N-Variant Systems A Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson,

Slides:

Advertisements

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Advertisements

Moving Target Defense in Cyber Security

University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.

Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.

G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.

David Evans University of Virginia Computer Security Research CS696 Fall September 2007.

Address Space Layout Permutation

Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.

KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

Promising Breaks and Breaking Promises David Evans University of Virginia Program Analysis in Theory and Practice.

Carnegie Mellon Selected Topics in Automated Diversity Stephanie Forrest University of New Mexico Mike Reiter Dawn Song Carnegie Mellon University.

CS533 Concepts of Operating Systems Jonathan Walpole.

Mitigation of Buffer Overflow Attacks

N-Variant Systems A Secretless Framework for Security through Diversity Institute of Software Chinese Academy of Sciences 29 May 2006 David Evans

Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science.

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

The N-Variant Systems Framework Polygraphing Processes for Secretless Security University of Texas at San Antonio 4 October 2005 David Evans

Identification and Protection of Security-Critical Data Nora Sovarel University of Virginia Computer Science June 6, 2006 MCS Project Presentation.

University of Virginia Department of Computer Science1 Applications of Software Dynamic Translation Jack Davidson University of Virginia February 27, 2002.

DATA STRUCTURE & ALGORITHMS (BCS 1223) NURUL HASLINDA NGAH SEMESTER /2014.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.

Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

1 Redundant Computing for Security David Evans University of Virginia TRUST Seminar UC Berkeley 25 September 2008 Work with Ben Cox, Anh Nguyen-Tuong,

1 Diversifying Sensors to Improve Network Resilience Wenliang (Kevin) Du Electrical Engineering & Computer Science Syracuse University.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

Where’s the FEEB? Effectiveness of Instruction Set Randomization CERIAS Security Seminar Purdue University 9 March 2005 David Evans University of Virginia.

The Performance of μ-Kernel-Based Systems H. Haertig, M. Hohmuth, J. Liedtke, S. Schoenberg, J. Wolter Presenter: Sunita Marathe.

1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.

G ENESIS : A Framework For Achieving Component Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi.

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.

Buffer overflow and stack smashing attacks Principles of application software security.

Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.

G ENESIS: Security Through Software Diversity John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong University of Virginia Chenxi Wang Carnegie.

Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

What is a Process ? A program in execution.

1 Redundant Computing for Security David Evans University of Virginia Yahoo! Tech Talk 16 October 2008 Work with Ben Cox, Anh Nguyen-Tuong, Jonathan Rowanhill,

ACCESS MATRIX IMPLEMENTATION AND COMPARISON By: Rushabh Dharwadkar Roll no: TE COMP.

A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.

Week#3 Software Quality Engineering.

Lecture 3 – MapReduce: Implementation CSE 490h – Introduction to Distributed Computing, Spring 2009 Except as otherwise noted, the content of this presentation.

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

Efficient Software-Based Fault Isolation

The Hardware/Software Interface CSE351 Winter 2013

University of Virginia

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR

Secure Software Development: Theory and Practice

Countering Trusting Trust through Diverse Double-Compiling

Introduction to Operating Systems

Stealing Secrets and Secretless Security Structures

Jefferson’s Polygraph

Foundations and Definitions

In Today’s Class.. General Kernel Responsibilities Kernel Organization

Meltdown & Spectre Attacks

Presentation transcript:

N-Variant Systems A Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong and Jason Hiser University of Virginia USENIX Security 2006, Vancouver BC

Attacks Require Knowledge Heat (1995)

Artificial Diversity Methods Attack ClassAssumptionsDiversity Code Injection Instruction Set Instruction Set Randomization [Barrantes ], [Kc ] Memory Corruption Address Space Layout Address Space Randomization [Forrest + 97], [Bhatkar ] Return to Lib-C Calling Convention Calling Sequence Diversity Time Of Check To Time Of Use Process Scheduling ??? ………

Limitations of Diversity Methods Requires high entropy –Difficulty scales with the number of possibilities –Low entropy broken by brute force [Shacham +, CCS 04] Attacker can learn the diversity key –Incremental attacks [Sovarel +, USENIX Sec 05] –Side channels Security assurance difficult –Vulnerability changed, not removed –Assumes secrets can be kept

N-Variant System Framework Run variants in parallel with identical inputs Variants designed to vary assumptions Check behavior of variants is equivalent Variant 0 Variant 1 Poly- grapher Monitor

Redundant Execution Debugging [Knowlton 68] –Rearrange code and memory segments of program and run in parallel Robustness [Berger & Zorn 06] –Dynamically randomize layout of heap and run multiple versions in parallel comparing output Security [Reynolds + 03, Totel + 05, Gao + 05] –Design diversity with rough comparison

Proving Detection Detection property –Attack causes states between variants to diverge noticeably –If one variant is compromised another must enter alarm state Normal equivalence –Before attack, variants must be in equivalent states –Deterministic behavior

Example Variations Address space partitioning –Detection property: access injected address –Normal equivalence: addresses identical except for high order bit Instruction set tagging –Detection property: run injected code –Normal equivalence: instructions in variants are same except for tags

Thwarting Attacks Input (Attack) Server Variant 0 Server Variant 1 Output Polygrapher Monitor

Implementation Requirements Polygrapher –Identical inputs to variants at same time Monitor –Continually examine variants completely Variants –Fully isolated, behave identically on normal inputs Too expensive for real systems

Implementation Modified Linux kernel Run variants as processes Create 2 new system calls –n_variant_fork –n_variant_execve Wrap existing system calls –Replicate input –Monitor system calls V0V0 V1V1 V2V2 P0P0 Kernel Hardware

Wrappers Check consistency I/O wrappers (e.g., read(), write() ) –Perform system call once –Return same result to all variants Reflective (e.g., setuid(), signal() ) –Perform corresponding system call on all variants –Check identical result

sys_write_wrapper(int fd, char __user * buf, int len){ if (!IS_VARIANT(current)) { Perform System Call } else { if (!inSystemCall(current->nv_system)) { Save Parameters Sleep Return Result Value } else if (currentSystemCall(current->nv_system) !=SYS_WRITE) { DIVERGENCE – different system calls } else if (!Parameters Match) { DIVERGENCE – different parameters } else if (!isLastVariant(current->nv_system) { Sleep Return Result Value } else { Perform System Call Save Result Wake Up All Variants Return Result Value } }}

Constructing Variants Address Space Partitioning –Specify segments’ start addresses and sizes –OS detected injected address as segmentation fault Instruction Set Tagging –Use Diablo [De Sutter + 03] to insert tags into binary –Use Strata [Scott + 02] to check and remove tags

Results Unmodified Apache 2-Variant, Address Partitioning 2-Variant, Instruction Tagging (1 WebBench client) (5 hosts * 6 each WebBench clients) Apache 1.3 on Linux Latency increase from 2.35 to 2.77 ms 34.2 ms 48.3 ms 17.6 ms

Implementation Limitations Expensive for CPU-bound servers Requires deterministic behavior –Most sources of nondeterminism removed –Timing can be a problem (see poster) Dangerous system calls –execve(), mmap() Variants lack complete isolation Does not address recovery

Fundamental Limitation Only protects against attacks whose assumptions are broken by variations Opportunities –Low entropy variations (e.g., calling conventions, timing, root uid, …) –High-level variations Requires knowledge of application semantics

Summary N-Variant systems employ artificial diversity techniques to provide provable resilience against certain classes of attacks without needing secrets. Supported by the National Science Foundation Cyber Trust Program and DARPA SRS

Questions Supported by National Science Foundation Cyber Trust Program and DARPA SRS