Polygraphing Processes: N-Variant Systems for Secretless Security (PowerPoint presentation by David Evans, UVa/CMU Genesis Project, DARPA SRS PIs Meeting)
Presentation Transcript
Polygraphing Processes: N-Variant Systems for Secretless Security
David Evans, UVa/CMU Genesis Project
DARPA SRS PIs Meeting, 12 July 2005

[Slide images: Jefferson's Polygraph; Hoover's Polygraph]

Motivating Observation
  • Previous diversity approaches (including ours) rely on keeping secrets
  • Keeping secrets is hard
    • [Shacham, et al., CCS 2004]
    • [Sovarel, et al., USENIX Security 2005]

Can we use diversity effectively without needing any secrets?

DARPA SRS Genesis Project

N-Variant Systems
  • Construct a system that requires attacker to “simultaneously” compromise multiple variants
  • Variations designed to make this impossible for certain attack classes
  • Provides security without needing secrets
    • Framework for proving resistance to classes of attack

N-Version Programming vs. N-Variant System

N-Version Programming [Avizienis & Chen, 1977]:
  • Multiple teams of programmers implement the same spec
  • Voter compares results and selects the most common
  • No guarantees: teams may make the same mistake

N-Variant System:
  • Transformer automatically produces diverse variants
  • Monitor compares results and detects attack
  • Guarantees: variants behave differently on particular input classes

2-Variant System

[Slide diagram: Input (possibly malicious) -> Polygrapher -> Server Variant 0 and Server Variant 1 -> Monitor -> Output]

N-Variant Framework

[Slide diagram: Polygrapher -> Variant 0 and Variant 1 -> Monitor]
  • Polygrapher
    • Replicate “same” input to all variants
  • Monitor
    • Delay effects until all variants finish successfully
    • Detect failure of one variant:
      • “Crash”: other variants may have been compromised
      • Need to recover to known valid states
  • Set of Variants
    • Must be disjoint with respect to attack requirement
    • An attack input that succeeds against one variant must cause some other variant to fail detectably

Establishing Disjoint Variants
  • Normal Equivalence Property
    • Under normal inputs, the variants stay in equivalent states:

A0(S0) ≡ A1(S1)

  • Detection Property
    • Any attack that compromises one variant causes another variant to exhibit detection behavior (e.g., crash)

Example: Memory Partitioning
  • Variation
    • Variant 0: addresses all start with 0
    • Variant 1: addresses all start with 1
  • Normal Equivalence
    • Map addresses to same address space
      • Broken if code depends on absolute addresses
  • Detection Property
    • Any absolute load/store is invalid on one of the variants
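As an added illustration (not code from the slides or the Genesis project), the following Python simulates the 2-variant framework above with the memory-partitioning variation: variant 0 owns addresses whose top bit is 0, variant 1 owns addresses whose top bit is 1, both run the same deliberately buggy service on identical input, and the monitor releases output only when every variant finishes and agrees. The 32-bit address width, the 64-byte toy layout and the marker value are assumptions chosen for the example.

```python
HIGH_BIT = 1 << 31            # assumption: 32-bit addresses, partitioned on the top bit
PTR_SLOT, HANDLER = 16, 32    # constructed toy layout: 16-byte buffer, then a code pointer
MARK = 0xC0DE                 # constructed value the legitimate handler yields

class SegFault(Exception):
    """A variant touched an address outside its own partition."""

class Variant:
    """One replica: every valid address carries this variant's top bit."""

    def __init__(self, tag):
        self.base = HIGH_BIT if tag else 0
        self.mem = bytearray(64)
        self.store32(self.base + PTR_SLOT, self.base + HANDLER)   # legitimate target
        self.store32(self.base + HANDLER, MARK)

    def _off(self, addr):
        off = addr - self.base
        if not 0 <= off < len(self.mem):
            raise SegFault(hex(addr))          # absolute address not in this partition
        return off

    def store32(self, addr, value):
        off = self._off(addr)
        self.mem[off:off + 4] = value.to_bytes(4, "little")

    def load32(self, addr):
        off = self._off(addr)
        return int.from_bytes(self.mem[off:off + 4], "little")

    def run(self, data):
        # Deliberately buggy service: unchecked copy into the 16-byte buffer,
        # then an indirect jump through the pointer stored right after it.
        for i, b in enumerate(data):
            self.mem[self._off(self.base + i)] = b   # overflow reaches PTR_SLOT
        target = self.load32(self.base + PTR_SLOT)
        return self.load32(target)                   # the "call" through the pointer

def monitor(data):
    """Polygrapher gives identical input to both variants; the monitor
    releases output only if every variant finishes and they agree."""
    results = []
    for variant in (Variant(0), Variant(1)):
        try:
            results.append(variant.run(data))
        except SegFault:
            return "attack detected"         # one variant failed detectably
    return "ok" if len(set(results)) == 1 else "attack detected"
```

Normal input yields the same MARK from both variants even though their pointers differ (normal equivalence); an overflow that overwrites the pointer with an absolute address can be valid in at most one partition, so the other variant faults (detection property).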

Instruction Set Partitioning

[Slide table: the mnemonics JMP, CALL, JO, JNO, JB, JNB, JZ, JNZ shown in two columns, Variant A and Variant B]

Instruction Set Tagging
  • Variation: add an extra bit to all opcodes
    • Variation 0: tag bit is a 0
    • Variation 1: tag bit is a 1
    • At run-time check and remove tag using Strata
  • Normal Equivalence: Remove the tag bits
  • Detection Property
    • Any (tagged) opcode is invalid on one variant
    • Injected code (identical on both) cannot run on both
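As an added illustration (not code from the slides or the Strata project), this Python models instruction set tagging on a constructed three-opcode toy ISA: the transformer sets each variant's tag bit on every opcode, the fetch step checks and strips the tag (the run-time check the slide attributes to Strata), and identical injected bytes can satisfy at most one variant's check. The 7-bit opcode encoding and the opcode table are assumptions for the example.

```python
TAG_BIT = 0x80                           # assumption: 7-bit opcodes, bit 7 is the tag
OPERANDS = {0x01: 1, 0x02: 0, 0x03: 0}   # constructed toy ISA: PUSH imm8, ADD, HALT
PROGRAM = bytes([0x01, 2, 0x01, 3, 0x02, 0x03])   # constructed: PUSH 2; PUSH 3; ADD; HALT

class IllegalInstruction(Exception):
    """A variant fetched an opcode whose tag bit is not its own."""

def tag_program(code, tag):
    """Transformer: set every opcode's tag bit for variant `tag`; operands untouched."""
    out, pc = bytearray(), 0
    while pc < len(code):
        op = code[pc] & 0x7F
        out.append(op | (TAG_BIT if tag else 0))
        n = OPERANDS[op]
        out.extend(code[pc + 1:pc + 1 + n])
        pc += 1 + n
    return bytes(out)

def execute(code, tag):
    """One variant: check and strip the tag at fetch time, then interpret."""
    stack, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if (op >> 7) != tag:                 # detection: wrong tag -> fault
            raise IllegalInstruction(f"pc={pc} opcode={op:#04x}")
        op &= 0x7F                           # normal equivalence: drop the tag
        if op == 0x01:
            stack.append(code[pc + 1])
            pc += 2
        elif op == 0x02:
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
            pc += 1
        elif op == 0x03:
            return stack[-1]
        else:
            raise IllegalInstruction(f"unknown opcode {op:#04x}")
    return stack[-1] if stack else None

def inject(payload):
    """Identical injected bytes reach both variants; report which ones ran them."""
    outcome = []
    for t in (0, 1):
        try:
            outcome.append(("ran", execute(payload, t)))
        except IllegalInstruction:
            outcome.append(("illegal", None))
    return outcome
```

Running the properly transformed program on each variant gives the same result (5 on both), while a payload carrying any single tag value is rejected by the other variant.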

Composing Variations

Must preserve normal equivalence property

[Slide diagram: three variants P1, P2, P3, each assigned a Memory Space bit (0, 0, 1) and an Instruction Tags bit (0, 1, 1); the Memory Space variation detects memory attacks, the Instruction Tags variation detects direct code injection]

Implementations
  • Two prototypes:
    • Linux Kernel Modification
    • Divert Sockets
  • Ad hoc establishment of normal equivalence
    • Transformation used to create variants
    • Run-time checking for equivalent behavior at security-critical events

Kernel Implementation
  • Modify process table to record variants
  • Create new fork routine to launch variants
  • Intercept system calls:
    • Check parameters match for all variants
    • Make call once
    • Send same result to all
  • Low overhead, lack of isolation

Divert Sockets Implementation
  • Process intercepts traffic (nvpd)
  • Uses divert sockets to send copies to isolated variants (can be on different machines)
  • Waits until all variants respond to request before returning to client
  • Adjusts TCP sequence numbers so that each variant appears to have a normal connection

Divert Sockets 3-Variant System

[Slide diagram: Input from Client -> nvpd (Polygrapher) -> Server variants P1, P2, P3 -> Monitor -> Output to Client]

Results
  • Implemented 3-Variant system
    • Address space partitioning
    • Instruction set tagging
  • Thwarts any attack that:
    • Depends on referencing an absolute address
    • Depends on executing directly injected code
  • Latency Overhead (apache)

Open Problems
  • Non-determinism, persistent state
  • Formally establishing normal equivalence
    • Statically + dynamically
  • Variations to prevent larger classes of attacks
    • File naming, scheduling, protocol, configuration, etc.
    • Limited by need to preserve (unspecified) application semantics

N-Variant Systems Summary
  • Use artificial diversity in a controlled way
  • Framework requires attacker to compromise multiple variants “simultaneously”
    • Create variations that make this impossible (for important attack classes)
  • Opens promise of system security proofs that do not require any assumptions about keeping secrets

Credits

Ben Cox, Jack Davidson, David Evans, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen-Tuong, Jonathan Rowanhill
