        Jefferson’s Polygraph


1 Jefferson's Polygraph
Polygraphing Processes: N-Variant Systems for Secretless Security
David Evans, UVa/CMU Genesis Project
DARPA SRS PIs Meeting, 12 July 2005
[Image: Jefferson's Polygraph (copying machine), courtesy the University of Virginia. Image credit: Thomas Jefferson Foundation/Edward Owen.]
[Image: Hoover's Polygraph]

2 Motivating Observation
Previous diversity approaches (including ours) rely on keeping secrets.
Keeping secrets is hard [Shacham, et al., CCS 2004] [Sovarel, et al., USENIX Security 2005].
Can we use diversity effectively without needing any secrets?
DARPA SRS Genesis Project

3 N-Variant Systems
Construct a system that requires the attacker to "simultaneously" compromise multiple variants.
Variations are designed to make this impossible for certain attack classes.
Provides security without needing secrets.
Framework for proving resistance to classes of attack.

4 N-Version Programming vs. N-Variant System
N-Version Programming [Avizienis & Chen, 1977]:
  Multiple teams of programmers implement the same spec.
  A voter compares results and selects the most common.
  No guarantees: teams may make the same mistake.
N-Variant System:
  A transformer automatically produces diverse variants.
  A monitor compares results and detects the attack.
  Guarantees: variants behave differently on particular input classes.

5 2-Variant System
[Figure: input (possibly malicious) enters the server; the polygrapher feeds the variants (Variant 1 shown), and the monitor produces the output.]

6 N-Variant Framework
[Figure: polygrapher feeding Variant 1 and its peers, with the monitor on the output side.]
Polygrapher: replicates the "same" input to all variants.
Monitor: delays effects until all variants finish successfully; detects failure of one variant.
  "Crash": the other variants may have been compromised.
  Need to recover to known valid states.
Set of variants: must be disjoint with respect to the attack requirement.
  An attack input that succeeds against one variant must cause some other variant to fail detectably.

7 Establishing Disjoint Variants
Normal Equivalence Property: under normal inputs, the variants stay in equivalent states: A0(S0) ≡ A1(S1).
Detection Property: any attack that compromises one variant causes another variant to exhibit detection behavior (e.g., crash).

8 Example: Memory Partitioning
Variation:
  Variant 0: all addresses start with 0.
  Variant 1: all addresses start with 1.
Normal Equivalence: map addresses to the same address space. Broken if code depends on absolute addresses.
Detection Property: any absolute load/store is invalid on one of the variants.

9 Instruction Set Partitioning
[Figure: the control-flow opcodes JMP, CALL, JO, JNO, JB, JNB, JZ and JNZ, each shown in its Variant A and Variant B encoding.]

10 Instruction Set Tagging
Variation: add an extra bit to all opcodes.
  Variation 0: tag bit is a 0.
  Variation 1: tag bit is a 1.
At run-time, check and remove the tag using Strata.
Normal Equivalence: remove the tag bits.
Detection Property: any (tagged) opcode is invalid on one variant; injected code (identical on both) cannot run on both.

11 Composing Variations
Must preserve the normal equivalence property.
Detect memory attack; detect direct code injection.
[Figure: variants P1, P2 and P3 with their settings of the Memory Space and Instruction Tags variations.]
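The two variations of slides 8 and 10, composed as on this slide, can be modelled in a few dozen lines. The following Python is an added illustration, not code from the Genesis project or from Strata: the six-instruction machine, the 16-bit address space, the tag bit in bit 7 of the opcode and the request format are all constructed for the example. Each variant tags its own copy of the program and keeps its data in its own half of the address space; the monitor runs the same request on every variant, strips the variation from each resulting state (normal equivalence) and compares. A request carrying an absolute pointer or raw injected code still works on one variant, which is exactly what a single-variant system would silently accept, but it crashes the other, and the monitor reports the attack instead of releasing output.

```python
"""Toy model of address-space partitioning composed with instruction-set
tagging. Added illustration, not the Genesis project's code; instruction set,
address layout and request format are constructed for this example."""

# Hypothetical 8-bit opcodes; bit 7 is the tag bit that the transformer adds.
OP_SET, OP_STORE_REL, OP_SETPTR_REL, OP_LOAD_PTR, OP_OUT, OP_HALT = 1, 2, 3, 4, 5, 6
TAG_BIT = 0x80
HIGH_BIT = 1 << 15            # address bit that partitions the 16-bit space

# Benign program: store 42, point at it, load through the pointer, output it.
PROGRAM = [(OP_SET, 42), (OP_STORE_REL, 0x10), (OP_SETPTR_REL, 0x10),
           (OP_LOAD_PTR, 0), (OP_OUT, 0), (OP_HALT, 0)]

# Constructed requests: one normal, two attacks.
NORMAL = {}
ABSOLUTE_PTR = {"ptr": 0x0020}                       # pointer valid only in the low half
INJECTED = {"inject": [(OP_SET, 7), (OP_OUT, 0)]}    # raw code: only a tag-0 variant can run it


class Detected(Exception):
    """The variant hit an invalid opcode or address: the 'crash' the monitor watches for."""


class Variant:
    def __init__(self, tag, high):
        self.tag = TAG_BIT if tag else 0        # expected tag bit on every opcode
        self.base = HIGH_BIT if high else 0     # this variant's half of the address space
        self.mem, self.acc, self.ptr, self.out = {}, 0, 0, []

    def addr(self, a):
        """Every load/store must fall inside this variant's partition."""
        if (a & HIGH_BIT) != self.base:
            raise Detected(f"address {a:#06x} outside partition")
        return a

    def canonical(self):
        """Strip the variation so states of different variants can be compared."""
        return ({a & ~HIGH_BIT: v for a, v in self.mem.items()}, tuple(self.out))

    def run(self, request):
        # The transformer tags every opcode of the program for this variant.
        code = [(op | self.tag, arg) for op, arg in PROGRAM]
        # Directly injected code arrives as raw bytes, identical for every variant.
        if request.get("inject"):
            code = code[:-1] + list(request["inject"]) + code[-1:]
        for opcode, arg in code:
            if (opcode & TAG_BIT) != self.tag:      # run-time tag check (Strata's role)
                raise Detected(f"opcode {opcode:#04x} has the wrong tag")
            op = opcode & ~TAG_BIT
            if op == OP_SET:
                self.acc = arg
            elif op == OP_STORE_REL:
                self.mem[self.addr(self.base + arg)] = self.acc
            elif op == OP_SETPTR_REL:
                self.ptr = self.base + arg
                # A memory-corruption attack replaces the pointer with an absolute address.
                if request.get("ptr") is not None:
                    self.ptr = request["ptr"]
            elif op == OP_LOAD_PTR:
                self.acc = self.mem.get(self.addr(self.ptr), 0)
            elif op == OP_OUT:
                self.out.append(self.acc)
            elif op == OP_HALT:
                return


def serve(request, variants=((0, 0), (1, 1))):
    """Polygrapher plus monitor: run the same request on every (tag, high)
    variant, then return the agreed canonical state or report the attack.
    Pass a single variant to see what an undiversified server would do."""
    states = []
    for tag, high in variants:
        v = Variant(tag, high)
        try:
            v.run(request)
        except Detected as e:
            return ("attack", f"variant(tag={tag}, high={high}) crashed: {e}")
        states.append(v.canonical())
    if any(s != states[0] for s in states[1:]):
        return ("attack", "variants diverged")
    return ("ok", states[0])


if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("absolute pointer", ABSOLUTE_PTR), ("injected code", INJECTED)]:
        print(f"{name:17} 2-variant: {serve(req)}")
        print(f"{name:17} alone:     {serve(req, variants=((0, 0),))}")
```

Running it shows the two properties side by side: the normal request yields the same canonical state on both variants, while each attack request is served without complaint by the lone tag-0/low-half variant and is caught only because the tag-1/high-half variant crashes before any output is released.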

12 Implementations
Two prototypes: Linux kernel modification; divert sockets.
Ad hoc establishment of normal equivalence:
  Transformation used to create variants.
  Run-time checking for equivalent behavior at security-critical events.

13 Kernel Implementation
Modify the process table to record variants.
Create a new fork routine to launch variants.
Intercept system calls:
  Check that parameters match for all variants.
  Make the call once.
  Send the same result to all.
Low overhead, but lack of isolation.

14 Divert Sockets Implementation
A process (nvpd) intercepts traffic.
Uses divert sockets to send copies to isolated variants (which can be on different machines).
Waits until all variants respond to a request before returning to the client.
Adjusts TCP sequence numbers so that each variant appears to have a normal connection.
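The monitor semantics shared by both prototypes (slides 13 and 14) are: run the variants in lockstep, check that each system call's parameters match across variants, make the call once, hand the same result to every variant, and hold back externally visible effects until all variants finish. The following Python is an added illustration of those rules, not the Genesis kernel module or nvpd. Each variant is a generator that yields its system calls as `(name, args)` tuples and receives the result via `send()`; the variant program is a constructed echo server whose fixed buffer sits in front of a pointer, so an over-long request overwrites the pointer with an absolute address (the memory-partitioning variation of slide 8, assumed here as the only difference between the variants). Only `read` and `write` are modelled, and `write` is buffered rather than performed.

```python
"""Toy lockstep monitor: compare system-call parameters across variants, perform
each call once, replicate its result, and commit effects only when every variant
finishes. Added illustration, not the Genesis kernel module; the echo-server
variant, its overflowable frame and the requests are constructed for it."""

HIGH_BIT = 1 << 15     # address-space partition bit (slide 8)
BUF_SIZE = 8

# Constructed requests: a normal one, and one long enough to clobber the pointer
# behind the buffer with the absolute address 0x0040 (valid only in the low half).
NORMAL_REQUEST = b"hello"
OVERFLOW_REQUEST = b"A" * BUF_SIZE + (0x0040).to_bytes(2, "little")


class Crash(Exception):
    """The variant dereferenced a pointer outside its partition (a segfault)."""


def echo_variant(high):
    """One variant of a tiny echo server. Every `yield` is a system call
    (name, args); the value sent back by the monitor is the call's result."""
    base = HIGH_BIT if high else 0
    # 'Stack frame': a fixed buffer followed by a pointer the handler dereferences.
    frame = bytearray(BUF_SIZE) + (base + 0x40).to_bytes(2, "little")
    data = yield ("read", (0, 64))          # read(fd=0, count=64)
    frame[:len(data)] = data                # unchecked copy: an overflow clobbers the pointer
    ptr = int.from_bytes(frame[BUF_SIZE:BUF_SIZE + 2], "little")
    if (ptr & HIGH_BIT) != base:            # hardware would fault here
        raise Crash(f"bad pointer {ptr:#06x} in variant with base {base:#06x}")
    yield ("write", (1, bytes(frame[:BUF_SIZE]).rstrip(b"\0")))   # write(fd=1, buf)


def step(gen, value):
    """Resume one variant until its next system call and classify what happened."""
    try:
        return ("syscall",) + gen.send(value)
    except StopIteration:
        return ("exit",)
    except Crash as e:
        return ("crash", str(e))


def monitor(variants, request):
    """Run fresh variant generators in lockstep over one request.
    Returns ("ok", committed_writes) or ("attack", reason); on attack the
    buffered writes are discarded, so nothing reaches the client."""
    pending = []                                    # delayed effects
    states = [step(g, None) for g in variants]      # advance each to its first syscall
    while True:
        if all(s[0] == "exit" for s in states):
            return ("ok", pending)                  # all finished: commit effects
        crashed = [s for s in states if s[0] == "crash"]
        if crashed:
            return ("attack", crashed[0][1])
        if len(set(states)) != 1:                   # same syscall, same parameters?
            return ("attack", f"system-call divergence: {states}")
        _, name, args = states[0]
        if name == "read":
            result = request                        # the polygrapher's copy of the input
        elif name == "write":
            pending.append(args)                    # buffered until all variants finish
            result = len(args[1])
        else:
            return ("attack", f"unsupported system call {name}")
        states = [step(g, result) for g in variants]   # same result to every variant


def two_variant(request):
    """A 2-variant system: one variant in each half of the address space."""
    return monitor([echo_variant(False), echo_variant(True)], request)


def single_variant(request):
    """What the low-half variant alone would do (no diversity, no detection)."""
    return monitor([echo_variant(False)], request)


if __name__ == "__main__":
    print("normal, 2-variant:  ", two_variant(NORMAL_REQUEST))
    print("overflow, 2-variant:", two_variant(OVERFLOW_REQUEST))
    print("overflow, alone:    ", single_variant(OVERFLOW_REQUEST))
```

The single-variant run is the point of comparison: the low-half variant dereferences the attacker's pointer without complaint and echoes the payload, whereas in the 2-variant run the high-half variant crashes at the same step and the monitor discards the pending `write` rather than returning anything to the client.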

15 Divert Sockets 3-Variant System
[Figure: input from the client passes through nvpd's polygrapher to variants P1, P2 and P3; their responses pass through the monitor to the output to the client. nvpd and the variants together form the server.]

16 Results
Implemented a 3-variant system with address space partitioning and instruction set tagging.
Thwarts any attack that depends on referencing an absolute address or on executing directly injected code.
Latency overhead (Apache):
                  http              https
  4 machines      54x (10.8 ms)     2.1x (4778 ms)
  1 machine       89x (17.8 ms)     2.3x (5271 ms)

17 Open Problems
Non-determinism, persistent state.
Formally establishing normal equivalence, statically and dynamically.
Variations to prevent larger classes of attacks: file naming, scheduling, protocol, configuration, etc.
Limited by the need to preserve (unspecified) application semantics.

18 N-Variant Systems Summary
Use artificial diversity in a controlled way.
The framework requires the attacker to compromise multiple variants "simultaneously".
Create variations that make this impossible (for important attack classes).
Opens the promise of system security proofs that do not require any assumptions about keeping secrets.

19 Credits
Ben Cox, Jack Davidson, David Evans, Adrian Filipi, Jason Hiser, Wei Hu, John Knight, Anh Nguyen-Tuong, Jonathan Rowanhill

