On the Effectiveness of Software Diversity: A Systematic Study on Real-World Vulnerabilities

  • Jin Han
  • Debin Gao
  • Robert H. Deng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5587)


Many systems have been introduced to detect software intrusions by comparing the outputs and behavior of diverse replicas when they are processing the same, potentially malicious, input. When these replicas are constructed using off-the-shelf software products, it is assumed that they are diverse and not compromised simultaneously under the same attack. In this paper, we analyze vulnerabilities published in 2007 to evaluate the extent to which this assumption is valid. We focus on vulnerabilities in application software, and show that the majority of these software products – including those providing the same service (and therefore multiple software substitutes can be used in a replicated system to detect intrusions) and those that run on multiple operating systems (and therefore the same software can be used in a replicated system with different operating systems to detect intrusions) – either do not have the same vulnerability or cannot be compromised with the same exploit. We also find evidence that indicates the use of diversity in increasing attack tolerance for other software. These results show that systems utilizing off-the-shelf software products to introduce diversity are effective in detecting intrusions.


Intrusion Detection System Software Diversity Application Software Product Attack Code Multiple Operating System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bandhakavi, S., Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Candid: preventing sql injection attacks using dynamic candidate evaluations. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security, pp. 12–24. ACM, New York (2007)Google Scholar
  2. 2.
    Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: CCS 2003: Proceedings of the 10th ACM conference on Computer and communications security, pp. 281–289. ACM, New York (2003)Google Scholar
  3. 3.
    Bhatkar, S., DuVarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a board range of memory error exploits. In: SSYM 2003: Proceedings of the 12th conference on USENIX Security Symposium, Berkeley, CA, USA, p. 8 (2003), USENIX AssociationGoogle Scholar
  4. 4.
    Cox, B., Evans, D., Filipi, A., Rowanhill, J., Hu, W., Davidson, J., Knight, J., Nguyen-Tuong, A., Hiser, J.: N-variant systems – A secretless framework for security through diversity. In: Proceedings of the 15th USENIX Security Symposium (August 2006)Google Scholar
  5. 5.
    Dhamankar, R.: SANS Top-20 Security Risks (2007),
  6. 6.
    Edge, J.: Remote file inclusion vulnerabilities (Octobor 2006),
  7. 7.
    Fyodor, G.L.: Remote os detection via tcp/ip stack fingerprinting. Technical report, INSECURE.ORG (October 1998)Google Scholar
  8. 8.
    Gao, D., Reiter, M.K., Song, D.: Behavioral distance for intrusion detection. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 63–81. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Gao, D., Reiter, M.K., Song, D.: Behavioral distance measurement using hidden markov models. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 19–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Gao, D., Reiter, M.K., Song, D.: Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance. IEEE Transactions on Dependable and Secure Computing (TDSC) (July 2008)Google Scholar
  11. 11.
    Gashi, I., Popov, P.: Fault tolerance via diversity for off-the-shelf products: A study with sql database servers. IEEE Transactions on Dependable Secure Computing 4(4), 280–294 (2007); Member-Lorenzo StriginiCrossRefGoogle Scholar
  12. 12.
    Geer, D., Bace, R., Gutmann, P., Metzger, P., Pfleeger, C.P., Quarterman, J.S., Schneier, B.: Cyberinsecurity: The cost of monopoly. Technical report, CCIA (2003)Google Scholar
  13. 13.
    Jovanovic, N., Kirda, E., Kruegel, C.: Preventing Cross Site Request Forgery Attacks. In: IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks, Securecomm (2006)Google Scholar
  14. 14.
    Just, J.E., Reynolds, J.C., Clough, L.A., Danforth, M., Levitt, K.N., Maglich, R., Rowe, J.: Learning unknown attacks - A start. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 158–176. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  15. 15.
    Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: CCS 2003: Proceedings of the 10th ACM conference on Computer and communications security, pp. 272–280. ACM Press, New York (2003)Google Scholar
  16. 16.
    Linger, R.C.: Systematic generation of stochastic diversity as an intrusion barrier in survivable systems software. In: HICSS 1999: Proceedings of the Thirty-Second Annual Hawaii International Conference on System Sciences, Washington, DC, USA, 1999, vol. 3, p. 3062. IEEE Computer Society, Los Alamitos (1999)Google Scholar
  17. 17.
    O’Donnell, A.J., Sethu, H.: On achieving software diversity for improved network security using distributed coloring algorithms. In: CCS 2004: Proceedings of the 11th ACM conference on Computer and communications security, pp. 121–131. ACM, New York (2004)Google Scholar
  18. 18.
    Reynolds, J., Just, J., Lawson, E., Clough, L., Maglich, R.: The design and implementation of an intrusion tolerant system. In: Proceedings of the 2002 International Conference on Dependable Systems and Networks (DSN 2002) (2002)Google Scholar
  19. 19.
    Salton, G., Wong, A., Yang, C.S.: A vector space model for automatic indexing. Communications of the ACM 18(11), 613–620 (1975)CrossRefzbMATHGoogle Scholar
  20. 20.
    Singh, A.: Mac OS X Internals: A Systems Approach. Addison-Wesley, Reading (2006)Google Scholar
  21. 21.
    Stamp, M.: Risks of monoculture. Communications of the ACM 47(3), 120 (2004)CrossRefGoogle Scholar
  22. 22.
    Totel, E., Majorczyk, F., Mé, L.: COTS diversity based intrusion detection and application to web servers. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 43–62. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Trowbridge, C.: An overview of remote operating system fingerprinting. Technical report, The SANS Institute (July 2003)Google Scholar
  24. 24.
    Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-site scripting prevention with dynamic data tainting and static analysis. In: Proceeding of the Network and Distributed System Security Symposium (NDSS) (February 2007)Google Scholar
  25. 25.
    Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE 2008: Proceedings of the 30th international conference on Software engineering, pp. 171–180. ACM, New York (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jin Han
    • 1
  • Debin Gao
    • 1
  • Robert H. Deng
    • 1
  1. 1.School of Information SystemsSingapore Management UniversitySingapore

Personalised recommendations