N-Variant Systems and Data Diversity
Benjamin Cox, University of Virginia
M.C.S. Presentation, May 3, 2007
Artificial Diversity Methods
• Randomize a property of the program to break exploits
• Requires high entropy
  • Difficulty scales with the number of possibilities
  • Low entropy is broken by brute force [Shacham+, CCS 04]
• Attacker can learn the randomization key
  • Incremental attacks [Sovarel+, USENIX Sec 05]
  • Side channels
• Security assurance is difficult
  • Vulnerability is changed, not removed
  • Assumes secrets can be kept
N-Variant System Framework
• Run variants in parallel with identical inputs
• Variants are designed to vary assumptions
  • Address space
  • Instruction set
• Check that the behavior of the variants is equivalent
(Diagram: input enters the Polygrapher, which feeds identical copies to Variant 0 and Variant 1; both variants' outputs go to the Monitor.)
Thwarting Attacks
(Diagram: Input (Attack) enters the Polygrapher, which copies it to Server Variant 0 and Server Variant 1; the Monitor compares their behavior before producing Output.)
Implementation
• Modified Linux 2.6.16 kernel
• Run variants as processes
• Create 2 new system calls
  • n_variant_fork
  • n_variant_execve
• Wrap existing system calls
  • Replicate input
  • Monitor system calls
(Diagram: variant processes V0, V1, V2 and a normal process P0 running on the kernel, which runs on the hardware.)
Fundamental Limitation
• Only protects against attacks whose assumptions are broken by the variations
  • Address space partitioning: memory corruption attacks [Cox+, USENIX Sec 06]
  • Instruction set tagging: code injection attacks [Cox+, USENIX Sec 06]
• Can we defend against other attacks?
Data Corruption Attacks
• Programs use data to control behavior
  • Program(Data) → Normal Behavior
• Attackers corrupt data to change program behavior
  • Program(Corrupted Data) → Malicious Behavior
Data Corruption Attacks (example program)

    uid_t user_id;
    char* name;
    user_id = authenticate();
    /* ... */
    if (user_id == 0) {
        /* ... */
    } else {
        /* ... */
    }
    setuid(user_id);

Normal run: authenticate() returns 500, so user_id is 500 at the comparison and at the setuid() call.

Attack: user_id is corrupted from 500 to 0 after authenticate() returns, so the comparison takes the root branch and setuid() is called with 0.
Data Variations
• Create variants that use different data representations
• Variant 0: Program0(Data0)
  • Program0(Data0) → Normal Behavior
• Variant 1: Program1(Data1)
  • Program1(Data1) → Normal Behavior
Creating Variants
(Diagram: Variant 0 (original) runs P0 on input d; Variant 1 runs P1 = T(P0) on the transformed input M1^-1(d).)
UID Meaning Function
• M0(Data) maps the data space to the meaning space:

  Data space | Meaning space
  -----------|--------------
  0          | root
  1          | bin
  99         | nobody
  500        | cox
UID Data Meaning Function
• Create variants with different meaning functions

  Meaning | M0 data | M1 data
  --------|---------|-----------
  root    | 0       | 0x7FFFFFFF
  bin     | 1       | 0x7FFFFFFE
  nobody  | 99      | 0x7FFFFF9C
  cox     | 500     | 0x7FFFFE0B
Creating UID/GID Variants
• M1(UID) = UID XOR 0x7FFFFFFF
• M1^-1(UID) = UID XOR 0x7FFFFFFF
• T(P) = M1 ∘ P
• Normal Equivalence
  • T(P)(d1) = P(M1(M1^-1(d))) = P(d)
(Diagram: Variant 0 (original) runs P0 on d; Variant 1 runs P1 = T(P0) on M1^-1(d).)
UID Code Transformation
• Identify UID variables and constants
• Apply M1^-1() to UID constants
  • Assignment: remains unchanged
  • Arithmetic: not allowed
  • Comparison: reverse inequalities
  • System calls: embed the meaning function into the system call wrappers
Guaranteeing Detection
• Monitor must observe divergence as it occurs; this is not guaranteed
• Transform the program to expose UID usage to the monitor
  • Single UID value usage
    • uid_t uid_value(uid_t uid)
  • UID comparison
    • bool cc_eq(uid_t, uid_t)
Data Corruption Attacks (transformed program, both variants)

Variant 0:

    uid_t user_id;
    char* name;
    user_id = authenticate();
    /* ... */
    if (cc_eq(user_id, 0)) {
        /* ... */
    } else {
        /* ... */
    }
    setuid(user_id);

Variant 1 (the root constant 0 is replaced by M1^-1(0) = 0x7FFFFFFF):

    uid_t user_id;
    char* name;
    user_id = authenticate();
    /* ... */
    if (cc_eq(user_id, 0x7FFFFFFF)) {
        /* ... */
    } else {
        /* ... */
    }
    setuid(user_id);

Normal run: user_id is 0x1F4 (500) in Variant 0 and 0x7FFFFE0B in Variant 1; both denote cox.

Attack: user_id is corrupted to 0 in both variants. In Variant 0 the value 0 means root, but in Variant 1 it means 0x7FFFFFFF, so the cc_eq checkpoint and the setuid wrapper see the variants disagree and the monitor detects the divergence.
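The code transformation and the detection checkpoints above, as an added simulation (not code from the slides or the N-Variant prototype): two variants hold user_id in their own representation, an overwrite writes the same raw value 0 into both, and a modelled monitor compares what each variant's meaning function says at the cc_eq and setuid checkpoints. The function names monitor_check and run_variants are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Variant 1 stores every UID as UID XOR 0x7FFFFFFF (M1 from the slides). XOR with a
   constant is its own inverse, so m1() serves as both M1 and M1^-1. */
#define UID_MASK 0x7FFFFFFFu
static uid_t m1(uid_t d) { return (uid_t)(d ^ UID_MASK); }

/* Meaning function of each variant: raw stored data -> the UID it denotes. */
static uid_t meaning(int variant, uid_t d) { return variant == 0 ? d : m1(d); }

#define DIVERGENCE (-1L)

/* Monitor-side check (models cc_eq and the setuid wrapper): both variants must denote
   the same UID, otherwise the monitor reports divergence and halts the system.
   Name and interface are assumptions of this example. */
static long monitor_check(uid_t raw0, uid_t raw1) {
    uid_t u0 = meaning(0, raw0), u1 = meaning(1, raw1);
    return u0 == u1 ? (long)u0 : DIVERGENCE;
}

/* Simulated run of the 2-variant program from the slides. `authenticated` is the UID that
   authenticate() returned. If `corrupt` is set, the same raw bytes (0) are written into
   user_id in both variants, since the corruption cannot tell the variants apart.
   Returns the UID that would reach setuid(), or DIVERGENCE. */
static long run_variants(uid_t authenticated, bool corrupt) {
    uid_t user_id0 = authenticated;      /* variant 0: original representation */
    uid_t user_id1 = m1(authenticated);  /* variant 1: transformed via M1^-1 */
    if (corrupt) { user_id0 = 0; user_id1 = 0; }

    /* Checkpoint 1: the `if (user_id == 0)` test. Variant 0 compares against 0, variant 1
       against the transformed constant M1^-1(0) = 0x7FFFFFFF; the monitor sees both. */
    if (monitor_check(user_id0, user_id1) == DIVERGENCE) return DIVERGENCE;
    bool is_root0 = (user_id0 == 0), is_root1 = (user_id1 == m1(0));
    if (is_root0 != is_root1) return DIVERGENCE;  /* cc_eq results must agree */

    /* Checkpoint 2: the setuid wrapper applies each variant's meaning function. */
    return monitor_check(user_id0, user_id1);
}

int main(void) {
    printf("normal run, uid 500 -> %ld\n", run_variants(500, false));
    printf("normal run, uid 0   -> %ld\n", run_variants(0, false));
    printf("corrupted user_id   -> %ld (divergence)\n", run_variants(500, true));
    return 0;
}
```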
External Data
(Diagram: Variant 0 (original) runs P0 on d; Variant 1 runs P1 on M1^-1(d); both variants read /etc/passwd.)
Original N-Variant Kernel
• Each file is opened once
• I/O is performed once and the results are given to all variants
(Diagram: the nv_struct files tables of Variant 0 and Variant 1 both point at the same in, out and err entries (the console) and at a single /etc/passwd, whose contents are:)

    root:0:0:…
    bin:1:1:…
    nobody:99:99:…
    cox:500:500:…
Unshared Files
(Diagram: the nv_struct files tables of Variant 0 and Variant 1 point at the console for in, out and err, and a shared_files table with entries 1, 1, 1, 0 and filler slots records which files are shared; the passwd file is unshared, so Variant 0 opens /etc/passwd-0 and Variant 1 opens /etc/passwd-1.)

/etc/passwd-0:

    root:0:0:…
    bin:1:1:…
    :
    nobody:99:99:…
    cox:500:500:…

/etc/passwd-1:

    root:7FFF:7FFF:…
    bin:7FFE:7FFE:…
    nobody:7F9C:7F9C:…
    cox:7E0B:7E0B:…
Case Study: Apache
• Transformed the code by hand
  • 15 constant UID values
  • 22 conditional statements (with detection checks)
  • 36 additional detection checkpoints
• Created /etc/passwd-{0, 1} files
  • Used lex to scan and replace UID/GID values
Results
(Chart comparing: Unmodified Apache; Transformed Apache; 2-Variant, Shared File Kernel; 2-Variant, Unshared File Kernel; 2-Variant UID Variation.)
Future Work
• Automate the program transformation
  • Identify/infer UID variables within the program
  • Apply the transformations
• Examine other data variations
  • Configuration data
  • Decision-making data