Proactive obfuscation

Proactive obfuscation is a new method for creating server replicas that are likely to have fewer shared vulnerabilities. It uses semantics-preserving code transformations to generate diverse executables, periodically restarting servers with these fresh versions. The periodic restarts help bound the number of compromised replicas that a service ever concurrently runs, and therefore proactive obfuscation makes an adversary's job harder. Proactive obfuscation was used in implementing two prototypes: a distributed firewall based on state-machine replication and a distributed storage service based on quorum systems. Costs intrinsic to supporting proactive obfuscation in replicated systems were evaluated by measuring the performance of these prototypes. The results show that employing proactive obfuscation adds little to the cost of replica-management protocols.

[1]  Danny Dolev,et al.  Polynomial algorithms for multiple processor agreement , 1982, STOC '82.

[2]  Fred B. Schneider,et al.  Implementing fault-tolerant services using the state machine approach: a tutorial , 1990, CSUR.

[3]  Jeffrey D. Case,et al.  Simple network management protocol , 1995 .

[4]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[5]  Nancy A. Lynch,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.

[6]  Ozalp Babaoglu,et al.  ACM Transactions on Computer Systems , 2007 .

[7]  David K. Gifford,et al.  Weighted voting for replicated data , 1979, SOSP '79.

[8]  Miguel Correia,et al.  Resilient Intrusion Tolerance through Proactive and Reactive Recovery , 2007, 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007).

[9]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[10]  Arun K. Sood,et al.  Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security , 2006, J. Networks.

[11]  Kenneth P. Birman,et al.  The Monoculture Risk Put into Context , 2009, IEEE Security & Privacy Magazine.

[12]  Miguel Oom Temudo de Castro,et al.  Practical Byzantine fault tolerance , 1999, OSDI '99.

[13]  Nancy A. Lynch,et al.  Consensus in the presence of partial synchrony , 1988, JACM.

[14]  Nathanael Paul,et al.  Where's the FEEB? The Effectiveness of Instruction Set Randomization , 2005, USENIX Security Symposium.

[15]  Jeffrey C. Mogul,et al.  Simple and Flexible Datagram Access Controls for UNIX-based Gateways , 1999 .

[16]  Robert H. Thomas,et al.  A Majority consensus approach to concurrency control for multiple copy databases , 1979, ACM Trans. Database Syst..

[17]  Kishor S. Trivedi,et al.  A comprehensive model for software rejuvenation , 2005, IEEE Transactions on Dependable and Secure Computing.

[18]  Alysson Neves Bessani,et al.  The FOREVER service for fault/intrusion removal , 2008, WRAITS '08.

[19]  Fred B. Schneider,et al.  Independence from obfuscation: a semantic framework for diversity , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[20]  David H. Ackley,et al.  Randomized instruction set emulation , 2005, TSEC.

[21]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[22]  Ran Canetti,et al.  Maintaining Authenticated Communication in the Presence of Break-Ins , 1997, PODC '97.

[23]  David Lie,et al.  Relaxed Determinism: Making Redundant Execution on Multiprocessors Practical , 2007, HotOS.

[24]  Landon P. Cox,et al.  TightLip: Keeping Applications from Spilling the Beans , 2007, NSDI.

[25]  Yennun Huang,et al.  Software rejuvenation: analysis, module and applications , 1995, Twenty-Fifth International Symposium on Fault-Tolerant Computing. Digest of Papers.

[26]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[27]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[28]  Paulo Sousa Proactive Resilience∗ , 2006 .

[29]  Paulo Veríssimo,et al.  Travelling through wormholes: a new look at distributed systems models , 2006, SIGA.

[30]  Arun K. Sood,et al.  Closing cluster attack windows through server redundancy and rotations , 2006, Sixth IEEE International Symposium on Cluster Computing and the Grid (CCGRID'06).

[31]  Ruby B. Lee,et al.  National Cyber Leap Year Summit 2009 Co-Chairs ’ Report , 2009 .

[32]  Butler W. Lampson,et al.  The ABCD's of Paxos , 2001, PODC '01.

[33]  Robbert van Renesse,et al.  APSS: proactive secret sharing in asynchronous systems , 2005, TSEC.

[34]  Miguel Castro,et al.  Fast byte-granularity software fault isolation , 2009, SOSP '09.

[35]  Miguel Castro,et al.  Using abstraction to improve fault tolerance , 2001, Proceedings Eighth Workshop on Hot Topics in Operating Systems.

[36]  Miguel Castro,et al.  BASE: using abstraction to improve fault tolerance , 2001, SOSP.

[37]  Fred B. Schneider,et al.  Distributed Trust: Supporting Fault-tolerance and Attack-tolerance , 2004 .

[38]  Ravishankar K. Iyer,et al.  Transparent runtime randomization for security , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[39]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[40]  Algirdas Avizienis,et al.  The N-Version Approach to Fault-Tolerant Software , 1985, IEEE Transactions on Software Engineering.

[41]  Shivakant Mishra,et al.  Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks , 2004, International Conference on Dependable Systems and Networks, 2004.

[42]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[43]  M. Herlihy A quorum-consensus replication method for abstract data types , 1986, TOCS.

[44]  David Evans,et al.  N-Variant Systems: A Secretless Framework for Security through Diversity , 2006, USENIX Security Symposium.

[45]  Arun K. Sood,et al.  Secure, Resilient Computing Clusters: Self-Cleansing Intrusion Tolerance with Hardware Enforced Security (SCIT/HES) , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[46]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[47]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[48]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[49]  Michael K. Reiter,et al.  Byzantine quorum systems , 1997, STOC '97.

[50]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[51]  Fred B. Schneider,et al.  Synchronization in Distributed Programs , 1982, TOPL.

[52]  Dawn Song,et al.  Mitigating buffer overflows by operating system randomization , 2002 .

[53]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[54]  Jeffrey D. Case,et al.  Simple Network Management Protocol (SNMP) , 1990, RFC.

[55]  Elena Gabriela Barrantes,et al.  Known/Chosen Key Attacks against Software Instruction Set Randomization , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[56]  Rida A. Bazzi,et al.  Matrix Signatures: From MACs to Digital Signatures in Distributed Systems , 2008, DISC.

[57]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[58]  Paulo Veríssimo,et al.  Proactive resilience through architectural hybridization , 2006, SAC.

[59]  George Candea,et al.  Microreboot - A Technique for Cheap Recovery , 2004, OSDI.

[60]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[61]  Fred B. Schneider,et al.  CODEX: a robust and secure secret distribution system , 2004, IEEE Transactions on Dependable and Secure Computing.