
End-to-End Software Diversification of Internet Services

  • Mihai Christodorescu
  • Matthew Fredrikson
  • Somesh Jha
  • Jonathon Giffin
Chapter
Part of the Advances in Information Security book series (ADIS, volume 54)

Abstract

Software diversification has been approached as a tool to provide security guarantees for programs that lack type safety (e.g., programs written in C). In this setting, diversification operates by changing the memory layout of program code or data and by changing the syntax of program code. These techniques succeed as a defense against an attacker’s use of type-safety vulnerabilities (e.g., buffer overflows) because they randomize the key elements necessary to a successful low-level intrusion (memory addresses and memory contents). This chapter proposes to extend software diversification from a point technique, applied to hand-picked aspects of a single program, to a comprehensive technique applied by default to all components of an application. Internet services are used as the focused example.
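To make the abstract's notion of syntax diversification concrete, the following is an added illustration, not code from the chapter or the authors' method: a hypothetical service component whose command language has every keyword renamed with a per-instance random tag, so that injected code written in the standard syntax is refused at the component boundary while trusted templates compiled with the tag pass through. The keyword set, the `lookup` query and the tag length are assumptions.

```python
import re
import secrets

# Constructed toy command language for a hypothetical service component;
# the keyword set and the service are assumptions, not from the chapter.
KEYWORDS = ("SELECT", "FROM", "WHERE", "OR", "AND", "UNION")
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|'[^']*'|\S")

class DiversifiedDialect:
    """Per-instance syntax diversification: each keyword is renamed with a
    fresh random tag, so code in the standard syntax no longer parses.
    Trusted code is generated through compile_template (which knows the
    tag); untrusted input only ever reaches the component as data."""

    def __init__(self) -> None:
        self.tag = secrets.token_hex(4)  # chosen at startup, never exported
        self.rename = {k: f"{k}_{self.tag}" for k in KEYWORDS}
        self.restore = {v: k for k, v in self.rename.items()}

    def compile_template(self, template: str) -> str:
        """Trusted path: rewrite standard keywords into the dialect."""
        return " ".join(self.rename.get(t, t) for t in TOKEN.findall(template))

    def accept(self, program: str) -> str:
        """Component boundary: map dialect keywords back to standard syntax.
        A keyword arriving un-renamed came from code that did not know the
        tag, i.e. it was injected, so the whole program is rejected."""
        out = []
        for t in TOKEN.findall(program):
            if t.upper() in KEYWORDS:
                raise ValueError(f"undiversified keyword {t!r}")
            out.append(self.restore.get(t, t))
        return " ".join(out)

def lookup(dialect: DiversifiedDialect, user_id: str) -> str:
    """Builds the query by string concatenation on purpose, to show that the
    diversified syntax, not careful escaping, is what stops the injection."""
    program = dialect.compile_template("SELECT name FROM users WHERE id =")
    program += f" '{user_id}'"  # untrusted data appended without the tag
    return dialect.accept(program)

def rejects(dialect: DiversifiedDialect, user_id: str) -> bool:
    """True when the component refuses the program built from user_id."""
    try:
        lookup(dialect, user_id)
    except ValueError:
        return True
    return False
```

A benign `user_id` such as `42` yields the standard query for the backend, whereas a value carrying an `OR` clause is refused because the injected keyword lacks the tag.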



Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Mihai Christodorescu (1)
  • Matthew Fredrikson (2)
  • Somesh Jha (2)
  • Jonathon Giffin (3)
  1. IBM T.J. Watson Research Center, Hawthorne, USA
  2. University of Wisconsin-Madison, Madison, USA
  3. Georgia Institute of Technology, Atlanta, USA
