Secure and efficient application monitoring and replication
Memory corruption vulnerabilities remain a grave threat to systems software written in C/C++. Current best practices dictate compiling programs with exploit mitigations such as stack canaries, address space layout randomization, and control-flow integrity. However, adversaries quickly find ways to circumvent such mitigations, sometimes even before these mitigations are widely deployed. In this paper, we focus on an "orthogonal" defense that amplifies the effectiveness of traditional exploit mitigations. The key idea is to create multiple diversified replicas of a vulnerable program and then execute these replicas in lockstep on identical inputs while simultaneously monitoring their behavior. A malicious input that causes the diversified replicas to diverge in their behavior will be detected by the monitor; this allows discovery of previously unknown attacks such as zero-day exploits. So far, such multi-variant execution environments (MVEEs) have been held back by substantial runtime overheads. This paper presents a new design, ReMon, that is non-intrusive, secure, and highly efficient. Whereas previous schemes either monitor every system call or none at all, our system enforces cross-checking only for security-critical system calls while supporting more relaxed monitoring policies for system calls that are not security critical. We achieve this by splitting the monitoring and replication logic into an in-process component and a cross-process component. Our evaluation shows that ReMon offers the same level of security as conservative MVEEs and runs realistic server benchmarks at near-native speeds.
Building the Next Generation of Security Focused NVX Systems: Overcoming Limitations of N-Variant Execution
N-Variant Execution (NVX) systems utilize artificial diversity techniques to enhance software security. The general idea is to run multiple different variants of the same program alongside each other while monitoring their run-time behavior. If a malicious input causes the execution paths of the diversified variants to diverge, the monitor can detect the divergence, e.g. at the system call level, and take defensive action.
Several NVX systems have been proposed over the last two decades, providing different security/performance characteristics. In general, security-oriented NVX systems greatly degrade performance, while high-performance NVX systems have two disadvantages: they significantly increase the size of the Trusted Computing Base (TCB) or sacrifice security. In this dissertation, we want to investigate whether it is possible to build an alternative NVX design that unifies the strengths of existing approaches.
Security-oriented NVX systems are considered strong defenses that protect against a variety of attacks. However, a subset of modern attacks have the potential to bypass existing NVX systems. We identify limited available diversity as the main reason for that. Existing NVX systems execute diversified program variants on a single host. This means that the level of inter-variant diversity will be limited to what a single platform can offer.
The main focus of this dissertation is to investigate the possibility of building the first distributed heterogeneous NVX system that executes program variants across multiple heterogeneous hosts. This approach can increase the level of internal diversity between the simultaneously running variants that can be supported, encompassing different instruction sets, endianness, calling conventions, system call interfaces, and differences in hardware security features. We expect that new challenges will arise from the distributed and heterogeneous nature of this design; however, we believe that we will be able to provide sufficient solutions.
Towards an Error Control Scheme for a Publish/Subscribe Network
Many proposals for the next generation of the Internet suggest moving from an end-point-oriented to an information-centric architecture. Many of these proposals are based on the publish/subscribe paradigm, which lends itself naturally to native multicast support, a key factor for efficient content distribution. However, the design of efficient reliable transport protocols for multicast is a largely open problem, due to feedback implosion towards the sender as the group size grows. In this paper we propose a hierarchical retransmission-based error control scheme for a native publish/subscribe internetwork. We compare our protocol with similar approaches proposed for IP multicast and evaluate its performance against IP multicast with unicast-based error control.
Index Terms: Information-centric networks, error recovery, multicast, transport layer
Sharing is caring: secure and efficient shared memory support for MVEEs
Multi-Variant Execution Environments (MVEEs) are a powerful tool for protecting legacy software against memory corruption attacks. MVEEs employ software diversity to run multiple variants of the same program in lockstep, whilst providing them with the same inputs and comparing their behavior. Well-constructed variants will behave equivalently under normal operating conditions but diverge when under attack. The MVEE detects these divergences and takes action before compromised variants can damage the host system.
Prior research has shown that multi-variant execution only works if the variants receive identical inputs. Existing MVEEs replicate inputs at the system call boundary, and therefore do not support programs that use shared-memory IPC with other processes, since shared memory pages can be read from and written to directly without system calls.
We analyzed modern applications, ranging from web servers and media players to browsers, and observed that they rely heavily on shared memory, in some cases for their basic functioning and in other cases for enabling more advanced functionality. It follows that modern applications cannot enjoy the security provided by MVEEs unless those MVEEs support shared-memory IPC.
This paper first identifies the requirements for supporting shared-memory IPC in an MVEE. We propose a design that involves techniques to identify and instrument accesses to shared memory pages, as well as techniques to replicate I/O through shared-memory IPC. We implemented these techniques in a prototype MVEE and report our findings through an evaluation of a range of benchmark programs. Our contributions enable the use of MVEEs on a far wider range of programs than previously supported. By overcoming one of the major remaining limitations of MVEEs, our contributions can help to bolster their real-world adoption.
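The mechanism that both the ReMon abstract and the shared-memory paper above take for granted (run diversified variants in lockstep, cross-check them at the system call boundary, act before a diverging variant's pending call executes) as an added example. This is illustrative code written for this page, not ReMon's or either paper's implementation. It assumes Linux on x86_64 or aarch64 and permission to ptrace child processes. The "protected program" and its "ATTACK" input are constructed stand-ins: the variant id plays the role of diversification, so the payload only succeeds in variant 1, where it results in an execve() that the monitor refuses.

```c
/* Added example: minimal two-variant lockstep monitor for Linux (ptrace).
 * Each variant is a forked, traced child. The monitor advances every variant
 * to its next system-call entry, compares the syscall numbers, and SIGKILLs
 * all variants on a mismatch, before the pending call executes. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define NVAR 2
#define NR_EXITED (-1L)  /* pseudo syscall number: the variant has terminated */
#define NR_ERROR  (-2L)  /* the monitor could not read the variant's state */

/* Constructed stand-in for the protected program. The variant id models the
 * diversification: the constructed input "ATTACK" only "works" in variant 1,
 * where it ends in execve(); variant 0 takes the benign path instead. */
static void variant_body(int id, const char *input) {
    if (id == 1 && strcmp(input, "ATTACK") == 0) {
        char path[] = "/bin/true";
        char *argv[] = { path, NULL };
        execve(path, argv, NULL);   /* killed at the entry stop, so never runs */
        _exit(127);
    }
    (void)syscall(SYS_getpid);      /* benign syscall, identical in both variants */
    _exit(0);
}

/* Fork a variant that stops itself for the monitor, then enable syscall stops. */
static pid_t spawn_variant(int id, const char *input) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP);             /* hand control to the monitor */
        variant_body(id, input);
        _exit(0);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1;
    }
    return pid;
}

/* Syscall number of a variant that is stopped at a syscall-entry stop. */
static long current_syscall_nr(pid_t pid) {
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) < 0) return NR_ERROR;
#if defined(__x86_64__)
    return (long)regs.orig_rax;
#elif defined(__aarch64__)
    return (long)regs.regs[8];
#else
#error "add the syscall-number register for this architecture"
#endif
}

/* Resume a variant until its next syscall *entry* or its termination. With
 * PTRACE_O_TRACESYSGOOD, syscall stops report SIGTRAP|0x80 and alternate
 * entry/exit; *in_call tracks that parity. Other signals are passed through. */
static long next_syscall_entry(pid_t pid, int *in_call) {
    int sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return NR_ERROR;
        int st;
        if (waitpid(pid, &st, 0) < 0) return NR_ERROR;
        if (WIFEXITED(st) || WIFSIGNALED(st)) return NR_EXITED;
        if (!WIFSTOPPED(st)) return NR_ERROR;
        if (WSTOPSIG(st) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(st); continue; }
        sig = 0;
        *in_call = !*in_call;
        if (*in_call) return current_syscall_nr(pid);   /* entry stop */
    }
}

static void kill_variants(const pid_t pid[NVAR], const long nrs[NVAR]) {
    for (int v = 0; v < NVAR; v++) {
        if (pid[v] <= 0 || nrs[v] == NR_EXITED) continue;  /* never spawned / reaped */
        kill(pid[v], SIGKILL);
        waitpid(pid[v], NULL, 0);
    }
}

/* Run NVAR variants of variant_body() in lockstep on `input`. Returns the 0-based
 * step at which the syscall numbers first differed (left in nrs[]), -1 if all
 * variants ran to completion in agreement, or -2 on a monitor error. */
int run_lockstep(const char *input, long nrs[NVAR]) {
    pid_t pid[NVAR] = { 0 };
    int in_call[NVAR] = { 0 };
    for (int v = 0; v < NVAR; v++) nrs[v] = NR_ERROR;
    for (int v = 0; v < NVAR; v++) {
        pid[v] = spawn_variant(v, input);
        if (pid[v] < 0) { kill_variants(pid, nrs); return -2; }
    }
    for (int step = 0; ; step++) {
        int alive = 0, diverged = 0;
        for (int v = 0; v < NVAR; v++) {
            nrs[v] = next_syscall_entry(pid[v], &in_call[v]);
            if (nrs[v] == NR_ERROR) { kill_variants(pid, nrs); return -2; }
            if (nrs[v] != NR_EXITED) alive = 1;
            if (nrs[v] != nrs[0]) diverged = 1;
        }
        if (diverged) { kill_variants(pid, nrs); return step; }   /* attack detected */
        if (!alive) return -1;                                    /* clean run */
    }
}

int main(void) {
    long nrs[NVAR];
    int r = run_lockstep("hello", nrs);
    printf("benign input: %s\n", r == -1 ? "variants agreed until exit" : "monitor error");
    r = run_lockstep("ATTACK", nrs);
    if (r >= 0)
        printf("attack input: divergence at step %d (variant 0 syscall %ld, variant 1 "
               "syscall %ld); variants killed before the call ran\n", r, nrs[0], nrs[1]);
    return 0;
}
```

Build and run with `cc -o lockstep_mvee lockstep_mvee.c && ./lockstep_mvee` (the file name is assumed). The monitor compares only the syscall number; a production MVEE such as the ones described above also compares arguments, lets only one variant perform the call and replicates its result to the others so that all see identical inputs, and pays for this with a ptrace round trip per call, which is the overhead ReMon's in-process component avoids for non-critical calls. Note also what this monitor cannot see: a load or store to a MAP_SHARED page never stops here, which is exactly the gap the shared-memory paper addresses.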