Babak Salamat
Michael Franz
ABSTRACT
In a Multi-Variant Execution Environment (MVEE), several slightly different versions of the same program are executed in lockstep. While this is done, a monitor compares the behavior of the versions at certain synchronization points with the aim of detecting discrepancies which may indicate attacks.
As we show, the monitor can be implemented entirely in user space, eliminating the need for kernel modifications. As a result, the monitor is not a part of the trusted code base.
We have built a fully functioning MVEE, named Orchestra, and evaluated its effectiveness. We obtained benchmark results on a quad-core system, using two variants which grow the stack in opposite directions. The results show that the overall penalty of simultaneous execution and monitoring of two variants on a multi-core system averages about 15% relative to unprotected conventional execution
- Aleph One. Smashing the stack for fun and profit. Phrack, 7 (2), 1996.Google Scholar
- Apache Software Foundation. ab -- Apache HTTP Server Benchmarking Tool.Google Scholar
- J. Avariento. Exploit for Apache mod_rewrite off-by-one, 2006. URL http://ciberjacobo.com/sec/mod_rewrite.html.Google Scholar
- A. Avizienis and L. Chen. On the implementation of n-version programming for software fault tolerance during execution. In IEEE International Computer Software and Applications Conference (COMPSAC), volume 77, pages 149--155, 1977.Google Scholar
- E.G. Barrantes, D.H. Ackley, T.S. Palmer, D. Stefanovic, and D.D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 281--289, 2003. Google ScholarDigital Library
- E.D. Berger and B.G. Zorn. Diehard: Probabilistic memory safety for unsafe languages. In Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 158--168, 2006. Google ScholarDigital Library
- S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium, pages 105--120, 2003. Google ScholarDigital Library
- Sandeep Bhatkar, R. Sekar, and Daniel C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of the 14th USENIX Security Symposium, pages 271--286, 2005. Google ScholarDigital Library
- M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Department of Computer Science, Carnegie Mellon University, 2002.Google Scholar
- F. Cohen. Operating system protection through program evolution. Computers and Security, 12 (6): 565--584, October 1993. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, pages 63--78, 1998. Google ScholarDigital Library
- B. Cox, D. Evans, A. Filipi, J. Rowanhill, W. Hu, J. Davidson, J. Knight, A. Nguyen-Tuong, and J. Hiser. N-variant systems: A secretless framework for security through diversity. In Proceedings of the 15th USENIX Security Symposium, 2006. Google ScholarDigital Library
- Diet libc. URL http://www.fefe.de/dietlibc/.Google Scholar
- M. Dowd. Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability, 2006. URL http://www.securityfocus.com/archive/1/441487/30/0/threaded.Google Scholar
- Crazy Einstein. Apache mod_include Local Buffer Overflow Vulnerability, 2004. URL http://www.securityfocus.com/bid/11471.Google Scholar
- Crazy Einstein. Apache łeq 1.3.31 mod_include Local Buffer Overflow Exploit, 2006. URL http://milw0rm.com/exploits/587.Google Scholar
- S. Forrest, A. Somayaji, and D. Ackley. Building diverse computer systems. In 6th Workshop on Hot Topics in Operating Systems (HotOS), 1997. Google ScholarDigital Library
- GNU. GNU Compiler Collection (GCC). URL http://gcc.gnu.org.Google Scholar
- R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, volume 136, 1992.Google Scholar
- W. Hsu and A.J. Smith. Characteristics of I/O traffic in personal computer and server workloads. IBM Systems Journal, 2003. Google ScholarDigital Library
- Intel. Paul Otellini Keynote. Intel Developer Forum, September 2006.Google Scholar
- M.K. Joseph and Avizienis. A. A fault tolerance approach to computer viruses. In 1988 IEEE Symposium on Security and Privacy, pages 52--58, 1988.Google ScholarDigital Library
- B. Kauer. Oslo: Improving the security of trusted computing. In Proceedings of the 16th USENIX Security Symposium, pages 229--237, 2007. Google ScholarDigital Library
- G.S. Kc, A.D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 272--280, 2003. Google ScholarDigital Library
- B. A. Kuperman, C. E. Brodley, H. Ozdoganoglu, T. N. Vijaykumar, and A. Jalote. Detection and prevention of stack buffer overflow attacks. Communications of the ACM, 48 (11): 50--56, 2005. Google ScholarDigital Library
- A. Manion and J. Gennari. US-CERT Vulnerability Note VU #175500, October 2005. URL http://www.kb.cert.org/vuls/id/175500.Google Scholar
- J.M. McCune, B.J. Parno, A. Perrig, M.K. Reiter, and H. Isozaki. Flicker: An execution infrastructure for TCB minimization. In Proceedings of the 3rd European Conference on Computer Systems (EuroSys), pages 315--328, 2008. Google ScholarDigital Library
- J. McDermott, R. Gelinas, and S. Ornstein. Doc, wyatt, and virgil: Prototyping storage jamming defenses. In 13th Annual Computer Security Applications Conference (ACSAC), pages 265--273, 1997. Google ScholarDigital Library
- N. Mehta. Snort Back Orifice Parsing Remote Code Execution, 2005.Google Scholar
- D.G. Murray, G. Milos, and S. Hand. Improving Xen security through disaggregation. In Proceedings of the fourth ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments, pages 151--160, 2008. Google ScholarDigital Library
- Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack, 2001.Google Scholar
- N. Nethercote and J. Seward. Valgrind: A Program Supervision Framework. Electronic Notes in Theoretical Computer Science, 2003.Google Scholar
- T. Oh. Advanced Buffer Overflow Exploit, 2000. URL http://www.windowsecurity.com/uplarticle/1/advanced.txt.Google Scholar
- C. Parampalli, R. Sekar, and R. Johnson. A practical mimicry attack against powerful system-call monitors. In ACM Symposium on Information, Computer & Communication Security (ASIACCS), pages 156--167, 2008. Google ScholarDigital Library
- PaX. URL http://pax.grsecurity.net.Google Scholar
- J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, pages 20--27, 2004. Google ScholarDigital Library
- E. Pinheiro, R. Bianchini, E.V. Carrera, and T. Heath. Load balancing and unbalancing for power and performance in cluster-based systems. In Workshop on Compilers and Operating Systems for Low Power, pages 182--195, 2001.Google Scholar
- C. Pu, A. Black, C. Cowan, and J. Walpole. A specialization toolkit to increase the diversity of operating systems. In ICMAS Workshop on Immunity-Based Systems, 1996.Google Scholar
- rd. THCsnortbo 0.3 -- Snort BackOrifice PING exploit, October 2005. URL http://milw0rm.com/exploits/1272.Google Scholar
- B. Salamat, A. Gal, and M. Franz. Reverse stack execution in a multi-variant execution environment. In Workshop on Compiler and Architectural Techniques for Application Reliability and Security (CATARS), 2008.Google Scholar
- B. Salamat, A. Gal, T. Jackson, K. Manivannan, G. Wagner, and M. Franz. Multi-variant program execution: Using multi-core systems to defuse buffer-overflow vulnerabilities. In Proceedings of the International Conference on Complex, Intelligent and Software Intensive Systems (CISIS'08), pages 843--848, March 2008. Google ScholarDigital Library
- Solar Designer. Non-executable user stack. URL http://www.openwall.com.Google Scholar
- Standard Performance Evaluation Corporation (SPEC). URL http://www.spec.org.Google Scholar
- C. Taschner and A. Manion. US-CERT Vulnerability Note VU #196240, February 2007. URL http://www.kb.cert.org/vuls/id/196240.Google Scholar
- J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10th Annual Symposium On Network And Distributed System Security, 2003.Google Scholar
Index Terms
- Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space
Recommendations
Variant-based competitive parallel execution of sequential programs
CF '10: Proceedings of the 7th ACM international conference on Computing frontiersCompetitive parallel execution (CPE) is a simple yet attractive technique to improve the performance of sequential programs on multi-core and multi-processor systems. A sequential program is transformed into a CPE-enabled program by introducing multiple ...
Exploiting task and data parallelism in ILUPACK's preconditioned CG solver on NUMA architectures and many-core accelerators
Specialized implementations of ILUPACK's iterative solver for NUMA platforms.Specialized implementations of ILUPACK's iterative solver for many-core accelerators.Exploitation of task parallelism via OmpSs runtime (dynamic schedule).Exploitation of task ...
Data-aware scheduling of legacy kernels on heterogeneous platforms with distributed memory
SPAA '10: Proceedings of the twenty-second annual ACM symposium on Parallelism in algorithms and architecturesIn this paper, we describe a runtime to automatically enhance the performance of applications running on heterogeneous platforms consisting of a multi-core (CPU) and a throughput-oriented many-core (GPU). The CPU and GPU are connected by a non-coherent ...
Comments