARPA-sponsored project named DARPA AMP, "Assured Micropatching."

This project resulted in several scientific publications and tools, including:

- Patcherex2, "A versatile and easy-to-use static binary patching tool", https://github.com/purseclab/Patcherex2

- AoT-Attack on Things: A security analysis of IoT firmware updates
In Proceedings of The 8th IEEE European Symposium on Security and Privacy (EuroS&P 2023)
Muhammad Ibrahim, Andrea Continella, Antonio Bianchi.

- PatchVerif: Discovering Faulty Patches in Robotic Vehicles
Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu.
In Proceeding of the USENIX Security Symposium (Usenix SEC), 2023

-  DnD: A Cross-Architecture Deep Neural Network Decompiler
Ruoyu Wu, Taegyu Kim, Dave (Jing) Tian, Antonio Bianchi, Dongyan Xu
In Proceeding of the USENIX Security Symposium (Usenix SEC), 2022

- PGPATCH: Policy-Guided Logic Bug Patching for Robotic Vehicles
Hyungsub Kim, Muslum Ozgur Ozmen, Z. Berkay Celik, Antonio Bianchi, Dongyan Xu.
In Proceeding of the IEEE Symposium on Security and Privacy (S&P), 2022.

 

 

 

 

 

 

Personnel

Other PIs: Dave (Jing) Tian Aravind Machiry Dongyan Xu