Moving Target Defense II

A software system’s attack surface is the set of ways in which the system can be attacked. In our prior work, we introduced an attack surface measurement and reduction method to mitigate a software system’s security risk (Manadhata, An attack surface metric, Ph.D. thesis, Carnegie Mellon University, 2008; Manadhata and Wing, IEEE Trans. Softw. Eng. 37:371–386, 2011). In this paper, we explore the use of attack surface shifting in the moving target defense approach. We formalize the notion of shifting the attack surface and introduce a method to quantify the shift. We cast the moving target defense approach as a security-usability trade-off and introduce a two-player stochastic game model to determine an optimal moving target defense strategy. A system’s defender can use our game theoretic approach to optimally shift and reduce the system’s attack surface.
