Diversified Process Replicæ for Defeating Memory Error Exploits

One interpretation of the notion of software diversity is based on the concept of diversified process replicæ. We define pr as the replica of a process p that behaves identically to p but has some "structural" diversity from it. This makes it possible to detect memory corruption attacks in a deterministic way. In our solution, p and pr differ in their address spaces, which are suitably diversified, thus defeating both absolute and partial overwriting memory error exploits. We also give a characterization and a preliminary solution for shared memory management, one of the biggest practical issues introduced by this approach, and we speculate on how to deal with synchronous signal delivery. A user space proof-of-concept prototype has been implemented. Experimental results show a 68.93% throughput slowdown in the worst case and only a 1.20% slowdown in the best case.
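The detection principle described in the abstract, as an added toy model (not the paper's prototype): two replicas with different data bases and code layouts run the same buggy copy loop on the same input, and a monitor compares their observable traces. The layouts, routine names, and the request format are constructed for illustration; the model covers absolute pointer overwrites only.

```python
# Toy model of diversified process replicas (added example, not the paper's code).
# Both replicas execute the same program logic over identical input, but each has
# its own memory layout. A memory error that plants an absolute pointer can only
# match one layout, so the replicas' observable behaviour diverges and a monitor
# comparing their "syscall" traces flags the corruption deterministically.

BUF_WORDS = 4          # constructed layout: 4-word buffer followed by a code pointer
FPTR_OFF = BUF_WORDS   # offset (in words) of the function-pointer slot

class Replica:
    def __init__(self, name, data_base, code_layout):
        self.name = name
        self.data_base = data_base       # diversified base of the data region
        self.code = code_layout          # routine name -> absolute address (diversified)
        self.mem = {}                    # word-addressed memory
        self.trace = []                  # observable "syscall" trace

    def run(self, request):
        # Legitimate initialisation: the slot points at this replica's handle_request.
        self.mem[self.data_base + FPTR_OFF] = self.code["handle_request"]
        # The bug: a copy loop with no bounds check, so a long request overwrites the slot.
        for i, word in enumerate(request):
            self.mem[self.data_base + i] = word
        # Indirect call through the (possibly corrupted) pointer.
        target = self.mem[self.data_base + FPTR_OFF]
        routine = {addr: name for name, addr in self.code.items()}.get(target)
        if routine is None:
            self.trace.append("SIGSEGV")  # pointer does not land on code in this layout
        else:
            self.trace.append(f"call:{routine}")
            self.trace.append("write(stdout)" if routine == "handle_request" else "open(config)")
        return self.trace

def monitor(request):
    """Run p and its replica pr on the same input; report (diverged, trace_p, trace_pr)."""
    p = Replica("p", data_base=0x1000,
                code_layout={"handle_request": 0x400000, "reload_config": 0x400040})
    pr = Replica("pr", data_base=0x9000,
                 code_layout={"handle_request": 0x7a0040, "reload_config": 0x7a0000})
    trace_p, trace_pr = p.run(request), pr.run(request)
    return trace_p != trace_pr, trace_p, trace_pr

if __name__ == "__main__":
    print(monitor([1, 2, 3, 4]))                   # in-bounds request: no divergence
    print(monitor([0, 0, 0, 0, 0x400040]))         # slot overwritten with p's address of reload_config
```

Any mismatch in the traces is reported regardless of which routine the corrupted pointer happens to reach, which is what makes the detection deterministic rather than probabilistic.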
