Moving Target Defenses in the Helix Self-Regenerative Architecture

  • Claire Le Goues
  • Anh Nguyen-Tuong
  • Hao Chen
  • Jack W. Davidson
  • Stephanie Forrest
  • Jason D. Hiser
  • John C. Knight
  • Matthew Van Gundy
Conference paper
Part of the Advances in Information Security book series (ADIS, volume 100)


In this chapter we describe the design, development and application of the Helix Metamorphic Shield (HMS). The HMS (1) continuously shifts the program’s attack surface in both the spatial and temporal dimensions, and (2) reduces the program’s attack surface by applying novel evolutionary algorithms to automatically repair vulnerabilities. The symbiotic interplay between shifting and reducing the attack surface results in the automated evolution of new program variants whose quality improves over time.





This research is supported by National Science Foundation (NSF) grant CNS-0716446, the Army Research Office (ARO) grant W911-10-0131, the Air Force Research Laboratory (AFRL) contract FA8650-10-C-7025, and DoD AFOSR MURI grant FA9550-07-1-0532. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF, AFRL, ARO, DoD, or the U.S. Government.



Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Claire Le Goues (1)
  • Anh Nguyen-Tuong (1)
  • Hao Chen (2)
  • Jack W. Davidson (1)
  • Stephanie Forrest (3)
  • Jason D. Hiser (1)
  • John C. Knight (1)
  • Matthew Van Gundy (2)

  1. Intelligent Automation, Inc., Rockville, USA
  2. University of California, Davis, USA
  3. University of New Mexico, Albuquerque, USA
