E unibus pluram: massive-scale software diversity as a defense mechanism

@inproceedings{Franz2010EUP,
  title={E unibus pluram: massive-scale software diversity as a defense mechanism},
  author={Michael Franz},
  booktitle={NSPW '10},
  year={2010}
}
  • M. Franz
  • Published in NSPW '10, 21 September 2010
  • Computer Science
We contend that the time has come to revisit the idea of software diversity for defense purposes. Four fundamental paradigm shifts that have occurred in the past decade now make it viable to distribute a unique version of every program to every user. We outline a practical approach for providing compiler-generated software diversity on a massive scale. It is based on an "App Store" containing a diversification engine (a "multicompiler") that automatically generates a unique, but functionally… 

Compiler-Generated Software Diversity

This work argues that the compiler is at the heart of the solution for software diversity, and presents two orthogonal compiler-based techniques that make it harder for an attacker to run a successful attack.

SoK: Automated Software Diversity

This paper systematically studies the state of the art in software diversity and highlights fundamental trade-offs between fully automated approaches, including "hybrid solutions", error reporting, patching, and implementation-disclosure attacks on diversified software.

Tailored source code transformations to synthesize computationally diverse program variants

This work addresses two objectives: comparing different transformations for increasing the likelihood of sosie synthesis (densifying the search space for sosies), and demonstrating computation diversity in synthesized sosies.

Algorithmic Diversity for Software Security

An improvement in security is demonstrated, such that a code-reuse attack based on any one variant has minimal chance of success on another, and the costs of this method are analysed.

Search Based Clustering for Protecting Software with Diversified Updates

The problem of maximizing software diversity is addressed from a search-based optimization point of view, and the problem of selecting the subset of most diversified versions to be deployed is formulated as an optimisation problem that is tackled with different search heuristics.

Analysis of defenses against code reuse attacks on modern and new architectures

It is found that a program in which CFI is perfectly enforced can still be exploited via a novel control-flow attack, and the potential for hardware support for CFI and other techniques via generalized tagged architectures is examined.

XIFER: A Software Diversity Tool Against Code-Reuse Attacks

This work presents, for the first time, a code transformation tool that completely mitigates code-reuse attacks by applying software diversity to the binary at runtime.

Code shredding: byte-granular randomization of program layout for detecting code-reuse attacks

This work proposes a novel defensive approach called code shredding: a defensive scheme based on the idea of embedding the checksum value of a memory address as a part of itself, which hinders designation of the specific addresses used in code-reuse attacks.

Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM

This work proposes a randomization solution, called Xifer, that disperses all code (executable and libraries) across the whole address space, re-randomizes the address space for each run, is compatible with code signing, and requires neither offline static analysis nor source code.

Software Profiling Options and Their Effects on Security Based Diversification

It is shown that static and dynamic profiling methods both reduce run-time overhead to under 2.5% while preventing over 95% of original gadgets from appearing in any diversified binary, and that the two methods offer nearly identical security characteristics.

References

Multi-variant Program Execution: Using Multi-core Systems to Defuse Buffer-Overflow Vulnerabilities

This work presents a novel approach that accepts the existence of overflow vulnerabilities and uses parallelism available through current and future multi-core architectures to detect vulnerabilities by monitoring the parallel execution of several slightly varying instances of the same application.

A Specialization Toolkit to Increase the Diversity of Operating Systems

A specialization toolkit is presented to improve operating system survivability against implementation attacks, together with the Tempo-C specializer tool, which helps programmers generate and manage diverse specialized implementations of software modules.

Transparent runtime randomization for security

  • Jun Xu, Z. Kalbarczyk, R. Iyer
  • Computer Science
    22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings.
  • 2003
A large class of security attacks exploit software implementation vulnerabilities such as unchecked buffers. This paper proposes transparent runtime randomization (TRR), a generalized approach for

Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space

A fully functioning MVEE is built, named Orchestra, and the results show that the overall penalty of simultaneous execution and monitoring of two variants on a multi-core system averages about 15% relative to unprotected conventional execution.

Reverse Stack Execution in a MultiVariant Execution Environment

Through evaluation, the prototype system can interdict the execution of malicious code in popular applications such as the Apache web server by trading off a small performance penalty for a high degree of security.

An experimental evaluation of the assumption of independence in multiversion programming

N-version programming has been proposed as a method of incorporating fault tolerance into software and it is revealed that the programs were individually extremely reliable but that the number of tests in which more than one program failed was substantially more than expected.

Review and analysis of synthetic diversity for breaking monocultures

This work proposes a functional architecture for synthetic diversity at the executable code level that reduces the common mode failure problem in COTS applications by several orders of magnitude.

An architecture a day keeps the hacker away

This paper outlines a possible comprehensive solution for binary-based attacks, using virtual machines, machine descriptions, and randomization to achieve broad heterogeneity at the machine level to reduce the "cost" of broad-based binary attacks.

The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

  • H. Shacham
  • Computer Science, Mathematics
    CCS '07
  • 2007
A return-into-libc attack on x86 executables that calls no functions at all is presented, and it is shown how to discover such instruction sequences by means of static analysis.

Building diverse computer systems

Several methods of achieving software diversity are discussed based on randomizations that respect the specified behavior of the program, which could potentially increase the robustness of software systems with minimal impact on convenience, usability, and efficiency.