
Polygraphing Processes: N-Variant Systems for Secretless Security
David Evans, UVa/CMU Genesis Project
DARPA SRS PIs Meeting, 12 July 2005


Presentation Transcript


  1. Polygraphing Processes: N-Variant Systems for Secretless Security
     David Evans, UVa/CMU Genesis Project
     DARPA SRS PIs Meeting, 12 July 2005
     (Images: Jefferson’s Polygraph, Hoover’s Polygraph)

  2. Motivating Observation
     • Previous diversity approaches (including ours) rely on keeping secrets
     • Keeping secrets is hard
       • [Shacham, et al., CCS 2004]
       • [Sovarel, et al., USENIX Security 2005]
     Can we use diversity effectively without needing any secrets?
     DARPA SRS Genesis Project

  3. N-Variant Systems
     • Construct a system that requires the attacker to “simultaneously” compromise multiple variants
     • Variations designed to make this impossible for certain attack classes
     • Provides security without needing secrets
     • Framework for proving resistance to classes of attack

  4. N-Version Programming [Avizienis & Chen, 1977] vs. N-Variant System
     N-Version Programming:
     • Multiple teams of programmers implement the same spec
     • Voter compares results and selects the most common
     • No guarantees: teams may make the same mistake
     N-Variant System:
     • Transformer automatically produces diverse variants
     • Monitor compares results and detects attack
     • Guarantees: variants behave differently on particular input classes

  5. 2-Variant System (diagram: Input (possibly malicious) enters the Polygrapher, which feeds Server Variant 0 and Server Variant 1; the Monitor compares them and produces the Output)

  6. N-Variant Framework (diagram: Polygrapher feeds Variant 0 and Variant 1; Monitor compares them)
     • Polygrapher
       • Replicate “same” input to all variants
     • Monitor
       • Delay effects until all variants finish successfully
       • Detect failure of one variant:
         • “Crash”: other variants may have been compromised
         • Need to recover to known valid states
     • Set of Variants
       • Must be disjoint with respect to attack requirement
       • An attack input that succeeds against one variant must cause some other variant to fail detectably

  7. Establishing Disjoint Variants
     • Normal Equivalence Property
       • Under normal inputs, the variants stay in equivalent states: A0(S0) A1(S1)
     • Detection Property
       • Any attack that compromises one variant causes another variant to exhibit detection behavior (e.g., crash)

  8. Example: Memory Partitioning
     • Variation
       • Variant 0: addresses all start with 0
       • Variant 1: addresses all start with 1
     • Normal Equivalence
       • Map addresses to the same address space
       • Broken if code depends on absolute addresses
     • Detection Property
       • Any absolute load/store is invalid on one of the variants

  9. Instruction Set Partitioning (diagram: the opcodes JMP, CALL, JO, JNO, JB, JNB, JZ, JNZ, … are split between Variant A and Variant B)

  10. Instruction Set Tagging
     • Variation: add an extra bit to all opcodes
       • Variation 0: tag bit is a 0
       • Variation 1: tag bit is a 1
       • At run-time, check and remove the tag using Strata
     • Normal Equivalence: remove the tag bits
     • Detection Property
       • Any (tagged) opcode is invalid on one variant
       • Injected code (identical on both) cannot run on both

  11. Composing Variations
     • Must preserve the normal equivalence property
     • Detect memory attack (Memory Space variation) and direct code injection (Instruction Tags variation)
     Variation bits, one column per variant (P1, P2, P3):
       Memory Space:      0  0  1
       Instruction Tags:  0  1  1
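The following simulation is an added example (Python, not the Genesis project's code) of slides 8, 10 and 11 together: three variants that differ in an address-space bit and an opcode tag bit, a transformer that builds each variant's binary, and a monitor that reports as soon as any variant hits its detection behaviour. The 16-bit address space, the one-byte opcode with its tag in bit 8, the opcode values, and the reading of the slide-11 table as P1=(0,0), P2=(0,1), P3=(1,1) are all assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import List, Tuple

ADDR_BITS = 16                  # assumed toy address width
HALF = 1 << (ADDR_BITS - 1)     # the address bit that selects the partition (slide 8)


@dataclass(frozen=True)
class Variant:
    name: str
    mem_bit: int    # required top address bit (memory partitioning)
    tag_bit: int    # required opcode tag bit (instruction set tagging)


# Assumed mapping of the slide-11 bit table onto P1..P3.
VARIANTS = [Variant("P1", 0, 0), Variant("P2", 0, 1), Variant("P3", 1, 1)]


class Detected(Exception):
    """A variant's detection behaviour (the 'crash' on slide 6)."""


# A program is a list of (opcode, operand_kind, operand). 'rel' operands are
# program-relative offsets the transformer relocates; 'abs' operands are raw
# absolute addresses, which is what a corrupted pointer looks like.
Instr = Tuple[int, str, int]


def tag_opcode(opcode: int, tag_bit: int) -> int:
    return (tag_bit << 8) | (opcode & 0xFF)


def untag_opcode(tagged: int, v: Variant) -> int:
    """Run-time tag check and removal (the role Strata plays on slide 10)."""
    if (tagged >> 8) & 1 != v.tag_bit:
        raise Detected(f"{v.name}: opcode {tagged:#05x} carries the wrong tag")
    return tagged & 0xFF


def relocate(offset: int, v: Variant) -> int:
    """Normal equivalence for memory: same offset, this variant's half of the space."""
    return (v.mem_bit * HALF) | (offset & (HALF - 1))


def check_access(addr: int, v: Variant) -> None:
    """Detection property for memory: an address in the other half is unmapped here."""
    if bool(addr & HALF) != bool(v.mem_bit):
        raise Detected(f"{v.name}: absolute address {addr:#06x} is outside its partition")


def build_binary(program: List[Instr], v: Variant) -> List[Tuple[int, int]]:
    """Transformer: tag every opcode and relocate every relative operand for v."""
    return [(tag_opcode(op, v.tag_bit), relocate(x, v) if kind == "rel" else x)
            for op, kind, x in program]


def execute(binary, v: Variant):
    """Decode and 'run' a binary on v; the trace drops the partition bit so variants compare equal."""
    trace = []
    for tagged, addr in binary:
        op = untag_opcode(tagged, v)
        check_access(addr, v)
        trace.append((op, addr & (HALF - 1)))
    return trace


def monitor(program: List[Instr], injected=()):
    """Run the same program (plus any injected raw instructions) on every variant."""
    traces = []
    for v in VARIANTS:
        try:
            traces.append(execute(build_binary(program, v) + list(injected), v))
        except Detected as e:
            return ("detected", str(e))
    if any(t != traces[0] for t in traces):
        return ("divergent", traces)
    return ("ok", traces[0])


# Constructed sample program: two loads from program-relative offsets.
NORMAL = [(0x10, "rel", 0x0100), (0x20, "rel", 0x0200)]


def demo():
    return {
        "normal": monitor(NORMAL),
        # Injected code is byte-identical on every variant, so it carries one tag only.
        "code_injection": monitor(NORMAL, injected=[(tag_opcode(0x99, 0), 0x0300)]),
        # A corrupted pointer naming an absolute address in the upper half.
        "absolute_address": monitor([(0x10, "abs", 0x8040)]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The normal program yields identical traces on all three variants because the transformer, not the program, chose the partition and the tag; the injected instruction passes P1 and is rejected by P2, and the absolute address is rejected by P1, which is exactly the disjointness the slide asks for.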

  12. Implementations
     • Two prototypes:
       • Linux Kernel Modification
       • Divert Sockets
     • Ad hoc establishment of normal equivalence
       • Transformation used to create variants
       • Run-time checking for equivalent behavior at security-critical events

  13. Kernel Implementation
     • Modify process table to record variants
     • Create new fork routine to launch variants
     • Intercept system calls:
       • Check parameters match for all variants
       • Make the call once
       • Send the same result to all
     • Low overhead, lack of isolation
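The lock-step system-call monitor on slide 13 can be sketched in user space, as an added Python example that is not the Genesis kernel code. Each variant is a generator that yields the system calls it wants to make; the monitor collects one call from every variant, treats a crash or a parameter mismatch as a detection, and otherwise makes the call once and hands the same result back to all of them. The toy request handler, its 8-byte buffer, the simulated overflow and the 16-bit partitioned address space are constructed for illustration.

```python
from typing import Any, Callable, Generator, List, Tuple

Syscall = Tuple[str, tuple]   # (name, args) exactly as a variant would issue it

ADDR_BITS = 16       # assumed toy address width (partitioning as on slide 8)
BUFFER_SIZE = 8      # assumed size of the handler's stack buffer


class VariantCrash(Exception):
    """Detection behaviour: the variant tried to reach an address it does not map."""


def server_variant(partition_bit: int) -> Callable[[bytes], Generator[Syscall, Any, None]]:
    """Factory for a toy request handler whose code lives in one half of the address space."""
    def handle(request: bytes):
        if len(request) <= BUFFER_SIZE:
            n = yield ("write", (1, request))   # echo; the monitor sends back the byte count
            assert n == len(request)
            return
        # Simulated stack overflow: the two bytes after the buffer land on the return address.
        ret = int.from_bytes(request[BUFFER_SIZE:BUFFER_SIZE + 2], "little")
        if (ret >> (ADDR_BITS - 1)) != partition_bit:
            raise VariantCrash(f"return to {ret:#06x} outside partition {partition_bit}")
        # Control reached attacker-chosen code, which in this toy asks for a shell.
        yield ("execve", ("/bin/sh",))
    return handle


def kernel_effects():
    """Stand-in for the real kernel: the single place where effects happen."""
    log: List[tuple] = []

    def write(fd, data):
        log.append(("write", fd, data))
        return len(data)

    def execve(path):
        log.append(("execve", path))
        return 0

    return {"write": write, "execve": execve}, log


def monitor(variants, request: bytes):
    """Drive the variants in lock step over one request.

    Each round collects one system call from every variant. A crash or a
    parameter mismatch is a detection and nothing reaches the kernel for
    that round; otherwise the call is made once and every variant receives
    the same result. Returns (status, detail, effects_log)."""
    table, log = kernel_effects()
    gens = [v(request) for v in variants]
    reply = None
    while True:
        calls: List[Syscall] = []
        for i, g in enumerate(gens):
            try:
                calls.append(g.send(reply))
            except StopIteration:
                calls.append(("exit", ()))
            except VariantCrash as e:
                return ("detected", f"variant {i} crashed: {e}", log)
        if any(c != calls[0] for c in calls):
            return ("detected", f"system-call mismatch across variants: {calls}", log)
        name, args = calls[0]
        if name == "exit":
            return ("ok", None, log)
        reply = table[name](*args)


VARIANTS = [server_variant(0), server_variant(1)]

# Constructed inputs: a benign request, and an overflow whose forged return
# address (0x0040) is mapped only in partition 0.
BENIGN = b"hello"
OVERFLOW = b"A" * BUFFER_SIZE + (0x0040).to_bytes(2, "little")

if __name__ == "__main__":
    print(monitor(VARIANTS, BENIGN))
    print(monitor(VARIANTS, OVERFLOW))
```

Because effects are delayed until every variant has produced its call for the round, the execve that variant 0 asks for never reaches the kernel: variant 1 crashes in the same round, and the effects log stays empty. The real kernel prototype has the same shape but, as the slide notes, pays for its low overhead with a lack of isolation between the variants.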

  14. Divert Sockets Implementation
     • Process intercepts traffic (nvpd)
     • Uses divert sockets to send copies to isolated variants (can be on different machines)
     • Waits until all variants respond to a request before returning to the client
     • Adjusts TCP sequence numbers so that each variant appears to have a normal connection
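The two connection-level duties on slide 14 (wait for every variant, and keep each variant's TCP sequence space consistent with the one the client sees) are illustrated by the added Python example below. It is not nvpd's code, and the class and function names are hypothetical: the page says only that sequence numbers are adjusted, not how nvpd does it. The example keeps a per-variant offset between the variant's own initial sequence number and the canonical one the client was shown, translates in both directions with 32-bit wraparound, and forwards a response only when all variants have replied with the same payload at the same stream position.

```python
MOD = 1 << 32   # TCP sequence numbers are 32-bit and wrap


class SeqTranslator:
    """Per-connection bookkeeping for one client talking to several variants.

    The client sees one server sequence space (the canonical one); each
    variant picked its own initial sequence number (ISN), so the proxy shifts
    the client's ACK numbers into each variant's space and shifts each
    variant's SEQ numbers back into the client's."""

    def __init__(self, canonical_isn: int):
        self.canonical_isn = canonical_isn % MOD
        self.offset = {}   # variant id -> (variant_isn - canonical_isn) mod 2^32

    def learn_variant_isn(self, vid, variant_isn: int) -> None:
        self.offset[vid] = (variant_isn - self.canonical_isn) % MOD

    def ack_to_variant(self, vid, client_ack: int) -> int:
        """Client-to-variant direction: rewrite the ACK the client sent."""
        return (client_ack + self.offset[vid]) % MOD

    def seq_to_client(self, vid, variant_seq: int) -> int:
        """Variant-to-client direction: rewrite the SEQ the variant sent."""
        return (variant_seq - self.offset[vid]) % MOD


def forward_response(translator: SeqTranslator, responses: dict):
    """Monitor step: wait for every variant, then forward one canonical segment.

    `responses` maps variant id -> (seq, payload) as received from that
    variant. Returns ('waiting', missing_ids), ('detected', reason) or
    ('forward', (canonical_seq, payload))."""
    missing = sorted(set(translator.offset) - set(responses))
    if missing:
        return ("waiting", missing)
    payloads = {payload for _, payload in responses.values()}
    if len(payloads) != 1:
        return ("detected", "variants returned different payloads")
    seqs = {translator.seq_to_client(vid, seq) for vid, (seq, _) in responses.items()}
    if len(seqs) != 1:
        return ("detected", "variants are at different points in the stream")
    return ("forward", (seqs.pop(), payloads.pop()))


# Constructed sample connection: three variants with very different ISNs, the
# canonical space chosen near the 32-bit wrap point so wraparound is exercised.
VARIANT_ISNS = {"P1": 0xFFFFFFF0, "P2": 0x00000010, "P3": 0x12345678}


def demo():
    t = SeqTranslator(canonical_isn=VARIANT_ISNS["P1"])   # client sees P1's space
    for vid, isn in VARIANT_ISNS.items():
        t.learn_variant_isn(vid, isn)
    # Every variant has sent the same 5-byte response starting at its own ISN+1.
    responses = {vid: ((isn + 1) % MOD, b"HTTP/") for vid, isn in VARIANT_ISNS.items()}
    return t, forward_response(t, responses)


if __name__ == "__main__":
    t, decision = demo()
    print(decision)
    # The client's ACK for those 5 bytes, as each variant must see it.
    for vid in VARIANT_ISNS:
        print(vid, hex(t.ack_to_variant(vid, 0xFFFFFFF6)))
```

A response from only some variants leaves the proxy waiting, which is the "delay effects until all variants finish" rule of slide 6 applied at the network boundary; a payload that differs between variants is reported rather than forwarded.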

  15. Divert Sockets 3-Variant System (diagram: Input from Client enters nvpd on the Server; its Polygrapher copies the input to P1, P2 and P3, and its Monitor compares their responses to produce the Output to Client)

  16. Results
     • Implemented 3-Variant system
       • Address space partitioning
       • Instruction set tagging
     • Thwarts any attack that:
       • Depends on referencing an absolute address
       • Depends on executing directly injected code
     • Latency overhead (Apache): chart

  17. Open Problems
     • Non-determinism, persistent state
     • Formally establishing normal equivalence
       • Statically + dynamically
     • Variations to prevent larger classes of attacks
       • File naming, scheduling, protocol, configuration, etc.
       • Limited by need to preserve (unspecified) application semantics

  18. N-Variant Systems Summary
     • Use artificial diversity in a controlled way
     • Framework requires the attacker to compromise multiple variants “simultaneously”
     • Create variations that make this impossible (for important attack classes)
     • Opens the promise of system security proofs that do not require any assumptions about keeping secrets

  19. Credits: Ben Cox, Jack Davidson, David Evans, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen-Tuong, Jonathan Rowanhill
