research-article

Proactive obfuscation

Published: 26 July 2010

Abstract

Proactive obfuscation is a new method for creating server replicas that are likely to have fewer shared vulnerabilities. It uses semantics-preserving code transformations to generate diverse executables, periodically restarting servers with these fresh versions. The periodic restarts help bound the number of compromised replicas that a service ever concurrently runs, and therefore proactive obfuscation makes an adversary's job harder. Proactive obfuscation was used in implementing two prototypes: a distributed firewall based on state-machine replication and a distributed storage service based on quorum systems. Costs intrinsic to supporting proactive obfuscation in replicated systems were evaluated by measuring the performance of these prototypes. The results show that employing proactive obfuscation adds little to the cost of replica-management protocols.
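The two mechanisms the abstract combines, a semantics-preserving transformation that gives every replica a differently laid-out executable and a periodic restart schedule that bounds how long any compromise can persist, as an added illustration that is not the paper's code or either of its prototypes. The tiny stack VM, the NOP-padding transformation with jump relocation, the round-robin restart schedule, the `Service` class and the compromise timeline in `EVENTS` are all assumptions made for this example.

```python
"""Added illustration of proactive obfuscation, not the paper's code or its
prototypes.  The stack VM, the NOP-padding transformation, the round-robin
restart schedule and the compromise timeline are assumptions for this example."""
import random

# Tiny stack VM.  Instructions: ("PUSH", n), ("ADD",), ("MUL",), ("LOAD", var),
# ("STORE", var), ("JZ", target), ("JMP", target), ("NOP",), ("HALT",).
# Jump targets are absolute indices, so a layout change must relocate them.
def run(program, inputs, max_steps=10_000):
    """Execute `program` with `inputs` pre-pushed; return the final stack."""
    stack, env, pc = list(inputs), {}, 0
    for _ in range(max_steps):
        op, *args = program[pc]
        if op == "HALT":
            return stack
        if op == "PUSH":
            stack.append(args[0])
        elif op in ("ADD", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a * b)
        elif op == "LOAD":
            stack.append(env[args[0]])
        elif op == "STORE":
            env[args[0]] = stack.pop()
        elif op == "JMP" or (op == "JZ" and stack.pop() == 0):
            pc = args[0]
            continue
        elif op not in ("JZ", "NOP"):
            raise ValueError(f"unknown op {op}")
        pc += 1
    raise RuntimeError("step limit exceeded")

# Constructed sample program: factorial of the single value on the stack.
FACTORIAL = [
    ("STORE", "n"), ("PUSH", 1), ("STORE", "acc"),               # 0-2
    ("LOAD", "n"), ("JZ", 14),                                    # 3-4  loop head
    ("LOAD", "acc"), ("LOAD", "n"), ("MUL",), ("STORE", "acc"),   # 5-8  acc *= n
    ("LOAD", "n"), ("PUSH", -1), ("ADD",), ("STORE", "n"),        # 9-12 n -= 1
    ("JMP", 3),                                                   # 13
    ("LOAD", "acc"), ("HALT",),                                   # 14-15
]

def obfuscate(program, rng, max_pad=3):
    """Semantics-preserving transformation: pad every instruction with a random
    number of NOPs and relocate each jump target to its new index.  Every call
    yields an executable with a different layout and identical behaviour."""
    new_index, out = {}, []
    for i, ins in enumerate(program):
        out.extend([("NOP",)] * rng.randint(0, max_pad))
        new_index[i] = len(out)
        out.append(ins)
    new_index[len(program)] = len(out)  # allow jumps to one-past-the-end
    return [(op, new_index[args[0]]) if op in ("JZ", "JMP") else (op, *args)
            for op, *args in out]

def layout(program):
    """Addresses of the non-NOP instructions: the part that differs per replica."""
    return tuple(i for i, (op, *_) in enumerate(program) if op != "NOP")

def variant(seed):
    """A fresh obfuscated FACTORIAL executable for the given seed."""
    return obfuscate(FACTORIAL, random.Random(seed))

class Service:
    """n replicas, each on its own variant; one replica is restarted per epoch."""

    def __init__(self, program, n_replicas, seed=0):
        self.program, self.n, self.rng = program, n_replicas, random.Random(seed)
        self.variants = [obfuscate(program, self.rng) for _ in range(n_replicas)]
        self.compromised = set()

    def tick(self, epoch, newly_compromised=()):
        """One epoch: restart replica epoch % n with a fresh executable (evicting
        any compromise of it), then record this epoch's new compromises."""
        r = epoch % self.n
        self.variants[r] = obfuscate(self.program, self.rng)
        self.compromised.discard(r)
        self.compromised |= set(newly_compromised)
        return len(self.compromised)

    def outputs(self, inputs):
        """Every replica's answer; semantics preservation means they all agree."""
        return [run(v, inputs) for v in self.variants]

# Constructed timeline: epoch -> replicas the adversary compromises that epoch.
EVENTS = {1: {1, 2}, 2: {3}, 5: {0}, 6: {1}, 9: {2, 3}}

def simulate(n_replicas=4, epochs=12, events=EVENTS, seed=0):
    """Return (history, bound): history[t] is the number of concurrently
    compromised replicas after epoch t; bound[t] is what the schedule alone
    guarantees, since a compromise at epoch e is evicted by epoch e + n_replicas."""
    svc = Service(FACTORIAL, n_replicas, seed)
    history = [svc.tick(e, events.get(e, ())) for e in range(epochs)]
    bound = [min(n_replicas, sum(len(events.get(e, ()))
                                 for e in range(max(0, t - n_replicas + 1), t + 1)))
             for t in range(epochs)]
    assert svc.outputs([5]) == [[120]] * n_replicas  # all replicas still compute 5!
    return history, bound
```

`history[t]` never exceeds `bound[t]`: with a restart period of `n_replicas` epochs, only compromises from the last `n_replicas` epochs can still be live, whatever the adversary does, and the replicas restarted in between are running executables whose layout no earlier replica shared. Shortening the period (or restarting more than one replica per epoch) tightens the bound at the price of more frequent restarts, which is the cost side the abstract's measurements address.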


Index Terms

  1. Proactive obfuscation


Published in

ACM Transactions on Computer Systems, Volume 28, Issue 2
July 2010
86 pages
ISSN: 0734-2071
EISSN: 1557-7333
DOI: 10.1145/1813654

Copyright © 2010 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 26 July 2010
• Accepted: 1 April 2010
• Revised: 1 February 2010
• Received: 1 March 2009


                  Qualifiers

                  • research-article
                  • Research
                  • Refereed
