Abstract
Proactive obfuscation is a new method for creating server replicas that are likely to have fewer shared vulnerabilities. It uses semantics-preserving code transformations to generate diverse executables, periodically restarting servers with these fresh versions. The periodic restarts help bound the number of compromised replicas that a service ever concurrently runs, and therefore proactive obfuscation makes an adversary's job harder. Proactive obfuscation was used in implementing two prototypes: a distributed firewall based on state-machine replication and a distributed storage service based on quorum systems. Costs intrinsic to supporting proactive obfuscation in replicated systems were evaluated by measuring the performance of these prototypes. The results show that employing proactive obfuscation adds little to the cost of replica-management protocols.
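The bound on concurrently compromised replicas that the abstract refers to depends on how the restart period compares with the time an adversary needs to compromise a freshly obfuscated replica. The following toy simulation is an added illustration, not code from the paper or its prototypes. Its model is a set of assumptions, not the paper's: replicas restart on a staggered schedule, builds are independent (an exploit for one obfuscated executable does not work against another), and a sequential adversary needs a fixed `attack_time` per fresh replica. The function names and the 3t+1 tolerance check are mine; the latter uses the classic bound for Byzantine state-machine replication.

```python
"""Toy model of how proactive obfuscation's periodic restarts bound the
number of replicas an adversary holds at once.

Assumptions (illustrative, not the paper's model):
  * n replicas; replica i restarts with a freshly obfuscated build at
    times i*period//n + k*period for k = 0, 1, 2, ...
  * builds are independent: an exploit developed against one build is
    useless against the next, so attack effort restarts after a restart
  * the adversary attacks one replica at a time and needs `attack_time`
    time units to compromise a fresh replica; a compromised replica stays
    compromised until its next restart
"""


def restart_offsets(n, period):
    """Staggered schedule: replica i first restarts at i*period//n."""
    return [i * period // n for i in range(n)]


def time_to_restart(offset, t, period):
    """Time until the next restart of a replica with this offset (never 0)."""
    remaining = (offset - t) % period
    return period if remaining == 0 else remaining


def max_concurrent_compromised(n, period, attack_time, horizon):
    """Run the model over [0, horizon) and return the largest number of
    replicas that were compromised at the same instant."""
    offsets = restart_offsets(n, period)
    compromised = [False] * n
    target, progress, worst = None, 0, 0
    for t in range(horizon):
        # 1. Restarts due now: the replica comes back clean; if the adversary
        #    was mid-attack against it, that exploit work is wasted.
        for i in range(n):
            if (t - offsets[i]) % period == 0:
                compromised[i] = False
                if target == i:
                    target, progress = None, 0
        # 2. Adversary picks the clean replica that will stay up longest,
        #    so a successful compromise lasts as long as possible.
        if target is None:
            clean = [i for i in range(n) if not compromised[i]]
            if clean:
                target = max(clean, key=lambda i: time_to_restart(offsets[i], t, period))
                progress = 0
        # 3. One time unit of attack effort against the current target.
        if target is not None:
            progress += 1
            if progress >= attack_time:
                compromised[target] = True
                target, progress = None, 0
        worst = max(worst, sum(compromised))
    return worst


def bft_fault_bound(n):
    """Largest t with n >= 3t + 1, the classic tolerance bound for
    Byzantine state-machine replication (assumed protocol, e.g. PBFT)."""
    return (n - 1) // 3


def period_is_adequate(n, period, attack_time, horizon=1000):
    """True if, under the model, the adversary never holds more replicas
    than the replication protocol tolerates."""
    return max_concurrent_compromised(n, period, attack_time, horizon) <= bft_fault_bound(n)


if __name__ == "__main__":
    n, period = 4, 40
    for attack_time in (5, 15, 25):
        worst = max_concurrent_compromised(n, period, attack_time, 200)
        print(f"n={n} period={period} attack_time={attack_time}: "
              f"worst={worst} tolerated={bft_fault_bound(n)} "
              f"adequate={period_is_adequate(n, period, attack_time)}")
```

With four replicas restarted every 40 units (one every 10), an adversary who needs only 5 units per fresh replica eventually holds all four, one who needs 15 holds at most two, and one who needs 25 never holds more than the single faulty replica a 3t+1 protocol tolerates. The model is deliberately optimistic for the defender (independent builds, sequential attacker); it shows the shape of the argument, not a guarantee.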
Index Terms
- Proactive obfuscation