1 / 19

N-Variant Systems A Secretless Framework for Security through Diversity

N-Variant Systems A Secretless Framework for Security through Diversity. Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong and Jason Hiser University of Virginia. USENIX Security 2006, Vancouver BC. Attacks Require Knowledge.

capobianco
Download Presentation

N-Variant Systems A Secretless Framework for Security through Diversity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. N-Variant SystemsA Secretless Framework for Security through Diversity Benjamin Cox David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong and Jason Hiser University of Virginia USENIX Security 2006, Vancouver BC

  2. Attacks Require Knowledge Heat (1995)

  3. Artificial Diversity Methods … … …

  4. Limitations of Diversity Methods • Requires high entropy • Difficulty scales with the number of possibilities • Low entropy broken by brute force [Shacham+, CCS 04] • Attacker can learn the diversity key • Incremental attacks [Sovarel+, USENIX Sec 05] • Side channels • Security assurance difficult • Vulnerability changed, not removed • Assumes secrets can be kept

  5. N-Variant System Framework • Run variants in parallel with identical inputs • Variants designed to vary assumptions • Check behavior of variants is equivalent Variant 0 Poly- grapher Monitor Variant 1

  6. Redundant Execution • Debugging [Knowlton 68] • Rearrange code and memory segments of program and run in parallel • Robustness [Berger & Zorn 06] • Dynamically randomize layout of heap and run multiple versions in parallel comparing output • Security [Reynolds+ 03, Totel+ 05, Gao+ 05] • Design diversity with rough comparison

  7. Proving Detection • Detection property • Attack causes states between variants to diverge noticeably • If one variant is compromised another must enter alarm state • Normal equivalence • Before attack, variants must be in equivalent states • Deterministic behavior

  8. Example Variations • Address space partitioning • Detection property: access injected address • Normal equivalence: addresses identical except for high order bit • Instruction set tagging • Detection property: run injected code • Normal equivalence: instructions in variants are same except for tags

  9. Thwarting Attacks Server Variant 0 Polygrapher Monitor Input (Attack) Output Server Variant 1

  10. Implementation Requirements • Polygrapher • Identical inputs to variants at same time • Monitor • Continually examine variants completely • Variants • Fully isolated, behave identically on normal inputs Too expensive for real systems

  11. Implementation • Modified Linux 2.6.11 kernel • Run variants as processes • Create 2 new system calls • n_variant_fork • n_variant_execve • Wrap existing system calls • Replicate input • Monitor system calls V0 V1 V2 P0 Kernel Hardware

  12. Wrappers • Check consistency • I/O wrappers (e.g., read(), write()) • Perform system call once • Return same result to all variants • Reflective (e.g., setuid(), signal()) • Perform corresponding system call on all variants • Check identical result

  13. sys_write_wrapper(int fd, char __user * buf, int len){ if (!IS_VARIANT(current)) { Perform System Call } else { if (!inSystemCall(current->nv_system)) { Save Parameters Sleep Return Result Value } else if (currentSystemCall(current->nv_system) !=SYS_WRITE) { DIVERGENCE – different system calls } else if (!Parameters Match) { DIVERGENCE – different parameters } else if (!isLastVariant(current->nv_system) { Sleep Return Result Value } else { Perform System Call Save Result Wake Up All Variants Return Result Value } }}

  14. Constructing Variants • Address Space Partitioning • Specify segments’ start addresses and sizes • OS detected injected address as segmentation fault • Instruction Set Tagging • Use Diablo [De Sutter+ 03] to insert tags into binary • Use Strata [Scott+ 02] to check and remove tags

  15. Results Latency increase from 2.35 to 2.77 ms Unmodified Apache 2-Variant, Address Partitioning 2-Variant, Instruction Tagging (1 WebBench client) 17.6 ms 34.2 ms (5 hosts * 6 each WebBench clients) 48.3 ms Apache 1.3 on Linux 2.6.11

  16. Implementation Limitations • Expensive for CPU-bound servers • Requires deterministic behavior • Most sources of nondeterminism removed • Timing can be a problem (see poster) • Dangerous system calls • execve(), mmap() • Variants lack complete isolation • Does not address recovery

  17. Fundamental Limitation • Only protects against attacks whose assumptions are broken by variations • Opportunities • Low entropy variations (e.g., calling conventions, timing, root uid, …) • High-level variations • Requires knowledge of application semantics

  18. Summary N-Variant systems employ artificial diversity techniques to provide provable resilience against certain classes of attacks without needing secrets. www.cs.virginia.edu/nvariant Supported by the National Science Foundation Cyber Trust Program and DARPA SRS

  19. Questions www.nvariant.org Supported by National Science Foundation Cyber Trust Program and DARPA SRS

More Related