Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University...
Slide 1
Security through Diversity
MIT (a “UVa-spinoff University”), 23 June 2005
David Evans, http://www.cs.virginia.edu/evans
University of Virginia, Computer Science
Slide 2
www.cs.virginia.edu/evans/mit05

Slide 3
Jefferson’s plan for the University of Virginia, 1817
Rotunda
10 Pavilions

Slide 4
Rotunda
Pavilions

Slide 5
Pavilion V

Slide 6
Jefferson’s plan for the University of Virginia, Rockfish Gap Report 1818
(Note: 3 years before Electrical Engineering existed)

Slide 7
Jefferson’s plan for the University of Virginia, Rockfish Gap Report 1818

Slide 8
Course V Professors
• Charles Bonnycastle (1825-1832)
– Switched to Mathematics
• Robert Patterson (~1833-1835)
– Resigned (went to direct U.S. Mint)
• Board selected Joseph Henry
– Declined position

Slide 9
William Barton Rogers
• 1835: appointed Professor of Natural Philosophy (Course V)
• 1840s: students riot and kill professor
• 1853: Resigns position
• 1861: Founds MIT
Quote from teaching evaluation at end!
Slide 10
Where’s the FEEB? Effectiveness of Instruction Set Randomization
To appear in USENIX Security Symposium, August 2005. Ana Nora Sovarel, David Evans and Nathanael Paul.

Slide 11
Security Through Diversity
• Today’s Computing Monoculture
– An exploit can compromise billions of machines since they are all running the same software
• Biological Diversity
– All successful species use a very expensive mechanism (i.e., sex) to maintain diversity
• Computer security research: [Cohen 92], [Forrest+ 97], [Cowan+ 2003], [Barrantes+ 2003], [Kc+ 2003], [Bhatkar+ 2003], [Just+ 2004]
Slide 12
Instruction Set Randomization [Barrantes+, CCS 03] [Kc+, CCS 03]
• Code injection attacks depend on knowing the victim machine’s instruction set
• Defuse them all by making instruction sets different and secret
– It’s expensive to design new ISAs and build new microprocessors

Slide 13
Automating ISR (diagram): Original Code → Original Executable → Randomizer (keyed with a Secret Key) → Randomized Executable → Derandomizer → Processor

Slide 14
ISR Defuses Attacks (diagram): Original Executable → Randomizer (Secret Key) → Randomized Executable → Derandomizer → Processor; Malicious Injected Code → Derandomizer → Broken Malicious Code
Slide 15
ISR Designs

| | Columbia [Kc 03] | RISE [Barrantes 03] |
|---|---|---|
| Randomization Function | XOR or 32-bit transposition | XOR |
| Key Size | 32 bits (same key used for all locations) | program length (each location XORed with a different byte) |
| Transformation Time | Compile Time | Load Time |
| Derandomization | Hardware | Software (Valgrind) |
Slide 16
How secure is ISR?
Slows down an attack about 6 minutes!
Under the right circumstances…

Slide 17
ISR Attack (diagram): Attack Client → ISR-protected Server
– Incorrect Guess → Crash!
– Correct Guess → Observable Behavior

Slide 18
Server Requirements
• Vulnerable: buffer overflow is fine
• Able to make repeated guesses
– No rerandomization after crash
– Likely if server forks requests (Apache)
• Observable: notice server crashes
• Cryptanalyzable
– Learn key from one ciphertext-plaintext pair
– Easy with XOR
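The randomize/derandomize pipeline of slides 12–15 and the “cryptanalyzable” requirement of slide 18, as an added Python example (not the RISE or Columbia implementation and not code from the talk). The function names, the sample code bytes and both keys are constructed; the two key layouts follow the table on slide 15: a 32-bit key reused at every location versus one key byte per program location.

```python
"""XOR-based instruction-set randomization and why it is 'cryptanalyzable'.
Added example for this page (not the RISE or Columbia code). Key layouts follow
the talk's table: a 32-bit key reused at every location (Columbia) versus one
key byte per program location (RISE). All sample bytes are constructed."""
from itertools import cycle
from typing import Dict


def randomize(code: bytes, key: bytes) -> bytes:
    """Randomizer: XOR each code byte with the key byte for its location.
    A 4-byte key is reused every 4 bytes; a program-length key never repeats."""
    return bytes(c ^ k for c, k in zip(code, cycle(key)))


def derandomize(randomized: bytes, key: bytes) -> bytes:
    """Derandomizer (the processor-side step): XOR is its own inverse."""
    return randomize(randomized, key)


def executes_as(injected: bytes, key: bytes, offset: int) -> bytes:
    """What the processor actually runs when unrandomized bytes are injected at
    `offset`: the derandomizer XORs them with that location's key bytes, so the
    injected code comes out scrambled ('Broken Malicious Code' on slide 14)."""
    loc_key = bytes(key[(offset + i) % len(key)] for i in range(len(injected)))
    return derandomize(injected, loc_key)


def key_bytes_from_pair(plaintext: bytes, ciphertext: bytes,
                        key_len: int, offset: int = 0) -> Dict[int, int]:
    """The 'cryptanalyzable' requirement of slide 18: one known
    plaintext/ciphertext pair yields key byte = p ^ c at every location it
    covers. Returns {key index: key byte}; with a repeating 4-byte key, four
    known bytes already give the whole key."""
    learned: Dict[int, int] = {}
    for i, (p, c) in enumerate(zip(plaintext, ciphertext)):
        learned[(offset + i) % key_len] = p ^ c
    return learned


def fraction_of_key_learned(learned: Dict[int, int], key_len: int) -> float:
    """Share of the key recovered; the defender's measure of how much one leak costs."""
    return len(learned) / key_len


if __name__ == "__main__":
    code = bytes(range(0x40, 0x50))                 # constructed 16 'instruction' bytes
    short_key = bytes.fromhex("a1b2c3d4")           # Columbia-style 32-bit key (constructed)
    long_key = bytes((i * 37 + 11) & 0xFF for i in range(4096))  # RISE-style, constructed
    for name, key in (("32-bit key", short_key), ("per-location key", long_key)):
        r = randomize(code, key)
        assert derandomize(r, key) == code
        learned = key_bytes_from_pair(code[:4], r[:4], len(key))
        print(f"{name}: 4 known bytes reveal "
              f"{fraction_of_key_learned(learned, len(key)):.2%} of the key")
    print("injected bytes run as:", executes_as(b"\x90\x90\xcc", short_key, 0).hex())
```

The point for a defender is the last function: with XOR, every known plaintext/ciphertext byte pair costs exactly one key byte, and a key that repeats (32 bits) is gone after four bytes, which is why slide 37 proposes a strong cipher in place of XOR.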
Slide 19
Two Attack Ideas
• RET (0xC3): return from procedure
– 1-byte instruction: up to 256 guesses
– Returns, leaves stack inconsistent
• Only works if server does something observable before crashing
• JMP -2 (0xEBFE): jump offset -2
– 2-byte instruction: up to 2^16 guesses
– Produces infinite loop
• Incorrect guess usually crashes server

Slide 20
Jump Attack (diagram labels: Vulnerable Buffer; Overwritten Return Address; 0xEB (JMP) 0xFE (-2); Unknown Masks)
Correct guess produces infinite loop
2^16 possible guesses for 2-byte instruction

Slide 21
Incremental Jump Attack
Guessing first 2 byte masks (diagram labels: Vulnerable Buffer; Overwritten Return Address; 0xEB (JMP) 0xFE (-2); Unknown Masks)
Guessing next byte: < 256 attempts (diagram labels: Overwritten Return Address; 0xEB (JMP) 0xFE (-2); Unknown Masks; 0xCD (INT); Guessed Masks)

Slide 22
Guess Outcomes

| | Observe “Correct” Behavior | Observe “Incorrect” Behavior |
|---|---|---|
| Correct Guess | Success | False Negative |
| Incorrect Guess | False Positive | Progress |
Slide 23
False Positives
• Injected bytes produce an infinite loop:
– JMP -4
– JNZ -2
• Injected bytes are “harmless”, later executed instruction causes infinite loop
• Injected guess causes crash, but timeout expires before remote attacker observes

Slide 24
False Positives – Good News
• Can distinguish correct mask using other instructions
• Try injecting a “harmless” one-byte instruction
– Correct: get loop
– Incorrect: usually crashes
• Difficulty: dense opcodes
– No pair that differs in only the last bit is reliably different in harmfulness
(diagram labels: Overwritten Return Address; 0x90 (NOOP) 0xEB (JMP); Unknown Masks; 0xFE (-2); Guessed Masks)

Slide 25
False Positives – Better News
• False positives are not random
– Conditional jump instructions
– Opcodes 01110000–01111111
• All are complementary pairs: if 0111xyza is not taken, 0111xyzā is!
• 32 guesses always find an infinite loop
• About 8 additional guesses to determine correct mask

Slide 26
Extended Attack (diagram labels: “Crash Zone”; Overwritten Return Address; 0xCD (INT) 0xE9 (Near Jump); 32-bit offset (to jump to original return address); 0xCD (INT) 0xCD (INT) 0xCD (INT) 0xCD (INT) 0xCD (INT) 0x06 (offset) 0xEB (JMP))
• Near jump to return location
– Execution continues normally
– No infinite loops
• 0xCD 0xCD is interrupt instruction guaranteed to crash
Slide 27
Expected Attempts
~ 15½ to find first jumping instruction
+ ~ 8 to determine correct mask
= 23½ expected attempts per byte
(diagram labels, as on slide 26: “Crash Zone”; Overwritten Return Address; 0xCD (INT) 0xE9 (Near Jump); 32-bit offset (to jump to original return address); 0xCD (INT) 0xCD (INT) 0xCD (INT) 0xCD (INT) 0xCD (INT) 0x06 (offset) 0xEB (JMP))

Slide 28
Experiments
• Implemented attack against constructed vulnerable server protected with RISE [Barrantes et al., 2003]
– Memory space randomization works!
• Turned off Fedora’s address space randomization
– Needed to modify RISE
• Ensure forked processes use same randomization key (other proposed ISR implementations wouldn’t need this)
• Obtain correct key over 95% of the time
– Sometimes can’t because unable to inject NULLs

Slide 29
Attempts Required (graph)
4339 attempts to get first 2 bytes
101,651 attempts to get 4096 bytes

Slide 30
Total Time
4-byte key (Columbia implementation) in < 3½ minutes
4096-byte key in 48 minutes
Attacker: “Is this good enough?” Defender: “Is this bad enough?”

Slide 31
How many key bytes needed?
• Inject malcode in one ISR-protected host
– Sapphire worm = 376 bytes
• Create a worm that spreads on a network of ISR-protected servers
– Space for FEEB attack code: 34,723 bytes
– Need to crash server ~800K times

Slide 32
Maybe less…?
• VMWare: 3,530,821 bytes
• Java VM: 135,328 bytes
• Minsky’s UTM: 7 states, 4 colors
• MicroVM: 100 bytes
Slide 33
Entire MicroVM Code

```nasm
push dword ebp
mov ebp, WORM_ADDRESS + WORM_REG_OFFSET
pop dword [ebp + WORM_DATA_OFFSET]
xor eax, eax                      ; WormIP = 0 (load from ebp + eax)
read_more_worm:                   ; read NUM_BYTES at a time until worm is done
cld
xor ecx, ecx
mov byte cl, NUM_BYTES
mov dword esi, WORM_ADDRESS       ; get saved WormIP
add dword esi, eax
mov edi, begin_worm_exec
rep movsb                         ; copies next Worm block into execution buffer
add eax, NUM_BYTES                ; change WormIP
pushad                            ; save register vals
mov edi, dword [ebp]              ; restore worm registers
mov esi, dword [ebp + ESI_OFFSET]
mov ebx, dword [ebp + EBX_OFFSET]
mov edx, dword [ebp + EDX_OFFSET]
mov ecx, dword [ebp + ECX_OFFSET]
mov eax, dword [ebp + EAX_OFFSET]
begin_worm_exec:                  ; this is the worm execution buffer
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov [ebp], edi                    ; save worm registers
mov [ebp + ESI_OFFSET], esi
mov [ebp + EBX_OFFSET], ebx
mov [ebp + EDX_OFFSET], edx
mov [ebp + ECX_OFFSET], ecx
mov [ebp + EAX_OFFSET], eax
popad                             ; restore microVM register vals
jmp read_more_worm
```
Slide 34
MicroVM (annotated diagram of the code on slide 33)
Code annotations: save worm address in ebp; move stack frame pointer; WormIP = 0; copy worm code into buffer; update WormIP; save MicroVM registers; load worm registers; 22-byte worm execution buffer; save worm registers; load MicroVM registers; jmp to read next block
Worm memory layout: saved registers; worm code; host key masks; guessed (target) masks; other worm data
Learned Key Bytes: 76 bytes of code + 22 bytes for execution + 2 bytes to avoid NULL = 100 bytes is enough > 99% of the time
Worm code must be coded in blocks that fit into execution buffer (pad with noops so instructions do not cross block boundaries)

Slide 35
Making Jumps
• Within a block - short relative jump is fine
• Between worm blocks
– From end of block, to beginning of block
– Update the WormIP stored on the stack
– Code conditional jump, JZ target in worm, as:
JNZ +5 ; if opposite condition, skip
MOV [ebp + WORMIP_OFFSET], target

Slide 36
Deploying a Worm
• Learn 100 key bytes to inject MicroVM
– Median time: 311 seconds, 8422 attempts
– Fast enough for a worm to spread effectively
• Inject pre-encrypted worm code
– XORed with the known key at location
– Insert NOOPs when necessary to avoid NULLs
• Inject key bytes
– Needed to propagate worm

Slide 37
Preventing Attack: Break Attack Requirements
• Vulnerable: eliminate vulnerabilities
– Rewrite all your code in a type safe language
• Able to make repeated guesses
– Rerandomize after crash
• Observable: notice server crashes
– Maintain client socket after crash?
• Cryptanalyzable
– Use a strong cipher like AES instead of XOR

Slide 38
Better Solution
• Avoid secrets!
– Keeping them is hard
– They can be broken or stolen
• Prove security properties without relying on assumptions about secrets or probabilistic arguments
Slide 39
Polygraphing Processes: N‑Variant Systems for Secretless Security
(pictures: Jefferson’s Polygraph; Hoover’s Polygraph)
work with Ben Cox, Jack Davidson, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen‑Tuong, Jonathan Rowanhill

Slide 40
2-Variant System (diagram): Input (Possibly Malicious) → Polygrapher → Server Variant 0 and Server Variant 1 → Monitor → Output

Slide 41
Disjoint Variants
• Normal Equivalence Property
Under normal inputs, the variants stay in equivalent states:
A0(S0) ≡ A1(S1)
• Detection Property
Any attack that compromises Variant 0 causes Variant 1 to “crash”
(diagram: Polygrapher → Variant 0, Variant 1 → Monitor)
• Monitor
– Must delay effects of one variant until other is synchronized
– Must observe crash of one variant and recover

Slide 42
Memory Partitioning
• Variation
– Variant 0: addresses all start with 0
– Variant 1: addresses all start with 1
• Normal Equivalence
– Map addresses to same address space
• Detection Property
– Any absolute load/store is invalid on one of the variants

Slide 43
Instruction Set Tagging
• Variation: add an extra bit to all opcodes
– Variation 0: tag bit is a 0
– Variation 1: tag bit is a 1
• Run-time emulator checks bit and removes it (software dynamic translation using Strata)
• Normal Equivalence: Remove the tag bits
• Detection Property
– Any (tagged) opcode is invalid on one variant
– Injected code (identical on both) cannot run on both
Slide 44
Composing Variations
Must preserve normal equivalence property
(diagram)

| | P1 | P2 | P3 |
|---|---|---|---|
| Memory Space | 0 | 1 | 0 |
| Instruction Tags | 1 | 1 | 0 |

Detect memory attack
Detect code injection

Slide 45
Implementation: Kernel Modification [Ben Cox]
• Modify process table to record variants
• Create new fork routine to launch variants
• Intercept system calls:
– Check parameters are the same for all variants
– Make call once
– Send same result to all
• Low overhead, lack of isolation
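A toy model of the 2-variant system of slides 41–43 (memory partitioning plus instruction-set tagging) with the lockstep monitor rules of slide 45, as an added Python example; it is not the project's kernel-modification or nvpd code. The six-instruction ISA, the bit positions chosen for the tag and for the address partition, the pointer register, and the monitor's comparison rules are all assumptions made for illustration.

```python
"""Toy 2-variant system: memory partitioning + instruction-set tagging with a
lockstep monitor. Added example for this page (not the N-variant project's
kernel or nvpd code); the ISA, the tag/partition bit positions and the
monitor's rules are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

TAG_BIT = 0x80      # instruction-set tagging: one extra bit on every opcode
ADDR_BIT = 0x8000   # memory partitioning: variant 0 addresses start with 0, variant 1 with 1

# Constructed toy ISA; each instruction is (opcode, argument).
PUSH, LOAD, STORE, LOADP, OUT, HALT = 1, 2, 3, 4, 5, 6
Instr = Tuple[int, int]


class VariantFault(Exception):
    """Where a real variant would crash: wrong opcode tag or out-of-partition address."""


def compile_for(variant: int, program: List[Instr]) -> List[Instr]:
    """Tag every opcode and relocate every absolute address for one variant.
    Both variants run the same source program (normal equivalence)."""
    tag = TAG_BIT if variant else 0
    abit = ADDR_BIT if variant else 0
    return [(op | tag, (arg | abit) if op in (LOAD, STORE) else arg) for op, arg in program]


class Variant:
    def __init__(self, variant: int):
        self.v = variant
        self.tag = TAG_BIT if variant else 0
        self.abit = ADDR_BIT if variant else 0
        self.mem: Dict[int, int] = {}   # keyed by canonical (partition-stripped) address
        self.stack: List[int] = []
        self.ptr = self.abit            # pointer register; legitimately inside own partition

    def canon(self, addr: int) -> int:
        """Normal equivalence for memory: both partitions map onto one address space.
        Detection: an address with the wrong high bit is invalid in this variant."""
        if (addr & ADDR_BIT) != self.abit:
            raise VariantFault(f"variant {self.v}: address {addr:#06x} outside its partition")
        return addr & ~ADDR_BIT

    def step(self, op: int, arg: int, out: List[int]) -> bool:
        """Execute one instruction; return False on HALT."""
        if (op & TAG_BIT) != self.tag:
            raise VariantFault(f"variant {self.v}: opcode {op:#04x} has the wrong tag bit")
        op &= ~TAG_BIT                  # the emulator removes the tag before executing
        if op == PUSH:
            self.stack.append(arg)
        elif op == LOAD:
            self.stack.append(self.mem.get(self.canon(arg), 0))
        elif op == STORE:
            self.mem[self.canon(arg)] = self.stack.pop()
        elif op == LOADP:               # load through the pointer register
            self.stack.append(self.mem.get(self.canon(self.ptr), 0))
        elif op == OUT:
            out.append(self.stack.pop())
        elif op == HALT:
            return False
        else:
            raise VariantFault(f"variant {self.v}: unknown opcode {op:#04x}")
        return True


def monitor(program: List[Instr], injected: Optional[List[Instr]] = None,
            corrupt_ptr: Optional[int] = None) -> Tuple[str, List[int]]:
    """Polygrapher/monitor: run both variants in lockstep on identical input, hold
    output back until both agree, and report a detection if either variant faults
    or their outputs diverge. `injected` models code injection (the same raw
    instructions appended to both variants); `corrupt_ptr` models memory corruption
    that overwrites a pointer with one absolute address in both variants."""
    variants = [Variant(0), Variant(1)]
    code = [compile_for(i, program) + list(injected or []) for i in range(2)]
    if corrupt_ptr is not None:
        for v in variants:
            v.ptr = corrupt_ptr
    outs: List[List[int]] = [[], []]
    for pc in range(len(code[0])):
        try:
            running = [variants[i].step(*code[i][pc], outs[i]) for i in range(2)]
        except VariantFault as fault:
            return "ATTACK DETECTED: " + str(fault), []   # other variant's effects are discarded
        if outs[0] != outs[1]:
            return "ATTACK DETECTED: variants diverged", []
        if not all(running):
            break
    return "ok", outs[0]


LEGIT = [(PUSH, 42), (STORE, 0x10), (LOAD, 0x10), (OUT, 0), (HALT, 0)]
USES_PTR = [(LOADP, 0), (OUT, 0), (HALT, 0)]

if __name__ == "__main__":
    print(monitor(LEGIT))                           # ('ok', [42])
    print(monitor(USES_PTR))                        # ('ok', [0])
    print(monitor(USES_PTR, corrupt_ptr=0x0010))    # absolute address valid in only one variant
    print(monitor([(PUSH, 1), (STORE, 0x10)], injected=[(LOAD, 0x10), (OUT, 0)]))
```

The two detection properties fall out of the construction rather than from any secret: an absolute address carries one fixed high bit, so it is outside the partition of exactly one variant, and a raw opcode carries one fixed tag bit, so exactly one variant rejects it. The monitor's only jobs are the ones slide 41 lists, delaying output until both variants have produced it and treating a fault in either as a detection.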
Slide 46
Implementation: Divert Sockets [Adrian Filipi]
• Process intercepts traffic (nvpd)
• Uses divert sockets to send copies to isolated variants (can be on different machines)
• Waits until all variants respond to request before returning to client
• Adjusts TCP sequence numbers so each variant appears to have a normal connection

Slide 47
3-Variant System (diagram): Input from Client → nvpd (Polygrapher) → P1, P2, P3 (Server) → Monitor → Output to Client

Slide 48
Results
• Open problems: dealing with non-determinism, persistent state
• Cost (nvpd implementation, https)
– 4x machines
– Latency multiplied by 2.3 (cf. sex)
• Security properties
– Detects (and thwarts) any attack that:
• Depends on referencing an absolute address
• Depends on executing injected code

Slide 49
Jaws
Diversity depends on your perspective
Slide from my USENIX Security 2004 Talk, What Biology Can (and Can’t) Teach us about Security

Slide 50
Summary
• Producing artificial diversity is easy
– Defeats undetermined adversaries
• Keeping secrets is hard
– Remote attacker can break ISR-protected server in < 6 minutes
• N-variant systems framework offers provable (but expensive) defense
– Effectiveness depends on whether variations vary things that matter to attack
Slide 51
Prof. Rogers’ Teaching Evaluation

Slide 52
Prof. Rogers’ Teaching Evaluation
“Who can forget that stream of English undefiled, so smooth, so deep, and yet so clear, that passed from point to point with gentle touch, that commonly flowed along with the quiet of conscious power, yet sometimes became tumultuous with feeling, and then came the music of the cataract and the glory of the rainbow!”
Francis H. Smith, in History of the University of Virginia, 1819-1919, Vol. 2

Slide 53
Questions?

Slide 54

Slide 55
Instruction Set Partitioning (diagram)
Full instruction set: JO, JNO, JB, JNB, JZ, JNZ, JMP, CALL, …
Variant A: JNO, JNB, JNZ, CALL
Variant B: JO, JB, JZ, JMP

Slide 56
Tuition Schedule, 1819
• 1 Professor $50/year
• 2 Professors $70/year
• 3 Professors $75/year

Slide 57
Attempts per Byte (graph)
Drops to below 24 average attempts per byte
~2^12 attempts for first 2 bytes

Slide 58
Memory Randomization Attack
• Brute force attack on memory address space randomization (Shacham et al. [CCS 2004]): 24-bit effective key space
• Can a similar attack work against ISR?
– Larger key space: must attack in fragments
– Need to tell if partial guess is correct