Abstract
Proactive obfuscation is a new method for creating server replicas that are likely to have fewer shared vulnerabilities. It uses semantics-preserving code transformations to generate diverse executables, periodically restarting servers with these fresh versions. The periodic restarts help bound the number of compromised replicas that a service ever concurrently runs, and therefore proactive obfuscation makes an adversary's job harder. Proactive obfuscation was used in implementing two prototypes: a distributed firewall based on state-machine replication and a distributed storage service based on quorum systems. Costs intrinsic to supporting proactive obfuscation in replicated systems were evaluated by measuring the performance of these prototypes. The results show that employing proactive obfuscation adds little to the cost of replica-management protocols.
Index Terms
Proactive obfuscation