Compiler-Generated Software Diversity
Present approaches to software security are to a large extent reactive: when vulnerabilities are discovered, developers scramble to fix the underlying error. The advantage is on the side of the attackers, because they only have to find a single vulnerability to exploit all vulnerable systems, while defenders have to prevent the exploitation of all vulnerabilities. We argue that the compiler is at the heart of the solution to this problem: when the compiler translates high-level source code to low-level machine code, it is able to automatically diversify the machine code, thus creating multiple functionally equivalent but internally different variants of a program. We present two orthogonal compiler-based techniques. With multi-variant execution, a monitoring layer executes several diversified variants in lockstep while examining their behavior for differences that indicate attacks. With massive-scale software diversity, every user gets their own diversified variant, so that the attacker has no knowledge about the internal structure of that variant and therefore cannot construct an attack. Both techniques make it harder for an attacker to run a successful attack. We discuss variation techniques that the compiler can utilize to diversify software, and evaluate their effectiveness for our two execution models.
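The following is an added illustration of the multi-variant execution idea described above; it is not code from the paper or its authors. It models a toy program whose only defect is an unchecked buffer copy, and builds three "variants" that differ solely in a compiler-chosen stack layout: no padding, two words of padding between the buffer and the saved return address, and a reversed stack in which the buffer grows away from the return address. A lockstep monitor pulls one simulated system call from every variant at a time and stops at the first divergence. The buffer size, word size, sentinel return value and both inputs are constructed for the example; the same layout variation is what makes a per-user variant under massive-scale diversity behave differently from the one an attacker studied.

```python
"""Toy lockstep monitor for multi-variant execution (added example, constructed values)."""
from typing import Callable, Dict, Iterator, List, Tuple

Syscall = Tuple  # ("write", bytes) / ("exit", int) / ("jump", bytes)

BUF_SIZE = 16            # user-controlled buffer size (constructed)
WORD = 8                 # size of the saved return address (constructed)
RET_MAIN = b"RETMAIN!"   # sentinel standing in for the legitimate return address


def variant(name: str, pad_words: int, reverse_stack: bool) -> Callable[[bytes], Iterator[Syscall]]:
    """Build one diversified instance of the toy program.

    pad_words:     compiler-inserted padding words between buffer and saved return address.
    reverse_stack: if True the frame is laid out [ret][pad][buf], so the buffer
                   overflows away from the return address instead of toward it.
    """
    pad = pad_words * WORD
    frame_size = BUF_SIZE + pad + WORD
    if reverse_stack:
        ret_off, buf_off = 0, pad + WORD
    else:
        buf_off, ret_off = 0, BUF_SIZE + pad

    def run(user_input: bytes) -> Iterator[Syscall]:
        frame = bytearray(frame_size)
        frame[ret_off:ret_off + WORD] = RET_MAIN
        # Unchecked copy (strcpy-like). Bytes past the end of the frame fall off the model.
        end = min(buf_off + len(user_input), frame_size)
        frame[buf_off:end] = user_input[:end - buf_off]
        # First observable action: echo the buffer contents.
        yield ("write", bytes(frame[buf_off:buf_off + BUF_SIZE]).rstrip(b"\0"))
        ret = bytes(frame[ret_off:ret_off + WORD])
        if ret == RET_MAIN:
            yield ("exit", 0)
        else:
            # Return address was clobbered: control goes somewhere unexpected,
            # which shows up as behaviour the other variants do not exhibit.
            yield ("jump", ret)

    run.__name__ = name
    return run


# Three variants of the same program, differing only in layout.
VARIANTS = [
    variant("classic", 0, False),
    variant("padded", 2, False),
    variant("reversed", 0, True),
]


def monitor(variants: List[Callable[[bytes], Iterator[Syscall]]], user_input: bytes) -> Dict:
    """Run all variants in lockstep on the same input.

    Returns {"verdict": "ok", "trace": [...]} when every variant issues the same
    system-call sequence, or {"verdict": "divergence", "step": n, "calls": {...}}
    at the first step where the variants disagree.
    """
    gens = [v(user_input) for v in variants]
    trace: List[Syscall] = []
    while True:
        calls = [next(g, None) for g in gens]
        if len(set(calls)) > 1:
            return {
                "verdict": "divergence",
                "step": len(trace),
                "calls": {v.__name__: c for v, c in zip(variants, calls)},
            }
        if calls[0] is None:          # all variants finished, identically
            return {"verdict": "ok", "trace": trace}
        trace.append(calls[0])


if __name__ == "__main__":
    benign = b"hello"                       # constructed benign input
    overlong = b"A" * BUF_SIZE + b"B" * WORD  # constructed input that overruns the buffer
    print(monitor(VARIANTS, benign))
    print(monitor(VARIANTS, overlong))
```

On the benign input all three variants write "hello" and exit, so the monitor reports "ok". On the overlong input only the unpadded classic layout has its return address overwritten; the padded and reversed variants keep it intact, and the monitor reports a divergence at step 1 (after the identical "write" call) rather than letting any variant continue.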
Todd Jackson et al.