SoK: Automated Software Diversity

2014 IEEE Symposium on Security and Privacy Pub Date : 2014-05-18 DOI:10.1109/SP.2014.25

Per Larsen, Andrei Homescu, Stefan Brunthaler, M. Franz

{"title":"SoK: Automated Software Diversity","authors":"Per Larsen, Andrei Homescu, Stefan Brunthaler, M. Franz","doi":"10.1109/SP.2014.25","DOIUrl":null,"url":null,"abstract":"The idea of automatic software diversity is at least two decades old. The deficiencies of currently deployed defenses and the transition to online software distribution (the \"App store\" model) for traditional and mobile computers has revived the interest in automatic software diversity. Consequently, the literature on diversity grew by more than two dozen papers since 2008. Diversity offers several unique properties. Unlike other defenses, it introduces uncertainty in the target. Precise knowledge of the target software provides the underpinning for a wide range of attacks. This makes diversity a broad rather than narrowly focused defense mechanism. Second, diversity offers probabilistic protection similar to cryptography-attacks may succeed by chance so implementations must offer high entropy. Finally, the design space of diversifying program transformations is large. As a result, researchers have proposed multiple approaches to software diversity that vary with respect to threat models, security, performance, and practicality. In this paper, we systematically study the state-of-the-art in software diversity and highlight fundamental trade-offs between fully automated approaches. We also point to open areas and unresolved challenges. These include \"hybrid solutions\", error reporting, patching, and implementation disclosure attacks on diversified software.","PeriodicalId":196038,"journal":{"name":"2014 IEEE Symposium on Security and Privacy","volume":"9 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"337","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2014.25","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 337

Abstract

The idea of automatic software diversity is at least two decades old. The deficiencies of currently deployed defenses and the transition to online software distribution (the "App store" model) for traditional and mobile computers has revived the interest in automatic software diversity. Consequently, the literature on diversity grew by more than two dozen papers since 2008. Diversity offers several unique properties. Unlike other defenses, it introduces uncertainty in the target. Precise knowledge of the target software provides the underpinning for a wide range of attacks. This makes diversity a broad rather than narrowly focused defense mechanism. Second, diversity offers probabilistic protection similar to cryptography-attacks may succeed by chance so implementations must offer high entropy. Finally, the design space of diversifying program transformations is large. As a result, researchers have proposed multiple approaches to software diversity that vary with respect to threat models, security, performance, and practicality. In this paper, we systematically study the state-of-the-art in software diversity and highlight fundamental trade-offs between fully automated approaches. We also point to open areas and unresolved challenges. These include "hybrid solutions", error reporting, patching, and implementation disclosure attacks on diversified software.

查看原文本刊更多论文

SoK:自动化软件多样性

自动软件多样性的想法至少有20年的历史了。目前部署的防御措施的不足，以及向传统和移动计算机的在线软件分发(“应用商店”模式)的过渡，重新唤起了人们对自动软件多样性的兴趣。因此，自2008年以来，关于多样性的文献增加了20多篇。多样性提供了几个独特的属性。与其他防御不同，它在目标中引入了不确定性。对目标软件的精确了解为广泛的攻击提供了基础。这使得多样性成为一种广泛而非狭隘的防御机制。其次，多样性提供了类似于密码学的概率保护——攻击可能偶然成功，因此实现必须提供高熵。最后，多样化的程序转换设计空间大。因此，研究人员提出了多种软件多样性的方法，这些方法在威胁模型、安全性、性能和实用性方面有所不同。在本文中，我们系统地研究了软件多样性的最新技术，并强调了完全自动化方法之间的基本权衡。我们还指出了一些开放的领域和尚未解决的挑战。这些方法包括“混合解决方案”、错误报告、打补丁，以及针对多种软件的实施披露攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE Symposium on Security and Privacy

自引率

0.00%

发文量