On the Design, Implications, and Effects of Implementing Software Diversity for Security

摘要

Networked computers are running identical and equally vulnerable code, and are under constant attack from a variety of attackers. The prevalence of identical code creates a software monoculture, which encourages attackers. We counter the software monoculture with two methods.;First, we extend Salamat et al.'s multi-variant execution environment to work on 64-bit platforms. A multi-variant execution environment runs multiple versions of a program that are identical in functionality but differ their low-level implementation in parallel and checks for divergences. Central to the multi-variant execution idea is a monitor program, which performs the synchronization tasks while managing input and output. Attacks are detected when variants diverge in their system calls, which is a strong indicator of an attack. With this, we create a limited form of instruction set randomization and system call randomization. However, we developed a simplified heuristic for arrival times between variants.;Another addition to Salamat et al.'s environment enables it to synchronize variants at function call entry. This environment can detect attacks earlier than the original multi-variant execution environment by integrating a dynamic binary instrumentor. The instrumentor performs introspection into the variant that the monitor cannot do. Because of the added code of fine-grained monitoring, this environment uses heuristics to switch between two modes of operation.;Additionally, we examined the problems of creating variants for multi-variant execution environments. To that end, we have developed compiler techniques that generate semantically identical but functionally equivalent executables. Combining these techniques with an online software distribution marketplace---such as Apple's App Store or Google Play---makes it possible to distribute a unique executable to all users. Our compiler focuses on a particular class of code-reuse attacks, where attackers utilize the code already present in an executable and does so in a way that is transparent to both developers and users. These attacks require intimate knowledge of the internal layout of an executable and is only feasible on a wide scale because of the software monoculture. The compiler has several methods of diversifying software, which allow the user to customize the performance/security tradeoff. Our analysis shows that large-scale diversity is possible, with a reasonable performance overhead while also effectively thwarting code-reuse attacks. In addition, we have done case studies to measure the effects of the compiler's methods and examined many aspects of how these variants can be used.