Jefferson’s Polygraph
Presentation transcript:

Jefferson’s Polygraph
Polygraphing Processes: N-Variant Systems for Secretless Security
David Evans, UVa/CMU Genesis Project
DARPA SRS PIs Meeting, 12 July 2005
Image: Jefferson's Polygraph (Copying Machine), courtesy the University of Virginia. Image credit: Thomas Jefferson Foundation/Edward Owen. http://www.monticello.org/gallery/innovations/polygraph.html
Image: Hoover’s Polygraph

Motivating Observation
- Previous diversity approaches (including ours) rely on keeping secrets
- Keeping secrets is hard [Shacham, et al., CCS 2004] [Sovarel, et al., USENIX Security 2005]
- Can we use diversity effectively without needing any secrets?
DARPA SRS Genesis Project

N-Variant Systems
- Construct a system that requires the attacker to “simultaneously” compromise multiple variants
- Variations designed to make this impossible for certain attack classes
- Provides security without needing secrets
- Framework for proving resistance to classes of attack

N-Version Programming vs. N-Variant System
N-Version Programming [Avizienis & Chen, 1977]:
- Multiple teams of programmers implement the same spec
- Voter compares results and selects the most common
- No guarantees: teams may make the same mistake
N-Variant System:
- Transformer automatically produces diverse variants
- Monitor compares results and detects attack
- Guarantees: variants behave differently on particular input classes

2-Variant System
Diagram: Input (Possibly Malicious) → Polygrapher → Server Variant 1 (and the second variant) → Monitor → Output

N-Variant Framework
Diagram: Polygrapher → Variant 1 (and the other variants) → Monitor
Polygrapher:
- Replicate the “same” input to all variants
Monitor:
- Delay effects until all variants finish successfully
- Detect failure of one variant: “Crash”: other variants may have been compromised; need to recover to known valid states
Set of Variants:
- Must be disjoint with respect to the attack requirement
- An attack input that succeeds against one variant must cause some other variant to fail detectably

Establishing Disjoint Variants
Normal Equivalence Property:
- Under normal inputs, the variants stay in equivalent states: A0(S0) ≡ A1(S1)
Detection Property:
- Any attack that compromises one variant causes another variant to exhibit detection behavior (e.g., crash)

Example: Memory Partitioning Variation
- Variant 0: addresses all start with 0
- Variant 1: addresses all start with 1
Normal Equivalence:
- Map addresses to the same address space
- Broken if code depends on absolute addresses
Detection Property:
- Any absolute load/store is invalid on one of the variants
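The two properties on this slide can be checked on a toy model. The C program below is an added example, not code from the slides or from the Genesis project: two variants hold the same constructed program image in address-space halves selected by the top address bit, a relocated ("relative") load satisfies normal equivalence on both, and an absolute address supplied unchanged to both is valid on at most one of them, so the monitor sees one variant fault. The address width, image bytes and function names are all constructed for the example.

```c
/* Added example, not from the slides: a toy model of the memory partitioning
 * variation. Two variants run the same program image, each in the half of the
 * address space selected by the top address bit; the monitor compares the
 * outcome of each load on both variants. Sizes and names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPACE_BITS 12                      /* toy: 4 KiB of memory per variant */
#define SPACE_SIZE (1u << SPACE_BITS)
#define TOP_BIT    (1u << SPACE_BITS)      /* 0 in variant 0, 1 in variant 1 */

typedef struct {
    uint32_t base;                         /* 0 or TOP_BIT */
    uint8_t  mem[SPACE_SIZE];
} variant_t;

enum { MON_OK = 0, MON_ATTACK = 1 };

/* The polygrapher loads the same image into both variants; only the base differs. */
static void init_variant(variant_t *v, uint32_t base, const uint8_t *image, size_t len) {
    v->base = base;
    memset(v->mem, 0, sizeof v->mem);
    memcpy(v->mem, image, len);
}

/* One load on one variant. An address whose top bit does not match the
 * variant's half lies outside its address space: the variant faults (returns 0). */
static int load(const variant_t *v, uint32_t addr, uint8_t *out) {
    if ((addr & TOP_BIT) != v->base) return 0;
    *out = v->mem[addr & (SPACE_SIZE - 1)];
    return 1;
}

/* Monitor: perform the load on both variants, accept only if both succeed and agree. */
static int monitor_load(const variant_t *v0, uint32_t a0,
                        const variant_t *v1, uint32_t a1, uint8_t *out) {
    uint8_t x, y;
    if (!load(v0, a0, &x) || !load(v1, a1, &y) || x != y) return MON_ATTACK;
    *out = x;
    return MON_OK;
}

/* Normal equivalence: program addresses are relocated per variant, so a
 * reference to offset `off` becomes base|off on each variant and both agree. */
int relative_load(const variant_t *v0, const variant_t *v1, uint32_t off, uint8_t *out) {
    return monitor_load(v0, v0->base | off, v1, v1->base | off, out);
}

/* Detection property: an absolute address (e.g. a pointer value carried in the
 * input) reaches both variants unchanged. Its top bit selects one half, so it
 * is valid on at most one variant and the other one faults. */
int absolute_load(const variant_t *v0, const variant_t *v1, uint32_t addr, uint8_t *out) {
    return monitor_load(v0, addr, v1, addr, out);
}

static variant_t g_v0, g_v1;                                   /* shared demo state */
static const uint8_t g_image[] = { 0x10, 0x20, 0x30, 0x40 };   /* constructed program image */

/* Returns a bitmask: bit 0 = relative load succeeded with the right value,
 * bit 1 = absolute load aimed at variant 0's half was detected,
 * bit 2 = absolute load aimed at variant 1's half was detected. Expect 7. */
int demo_memory_partition(void) {
    uint8_t val = 0;
    int mask = 0;
    init_variant(&g_v0, 0, g_image, sizeof g_image);
    init_variant(&g_v1, TOP_BIT, g_image, sizeof g_image);
    if (relative_load(&g_v0, &g_v1, 2, &val) == MON_OK && val == 0x30) mask |= 1;
    if (absolute_load(&g_v0, &g_v1, 2, &val) == MON_ATTACK) mask |= 2;
    if (absolute_load(&g_v0, &g_v1, TOP_BIT | 2, &val) == MON_ATTACK) mask |= 4;
    return mask;
}

int main(void) {
    printf("memory partition demo mask = %d (expect 7)\n", demo_memory_partition());
    return 0;
}
```

The model makes the slide's caveat concrete: normal equivalence holds only while every address the program uses is relocated through its base, which is exactly what code that depends on absolute addresses breaks.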

Instruction Set Partitioning
Diagram: the opcodes JMP, CALL, JO, JNO, JB, JNB, JZ, JNZ, … listed under Variant A and under Variant B

Instruction Set Tagging
Variation: add an extra bit to all opcodes
- Variation 0: tag bit is a 0
- Variation 1: tag bit is a 1
- At run-time, check and remove the tag using Strata
Normal Equivalence:
- Remove the tag bits
Detection Property:
- Any (tagged) opcode is invalid on one variant
- Injected code (identical on both) cannot run on both
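The tagging argument can also be played out on a small bytecode. The C program below is an added example, not code from the slides or from Strata: a transformer sets a tag bit on each opcode of a constructed program image, one image per variant, and a toy interpreter (standing in for Strata's run-time check) rejects any opcode whose tag does not match the variant before stripping it and executing. The same raw, untagged bytes placed in both variants' memory run on the variant whose tag is 0 but are invalid on the variant whose tag is 1, so the monitor never sees both finish. The bytecode, tag position and function names are constructed.

```c
/* Added example, not from the slides: a toy model of the instruction set
 * tagging variation. A transformer sets a tag bit on every opcode of the
 * program image; a toy interpreter (the role Strata plays) checks and strips
 * the tag before executing. Bytecode and tag position are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG_BIT 0x80     /* toy: the top bit of an 8-bit opcode carries the tag */

enum op { OP_HALT = 0x00, OP_PUSH = 0x01, OP_ADD = 0x02, OP_OUT = 0x03 };  /* untagged opcodes */
enum { EXEC_OK, EXEC_BAD_TAG, EXEC_BAD_OP, EXEC_FAULT };
enum { MON_OK, MON_ATTACK };

/* Instruction length (opcode plus operands) by untagged opcode; 0 = unknown. */
static size_t op_len(uint8_t op) {
    switch (op) {
    case OP_HALT: case OP_ADD: case OP_OUT: return 1;
    case OP_PUSH: return 2;
    default: return 0;
    }
}

/* Transformer: copy the program, setting the variant's tag on each opcode.
 * Operand bytes are left alone. Returns 0 if the program does not decode. */
static size_t tag_program(const uint8_t *prog, size_t len, int tag, uint8_t *out) {
    for (size_t i = 0; i < len; ) {
        size_t n = op_len(prog[i]);
        if (n == 0 || i + n > len) return 0;
        out[i] = prog[i] | (tag ? TAG_BIT : 0);
        for (size_t k = 1; k < n; k++) out[i + k] = prog[i + k];
        i += n;
    }
    return len;
}

/* Interpreter for one variant: every opcode must carry this variant's tag. */
static int run(const uint8_t *code, size_t len, int tag, int32_t *out) {
    int32_t stack[16];
    int sp = 0;
    for (size_t pc = 0; pc < len; ) {
        uint8_t raw = code[pc];
        if (((raw & TAG_BIT) != 0) != (tag != 0)) return EXEC_BAD_TAG;  /* wrong tag: invalid opcode */
        switch (raw & (uint8_t)~TAG_BIT) {                           /* strip the tag, then execute */
        case OP_HALT: return EXEC_OK;
        case OP_PUSH: if (pc + 1 >= len || sp >= 16) return EXEC_FAULT;
                      stack[sp++] = code[pc + 1]; pc += 2; break;
        case OP_ADD:  if (sp < 2) return EXEC_FAULT;
                      stack[sp - 2] += stack[sp - 1]; sp--; pc++; break;
        case OP_OUT:  if (sp < 1) return EXEC_FAULT;
                      *out = stack[--sp]; pc++; break;
        default:      return EXEC_BAD_OP;
        }
    }
    return EXEC_FAULT;                                               /* ran off the end */
}

/* Monitor: both variants must finish and produce the same output. */
static int monitor(const uint8_t *img0, const uint8_t *img1, size_t len, int32_t *result) {
    int32_t r0 = 0, r1 = 0;
    if (run(img0, len, 0, &r0) != EXEC_OK || run(img1, len, 1, &r1) != EXEC_OK || r0 != r1)
        return MON_ATTACK;
    *result = r0;
    return MON_OK;
}

/* Constructed legitimate program: 40 + 2, output, halt. */
static const uint8_t g_program[] = { OP_PUSH, 40, OP_PUSH, 2, OP_ADD, OP_OUT, OP_HALT };
/* Constructed injected code: raw untagged bytes that arrive identically in
 * both variants' memory; the attacker cannot tag them differently per variant. */
static const uint8_t g_injected[] = { OP_PUSH, 99, OP_OUT, OP_HALT };

/* Normal equivalence: the two tagged images differ byte for byte, yet the
 * monitor sees a single agreed result (42). Returns -1 on any failure. */
int32_t demo_normal(void) {
    uint8_t img0[sizeof g_program], img1[sizeof g_program];
    int32_t result = -1;
    if (!tag_program(g_program, sizeof g_program, 0, img0)) return -1;
    if (!tag_program(g_program, sizeof g_program, 1, img1)) return -1;
    return monitor(img0, img1, sizeof g_program, &result) == MON_OK ? result : -1;
}

/* Detection property: the injected bytes execute on variant 0 (tag 0 matches
 * untagged opcodes) but are invalid on variant 1, so the monitor reports an attack. */
int demo_injected(void) {
    int32_t result = 0;
    return monitor(g_injected, g_injected, sizeof g_injected, &result);
}

int main(void) {
    printf("normal run result = %d (expect 42)\n", (int)demo_normal());
    printf("injected code: %s\n", demo_injected() == MON_ATTACK ? "attack detected" : "ran on both");
    return 0;
}
```

Note what the model does not need: no secret. The tag values 0 and 1 are public; the guarantee comes from the injected bytes being identical in both variants while the two variants demand different tags.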

Composing Variations
- Must preserve the normal equivalence property
Diagram: variants P1, P2, P3 combining the Memory Space variation (detects memory attacks) with the Instruction Tags variation (detects direct code injection)

Implementations
Two prototypes:
- Linux Kernel Modification
- Divert Sockets
Common to both:
- Ad hoc establishment of normal equivalence
- Transformation used to create variants
- Run-time checking for equivalent behavior at security-critical events

Kernel Implementation
- Modify the process table to record variants
- Create a new fork routine to launch variants
- Intercept system calls: check that parameters match for all variants; make the call once; send the same result to all
- Low overhead, lack of isolation
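The system-call step of the kernel prototype (compare, call once, replicate the result) is easy to model in user space. The C program below is an added example, not code from the slides or from the Genesis kernel: each of three variants submits a record of the system call it reached, the monitor refuses to proceed if the numbers or parameters differ, and otherwise performs the call exactly once and delivers the same result to every variant. The syscall number, argument values and the stand-in for performing the call are constructed; pointer arguments are deliberately left out because in the partitioned address spaces they would first have to be mapped back to the common address space before comparison.

```c
/* Added example, not from the slides: a user-level model of the kernel
 * implementation's system-call handling. All variants must reach the same
 * system call with matching parameters; the monitor then makes the call once
 * and hands the same result to every variant. Numbers and values are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NVAR  3
#define NARGS 3

typedef struct {
    int      nr;            /* system call number */
    uint64_t args[NARGS];   /* non-pointer arguments only in this toy: pointer
                               arguments would be compared after mapping back to
                               the common address space (normal equivalence) */
} syscall_req_t;

enum { MON_OK = 0, MON_DIVERGE = 1 };

static int g_calls_made;    /* how many times the "real" call was performed */

/* Stand-in for performing the real system call: deterministic, counted. */
static int64_t perform_once(const syscall_req_t *r) {
    g_calls_made++;
    return (int64_t)r->args[1];      /* e.g. a seek returning the resulting offset */
}

/* Monitor at a security-critical event: every variant has trapped into the
 * kernel. Compare number and parameters; on any mismatch report detection and
 * do not perform the call; otherwise perform it once and replicate the result. */
int monitor_syscall(const syscall_req_t reqs[NVAR], int64_t results[NVAR]) {
    for (int i = 1; i < NVAR; i++) {
        if (reqs[i].nr != reqs[0].nr ||
            memcmp(reqs[i].args, reqs[0].args, sizeof reqs[0].args) != 0)
            return MON_DIVERGE;
    }
    int64_t r = perform_once(&reqs[0]);
    for (int i = 0; i < NVAR; i++) results[i] = r;
    return MON_OK;
}

/* Constructed request: a seek-like call (fd 3, offset, whence 0). */
static void fill_request(syscall_req_t *req, uint64_t offset) {
    req->nr = 8;                     /* constructed syscall number for the toy */
    req->args[0] = 3;
    req->args[1] = offset;
    req->args[2] = 0;
}

/* Returns 1 when three identical requests are served by exactly one real call
 * whose result reaches all variants. */
int demo_matching(void) {
    syscall_req_t reqs[NVAR];
    int64_t res[NVAR];
    for (int i = 0; i < NVAR; i++) fill_request(&reqs[i], 1024);
    g_calls_made = 0;
    if (monitor_syscall(reqs, res) != MON_OK) return 0;
    return g_calls_made == 1 && res[0] == 1024 && res[1] == 1024 && res[2] == 1024;
}

/* Returns 1 when one variant arriving with a different parameter is detected
 * and no call is performed at all. */
int demo_diverging(void) {
    syscall_req_t reqs[NVAR];
    int64_t res[NVAR];
    for (int i = 0; i < NVAR; i++) fill_request(&reqs[i], 1024);
    reqs[2].args[1] = 4096;          /* constructed: variant 2 has diverged */
    g_calls_made = 0;
    return monitor_syscall(reqs, res) == MON_DIVERGE && g_calls_made == 0;
}

int main(void) {
    printf("matching requests served once: %s\n", demo_matching() ? "yes" : "no");
    printf("diverging request detected:    %s\n", demo_diverging() ? "yes" : "no");
    return 0;
}
```

Refusing to perform the call on divergence is what delays the attack's effects until all variants agree, which is the monitor's job on the framework slide; the low overhead and the lack of isolation the slide notes both follow from doing this inside one kernel rather than across machines.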

Divert Sockets Implementation
- A process (nvpd) intercepts traffic
- Uses divert sockets to send copies to isolated variants (which can be on different machines)
- Waits until all variants respond to a request before returning to the client
- Adjusts TCP sequence numbers so that each variant appears to have a normal connection

Divert Sockets 3-Variant System
Diagram: Input from Client → nvpd (Polygrapher) → Server variants P1, P2, P3 → Monitor → Output to Client

Results
- Implemented a 3-Variant system with address space partitioning and instruction set tagging
- Thwarts any attack that depends on referencing an absolute address or on executing directly injected code
Latency Overhead (apache):

                 http              https
  4 machines     54x (10.8 ms)     2.1x (4778 ms)
  1 machine      89x (17.8 ms)     2.3x (5271 ms)

Open Problems
- Non-determinism, persistent state
- Formally establishing normal equivalence: statically + dynamically
- Variations to prevent larger classes of attacks: file naming, scheduling, protocol, configuration, etc.
- Limited by the need to preserve (unspecified) application semantics

N-Variant Systems Summary
- Use artificial diversity in a controlled way
- Framework requires the attacker to compromise multiple variants “simultaneously”
- Create variations that make this impossible (for important attack classes)
- Opens the promise of system security proofs that do not require any assumptions about keeping secrets

Credits
Ben Cox, Jack Davidson, David Evans, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen-Tuong, Jonathan Rowanhill