GENESIS: A Framework For Achieving Component Diversity. John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia); Chenxi Wang (Carnegie Mellon University).
Slide 1: GENESIS: A Framework For Achieving Component Diversity
John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong, University of Virginia
Chenxi Wang, Carnegie Mellon University

Slide 2: Nice Meeting Facility!

Slide 3: What Is The Problem?
- Many machines with the same vulnerability
- What is a vulnerability? A vulnerability is a fault in the classic sense of dependability theory
- Fault types:
  - Degradation: something breaks in one copy
  - Design: a flaw in the design affects all copies
- Software faults are design faults

Slide 4: Redundancy & Degradation Faults (diagram)
N Modular Redundant (NMR) system of identical computers: Inputs -> Computer 1, Computer 2, ..., Computer N -> Voter -> Outputs. The voter provides error detection; the system then performs damage assessment, state restoration and continued service.

Slide 5: Redundancy & Design Faults
- Redundancy is diversity
- Works well for degradation faults:
  - Faults have predictable statistical behavior
  - Effective mathematical models available
- What about design faults?
  - Simple replication doesn't work, obviously
  - Requires different (diverse) designs to be effective

Slide 6: Multiple Systems (diagram)
One specification implemented by Linux, Windows and OS/2, with the vulnerabilities of each implementation marked.

Slide 7: Design Diversity (diagram)
From a single component specification, Version Development 1, Version Development 2, ..., Version Development N proceed independently (separated by interaction barriers and technology restrictions) and feed system assembly. Goal: different faults because of independent development.

Slide 8: Design Diverse System (diagram)
N Version System: Inputs -> Version 1, Version 2, ..., Version N -> Voter -> Outputs. How "different" are the versions? Assumption: different faults because of independent development.

Slide 9: Design Diversity
- Does not work well for design faults:
  - No upper bound on failure probability
  - No practical statistical models
  - No definition of "design diversity"
  - No procedure for achieving it
- Linux vs. Windows is, however, worse: it is purely ad hoc
- But, what else is there?


Slide 11: Data Diversity
- Heisenbug (Jim Gray):
  - Program fails
  - Sometimes, if you rerun the program, it works
  - Applied to the Tandem operating system
- We all do this in daily operation
- Several variants of the approach developed
- Comprehensive, general approach developed: data diversity

Slide 12: Data Diverse System (diagram)
N Copy Architecture, same software in every copy: Inputs -> Data Reexpression -> Copy 1, Copy 2, ..., Copy N -> Reverse Data Reexpression -> Voter.

Slide 13: Data Diversity
- Low cost: the software is simply copied
- Unknown performance for design faults
- Experimental evidence that it works well
- Can be very powerful:
  sin(x) = sin(a + b) = sin(a)cos(b) + cos(a)sin(b) = sin(a)sin(90 - b) + sin(90 - a)sin(b)   (angles in degrees)
- Choose a and b, repeat, vote
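The N-copy data-diverse architecture of slides 12 and 13, with the NMR voter of slide 4 for contrast, as an added Python example; this is not code from the Genesis project or its authors. `faulty_sin`, its bad-input band, the voter tolerance and the seeded random split are all constructed for this illustration: the band stands in for a design fault that every identical copy of the software shares.

```python
"""Data diversity with an N-copy voter (added illustration of slides 4, 12, 13).
The program under test is a constructed stand-in with an input-dependent
design fault; nothing here is Genesis project code."""
import math
import random
from typing import Callable, List, Sequence

Program = Callable[[float], float]


def faulty_sin(x: float) -> float:
    """Constructed stand-in for a deployed sine routine with a design fault:
    correct everywhere except a narrow band of inputs, where it silently
    returns 0.0. Every identical copy fails on exactly the same inputs."""
    if 0.70 <= x <= 0.72:          # assumed 'bad band', chosen for the demo
        return 0.0
    return math.sin(x)


def vote(values: Sequence[float], tol: float = 1e-9) -> float:
    """Majority voter for real-valued outputs. Values within `tol` of a
    cluster's first member count as agreeing; the largest cluster wins if it
    holds a strict majority, otherwise the voter reports failure."""
    clusters: List[List[float]] = []
    for v in values:
        for c in clusters:
            if abs(v - c[0]) <= tol:
                c.append(v)
                break
        else:
            clusters.append([v])
    best = max(clusters, key=len)
    if len(best) * 2 <= len(values):
        raise RuntimeError("no majority among %d copies" % len(values))
    return best[0]


def nmr_sin(program: Program, x: float, n: int) -> float:
    """N-modular redundancy over identical copies (slide 4): fine for
    degradation faults, useless for a design fault that all copies share."""
    return vote([program(x) for _ in range(n)])


def data_diverse_sin(program: Program, x: float, n: int, seed: int = 0) -> float:
    """N-copy data-diverse architecture (slides 12 and 13): each copy runs the
    same software on a re-expressed input. Re-expression picks a random split
    x = a + b and evaluates
        sin(x) = sin(a)cos(b) + cos(a)sin(b)
               = sin(a)sin(pi/2 - b) + sin(pi/2 - a)sin(b)
    so only the (faulty) sine routine is exercised. Reverse re-expression is
    the identity here, because the algebra already yields sin(x)."""
    rng = random.Random(seed)
    outputs = []
    for _ in range(n):
        a = rng.uniform(-math.pi, math.pi)       # data re-expression
        b = x - a
        outputs.append(program(a) * program(math.pi / 2 - b)
                       + program(math.pi / 2 - a) * program(b))
    return vote(outputs)                         # reverse re-expression + vote


if __name__ == "__main__":
    x = 0.71                                     # inside the constructed bad band
    print("reference    :", math.sin(x))
    print("NMR, 5 copies:", nmr_sin(faulty_sin, x, 5))          # unanimous, wrong
    print("data diverse :", data_diverse_sin(faulty_sin, x, 5))  # out-votes the fault
```

Running the script shows the NMR copies agreeing unanimously on the wrong value 0.0 (the point of slide 5: replication alone cannot mask a shared design fault), while the data-diverse copies, each evaluating the sine routine at four re-expressed points, out-vote the occasional copy whose split happens to land in the bad band. Because the copies' outputs differ at the level of floating-point rounding, the voter compares with a tolerance rather than exact equality; an exact-match voter would reject every data-diverse result as disagreement.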

Slide 14: The Vision
- Automated production of design-diverse, functionally-equivalent software
- Automatic production of data-diverse, functionally-equivalent software
- It might work...

Slide 15: Overall Approach
- Analysis of the diversity space
- Automated production of functionally-equivalent software and data:
  - Compiler and meta-compiler technology: source-level transformations, compiler transformations, data stream rewriting
  - Virtual machine technology: run-time software translation techniques
- Rationale that diversity is an effective defense mechanism:
  - Experimental evaluation
  - Modeling of the effects of diversity on known vulnerabilities
- Application to COTS software

Slide 16: Hierarchic Design Diversity (diagram)
Levels of design diversity arranged as a hierarchy, with run-time transformations shown as one level.

Slide 17: Source to Source Transformations
- Underlying model of tasks: e.g. fork/exec vs. threads
- Process interaction: e.g. low-level semaphores vs. higher-level monitors
- Fundamental libraries: e.g. libc, sockets, etc.
- Diversity achieved by component combinations

Slide 18: Compiler Transformations
- Generate N compilers that target different architectures
- Manipulate a formal description of the target architecture, the Computer Systems Description Language (CSDL):
  - Instruction Set Architecture (ISA) specification
  - Calling convention specification
- Example diversity techniques:
  - Different calling conventions
  - ISA subsets created, enforced dynamically
  - Memory layouts (code and data)
  - Implement the above within the same program

Slide 19: Run-time Transformations
- Software Dynamic Translation
- STRATA system:
  - Layer between hardware and application
  - Designed to be easily retargeted
- Virtual machine provides:
  - Underlying target
  - Supplementary rules on use of target
- Software Dynamic Translation systems: FX!32, Dynamo, Transmeta

Slide 20: STRATA Basic Operation (diagram)
The translation layer sits between the application and the hardware and enforces the desired policies.

Slide 21: Example STRATA Policies
- Apply compile-time transformations dynamically: rearrangement of basic blocks, calling sequence transformations, etc.
- Dynamic injection and enforcement of behavioral policies, e.g. resource usage (files, sockets, tasks)
- Language diversity (dialects):
  - Only allow subsets of the original instruction set
  - Vary the subsets dynamically

Slide 22: STRATA System Architecture (diagram)
Machine-independent components of the STRATA system.

Slide 23: Data Diversity
- Diversity in the data space can avoid sequences of events that lead to failure
- The diversity space offers a large range of data re-expression options:
  - Precision (exact, approximate)
  - Locality (internal, external)
  - Sequence (in-order on-time, in-order off-time, out-of-order on-time, out-of-order off-time)

Slide 24: Data Re-expression Examples
- Change floating point values: lose precision, translate, rotate
- Data sequences: reorder data, change timing of data
- Memory layout (code and data)
- Reorder transactions
- Reorder data in activation records
- SQL rewriting
- ...many more examples...

Slide 25: Data Re-expression Space
- These examples are ad hoc
- Proposals in the literature are ad hoc
- So: use the data re-expression space categorization to drive exploration of diversity techniques (instead of point solutions)

Slide 26: Evaluation
- Theoretical:
  - Modeling of effects of diversity on network vulnerabilities, e.g. worm propagation
  - Understand limits of diversity
  - Categorization of the "diversity space"
  - Identify unnecessary homogeneity in software: not just code but also environment, configuration, etc.
- Experimental:
  - Directed fault seeding: apply known exploits to the target system, apply all Genesis techniques, evaluate the variants' resistance to attack
  - Automated fault seeding

Slide 27: Automatic Fault Seeding
- Need test cases
- Need typical vulnerabilities, i.e., bugs
- Can typical bugs be synthesized?
- Prior work on syntactic transformations:
  - Simple mutations
  - Wide variety of resilience
  - Defects created with excellent statistical properties
- Plan to try this route

Slide 28: Automated Fault Seeding (diagram)
Many copies of the target software system pass through error seeding, checked against acceptance tests; the Genesis transformations are applied to the seeded copies, and the resulting variants go to vulnerability assessment.
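The automated fault-seeding pipeline of slides 27 and 28, as an added Python example that is not code from the Genesis project: synthesize defects by simple syntactic mutation, then run each mutant against an acceptance-test suite and record which seeded bugs were detected. The target program (`bounded_copy`, `room_left`), the operator-swap table and the acceptance tests are constructed for this illustration; the Genesis transformation and vulnerability-assessment stages of slide 28 are not modelled. Requires Python 3.9+ for `ast.unparse`.

```python
"""Automated fault seeding by syntactic mutation (added illustration of
slides 27 and 28; not Genesis project code). Target and tests are constructed."""
import ast
import copy
from typing import Callable, Dict, List, Tuple

# Constructed target: a bounds-checked buffer copy and a small helper.
TARGET_SRC = '''
def bounded_copy(src, capacity):
    """Copy at most `capacity` items of src into a fresh buffer."""
    if capacity < 0 or src is None:
        raise ValueError("bad arguments")
    limit = len(src)
    if capacity < limit:
        limit = capacity
    buf = []
    for i in range(limit):
        buf.append(src[i])
    return buf

def room_left(buf, capacity):
    """Free slots remaining in a buffer of the given capacity."""
    return capacity - len(buf)
'''

# Simple syntactic mutations: each swaps one operator for a near neighbour,
# the off-by-one and inverted-condition shapes that real bugs often take.
MUTATIONS = {ast.Lt: ast.LtE, ast.LtE: ast.Lt, ast.Gt: ast.GtE, ast.GtE: ast.Gt,
             ast.Add: ast.Sub, ast.Sub: ast.Add, ast.And: ast.Or, ast.Or: ast.And}


def load_module(src: str) -> Dict[str, object]:
    """Compile source text into a fresh namespace (used for original and mutants)."""
    ns: Dict[str, object] = {}
    exec(compile(ast.parse(src) if isinstance(src, str) else src, "<seeded>", "exec"), ns)
    return ns


def acceptance_tests(ns: Dict[str, object]) -> bool:
    """Constructed acceptance suite run against a (possibly mutated) module.
    Returns True only when every check passes; any crash counts as failure."""
    copy_fn, room = ns["bounded_copy"], ns["room_left"]
    try:
        ok = (copy_fn([1, 2, 3], 2) == [1, 2]
              and copy_fn([1, 2, 3], 5) == [1, 2, 3]
              and copy_fn([1, 2, 3], 0) == []
              and copy_fn([], 3) == []
              and room([1, 2], 5) == 3)
        if not ok:
            return False
        try:
            copy_fn([1], -1)
            return False                   # negative capacity must be rejected
        except ValueError:
            return True
    except Exception:                      # IndexError, TypeError, ...
        return False


def mutation_sites(tree: ast.AST) -> List[int]:
    """Indices (in ast.walk order) of nodes whose operator can be mutated."""
    sites = []
    for idx, node in enumerate(ast.walk(tree)):
        if isinstance(node, ast.Compare) and len(node.ops) == 1 \
                and type(node.ops[0]) in MUTATIONS:
            sites.append(idx)
        elif isinstance(node, (ast.BinOp, ast.BoolOp)) and type(node.op) in MUTATIONS:
            sites.append(idx)
    return sites


def make_mutant(tree: ast.AST, site: int) -> Tuple[ast.AST, str]:
    """Deep-copy the tree and apply one operator swap at `site`; the label
    records the seeded defect as 'original  ->  mutated'."""
    mutant = copy.deepcopy(tree)
    node = list(ast.walk(mutant))[site]
    before = ast.unparse(node)
    if isinstance(node, ast.Compare):
        node.ops[0] = MUTATIONS[type(node.ops[0])]()
    else:
        node.op = MUTATIONS[type(node.op)]()
    return mutant, "%s  ->  %s" % (before, ast.unparse(node))


def seed_faults(src: str, tests: Callable[[Dict[str, object]], bool]) -> Dict[str, object]:
    """Generate every single-operator mutant, run the acceptance tests on each,
    and report which seeded faults were detected (killed) or slipped through."""
    tree = ast.parse(src)
    killed, survived = [], []
    for site in mutation_sites(tree):
        mutant, label = make_mutant(tree, site)
        (survived if tests(load_module(mutant)) else killed).append(label)
    return {"mutants": len(killed) + len(survived), "killed": killed, "survived": survived}


if __name__ == "__main__":
    report = seed_faults(TARGET_SRC, acceptance_tests)
    print("mutants:", report["mutants"])
    for label in report["killed"]:
        print("killed  :", label)
    for label in report["survived"]:
        print("survived:", label)
```

The run produces four mutants; three are killed by the acceptance tests and one survives, because turning `capacity < limit` into `capacity <= limit` leaves the program's behaviour unchanged (an equivalent mutant). That surviving case is the statistical caveat behind slide 27: only mutants that an acceptance test can distinguish from the original count as seeded defects, so the test suite must be checked for this before the mutants are handed to the later stages. Mutations that can introduce non-termination (for example flipping the sign of a loop counter update) are deliberately left out of the operator table, since the harness has no timeout.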

Slide 29: State Of The Implementation
Exists, ready to use:
- CSDL
- Calling convention spec
- STRATA

Slide 30: Specific Questions Posed
- What are you trying to do (the problem you are addressing)?
- How will you show that you were successful?
- What are the implications of successful results (or less than successful results)?
- What is your technical approach?
- What is new, or hasn't been attempted?
- What significant problems do you anticipate, what makes your project difficult, and how do you plan to approach the difficulties?
- If successful, what have you thought about regarding transitioning the technology?
- If successful, what would be next?

Slide 31: Practical Problem
If this works:
- Building a system will require lots of computer time
- Lots of systems will require LOTS of computer time
- But it is just computer time
- Will not be able to just press CDs
- Will require a substantial engineering investment

Slide 32: Summary
- Automatic application of design diversity: macro, midi, micro
- Systematic application of data diversity: internal, external, all dimensions
- Seamless integration of the two
- Evaluation and assessment: directed fault seeding, automated fault seeding
Questions?