Security through Diversity: Are We There Yet?

Because most software attacks rely on predictable behavior on the target platform, mass distribution of identical software facilitates mass exploitation. Countermeasures include moving-target defenses in general and biologically inspired artificial software diversity in particular. Although the concept of software diversity has interested researchers for more than 20 years, technical obstacles prevented its widespread adoption until now. Massive-scale software diversity has become practical due to the Internet (enabling distribution of individualized software) and cloud computing (enabling the computational power to perform diversification). In this article, the authors take stock of the current state of software diversity research. The potential showstopper issues are mostly solved; the authors describe the remaining issues and point to a realistic adoption path.

[1]  Koen De Bosschere,et al.  Protecting Your Software Updates , 2013, IEEE Security & Privacy.

[2]  Jack W. Davidson,et al.  Security through Diversity: Leveraging Virtual Machine Technology , 2009, IEEE Security & Privacy.

[3]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[4]  Christian S. Collberg,et al.  Distributed application tamper detection via continuous software updates , 2012, ACSAC '12.

[5]  Rajeev Barua,et al.  A compiler-level intermediate representation based binary analysis and rewriting system , 2013, EuroSys '13.

[6]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[7]  Michael Franz,et al.  E unibus pluram: massive-scale software diversity as a defense mechanism , 2010, NSPW '10.

[8]  Per Larsen,et al.  Librando: transparent code randomization for just-in-time compilers , 2013, CCS.

[9]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[10]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[11]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[12]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[13]  Daniel C. DuVarney,et al.  Efficient Techniques for Comprehensive Protection from Memory Error Exploits , 2005, USENIX Security Symposium.