Patents Assigned to RunSafe Security, Inc.
  • Patent number: 11934517
    Abstract: Systems and methods of defending against stack-based cybersecurity attacks that exploit vulnerabilities in buffer overflows. The embodiments disclosed herein propose hijacking program flow in a program binary by inserting call-checking CFI code before calling a target. Examples of a target can be a function within the program binary, a register, or a memory location. If the call target is a valid call target (e.g., included in a global list of addresses), normal program flow resumes and the program flow is transferred to the target. On the contrary, if the call target is not a valid call target (e.g., not included in a global list of addresses), the program binary is deliberately crashed.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: March 19, 2024
    Assignee: RunSafe Security, Inc.
    Inventor: Erik Raymond Lotspeich
  • Patent number: 11853412
    Abstract: Systems and methods of defending against stack-based cybersecurity attacks that exploit vulnerabilities in buffer overflows. The embodiments disclosed herein propose applying a randomized modification to the original size of the stack frames of functions of a program. By applying a randomized modification to the length of the stack frame, e.g., randomly increasing the length of the allocated stack frame memory, it becomes harder (if not impossible) for the attacker to guess or estimate the memory location where the return address of a function is stored, regardless of the attacker's knowledge of the length of the stack frame. Multiple implementations, e.g., randomizations at transform time, load time, and run time are discussed herein.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: December 26, 2023
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Shane Paulsen Fry, David Nicholas Graham
  • Patent number: 11816211
    Abstract: An apparatus and method for responding to an invalid state occurrence encountered during execution of a third-party application program is included. The apparatus performs the method, which includes registering a trap signal handler with a kernel of an operating system. The method also includes intercepting calls from the third-party application program to the operating system and processing an exception signal corresponding to the invalid state to generate a response. The response includes performing a signal reporting process.
    Type: Grant
    Filed: July 29, 2021
    Date of Patent: November 14, 2023
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Shane Fry, Brent Bessemer
  • Patent number: 11720474
    Abstract: A method, system, or apparatus to debug software that is reorganized in memory is presented. A post-mortem debugging session is established by loading an executable code component corresponding to a packed binary file into memory. A randomly reorganized layout of the machine code corresponding to the blocks of the original source code is generated based on a transformation defined in a function randomization library corresponding to the blocks of original source code. A core dump file corresponding to the crash event associated with the executing of the executable code component and a debug data file that includes symbol table information to debug the blocks of the original source code are received. An updated debug data file is generated that includes symbol table information corresponding to the randomly reorganized layout. A debugger program is called with the executable code component, the core dump file, and the updated debug data file.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: August 8, 2023
    Assignee: RUNSAFE SECURITY, INC.
    Inventor: Mitchell Lee Souders
  • Patent number: 11693760
    Abstract: A method, system, or apparatus to debug software that is reorganized in memory is presented. An interactive debugging session is established with an executable code component corresponding to a packed binary file that includes machine code corresponding to blocks of original source code. A randomly reorganized layout of the machine code is generated in memory based on a transformation defined in a function randomization library. An in-memory object file is created by using a debug data component corresponding to the packed binary file. The debug data component includes symbol table information to debug the blocks of the original source code generated prior to the randomly reorganized layout. The symbol table information is updated based on the randomly reorganized layout of the machine code, and the debugger program is instructed to load the in-memory object file with the updated symbol information to debug the blocks of the original source code.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: July 4, 2023
    Assignee: RUNSAFE SECURITY, INC.
    Inventor: Mitchell Lee Souders
  • Patent number: 11650803
    Abstract: Systems and methods of cyber hardening software by modifying one or more assembly source files. In some embodiments, the disclosed SME tool transparently and seamlessly integrates into the build process of the assembly source files being modified. For example, upon integration of the disclosed SME tool into the application's development environment, the modifications in the final executable are transparent to the developer and can support other cyber hardening techniques. The SME tool includes a preprocessing tool for identifying attributes (e.g., functions) associated with the assembly source file. The SME tool also includes a transformation tool for making modifications of the assembly source file. In some embodiments, the transformations correspond to applying one or more transformations to the attributes associated with the assembly source file.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: May 16, 2023
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Erik Raymond Lotspeich, Shane Paulsen Fry, Doug Britton
  • Patent number: 11500982
    Abstract: Systems and methods of modifying a program binary by injecting code into a function of a program binary that tokenizes the return address of the function. The tokenization of the return address improves the robustness of the program binary against cyberattacks. For example, an attacker's attempt to hijack program flow before a function return will fail since any return address modified by the adversary will be tokenized (e.g., using a binary operation such as an XOR), resulting in an unusable address that will cause the system to crash. One advantage of the improved CFI is that it consumes less average overhead and does not require all of the complications of conventional CFI systems. In some embodiments, the tokenization includes applying a binary operation on a randomly-generated token and the return address. The token can be generated at transform time, load time, or run time.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: November 15, 2022
    Assignee: RUNSAFE SECURITY, INC.
    Inventor: Erik Raymond Lotspeich
  • Patent number: 11461472
    Abstract: Disclosed is a test engine intended to evaluate the correctness and measure the performance effects of a binary transformation technique. The disclosed system takes source code and compiler information/flags as input. The transformation-under-test is applied to the compiler, creating a transformed compiler. A random test case generator residing within the test engine injects illegal code structures to modify the project source code, build flags, or the compiler's operating environment, thereby creating an unlimited number of input test cases for the compiler. The test engine compiles the source code utilizing both the raw and transformed compilers and compares the results. For example, the test engine renders a pass/fail judgement on the binary transformation based on a metric of near equivalence between the results of the raw compiler and the transformed compiler. By using one or more bitmasks, the evaluation process factors in differences attributed to compiler run-time generated artifacts.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: October 4, 2022
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Doug Britton, Shane Paulsen Fry, Andrew Murray, Michael Wittner
  • Patent number: 11340915
    Abstract: Embodiments disclosed herein are directed at applying transformations to computer code residing in original libraries for protection against cyberattacks. For example, the transformations applied on original libraries cause random reorganization of the computer code resulting in a transformed version of an original library. Although a malicious attacker can utilize a known exploit of the original library and launch a cyberattack, such knowledge is of no use on the transformed version of the original library. In some embodiments, the transformed version of the original library is stored in cache memory and shared by multiple executable programs to facilitate efficient memory utilization.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: May 24, 2022
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Stephen James Crane, Andrei Homescu
  • Patent number: 11113392
    Abstract: An automated and processor agnostic method is described for modifying one or more executable binary files to insert one or more new software segments to modify the execution of the one or more executable binary files in at least certain circumstances. The modification takes into account the target microprocessor architecture of the one or more executable binary files which can be in the ELF format. In one embodiment, the new software segments are configured to add at least monitoring capabilities to monitor control flow integrity during execution of the one or more executable binary files.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: September 7, 2021
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Erik Raymond Lotspeich, David Nicholas Graham
  • Patent number: 10326793
    Abstract: Systems and methods for guarding a controller area network are disclosed. In one embodiment, a system for guarding a controller area network comprises one or more processors. The one or more processors may be configured to receive a message destined for the controller area network. The one or more processors may further be configured to determine whether the message is legitimate. The one or more processors may further be configured to modify the message, if the message is determined as illegitimate, as an error message.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: June 18, 2019
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Andrew Michael Wesie, Joseph Michael Saunders
  • Patent number: 10140130
    Abstract: A system and method for obfuscating binary codes are disclosed. In one embodiment, the system for obfuscating binary codes comprises one or more processors. The one or more processors may be configured to receive a binary file. The one or more processors may further be configured to obfuscate the binary file. The obfuscation may be based on rewriting the binary file and generating a second binary-randomized binary file. The binary file and the second binary-randomized binary file are functionally equivalent. The obfuscation may be based on randomizing the binary file at load time, without changing functionality of the binary file.
    Type: Grant
    Filed: April 7, 2016
    Date of Patent: November 27, 2018
    Assignee: RUNSAFE SECURITY, INC.
    Inventors: Andrew Michael Wesie, Brian Sejoon Pak
  • Patent number: 9805188
    Abstract: An improved CFI system and method is described that provides security from attacks that hijack computer software. The improved CFI system and method inserts two tags to execute label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check. The second tag is located before the first line of any legitimate transfer destination and, when discovered by the tag check, allows the program to carry out the indirect transfer. This tag orientation does not prevent transfers to targets other than the origin instruction's specific intended destination, but it limits transfers to destinations that begin with the proper label dedication. Although an incorrect address may be called, it will be within the software program's assortment of legitimate indirect transfer targets. Attempts to exploit or reroute indirect transfers outside of the established control flow are eliminated.
    Type: Grant
    Filed: November 11, 2014
    Date of Patent: October 31, 2017
    Assignee: RunSafe Security, Inc.
    Inventors: Andrew Michael Wesie, Brian Sejoon Pak
  • Publication number: 20160366178
    Abstract: Systems and methods for guarding a controller area network are disclosed. In one embodiment, a system for guarding a controller area network comprises one or more processors. The one or more processors may be configured to receive a message destined for the controller area network. The one or more processors may further be configured to determine whether the message is legitimate. The one or more processors may further be configured to modify the message, if the message is determined as illegitimate, as an error message.
    Type: Application
    Filed: June 9, 2016
    Publication date: December 15, 2016
    Applicant: RunSafe Security, Inc.
    Inventors: Andrew Michael WESIE, Joseph Michael SAUNDERS