Runtime Defense against Code Injection Attacks Using Replicated Execution

The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistency, including asynchronous signals and the scheduling of multithreaded or multiprocess applications, can cause the behavior of the variants to diverge even in the absence of an attack. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multivariant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multicore processors.
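The lockstep comparison and the synchronous signal delivery described above, as an added simulation that is not the paper's implementation: each variant is modelled by a constructed system-call trace, the synchronization points are the system calls, and a naive position-by-position comparison is shown alongside the lockstep monitor to make the signal-induced false alarm concrete. The traces, signal numbers and system-call arguments are all constructed for the illustration.

```python
from collections import Counter, deque

def naive_compare(traces):
    """Compare raw traces position by position. A signal the kernel delivers at a
    different point in each variant shows up as a mismatch: a false alarm."""
    for pos, events in enumerate(zip(*traces)):
        if len(set(events)) != 1:
            return ("divergence", pos, list(events))
    return ("ok", len(traces[0]))

def lockstep_monitor(traces):
    """Advance every variant to its next system call (the synchronization point),
    intercepting any signal seen on the way, then compare the calls. A signal is
    forwarded to all variants at the sync point where the monitor first sees it, so
    handlers run at the same logical point in every variant. Returns
    ("ok", sync_points, delivered) or ("divergence", sync_point, calls)."""
    queues = [deque(t) for t in traces]
    seen = [Counter() for _ in traces]   # signals the kernel tried to hand each variant
    delivered = []                       # (sync_point, signum) forwarded synchronously
    sync = 0
    while True:
        calls = []
        for i, q in enumerate(queues):
            while q and q[0][0] == "sig":
                sig = q.popleft()[1]
                seen[i][sig] += 1
                # later copies of an already-forwarded signal are absorbed, not re-delivered
                if seen[i][sig] > sum(1 for _, s in delivered if s == sig):
                    delivered.append((sync, sig))
            calls.append(q.popleft() if q else None)   # None: variant made no further call
        if all(c is None for c in calls):
            return ("ok", sync, delivered)
        if len(set(calls)) != 1:          # different call, args, or one variant stopped early
            return ("divergence", sync, calls)
        sync += 1

# Constructed traces; event = ("sys", name, args) or ("sig", signum).
# Variant 2 receives SIGALRM (14) one system call later than variant 1.
BENIGN = [
    [("sys", "read", (0, b"GET /")), ("sig", 14), ("sys", "write", (1, b"200 OK")), ("sys", "exit_group", (0,))],
    [("sys", "read", (0, b"GET /")), ("sys", "write", (1, b"200 OK")), ("sig", 14), ("sys", "exit_group", (0,))],
]
# The same oversized request hijacks variant 2 only (the variants' differing layouts
# mean one injected payload cannot behave identically in both); its next system call
# differs from variant 1's, so the monitor reports the discrepancy at that sync point.
ATTACK = [
    [("sys", "read", (0, b"A" * 64)), ("sys", "write", (1, b"200 OK")), ("sys", "exit_group", (0,))],
    [("sys", "read", (0, b"A" * 64)), ("sys", "execve", (b"/bin/sh",))],
]
```

Running `naive_compare(BENIGN)` reports a divergence at position 1 (the deferred signal), whereas `lockstep_monitor(BENIGN)` completes three sync points with SIGALRM forwarded once, and `lockstep_monitor(ATTACK)` stops at sync point 1.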
