Comparing Different Moving Target Defense Techniquesphp.scripts.psu.edu/muz16/pdf/p97-xu.pdf ·...

Comparing Different Moving Target Defense Techniques

Jun XuPennsylvania State University

[email protected]

Pinyao GuoPennsylvania State University

[email protected]

Mingyi ZhaoPennsylvania State University

[email protected] F. Erbacher

Army Research [email protected]

Minghui ZhuPennsylvania State University

[email protected]

Peng LiuPennsylvania State University

[email protected]

ABSTRACTMoving Target Defense techniques have been proposed toincrease uncertainty and apparent complexity for attackers.When more than one Moving Target Defense techniques areeffective to limit opportunities of an attack, it is required tocompare these techniques and select the best defense choice.In this paper, we propose a three-layer model to evaluateand compare effectiveness of different Moving Target De-fenses. This model is designed as an attempt to fill a gapamong existing evaluation methods and works as a system-atic framework for Moving Target Defense comparison.

Categories and Subject DescriptorsI.6 [Computing Methodologies]: Simulation And Mod-elling

General TermsDefense; Model; Evaluation

KeywordsMoving Target Defense Techniques; Performance Evalua-tion; Three Layer Comparing Model

1. INTRODUCTIONMoving Target Defense (MTD) techniques are defense mech-

anisms via changing aspects of a system (e.g. an enterprisenetwork supporting a business) to prevent attacks. The ba-sic idea is to hide properties of a system that are required byattackers to leverage an exploit [12]. Plenty of MTD tech-niques [22, 25, 23, 6, 3, 11, 7, 13, 1, 26, 2, 31] have beendeveloped to protect a system against various attacks.

In Table.1, we abstractly present effectiveness of differentMTD instances against different attack instances. An MTDinstance refers to the set of MTDs deployed in a system. Inan MTD instance, each MTD is deployed to protect one ormultiple programs in the system. For example, {Address

Copyright 2014 Association for Computing Machinery. ACM acknowledges that thiscontribution was authored or co-authored by an employee, contractor or affiliate of theUnited States government. As such, the United States Government retains a nonexclu-sive, royalty-free right to publish or reproduce this article, or to allow others to do so,for Government purposes only.MTD’14, November 3, 2014, Scottsdale, Arizona, USA.Copyright c© 2014 ACM 978-1-4503-3150-0/14/11 ...$15.00.http://dx.doi.org/10.1145/2663474.2663486.

Space Layout Randomization, Code Sequence Randomiza-tion, Instruction Set Randomization} is an MTD instanceto mitigate buffer overflow attacks. Likewise, an attack in-stance refers to a set of attack actions launched against asystem. These actions in an attack instance may form amultiple-step attack, or work independently to exploit thesame vulnerability in a system. For example, {Code Injec-tion, Return-to-libc Attack, Return Oriented ProgrammingAttack } is an attack instance to exploit a buffer overflowvulnerability. Effectiveness represents in which aspects anMTD instance can mitigate an attack instance. For instance,Instruction Set Randomization can prevent Code Injectionin a buffer overflow exploitation.

As shown in Table.1, an attack instance could be miti-gated by multiple MTD instances. In such cases, it is nec-essary to compare applicable MTD instances and select thebest one. In this paper, we study the problem of comparingMTD instances in a mission-centered way. From the pointview of a system, a mission refers to one or multiple tasks tobe completed for a certain purpose. For example, decrypt-ing an encrypted file is one mission for a crypto system.Specifically, our problem could be stated as:

When an attack instance is generated against a systemfor a mission, we want to understand how the mission willbe impacted when different MTD instances are deployed toneutralize the attack instance.

aaaaaaaDefenses

Attacks{a1, a2, ...an1} {a2, a4, ...an2} ... {a3, a6, ...anp}

{d1, d2, ..., dt1} {eff1, eff2, eff3} ∅ ... ∅{d3, d6, ..., dt2} ∅ {eff4, eff5, eff6} ... ∅

... ... ... ... ...{d5, d10, ..., dtq} {eff1, eff3} ∅ ... {eff1, eff2, eff3}

Table 1: MTD v.s. Attack: Each cell representseffectiveness of an MTD instance against an attackinstance. If an MTD instance produces no effectson an attack instance, the corresponding cell is filledwith an empty set.

Existing methods to evaluate the effectiveness of MTDtechniques could be classified into two categories: low-levelmethods [28, 30] and high-level methods [32, 19].

Low-level methods evaluate MTDs through attack-basedexperiments. In the experiments, attacks are launched tocompromise a program secured by MTDs. Low-level con-texts are captured to reflect how attacks affect the program.Such effects are interpreted to evaluate the deployed MTDs.However, low-level methods express evaluation results asprogram status, which require extra interpretations before

97

being used as comparison metrics. Also, low-level methodsreflect how attacks impact individual programs separately,without considering interactions between programs. Con-sequently, low-level methods are unable to capture effectspropagation between programs. This makes low-level meth-ods unable to evaluate effects of attacks on a whole systemthat contains multiple interconnected programs.

High-level methods evaluate MTDs based on simulationexperiments, probability models, or a combination thereof.High-level methods require little knowledge about low-levelcontexts. Applicable scope of a high-level method variesfrom individual programs to large systems with multipleprograms. Besides, high-level methods present evaluationresults in an explicit way, which could be directly used forMTDs comparison. However, high-level methods evaluateMTD techniques based on abstracted information, ratherthan contexts of programs. Consequently, results from high-level methods are abstractions or approximations of reality,which makes it less convincing.

A method for MTD comparison requires merit both fromlow-level methods and high-level methods. However, theadvantages of low-level methods are deficiencies of high-levelmethods, and vice versa. A method to incorporate meritsof both is missing, and we regard such as a gap betweenlow-level methods and high-level methods. The motivationof our work is to design an evaluation method to fill the gap,and use our method for MTD comparison.

In this paper, we propose a three-layer model as an at-tempt to fill the gap. The first layer is expected to capturethe low-level contexts information of individual programsin a system; the second layer models interactions betweendifferent programs and enables our model to apply in a sys-tem scale; the third layer is designed as a user interface,which abstracts impacts of different attacks and defenses ona mission and provides an uniform and explicit channel forMTD techniques comparison. We design a case study todemonstrate the feasibility of such a model. A comprehen-sive evaluation on this model would be our future work.

2. REVIEW OF MTD TECHNIQUES ANDEVALUATION METHODOLOGIES

2.1 MTD Techniques

2.1.1 Software-based DiversificationExisting works achieve Software-based Diversification via

directly manipulating software or relying on compilers toproduce diversification.

Software Manipulation The technique of software manipu-lation enhances security via changing software functionalityto eliminate vulnerabilities or limit their exposure. Accre-tion, excision, and replacement of functionality are all lever-aged as manipulation mechanisms. Input rectification is anexample of accretion mechanism. Via inserting functions tomanipulate inputs in software, input rectification convertseach input to stay in a secure zone. For instance, the Pineemail rectifier is developed to force messages into a specificconstrained form in [24]. In order to simplify software behav-ior and possibly avoid vulnerabilities, functionality excisionremoves functional but non-critical sections of a program,which may introduce result noise, but normally will notcause failure [22, 25]. Functionality replacement switches

between different implementations of the same function in aprogram, and thus generates system variation to neutralizeattacks [23].

Compiler-generated Diversity Jackson et. al [11] presentedtwo types of compiler-based diversity techniques: Malt-VariantExecution Environment (MVEE) and Massive-Scale Soft-ware Diversity (MSSD). Both of these techniques rely on au-tomated tools, especially the compiler, to produce function-ally equivalent, but internally different program variants.

Within MVEE, multiple semantically equivalent variantsof a program are executed, and their behaviors are comparedat synchronization points. Diverging behavior detected dur-ing synchronization indicates potential attacks. As earlyas the 1970s, Chen and Avizenis [6] developed a techniqueknown as N-Version Programming, to generate N ≥ 2 func-tionally equivalent programs. The mechanism required toachieve N-Version Programming could be completed by acompiler. The SQL interpreter known as SQLrand, pre-vents SQL injection by randomizing the Standard QueryLanguage, and reflects the idea of MVEE [3].

MSSD refers to the idea of releasing diversified softwarevariants to each user, and thus hides the internal structureof the software variants from attackers. Code Sequence Ran-domization (CSR) is a MSSD technique that uses instruc-tion scheduling, call inlining, code hoisting, loop distribu-tion, partial redundancy elimination, and many other com-piler transformations to generate variants of machine codes.CSR could mitigate attacks that rely on knowledge aboutinstruction at certain locations, such as return oriented pro-gramming attack [27, 5]. Equivalent Instructions (EI) isanother MSSD technique. In software, EI stands for a set ofinstruction sequences that have identical effects and can besubstituted for one another. Variants of machine code couldbe produced by replacing instructions through EI [11] (e.g.,loop unrolling).

2.1.2 Runtime-based DiversifitcationMany defenses techniques mitigate attacks via introduc-

ing diversification in runtime environments. Address SpaceLayout Randomization (ASLR) [28] is a widely known ex-ample of Runtime-based Diversification techniques. ASLRrandomly arranges starting positions of key code and dataareas in a process’s address space, including the base mem-ory address of the executable, the stack, the heap, and thelibraries, to prevent an attacker from correctly jumping to aparticular exploited function in memory. Kc et al. presentan Instruction Set Randomization (ISR) algorithm basedMVEE technique. With ISR, operators in machine instruc-tions are encoded with a randomization key during com-pilation. Immediately before execution, operators in ran-domized instructions are required to be correctly decoded.In a program instance with ISR, code injected by attack-ers will not properly encoded but still go through the de-coding process. This leads to illegal CPU instructions andexceptions, or at least different execution results from theprogram instance without ISR [14]. System Call NumberRandomization (SCNR) is another Runtime-based Diversi-fication technique related to ISR. Instead of encoding in-structions, SCNR encodes system calls in a program. WithSCNR, execution of injected code that contains incorrectlyencoded system call leads to an error, or a different resultfrom the normal program [7, 13].

98

2.1.3 Communication DiversificationTechniques of communication diversification protect sys-

tems against network related attacks, in a way to hide in-ternal information or communication protocols. Christodor-escu et al. propose to change the internals of a system, aim-ing at defending attacks that rely on internal knowledge ofthe system. For instance, periodically altering the schema ofthe database of a website, such as changing table titles, couldmitigate SQL injections but without causing service failures[8]. The Mutable Networks (MUTE) [1] defense architec-ture proposed by Al-Shaer enables systems to automaticallychange communication configurations, and thus reduce ad-versary’s capabilities in target scanning or exploiting. WithIP randomization, a network would change its IP addressfrequently, and only synchronize new IP addresses with au-thorized users. Hence, attackers are segregated from thenetwork. Another technique called Random Finger Print-ing in MUTE enables a system to interpret and modify itsresponse to outside requests. Fake information of a systemexposed to the public, such as OS type and application iden-tity, and such information could hinder remote exploitation.

2.1.4 Dynamic Platform TechniquesDynamic platform techniques (DPT) change platform prop-

erties to stop attacking processes [18]. Temporal changes(e.g. virtual machine rotation) and diversity (e.g. multi-ple variants execution) are widely used as DPT techniquesfor system protection. DPT techniques at compiler-levelhave been discussed above, so we focus on machine-level/OS-level DPT techniques, which includes migration-based tech-niques, server-switching techniques, and self-cleansing tech-niques. Migration-based techniques, such as Talent [17],leverage OS-level virtualization to create a virtual executionenvironment for migrating a running application across dif-ferent platforms and preserving the state of the application.DPT could also be achieved by switching between differentimplementations of servers. Saidane et al. [26] propose thedeployment of redundant servers with diverse software (e.g.Apache and IIS) in a web system. Redundancy improves sys-tem availability, and diversification increases the difficulty ofvulnerability exploitation. Self-cleansing techniques changecurrent platform instance without diversification, such as re-imaging the OS. SCIT [2] achieves self-cleansing by decom-missioning a server that has been exposed to the Internetfor a predetermined period of time, and launching a pristinecopy of the server. Ideas of DPT are also used in workson assessing software reliability. For instance, Zhang andLiu [31] designed and deployed diverse-drivers based repli-cas of virtual machines (Heter-device), to compare run-timebehaviors of drivers from different vendors. Replicas in aHeter-device load heterogeneous drivers for identical virtualdevices. The behavior of these drivers are compared to cap-ture inconsistencies as evidence of un-trustworthiness.

2.2 MTD Evaluation Methodologies

2.2.1 Attack-based ExperimentsAttack-based experiments evaluate an MTD by measur-

ing the amount of effort to compromise a program guardedby the defense. Shacham et al. explore the effectivenessof ASLR on Linux against a return-to-libc attack [10]. Intheir study, PAX ASLR was deployed to randomize Apache’suser address space, which leads to an unpredictable offset of

libc in virtual memory. However, they correctly guessed thebase address of libc through brute force, and compromisedthe Apache server with a subsequent return-to-libc attack.On average 216 seconds were required for a successful guess(under PAX with ≤ 24 bits randomization space) [28].

Inspired by Schacham et al’s work, Sovarel et al. devel-oped a technique to attack ISR-protected servers. They in-crementally broke the keys used by ISR to encode instruc-tions, through a chosen-ciphertext attack. Experimental re-sults demonstrated that on average 283.6 seconds were re-quired to crack the 32 bytes keys used by ISR, with a successrate as high as 98% [30]. Attack-based experiments quantifysecurity provided by MTD against a motivated adversaryand bring insight as to how to improve MTD techniques (e.g.keys with longer length are required in ISR). During exper-iments, contexts of the program, including user level con-texts (heap, stack, code, and data) and OS related contexts(e.g. opened files), are tracked and analyzed for evaluation.Attack-based experiments reflect what happens to a pro-gram when attacks occur. However, this evaluation methodonly reflects how attacks impact individual programs sep-arately, without considering impacts propagation betweenprograms. Further, the experiment results are representedby context statuses, which might need further interpretationto be used as comparison metrics.

2.2.2 Probability ModelProbability models are frequently used to analyze MTDs.

First, probability models are used to analyze attacking suc-cess when MTDs are deployed. Zhang et al.’s work [32]provides a model to reflect the relationship between diver-sification frequency of MTD and successful probability ofattacks. Second, probability models are proposed to under-stand the effort required to crack the randomization keysused by some MTDs [28, 30]. Third, Okhravi et al. [19]deduced a probability model to predict the expected timerequired for an attack to compromise a system that is pro-tected by MTDs. In a probability model, specifics of sys-tems, attacks and defenses are abstracted as probability pa-rameters. For instance, in [30], the length of the randomiza-tion key in ISR is represented as a numeric variable relatedto the probability of a successful attack. A probability modeldeals with effects of attacks and defenses in a concise way,which are often represented as the success rate of an attack.However, in a probability model, high excision and abstrac-tion of contexts at low-level might lead to missing of keyinformation and mismatch between the model and the realscenario.

2.2.3 Simulation-based EvaluationZhang et al. [32] propose a simulation-based approach to

study the effectiveness of MTD techniques. In their study,a simulating network based on NeSSi2 [4] is constructed,where Communication Diversification and machine-level Dy-namic Platform are deployed as MTD techniques. Peri-odic attacks are conceptually launched based on an attackgraph to compromise a mission. The success of an attackis determined by a pre-defined probability model and a spe-cific MTD implementation. Results of the simulation quan-tify the relationship between successful attacks and differentMTD settings (e.g. frequency of diversification). In theirsettings, for instance, the ratio of successful attacks is 50%when MTD is switched off, which shrinks to 16.2% if fre-

99

quency of diversification via MTD reaches 20 per time unit.Thus, such a method explicitly evaluates the effectiveness ofMTD techniques, and enables defenders to implement MTDproperly under different security requirements.

With a simulation-based approach, a whole system canbe abstracted as numeric parameter (in the simulating net-work), and there is no restriction on the specifics of attacksand defenses. Thus, a simulation-based method providespeople with a uniform approach to evaluate MTD techniqueswith the least effort. Nevertheless, no real system is involvedfor evaluation. Therefore, lessons learned from a simulation-based approach are not well-supported and might deviatefrom the real world.

2.2.4 Hybrid ApproachesResearchers also study MTD techniques based on hybrid

approaches. Okhravi et al.’s work [19] explores the effective-ness of MTD techniques, especially DPT , using a combina-tion of the three approaches explained above. They sim-ulated a system with multiple servers based on Talent [9],and deployed machine-level DPTs as MTDs. On several ma-chines in the system, two vulnerabilities CVE-2010-4165 andCVE-2010-4249 were set up. Attacks targeting at the twovulnerabilities were conducted periodically, and the successrate of the attacks were recorded. Okhravi et al. evalu-ated the effectiveness of an MTD by measuring the lengthof time when the MTD neutralizes the attacks. Differentresults are presented when different features are providedby defenses. Separate probability models are constructed toillustrate the effectiveness of different features. Inspired bythe similarities between these probability models, Okhraviet al. generalize a probability model to predict the effec-tiveness of DPTs. The generalized model involves primaryawareness of system specifics (e.g. the frequency of platformdiversification), and estimates the effectiveness of an MTDin a concise way (e.g. success time of an attack).

Though experimental results are used in a hybrid method,evaluation from such a method could still be insufficient toreflect the reality. First, results from the experiments arebased on information of coarse granularity, which can notdemonstrate what exactly happens inside a system. For in-stance, all information of a divide-by-zero error is abstractedout as merely being a successful attack and how this attackwould affect the system is neglected. Second, experimentalresults are abstracted out when being used for deducing thespecific probability models. Third, the process of construct-ing a general model also involves abstraction, which couldresult in further loss of evaluation precision.

3. THERE IS A GAPThe above four methodologies evaluate MTD techniques

based on different information and describe evaluation re-sults in different ways. Further, these methodologies havedifferent application scopes.

3.1 Low-level MethodsAttack-based experiments look into a program and focus

on the contexts of the program when an attack happens.For instance, in the experimental attack against ASLR [28],multiple context objects are collected for evaluation: (1)location of the buffer to be overwritten; (2) base-address oflibc in memory; (3) functions in libc to be attacked; (4)actions for compromising the program. We term such a

method a low-level method, as it collects low-level contextinformation for evaluation. As explained, a low-level methodinvolves information with fine granularity, thus producingevaluation results with high accuracy.

However, it is difficult to compare MTDs directly based onevaluation through attack-based experiments. First, attack-based experiments present results through program contexts,which cannot be directly used as comparable metrics. It isnecessary to interpret those contexts into attack status. Forinstance, in the attack experiment against ASLR [28], thestatus of the instruction pointer register could be interpretedas whether a return-to-libc is successful. Second, it is neces-sary to translate the attack status into explicit expression ofeffects on a mission. For example, arbitrary code-executionvia a return-to-libc attack should be interpreted as indicat-ing that the mission is under control by attackers.

Further, a low-level method works at the scope of an indi-vidual program. When used in a system with multiple inter-connected programs, a low-level method has limited applica-bility. Such limitations are caused by the absence of a modelfor interaction between different programs. Attack effectsthat propagate through program interactions could not becaptured by a low-level method. For instance, if Program1interacts with Program2 via a common database, damagecaused to the database by Program1 could propagate toProgram2. Such propagated damage might lead to furthereffects on Program2, but they can not be identified by eval-uation on Program2 by low-level methods.

3.2 High-level MethodsThe other three methodologies (including simulation-based

evaluation, probability model, and hybrid methods) evaluateMTD techniques from the scope of a whole system, whichwe call high-level methods. Contrary to low-level methods,high-level methods use information with coarser granularityfor evaluation. First, system specifics are abstracted in high-level methods. In some cases, the only required informationof a system is whether it contains certain vulnerabilities.Second, specifics of a defense are represented as general in-formation: whether a defense is deployed; what attacks canbe mitigated; the frequency of diversification if the defenseinvolves diversification. Third, in a high-level method, at-tacks are often abstracted as two variables: success rate andeffects. Success rate of an attack is either determined by aprobability model or defense specifics. Effects of an attackare expressed explicitly (e.g. time duration when the attacksucceeds), which could be directly used for comparison.

High-level methods also differ from low-level methods interm of application scope. Low-level methods focus on eval-uating MTD in a single program, while high-level methodsevaluate MTD in a whole system.

However, high-level methods possess the above two advan-tages via regarding a system as a black box. Low-level con-texts are largely abstracted or neglected in high-level meth-ods, so it is difficult for high-level methods to reflect whatreally happens in a system.

3.3 The GapWe regard the differences between low-level methods and

high-level methods as a gap. To the best of our knowledgethere is no existing works on linking the two types of meth-ods.

100

4. A NEW EVALUATION METHODIn this paper, we propose a new evaluation method that

tries to fill the gap between low-level methods and high-levelmethods. First, we would like to discuss the evaluation set-tings of our method, and we will present a concrete exampleof a practical system with such settings in the next sectionfor a case study.

4.1 The Evaluation SettingsWe evaluate MTD techniques against attacks in a system

that consists of multiple interconnected programs. This sys-tem is designed to support a mission, and a set of attacksare launched to cause the mission to fail. The evaluationaims to understand how well MTD techniques protect themission when attacks occur. And it is assumed that we haverequired knowledge of the system, the programs in the sys-tem, the mission supported by the system, the set of attacks,and the available MTD techniques.

The system Sys contains N programs {P1, P2, ..., PN }.Each program provides resources for Sys, and these resourcesrefer to low-level contexts of a program. We denote con-texts for Pi as a set of objects {ci1, ci2, ..., citi}. We fo-cus on five types of contexts: (1) data objects in the stack;(2) data objects in the heap; (3) code segments; (4) dataobjects in the data segment; (5) OS related contexts (e.g.files and sockets). To complete the mission Mis, it re-quires {cim1 , cim2 , ..., cimqi} from Pi. The set of attacksto fail the mission are known as Att = {a1, a2, ..., ana}.Each attack in Att aims at damaging resources from pro-grams. We denote the resource objects from Pj targetedby ak as {cja1 , cja2 , ..., cjark}. The available set of MTDtechniques are MTD = {d1, d2, ..., dnd}. In contrast withattacks, each MTD expects to secure resource of some pro-grams. We denote the resource objects from Pg protectedby dh as {cgd1 , cgd2 , ..., cgdvh}.

We provide evidence here to indicate that the settingsare reasonable. First, we assume that we know what pro-grams are included in a system and whether they are in-terconnected. We believe this knowledge can be identifiedfrom system descriptions. Second, we assume that we haveknowledge about contexts of a program and we summarizedfive types of contexts in the previous paragraph. In fact,such knowledge has been used by low-level methods in theirevaluation settings [28, 30]. Thus, the second assumption isalso supported. Third, we assume that we have the knowl-edge about the required set of resources to complete Mis.Though it is hard to precisely determine such a set, we canat least identify a superset of the required resources. Forexample, the set that includes all resources from each pro-gram in Sys must be such a superset. However, how toreduce redundancy in the superset depends on the missionspecifics. Fourth, we assume that we have knowledge aboutwhat resources are targeted by an attack or protected bya defense. We believe such an assumption is well founded,because low-level methods [28, 30] evaluate MTD based onsuch knowledge.

4.2 Three-layer ModelWithin the evaluation settings, we propose a three-layer

model as an attempt to fill the gap. As shown in Figure.1,the first layer captures low-level contexts information fromindividual programs. For each program, a state machine iscreated to present how attacks cause damage to the pro-

gram. The second layer connects state machines from thefirst layer, and models damage propagation between differ-ent programs. In this layer, a state machine is constructed todemonstrate how attacks damage a system. The third layerexplicitly expresses evaluation results to work as a user in-terface. Information from the second layer is abstracted andincluded in the third layer.

Each layer is modeled as a set of state machines. First,state machine is a widely used and accepted computationalmodel in computer science [15]. Second, our model is ex-pected to describe change happens in a system when attacksand MTDs occur. So the ability of sate machine to deal withchange/transition satisfies our requirements.

4.2.1 The First Layer: Program State MachineIn the first layer, a state machine (abbr. PSM) is created

for each program. We anticipate a PSM to represent how anattack instance and an MTD instance would affect resourcesin the program. Before discussing details of a PSM , wewould like to introduce the basics of a general state machine.A state machine could be presented as {Q,

∑, δ, q0, F}, in

which, Q is a set of states;∑

is a set for the input alphabet;δ : Q ×

∑→ Q is the state transition function; q0 ∈ Q is

the start state, and F ⊆ Q is the set of accept states [29].Likewise, a PSM could be described as a tuple with 5 el-

ements {Q P,∑

P, δ P, q0 P, F P}. For simplicity, we dis-cuss PSMi for Pi as an example:Q Pi: States of PSMi refer to damage on {ci1, ci2, ..., citi}.

For each cij(1 ≤ j ≤ ti), we present its status as a set of logicstatements, and such statements are interpreted as damageto cij . And a set of applicable logic statements for cij ispre-defined. For instance, given a buffer Buf with nb bytesallocated space, there are two different statements aboutits length when Buf is accessed: (1) len(Buf) ≤ nb (2)len(Buf) > nb. Damage to Buf is null, if len(Buf) ≤ nb;while damage to Buf is Buffer Overflow or Buffer Over-read, if len(Buf) > nb. Three steps are necessary to de-termine the state of a program. First, for each cij(1 ≤j ≤ ti), applicable logic statements are selected from theset of available statements. Second, each selected state-ment of cij is translated to damage on cij . The trans-lation is completed according to a mapping function, andwe denote it as Dam(cij). The function Dam dependson specifics of available logic statements. Third, the vec-tor {Dam(ci1), Dam(ci2), ..., Dam(citi)} is constructed as astate of PSMi.∑

Pi: Three types of input to Pi are regarded as inputevents to PSMi: data from network traffics (I DN); datafrom local devices (I DF ) (e.g. local disk and keyboard);data through Inter-process Communication (IPC) (I DI).I DN and I DF could be affected by users, which are re-garded as external inputs. I DI are transparent to users,which are regarded as internal inputs. However, we do notmodel some special inputs, if either they are controlled bythe operating system (e.g. SIGXCPU for CPU time limitexcess), or it is too complicated to be handled (e.g. signalcommunication between threads).δ Pi(Q P ×

∑Pi → Q Pi): In this model, the transition

function of a PSM is defined by the program itself, and eachtransition is caused by one execution of the program. Givencontext status and an input to a program, the period duringwhich the program processes the input is regarded as oneexecution. Such a processing period starts when a program

101

Start

Accept

Start

Damage 1

Accept*(Crash)

Start

Damage 2

Accept

Start

Damage 3

Accept

Input 1 Input 2

Input 3

Input 4

Input 5

Input 6

Input 9 Damage 4

Input 7

Input 8

Program 1:No AttackNo Defense

Program 1:Attack 1No Defense

Program 1:No AttackDefense 1

Program 1:Attack 1Defense 1

Start

Accept

Start

Damage 5

Accept

Start

Damage 6

Accept

Start

Damage 7

Accept

Input 10 Input 11

Input 12

Input 13

Input 14

Input 15

Input 16

Damage 8

Input 17

Input 18

Program 2:No AttackNo Defense

Program 2:Attack 1No Defense

Program 2:No AttackDefense 1

Program 2:Attack 1Defense 1

PSM Variants for Program 1 PSM Variants for Program 2

SSM Variants for System

P1Start

SystemDamage 5

AcceptInput 11 Input 12

P2Start

SystemDamage 1

Accept*(Crash)

Input 2 Input 3

MissionStart TE

ESM For the Mission

Mission Start

(Dam1, DamInf1, AttSur1 )



Dam: DamageDamInf: Damage Infection

AffSur: Attack Surface

Figure 1: Three-layer model for MTD evaluation (The bottom part presents PSM variants for two programsin the first layer; the middle part presents SSM variants for the system consist of Program 1 and Program 2,as the second layer; the top part presents the ESM constructed based on the middle part, as the third layer.Only one defense and one attack are considered in this figure).

receives the input, and ends when status of the programremains unchanged without subsequent inputs. During oneexecution, if contexts changes and different damage is causedto resource objects, a transition occurs.q0 Pi: When a program finishes initialization and receives

no inputs, its state is regarded as the start state.F Pi: There are three different accept states. First, when

no further damage can be caused to {ci1, ci2, ..., citi} by anyinput, Pi arrives at an accept state. Second, when Pi crashesand can receive further no inputs, Pi arrives at an acceptstate. Third, when a object in {cim1 , cim2 , ..., cimqi} is sodamaged that becomes unavailable to Pi and Mis can neverbe completed without the object, the mission arrives at anaccept state. For instance, if the file for decryption keys isdeleted by an attack, the mission to decrypt an encryptedfile can never be completed.PSMi as above is defined when a program is under a cer-

tain pair of attack instance and MTD instance. However,when different pairs of attack instance and defense instanceoccur, PSMi would be transformed in two aspects. First,new states could appear. For instance, a newly identified

zero-day attack could lead to new damage on {ci1, ci2, ..., citi},which would introduce a new state. Second, new transitionscould appear. For example, when new states appear, newtransition must appear to connect these new states with ex-isting states. When Pi is under no attacks and defenses,we define the PSMi to be clear. When Pi is under a pairof attack instance and defense instance, we call the corre-sponding PSMi a variant of the clear PSMi and we labelthe PSMi variant with the pair.

4.2.2 The Second Layer: System State MachineThe first layer models each program in Sys separately,

without considering interactions between different programs.Consequently, the first layer could not tell how damage prop-agates through programs, and is unable to evaluate damageto the whole system.

In our model, the second layer is designed upon the firstlayer. This layer is expected to model interaction betweenprograms, and present damage caused to Sys. Similar to thefirst layer, the second layer is designed as a state machine{Q S,

∑S, δ S, q0 S, F S}, and we name it a System State

102

Machine (SSM). Algorithm.1 in Appendix.A demonstrateshow an SSM is generated.

Two procedures are included in Algorithm.1. The firstprocedure INTERACT(PSMs) conservatively connects dif-ferent PSMs to model interactions between different pro-grams. Line 2 to line 6 initializes SSM . Def(q0S) definesq0 S as the start state, which is a virtual state; F S andδ S are initialized as empty sets; TE stands for the inputevent when transition occurs between programs. Specifi-cally, TE could be normal input event or null. Line 7 toline 12 expands SSM iteratively. All states, input events,and transitions in each PSM are included in SSM ; a tran-sition between the start state of SSM and the start stateof each PSM is included to δ S, and input event to triggerthis transition is TE. Line 13 to line 24 connects differentPSMs, to present interactions between different programs.Specifically, a transition is added between any two statesfrom two different PSMs, with TE as the input event.

When completed, INTERACT(PSMs) returns a primitiveSSM . According to such an SSM , any two programs in anystates could interact with each other. We model interactionsbetween programs in such a way, because it is hard to exactlydetermine how and when interactions would happen. For in-stance, if two programs access a common database, interac-tions between them could happen at any time. However,many interactions modeled by INTERACT(PSMs) neverhappen in practice, and thus, transitions to present thoseinteractions are redundant. We designed the second pro-cedure PRUNE(SSM) to prune redundant transitions inSSM .

The procedure PRUNE(SSM) enforces two pruning prin-ciples from line 28 to line 50 in Algorithm.1. First, if Pi

can not actively communicate with Pj , any transitions fromstates in PSMi to states in PSMj are removed. If informa-tion could flow from Pi to Pj , we say that Pi can activelycommunicate with Pj , and the function InterAct(Pi, Pj) re-turns true. Otherwise, InterAct(Pi, Pj) returns false. Sec-ond, any transition from a state in F S to another state inQ S are removed. We only propose the two principles, and itis sure that all transitions removed based on such principlesare actual redundancies.

In Algorithm.1, the SSM is constructed when the systemis under a specific pair of attack instance and defense in-stance. However, as explained previously, different pairs ofattack instance and MTD instance lead to PSM variants,and subsequently lead to variants of SSM .

4.2.3 The Third Layer: Evaluation State MachineAn SSM enables our model to analyze MTD techniques

in a system scope. However, different states in an SSMrepresent damage to different components in the system.To understand what can happen to the whole system, itis necessary to scan the state space of an SSM and collectdamage information. Also, damage information in an SSMis expressed as status of low-level contexts, which requiresfurther interpretations for being understood by general users(e.g. the mission manager). In addition, to evaluate theeffectiveness of different MTD techniques, it is necessary touse different SSM variants and switch between them.

To handle the above problems, we design the third layer,to work as a user interface. We expect this layer to supportour model in three aspects: (1) it describes damage to thewhole system in a centralized way; (2) damage is explicitly

expressed, which requires little interpretation to be under-stood; (3) a uniform mechanism to evaluate different de-fenses against different attacks is provided. This layer is de-signed as a state machine {Q E,

∑E, δ E, q0 E,F E}, and

we call it an Evaluation State Machine (ESM). An ESMis built upon variants of SSM for Sys: {SSM1, SSM2, ...,SSMNS}. Since each SSM variant is caused by a pairof attack instance and defense instance, we label differentSSM variants with {(Att1, Def1), (Att2, Def2), ..., (AttNS ,DefNS)}. For each i, we call (Atti, Defi) the label of SSMi.Now we discuss details of an ESM :Q E: For each i, SSMi is abstracted as impacts of (Atti,

Defi) on Mis, and such impacts are regarded as a state ofan ESM . In this layer, the impacts are interpreted as threemeasurements: damage (Dami); damage infection (DamInfi);and attack surface (AttSuri). First, Dami represents dam-age to the mission caused by (Atti, Defi). In this layer,Dami is explicitly presented as damage to resource objectsthat are required by Mis. If in a state of SSMi, the dam-age to a resource object is not null, then the damage wouldbe assigned to this object. If multiple damages are as-signed to a object, the largest damage or damages wouldbe kept as damage to this object. So damage could be ex-pressed as a vector Dam = {(cm1 : dam1), (cm2 : dam2),..., (cmt : damy)}. How to interpret such a damage vec-tor as damage to Mis depends on specifics of the mission,and we will give an example in the case study section. Fur-ther, any methods to quantify such a damage vector couldbe applied to get a quantitative metric of damage. Second,DamInfi represents how damage propagate through Sys toaffect Mis. Given directly damaged objects in Dami, theremaining objects in Dami are regarded as infected ones.When an attack occurs, if an object directly interacts withexternal inputs and is damaged, this object is regarded asa directly damaged object. DamInfi is measured by theinfected objects. Third, AttSuri measures the attack sur-face in Sys that can be used to damage Mis. We do notdefine attack surfaces in this paper, but our model is com-patible with many attack surface definitions. Given a modelof attack surface, AttSuri could be measured by the objectsin Dami that are defined as attack surfaces by the model.For instance, Manadhata et al. [16] define attack surface assubset of the system’s resources potentially used in attackson the system, which can help us to measure AttSur.∑

E: We regard different pairs of attack instance and de-fense instance (e.g. (Atti, Defi)) as inputs to ESM . Underdifferent pairs, different SSM variants for Sys could appearand thus lead to different states in ESM .δ E: Assuming AD = {a1, a2, ..., ana} ∪ {d1, d2, ..., dnd}

and P(AD) is the power set of AD, then ⊂ is a partialordering relation on P(AD). Thus we can create a Hassediagram (HG) for < P(AD),⊂>. Each node in HG is a setof attacks and defenses, and we divide the set into a pair ofan attack instance and a defense instance. By representingeach node with a state that is labelled by the pair, we geta new undirected graph EG. Each edge in EG represents atransition in ESM , and the transition direction is accordantwith the direction of ⊂. For instance, if node a ⊂ node b inHG, then in EG, the transition starts with the state labelledby node a and ends with the state labelled by node b.q0 E: When Sys is under no attacks and no defenses, we

think the system is clear and corresponding SSM is alsoclear. Start state is abstracted from the clear SSM .

103

F E: Accept State of an ESM is a virtual state, and it isinvolved to maintain completeness of an ESM . If a state inQ E can not transit to any other state, a transition betweenthis state and the Accepts State would be created.

4.3 Towards Filling the GapThe three-layer model is expected to fill the gap between

low-level methods and high-level methods. The first layeridentifies required contexts from individual programs as rawinformation, and interprets them as damage to Mis. In sucha way, critical low-level contexts are captured for evaluation,and contexts are translated to reduce pre-processing on con-texts in the upper layers. The second layer interconnectsPSMs for different programs, and tries to model interac-tions between different programs. This layer enables ourmodel to work in a system scale. The third layer is designedas an interface to interact with users (e.g. security man-ager). In this layer, impacts caused by attacks and defensesto Sys are explicitly abstracted as universal measurements,which can be directly used as comparison metrics.

We try to link the three layers as a whole, rather thanroughly stacking them together to fill the gap. Three hooksare designed to consolidate the whole model. First, in thefirst layer, contexts are slightly abstracted to damage to re-source objects. In this process, low-level contexts are trans-lated into damage information, and the translation main-tains sufficient low-level information for upper layers. Sec-ond, PSMs from the first layer are directly incorporatedinto the second layer, and mechanisms are designed to re-move redundancy (or mistakes) during the incorporation.Hence, we think that the first layer and second layer arehooked. Third, an SSM variant from the second layer, asa whole, is interpreted as a state in the third layer. Theinterpretation is completed based on all states in the SSM ,and required information for evaluation are reserved duringthis process. In this way, the second layer and third layerare correlated.

5. A CASE STUDYIn this section, we present a case study to elaborate our

evaluation model.

5.1 Mission and SystemThe mission is to extract information from an encrypted

and then compressed file. The compression is based on Huff-man encoding and the encryption is based on AES algo-rithm.

Two steps are required for the mission. First, data in thefile should be decompressed. Second, the decompressed dataare required to be decrypted. Though in real world, a fileshould be firstly compressed and then decrypted, this realitydoes not affect how we describe the case study.

A system is designed to support the mission. The systemconsists of two open source programs: Huffman decoder [21]for decompression and OpenAES [20] for decryption. Thetwo programs interact through a common directory. When-ever Huffman decoder gets a new file, it will decompress thefile and move it into the common directory. OpenAES pe-riodically scans the common directory and whenever a newfile is found, OpenAES will decrypt the file.

1 char KeyBuf [ 1 2 8 ] ;2 char DataBuf [ 1 2 8 ] ;

3 . . .4 f s e e k ( DataFile , 0 , SEEK END)5 f i l e s i z e = f t e l l ( D a t a f i l e ) ;6 // i f ( f i l e s i z e > 128) e x i t (ERROR SIZE ) ;7 f r ead ( DataBuf , 1 , f i l e s i z e , DataFi le ) ;8 . . .

Listing 1: OpenAES code snippet

5.2 Attack and DefenseWe insert a vulnerability into OpenAES to launch a buffer

overflow attack. As shown in Listing.1, buffer KeyBuf andDataBuf are allocated adjacently on the stack. Buffer DataBufand KeyBuf are used to store the key and encrypted data,and KeyBuf is in lower address space than DataBuf on thestack. We comment out the codes to check the size of theinput file, as showed in line 6. Once more than 128 bytesof data are read into DataBuf from the input file, KeyBuf

buffer would be overflowed.During the mission, we suppose an adversary lunches a

buffer overflow attack targeted on the revised OpenAES pro-gram. First, when the KeyBuf is partially overflowed, namelythe length of data read from DataFile exceeds 128 bytesbut less than 256 bytes, OpenAES cannot successfully de-crypt the data since decryption key is polluted. Second,an attacker can carefully design a DataFile with 256 bytes.The first 128 bytes in the DataFile are padded with fakedata that are encrypted with self-decided keys, and the re-maining 128 bytes are padded with the self-decided keys.Then the KeyBuf will be completely overflowed by 129 ∼ 256bytes in the DataFile, and OpenAES would decrypt the first128 bytes with the modified keys and return the fake date.Third, OpenAES might get data more than 256 bytes fromDataFile, which means it could pollute the KeyBuf or evenother important data on the stack. In this case, the wholeprogram might crash.

We deploy ASLR, ISR, and CSR as MTD techniques inthe system to mitigate the buffer overflow attack.

5.3 Evaluation with Three-layer ModelIn this part, we explain how to evaluate above MTDs

based on our three-layer model.

5.3.1 First LayerAs mentioned, a buffer overflow attack is launched to fail

the mission. We design a tool to track selected context ob-jects in Huffman decoder and OpenAES. In Huffman de-coder, context objects we tracked are: (1) the file that storescompressed data (datafile); (2) the memory buffer to loaddata from datafile (databuf); (3) the memory buffer fordecompressed data (outbuf); (4) the file to store data inoutbuf (outfile). In OpenAES, context objects we trackedare: (1) the file that stores encrypted data (DataFile); (2)the memory buffer to load data from DataFile (DataBuf);(3) the buffer to load decryption keys (KeyBuf); (4) the mem-ory buffer to store decrypted data (OutBuf); (5) the file tostore decrypted data (OutFile). As explained before, statusof tracked contexts are interpreted as damage, and a statemachine is created to illustrate transitions between dam-age. Figure.2-(c) shows how damage transits in Huffmandecoder and OpenAES when the attack happens and ASLRis deployed. When different MTDs are deployed, such statemachines would transform to variants.

104

ESM

A1: Buffer Overflow Attack

D1: ASLR Defense

D2: ISR Defense

D3: CSR Defense

Mission

Start

(null,

null,

null)

Dam2,

DamInf2,

AttSur2

Dam2,

DamInf2,

AttSur2

Dam2,

DamInf2,

AttSur2

Dam3,

DamInf1,

AttSur1

Dam2,

DamInf2,

AttSur2

Dam3,

DamInf1,

AttSur1

Dam3,

DamInf1,

AttSur1

Dam3,

DamInf1,

AttSur1

(A1, NULL)

Dam1: {(DataBuf, Overflowed); (KeyBuf, Overlapped); (Stack, Crash)}

Dam2: {(DataBuf, Overflowed); (KeyBuf, Tampered); (OutBuf, Tampered)}

Dam3: {(DataBuf, Overflowed); (KeyBuf, Polluted); (OutBuf, Polluted)}

DamInf1: {KeyBuf}

DamInf2: {KeyBuf, OutBuf}

AttSur1: {DataFile, DataBuf}

AttSur2: {DataFile, DataBuf, KeyBuf}

(a)Layer 3: ESM for the mission (when different MTDs are deployed)

SSM

Buffer Overflow Attack

ASLR Defense

P1

Start

Accept

(Damage Null)

Input: compressed

DataFile

P2

Start

Damage

NullInput: keyfile

Accept*

(Decryption Error*)

Accept*

(Key

Compromised*)

Accept*

(Memory Error*)

Input: DataFile (len=256)Mission

Start

Memory Error* => DataBuf Overflowed; KeyBuf Overlapped; Stack Crash

Key Compromised => DataBuf Overflowed; KeyBuf Tampered; OutBuf Tampered

Decryption Error(*) => DataBuf Overflowed; KeyBuf Polluted; OutBuf Polluted

(b)Layer 2: SSM variant for the system (when ASLR is deployed)

Start

Accept

(Damage Null)

Input: compressed

DataFile

PSM: Huffman Decompress


ASLR DefenseStart

Damage

Null

Input: keyfile

Accept*:

DataBuf Overflowed;

KeyBuf Polluted;

OutBuf Polluted

PSM: OpenAES


ASLR Defense

Accept*:

DataBuf Overflowed;

KeyBuf Tampered;

OutBuf Tampered

Accept*:

DataBuf Overflowed;

KeyBuf Overlapped;

Stack Crash

Input: DataFile (len=256)

DataBuf: Buffer for Data

KeyBuf: Buffer for Key

OutBuf: Buffer for Decrypted Data

(c)Layer 1: PSM variants for Huffman decoder and OpenAES (when ASLR isdeployed)

Figure 2: A Case Study (How the buffer overflow attack affect the mission when different MTDs are deployed).

5.3.2 Second LayerPSMs for Huffman decoder and OpenAES are merged in

this layer. As explained, Huffman decoder and OpenAES in-teract with each other via a common directory. If and only ifa file that contains attack payloads has been decompressedby Huffman decoder, the file can be loaded by OpenAESand compromise OpenAES. This is the only way can dam-age transits from Huffman decoder to OpenAES. As shownin Figure.2-(b), the only connection between Huffman de-coder and OpenAES is the edge connecting accept state ofHuffman decoder and start state of OpenAES.

This state machine presents how the attack damages thesystem when ASLR is deployed. When different MTDs aredeployed, the whole state machine would change to differentvariants.

5.3.3 Third LayerThe third layer explicitly expresses how different MTD

combinations could mitigate the launched attack. Impactsof the attack are presented in Figure.2-(a) when differentMTD instances are deployed. Dam and DamInf on re-source objects are described as explained previously. It ispossible to further interpret these descriptions: Dam1 canbe interpreted as a system crash; Dam2 means that the de-cryption key is under the control of attackers and thus, thedecryption process in the mission is controlled by attackers;and Dam3 can be viewed as a decryption error, and whichcan be identified by a mission manager. The attack surfacesare determined based on measurements proposed by Man-adhata et al. [16]. If CSR is deployed, damage caused bythe attack would be identified by the mission manager, be-

105

cause the attack would lead to a system crash. Otherwise,the attackers control the decryption process, which could beregarded as a failure of the mission, and such a failure couldnot be identified. Also, deploying CSR along with otherMTDs can not improve the defense. So in this case, a goodchoice of MTD could be CSR.

6. CONCLUSIONIn this paper, we present a three-layer model to evalu-

ate effectiveness of MTDs. This model is proposed as anattempt to fill the gap between low-level methods and high-level methods. Each layer in this model is designed to in-tegrate merits of the two types of methods. The first layercaptures low-level contexts in separate programs; the sec-ond layer models damage propagation between different pro-grams; the third layer works as a user interface to explic-itly expresses evaluation results. We made a case study todemonstrate how our model works and the feasibility of thismodel to fill the gap. In our future works, we will evaluatethis model in a more comprehensive way.

7. ACKNOWLEDGMENTSThis work was supported by ARO W911NF-09-1-0525

(MURI), NSF CNS-1223710, NSF CNS-1422594, ARO W911NF-13-1-0421 (MURI), and AFOSR W911NF1210055.

8. REFERENCES[1] E. Al-Shaer. Toward network configuration randomization

for moving target defense. In Moving Target Defense, pages153–159. Springer, 2011.

[2] A. K. Bangalore and A. K. Sood. Securing web serversusing self cleansing intrusion tolerance (scit). InDependability, 2009. DEPEND’09. Second InternationalConference on, pages 60–65. IEEE, 2009.

[3] S. W. Boyd and A. D. Keromytis. Sqlrand: Preventing sqlinjection attacks. In Applied Cryptography and NetworkSecurity, pages 292–302. Springer, 2004.

[4] R. Bye, S. Schmidt, K. Luther, and S. Albayrak.Application-level simulation for network security. InProceedings of the 1st international conference onSimulation tools and techniques for communications,networks and systems & workshops, page 33. ICST(Institute for Computer Sciences, Social-Informatics andTelecommunications Engineering), 2008.

[5] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi,H. Shacham, and M. Winandy. Return-orientedprogramming without returns. In Proceedings of the 17thACM conference on Computer and communicationssecurity, pages 559–572. ACM, 2010.

[6] L. Chen and A. Avizienis. N-version programming: Afault-tolerance approach to reliability of software operation.In Proc. 8th IEEE Int. Symp. on Fault-TolerantComputing (FTCS-8), pages 3–9, 1978.

[7] M. Chew and D. Song. Mitigating buffer overflows byoperating system randomization. 2002.

[8] M. Christodorescu, M. Fredrikson, S. Jha, and J. Giffin.End-to-end software diversification of internet services. InMoving Target Defense, pages 117–130. Springer, 2011.

[9] M. Crouse and E. W. Fulp. A moving target environmentfor computer configurations using genetic algorithms. InConfiguration Analytics and Automation (SAFECONFIG),2011 4th Symposium on, pages 1–7. IEEE, 2011.

[10] S. Designer. return-to-libc attack. Bugtraq, Aug, 1997.

[11] T. Jackson, B. Salamat, A. Homescu, K. Manivannan,G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, andM. Franz. Compiler-generated software diversity. In MovingTarget Defense, pages 77–98. Springer, 2011.

[12] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S.Wang. Moving Target Defense. Springer, 2011.

[13] X. Jiang, H. J. Wang, D. Xu, and Y.-M. Wang. Randsys:Thwarting code injection attacks with system serviceinterface randomization. In Reliable Distributed Systems,2007. SRDS 2007. 26th IEEE International Symposiumon, pages 209–218. IEEE, 2007.

[14] G. S. Kc, A. D. Keromytis, and V. Prevelakis. Counteringcode-injection attacks with instruction-set randomization.In Proceedings of the 10th ACM conference on Computerand communications security, pages 272–280. ACM, 2003.

[15] L. Lamport. Computation and state machines. Unpublishednote, 2008.

[16] P. K. Manadhata and J. M. Wing. An attack surfacemetric. Software Engineering, IEEE Transactions on,37(3):371–386, 2011.

[17] H. Okhravi, A. Comella, E. Robinson, and J. Haines.Creating a cyber moving target for critical infrastructureapplications using platform diversity. International Journalof Critical Infrastructure Protection, 5(1):30–39, 2012.

[18] H. Okhravi, T. Hobson, D. Bigelow, and W. Streilein.Finding focus in the blur of moving target techniques. 2013.

[19] H. Okhravi, J. F. Riordan, and K. M. Carter. Quantitativeevaluation of dynamic platform techniques as adefensivemechanism ? In Research in Attacks, Intrusions,and Defenses. 2014.

[20] N. S. Ramli. Openaes portable c cryptographic library.https://code.google.com/p/openaes. Accessed: 2014-07-24.

[21] D. Richardson. huffman encoder/decoder.https://github.com/drichardson/huffman.git. Accessed:2014-07-24.

[22] M. Rinard. Probabilistic accuracy bounds for fault-tolerantcomputations that discard tasks. In Proceedings of the 20thannual international conference on Supercomputing, pages324–334. ACM, 2006.

[23] M. Rinard. Manipulating program functionality toeliminate security vulnerabilities. In Moving TargetDefense, pages 109–115. Springer, 2011.

[24] M. C. Rinard. Living in the comfort zone. ACM SIGPLANNotices, 42(10):611–622, 2007.

[25] M. C. Rinard. Using early phase termination to eliminateload imbalances at barrier synchronization points. In ACMSIGPLAN Notices, volume 42, pages 369–386. ACM, 2007.

[26] A. Saidane, V. Nicomette, and Y. Deswarte. The design ofa generic intrusion-tolerant architecture for web servers.Dependable and Secure Computing, IEEE Transactions on,6(1):45–58, 2009.

[27] H. Shacham. The geometry of innocent flesh on the bone:Return-into-libc without function calls (on the x86). InProceedings of the 14th ACM conference on Computer andcommunications security, pages 552–561. ACM, 2007.

[28] H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu,and D. Boneh. On the effectiveness of address-spacerandomization. In Proceedings of the 11th ACM conferenceon Computer and communications security, pages 298–307.ACM, 2004.

[29] M. Sipser. Introduction to the Theory of Computation.Cengage Learning, 2012.

[30] A. N. Sovarel, D. Evans, and N. Paul. Where’s the feeb?the effectiveness of instruction set randomization. In UsenixSecurity, 2005.

[31] S. Zhang and P. Liu. Assessing the trustworthiness ofdrivers. In Research in Attacks, Intrusions, and Defenses,pages 42–63. Springer, 2012.

[32] R. Zhuang, S. Zhang, S. A. DeLoach, X. Ou, andA. Singhal. Simulation-based approaches to studyingeffectiveness of moving-target network defense. In NationalSymposium on Moving Target Research, 2012.

106

APPENDIXA. ALGORITHM FOR CONSTRUCTING SSM

Algorithm 1 Generation of SSMInput: N PSMs:

PSM1 : {Q P1,∑

P1, δ P1, q0 P1, F P1},PSM2 : {Q P2,

∑P2, δ P2, q0 P2, F P2},

...PSMN : {Q PN ,

∑PN , δ PN , q0 PN , F PN }

Output: SSM: . With interaction model{Q S,

∑S, δ S, q0 S, F S}

1: procedure Interact(PSMs) . Model interactions2: Def(q0 S) . Define Start State3: Q S := {q0 S} . Assignment Expression4: F S := ∅ . Init Accept States5: δ S := ∅ . Init Transition6:

∑S := {TE} . Init Inputs

7: for i from 1 to N do8: Q S := Q S ∪Q Pi

9: F S := F S ∪ F Pi

10:∑

S :=∑

S ∪∑

Pi

11: δ S := δ S ∪ δ Pi ∪ {q0 STE−−→ q0 Pi}

12: end for13: for j from 1 to N do . PSMj

14: for k from 1 to N do . Other PSMs15: if j==k then . Exclude Self-interaction16: continue17: end if18: for all q j ∈ Q Pj do . States in PSMj

19: for all q k ∈ Q Pk do . Other States

20: δ S := δ S ∪ {q j TE−−→ q k} . 1

21: end for22: end for23: end for24: end for25: return SSM . SSM Initialized26: end procedure27: procedure PRUNE(SSM) . Prune SSM28: for j from 1 to N do . Each PSM29: for k from 1 to N do . Other PSMs30: if j==k then31: continue32: end if33: for all q j ∈ Q Pj do . Single PSM States

34: for all q k ∈ Q Pk do . Other States35: if not InterAct(PSMj , PSMk) then

36: δ S := δ S/{q j TE−−→ q k}37: end if38: if not InterAct(PSMk, PSMj) then

39: δ S := δ S/{q k TE−−→ q j}40: end if41: if q j ∈ F Pj then

42: δ S := δ S/{q j TE−−→ q k}43: end if44: if q k ∈ F Pk then

45: δ S := δ S/{q k TE−−→ q j}46: end if47: end for48: end for49: end for50: end for51: return SSM . SSM constructed52: end procedure

1An expression with format of AB−→ C represents a tran-

sition rule that transits state A to state C when receivinginput B.

107

Comparing Different Moving Target Defense Techniquesphp.scripts.psu.edu/muz16/pdf/p97-xu.pdf ·...

Documents

Transcript of Comparing Different Moving Target Defense Techniquesphp.scripts.psu.edu/muz16/pdf/p97-xu.pdf ·...