Orchestra

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space

Full text

Pdf (621 KB)

Source

European Conference on Computer Systems archive
Proceedings of the 4th ACM European conference on Computer systems table of contents

Nuremberg, Germany

SESSION: Defending against bad things table of contents

Pages 33-46

Year of Publication: 2009

ISBN:978-1-60558-482-9

Authors

Babak Salamat	University of California, Irvine, Irvine, CA, USA
Todd Jackson	University of California, Irvine, Irvine, CA, USA
Andreas Gal	University of California, Irvine, Irvine, CA, USA
Michael Franz	University of California, Irvine, Irvine, CA, USA

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 28, Downloads (12 Months): 171, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1519065.1519071 What is a DOI?

ABSTRACT

In a Multi-Variant Execution Environment (MVEE), several slightly different versions of the same program are executed in lockstep. While this is done, a monitor compares the behavior of the versions at certain synchronization points with the aim of detecting discrepancies which may indicate attacks.

As we show, the monitor can be implemented entirely in user space, eliminating the need for kernel modifications. As a result, the monitor is not a part of the trusted code base.

We have built a fully functioning MVEE, named Orchestra, and evaluated its effectiveness. We obtained benchmark results on a quad-core system, using two variants which grow the stack in opposite directions. The results show that the overall penalty of simultaneous execution and monitoring of two variants on a multi-core system averages about 15% relative to unprotected conventional execution

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Aleph One. Smashing the stack for fun and profit. Phrack, 7 (2), 1996.
	2	Apache Software Foundation. ab -- Apache HTTP Server Benchmarking Tool.
	3	J. Avariento. Exploit for Apache mod_rewrite off-by-one, 2006. URL http://ciberjacobo.com/sec/mod_rewrite.html.
	4	A. Avizienis and L. Chen. On the implementation of n-version programming for software fault tolerance during execution. In IEEE International Computer Software and Applications Conference (COMPSAC), volume 77, pages 149--155, 1977.
	5	Elena Gabriela Barrantes , David H. Ackley , Trek S. Palmer , Darko Stefanovic , Dino Dai Zovi, Randomized instruction set emulation to disrupt binary code injection attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948147]
	6	Emery D. Berger , Benjamin G. Zorn, DieHard: probabilistic memory safety for unsafe languages, Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, June 11-14, 2006, Ottawa, Ontario, Canada
	7	Sandeep Bhatkar , Daniel C. DuVarney , R. Sekar, Address obfuscation: an efficient approach to combat a board range of memory error exploits, Proceedings of the 12th conference on USENIX Security Symposium, p.8-8, August 04-08, 2003, Washington, DC
	8	Sandeep Bhatkar , R. Sekar , Daniel C. DuVarney, Efficient techniques for comprehensive protection from memory error exploits, Proceedings of the 14th conference on USENIX Security Symposium, p.17-17, July 31-August 05, 2005, Baltimore, MD
	9	M. Chew and D. Song. Mitigating buffer overflows by operating system randomization. Technical report, Department of Computer Science, Carnegie Mellon University, 2002.
	10	Frederick B. Cohen, Operating system protection through program evolution, Computers and Security, v.12 n.6, p.565-584, Oct. 1993 [doi>10.1016/0167-4048(93)90054-9]
	11	Crispin Cowan , Calton Pu , Dave Maier , Heather Hintony , Jonathan Walpole , Peat Bakke , Steve Beattie , Aaron Grier , Perry Wagle , Qian Zhang, StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks, Proceedings of the 7th conference on USENIX Security Symposium, p.5-5, January 26-29, 1998, San Antonio, Texas
	12	Benjamin Cox , David Evans , Adrian Filipi , Jonathan Rowanhill , Wei Hu , Jack Davidson , John Knight , Anh Nguyen-Tuong , Jason Hiser, N-variant systems: a secretless framework for security through diversity, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
	13	Diet libc. URL http://www.fefe.de/dietlibc/.
	14	M. Dowd. Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability, 2006. URL http://www.securityfocus.com/archive/1/441487/30/0/threaded.
	15	Crazy Einstein. Apache mod_include Local Buffer Overflow Vulnerability, 2004. URL http://www.securityfocus.com/bid/11471.
	16	Crazy Einstein. Apache łeq 1.3.31 mod_include Local Buffer Overflow Exploit, 2006. URL http://milw0rm.com/exploits/587.
	17	S. Forrest , A. Somayaji , D. Ackley, Building Diverse Computer Systems, Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), p.67, May 05-06, 1997
	18	GNU. GNU Compiler Collection (GCC). URL http://gcc.gnu.org.
	19	R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, volume 136, 1992.
	20	W. Hsu , A. J. Smith, Characteristics of I/O traffic in personal computer and server workloads, IBM Systems Journal, v.42 n.2, p.347-372, April 2003
	21	Intel. Paul Otellini Keynote. Intel Developer Forum, September 2006.
	22	M.K. Joseph and Avizienis. A. A fault tolerance approach to computer viruses. In 1988 IEEE Symposium on Security and Privacy, pages 52--58, 1988.
	23	Bernhard Kauer, OSLO: improving the security of trusted computing, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-9, August 06-10, 2007, Boston, MA
	24	Gaurav S. Kc , Angelos D. Keromytis , Vassilis Prevelakis, Countering code-injection attacks with instruction-set randomization, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948146]
	25	Benjamin A. Kuperman , Carla E. Brodley , Hilmi Ozdoganoglu , T. N. Vijaykumar , Ankit Jalote, Detection and prevention of stack buffer overflow attacks, Communications of the ACM, v.48 n.11, p.50-56, November 2005 [doi>10.1145/1096000.1096004]
	26	A. Manion and J. Gennari. US-CERT Vulnerability Note VU #175500, October 2005. URL http://www.kb.cert.org/vuls/id/175500.
	27	Jonathan M. McCune , Bryan J. Parno , Adrian Perrig , Michael K. Reiter , Hiroshi Isozaki, Flicker: an execution infrastructure for tcb minimization, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, April 01-04, 2008, Glasgow, Scotland UK
	28	J. McDermott , R. Gelinas , S. Ornstein, Doc, Wyatt, and Virgil: prototyping storage jamming defenses, Proceedings of the 13th Annual Computer Security Applications Conference, p.265, December 08-12, 1997
	29	N. Mehta. Snort Back Orifice Parsing Remote Code Execution, 2005.
	30	Derek Gordon Murray , Grzegorz Milos , Steven Hand, Improving Xen security through disaggregation, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA [doi>10.1145/1346256.1346278]
	31	Nergal. The advanced return-into-lib(c) exploits: PaX case study. Phrack, 2001.
	32	N. Nethercote and J. Seward. Valgrind: A Program Supervision Framework. Electronic Notes in Theoretical Computer Science, 2003.
	33	T. Oh. Advanced Buffer Overflow Exploit, 2000. URL http://www.windowsecurity.com/uplarticle/1/advanced.txt.
	34	Chetan Parampalli , R. Sekar , Rob Johnson, A practical mimicry attack against powerful system-call monitors, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan [doi>10.1145/1368310.1368334]
	35	PaX. URL http://pax.grsecurity.net.
	36	Jonathan Pincus , Brandon Baker, Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, IEEE Security and Privacy, v.2 n.4, p.20-27, July 2004 [doi>10.1109/MSP.2004.36]
	37	E. Pinheiro, R. Bianchini, E.V. Carrera, and T. Heath. Load balancing and unbalancing for power and performance in cluster-based systems. In Workshop on Compilers and Operating Systems for Low Power, pages 182--195, 2001.
	38	C. Pu, A. Black, C. Cowan, and J. Walpole. A specialization toolkit to increase the diversity of operating systems. In ICMAS Workshop on Immunity-Based Systems, 1996.
	39	rd. THCsnortbo 0.3 -- Snort BackOrifice PING exploit, October 2005. URL http://milw0rm.com/exploits/1272.
	40	B. Salamat, A. Gal, and M. Franz. Reverse stack execution in a multi-variant execution environment. In Workshop on Compiler and Architectural Techniques for Application Reliability and Security (CATARS), 2008.
	41	Babak Salamat , Andreas Gal , Todd Jackson , Karthikeyan Manivannan , Gregor Wagner , Michael Franz, Multi-variant Program Execution: Using Multi-core Systems to Defuse Buffer-Overflow Vulnerabilities, Proceedings of the 2008 International Conference on Complex, Intelligent and Software Intensive Systems, p.843-848, March 04-07, 2008 [doi>10.1109/CISIS.2008.136]
	42	Solar Designer. Non-executable user stack. URL http://www.openwall.com.
	43	Standard Performance Evaluation Corporation (SPEC). URL http://www.spec.org.
	44	C. Taschner and A. Manion. US-CERT Vulnerability Note VU #196240, February 2007. URL http://www.kb.cert.org/vuls/id/196240.
	45	J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In Proceedings of the 10th Annual Symposium On Network And Distributed System Security, 2003.