Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization

2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2016-09-29 DOI:10.1109/DSN.2016.46

Koen Koning, H. Bos, Cristiano Giuffrida

{"title":"Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization","authors":"Koen Koning, H. Bos, Cristiano Giuffrida","doi":"10.1109/DSN.2016.46","DOIUrl":null,"url":null,"abstract":"Memory error exploits rank among the most serious security threats. Of the plethora of memory error containment solutions proposed over the years, most have proven to be too weak in practice. Multi-Variant eXecution (MVX) solutions can potentially detect arbitrary memory error exploits via divergent behavior observed in diversified program variants running in parallel. However, none have found practical applicability in security due to their non-trivial performance limitations. In this paper, we present MvArmor, an MVX system that uses hardware-assisted process virtualization to monitor variants for divergent behavior in an efficient yet secure way. To provide comprehensive protection against memory error exploits, MvArmor relies on a new MVX-aware variant generation strategy. The system supports user-configurable security policies to tune the performance-security trade-off. Our analysis shows that MvArmor can counter many classes of modern attacks at the cost of modest performance overhead, even with conservative detection policies.","PeriodicalId":102292,"journal":{"name":"2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"59 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"63","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2016.46","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 63

Abstract

Memory error exploits rank among the most serious security threats. Of the plethora of memory error containment solutions proposed over the years, most have proven to be too weak in practice. Multi-Variant eXecution (MVX) solutions can potentially detect arbitrary memory error exploits via divergent behavior observed in diversified program variants running in parallel. However, none have found practical applicability in security due to their non-trivial performance limitations. In this paper, we present MvArmor, an MVX system that uses hardware-assisted process virtualization to monitor variants for divergent behavior in an efficient yet secure way. To provide comprehensive protection against memory error exploits, MvArmor relies on a new MVX-aware variant generation strategy. The system supports user-configurable security policies to tune the performance-security trade-off. Our analysis shows that MvArmor can counter many classes of modern attacks at the cost of modest performance overhead, even with conservative detection policies.

查看原文本刊更多论文

使用硬件辅助过程虚拟化的安全高效的多变量执行

内存错误利用是最严重的安全威胁之一。在多年来提出的大量内存错误遏制解决方案中，大多数在实践中都被证明过于薄弱。多变量执行(MVX)解决方案可以通过在并行运行的多种程序变体中观察到的不同行为来潜在地检测任意内存错误。然而，由于它们的性能限制，它们都没有在安全性中找到实际的适用性。在本文中，我们介绍了MvArmor，这是一个MVX系统，它使用硬件辅助的过程虚拟化以有效而安全的方式监控不同行为的变体。为了提供针对内存错误利用的全面保护，MvArmor依赖于一种新的mvx感知变体生成策略。系统支持用户可配置的安全策略，以优化性能安全权衡。我们的分析表明，即使使用保守的检测策略，MvArmor也可以以适度的性能开销为代价对抗许多类型的现代攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量