Bunshin: Compositing Security Mechanisms through Diversification

A number of security mechanisms have been proposed to harden programs written in unsafe languages, each of which mitigates a specific type of memory error. Intuitively, enforcing multiple security mechanisms on a target program will improve its overall security. However, this is not yet a viable approach in practice because the execution slowdown caused by various security mechanisms is often non-linearly accumulated, making the combined protection prohibitively expensive; further, most security mechanisms are designed for independent or isolated use and thus are often in conflict with each other, making it impossible to fuse them in a straightforward way. In this paper, we present BUNSHIN, an N-version-based system that enables different and even conflicting security mechanisms to be combined to secure a program while at the same time reducing the execution slowdown. In particular, we propose an automated mechanism to distribute runtime security checks across multiple program variants in such a way that conflicts between security checks are inherently eliminated and execution slowdown is minimized through parallel execution. We also present an N-version execution engine that seamlessly synchronizes these variants so that all distributed security checks work together to guarantee the security of a target program.
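The abstract describes two pieces: distributing checks over variants so that conflicting checks never share a binary and the slowest variant is as fast as possible, and an N-version engine that runs the variants on the same input and treats any variant's violation as a violation of the whole program. The toy model below is an added illustration written for this page, not BUNSHIN's code: the check names, costs, the conflict set, the event-trace "program" and the greedy partitioner are all constructed assumptions, and the greedy heuristic stands in for whatever distribution algorithm the paper actually uses.

```python
"""Toy model of distributing security checks across N program variants and
running the variants in lock-step.  All checks, costs, conflicts and the
sample program are constructed for illustration; the greedy partitioner is
an assumption, not the paper's algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    cost: float  # constructed relative slowdown of enabling this check alone


# Constructed sample: two checks that cannot coexist in one binary (for
# instance, two tools that both claim the same shadow-memory region) are
# recorded as a conflict pair.
CHECKS = [Check("spatial", 0.7), Check("temporal", 0.5),
          Check("uninit", 0.4), Check("cfi", 0.1)]
CONFLICTS = {frozenset({"spatial", "uninit"})}


def distribute(checks, conflicts, n):
    """Greedy distribution: heaviest check first, placed into the least
    loaded variant that holds no conflicting check.  Returns the list of
    n check-name sets and the load of the slowest variant (the cost the
    parallel N-version run actually pays)."""
    variants = [set() for _ in range(n)]
    load = [0.0] * n
    for c in sorted(checks, key=lambda c: -c.cost):
        ok = [i for i in range(n)
              if not any(frozenset({c.name, o}) in conflicts for o in variants[i])]
        if not ok:
            raise ValueError(f"no conflict-free variant left for {c.name}")
        i = min(ok, key=lambda i: load[i])
        variants[i].add(c.name)
        load[i] += c.cost
    return variants, max(load)


def run_program(data: bytes):
    """Constructed toy program: copies its input into a fixed 8-byte buffer
    (overflowing on long input) and reads a freed object when the input
    starts with b'F'.  Returns (memory-event trace, program output)."""
    buf = 8
    trace = [("store", i, buf) for i in range(len(data))]
    if data[:1] == b"F":
        trace += [("free", "obj"), ("load_freed", "obj")]
    return trace, data[:buf].upper()


# Each check inspects the trace the way an instrumented variant would at
# run time; 'uninit' and 'cfi' never fire on this toy program.
CHECK_IMPL = {
    "spatial": lambda tr: any(e[0] == "store" and e[1] >= e[2] for e in tr),
    "temporal": lambda tr: any(e[0] == "load_freed" for e in tr),
    "uninit": lambda tr: False,
    "cfi": lambda tr: False,
}


def run_variant(enabled, data):
    """One variant: run the program with only its assigned checks."""
    trace, out = run_program(data)
    for name in sorted(enabled):
        if CHECK_IMPL[name](trace):
            return ("violation", name)
    return ("ok", out)


def nversion_execute(variants, data):
    """Lock-step engine: every variant sees the same input, any variant's
    violation aborts the whole run, and otherwise all outputs must agree."""
    results = [run_variant(v, data) for v in variants]
    for status, detail in results:
        if status == "violation":
            return ("abort", detail)
    outputs = {detail for _, detail in results}
    if len(outputs) != 1:
        return ("abort", "divergence")
    return ("ok", outputs.pop())


if __name__ == "__main__":
    variants, worst = distribute(CHECKS, CONFLICTS, 2)
    print(variants, worst)
    for sample in (b"hello", b"abcdefghij", b"Fxx"):
        print(sample, nversion_execute(variants, sample))
```

With two variants the greedy pass puts `spatial` and `cfi` in one binary and `temporal` and `uninit` in the other, so the conflicting pair is separated and the run pays the slowest variant's 0.9 rather than the 1.7 a single fully instrumented binary would accumulate; with a single variant the same input raises, because no conflict-free placement exists. The engine then catches the overflow in one variant and the use-after-free in the other, even though neither variant carries both checks.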
