
File: d3c351ed120396e8dd4a79b29a347f4b.ppt

Number of slides: 32

Slide 1: GENESIS: A Framework For Achieving Component Diversity
John C. Knight, Jack W. Davidson, David Evans, Anh Nguyen-Tuong (University of Virginia); Chenxi Wang (Carnegie Mellon University)
DARPA SRS Kickoff

Slide 2: Nice Meeting Facility!

Slide 3: What Is The Problem?
- Many machines with the same vulnerability
- What is a vulnerability?
  - A vulnerability is a fault in the classic sense of dependability theory
  - Fault types:
    - Degradation: something breaks in one copy
    - Design: a flaw in the design affects all copies
  - Software faults are design faults

Slide 4: Redundancy & Degradation Faults
[Diagram: N Modular Redundant (NMR) system. Inputs feed identical computers (Computer 1, Computer 2, ..., Computer N); a voter produces the outputs. Surrounding blocks: Error Detection, Damage Assessment, State Restoration, Continued Service.]

Slide 5: Redundancy & Design Faults
- Redundancy is diversity
- Works well for degradation faults:
  - Faults have predictable statistical behavior
  - Effective mathematical models available
- What about design faults?
  - Simple replication doesn't work, obviously
  - Requires different (diverse) designs to be effective

Slide 6: Multiple Systems Vulnerabilities
[Diagram: one Specification implemented by Linux, Windows and OS/2, with their vulnerabilities.]

Slide 7: Design Diversity
[Diagram: a Component Specification goes to Version Development 1, Version Development 2, ..., Version Development N, separated by Development Interaction Barriers and Technology Restrictions, followed by System Assembly.]
Goal: different faults because of independent development.

Slide 8: Design Diverse System: How "Different"?
[Diagram: N Version System. Inputs feed Version 1, Version 2, ..., Version N; a voter produces the outputs.]
Assumption: different faults because of independent development.

Slide 9: Design Diversity
- Does not work well for design faults:
  - No upper bound on failure probability
  - No practical statistical models
  - No definition of "design diversity"
  - No procedure for achieving it
- Linux vs. Windows is, however, worse: it is purely ad hoc
- But, what else is there?

Slide 10: [figure only, no text]

Slide 11: Data Diversity
- Heisenbug (Jim Gray):
  - Program fails
  - Sometimes if you rerun the program, it works
  - Applied to Tandem operating system
- We all do this in daily operation
- Several variants of the approach developed
- Comprehensive, general approach developed:
  - Data diversity

Slide 12: Data Diverse System: N Copy Architecture
[Diagram: Inputs pass through Data Reexpression to Copy 1, Copy 2, ..., Copy N, all running the same software; each copy's result passes through Reverse Data Reexpression to a voter.]

Slide 13: Data Diversity
- Low cost: the software is copied
- Unknown performance for design faults
- Experimental evidence that it works well
- Can be very powerful:
  sin(x) = sin(a + b) = sin(a)cos(b) + cos(a)sin(b) = sin(a)sin(90 - b) + sin(90 - a)sin(b)
  Choose a and b, repeat, vote
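Slides 12 and 13 describe the N-copy data-diverse architecture and the sin(x) re-expression it relies on. The following Python is an added example, not code from the presentation or the GENESIS project: it re-expresses x as a + b, runs the same (constructed, deliberately faulty) sin routine in every copy, reverses the re-expression with the identity from slide 13, and votes. The fault band in flaky_sin and the shift values are constructed assumptions.

```python
import math

# Constructed stand-in for a program with an input-dependent design fault
# (a Heisenbug-like failure): it returns a wrong answer only when its
# argument falls in a narrow band, and is correct everywhere else.
def flaky_sin(x):
    if 0.70 < (x % (2 * math.pi)) < 0.72:
        return 0.0
    return math.sin(x)

# Data re-expression: rewrite the input x as a pair (a, b) with x = a + b.
def reexpress(x, a):
    return a, x - a

# Reverse re-expression using sin(a+b) = sin(a)cos(b) + cos(a)sin(b), with
# cos(t) written as sin(pi/2 - t) (the slide's "90 - t", in degrees) so that
# every copy exercises only the one routine whose fault we want to mask.
def reverse_reexpress(a, b, f=flaky_sin):
    half_pi = math.pi / 2
    return f(a) * f(half_pi - b) + f(half_pi - a) * f(b)

# Majority voter: returns a value that more than half of the copies agree
# with (within tol), or None when there is no majority.
def vote(values, tol=1e-9):
    for v in values:
        agree = sum(1 for w in values if abs(v - w) <= tol)
        if 2 * agree > len(values):
            return v
    return None

# N-copy data-diverse computation of sin(x): one copy per value in `shifts`,
# all running the same software, then a vote over the de-re-expressed results.
def data_diverse_sin(x, shifts, f=flaky_sin):
    results = []
    for shift in shifts:
        a, b = reexpress(x, shift)
        results.append(reverse_reexpress(a, b, f))
    return vote(results)

if __name__ == "__main__":
    x = 0.71                    # constructed input inside the fault band
    shifts = [0.0, 1.0, 2.0]    # assumed re-expression choices (the a values)
    print("single plain copy:", flaky_sin(x))          # wrong: 0.0
    print("data-diverse vote:", data_diverse_sin(x, shifts))
    print("reference sin(x): ", math.sin(x))
```

The copy with shift 0.0 feeds 0.71 straight into the faulty routine and is outvoted by the two copies whose re-expressed arguments avoid the fault band.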

Slide 14: The Vision
- Automated production of design-diverse, functionally-equivalent software
- Automatic production of data-diverse, functionally-equivalent software
- It might work…

Slide 15: Overall Approach
- Analysis of the diversity space
- Automated production of functionally-equivalent software and data:
  - Compiler and meta-compiler technology:
    - Source-level transformations
    - Compiler transformations
  - Virtual machine technology:
    - Data stream rewriting
    - Run-time software translation techniques
- Rationale that diversity is an effective defense mechanism:
  - Experimental evaluation
  - Modeling of effects of diversity on known vulnerabilities
  - Application to COTS software

Slide 16: Hierarchic Design Diversity
[Diagram; labelled element: Run-time Transformations.]

Slide 17: Source to Source Transformations
- Underlying model of tasks:
  - e.g. fork/exec vs. threads
- Process interaction:
  - e.g. low-level semaphores vs. higher-level monitors
- Fundamental libraries:
  - e.g. libc, sockets, etc…
- Diversity achieved by component combinations

Slide 18: Compiler Transformations
- Generate N compilers that target different architectures
- Manipulate the formal description of the target architecture, the Computer Systems Description Language (CSDL):
  - Instruction Set Architecture (ISA) specification
  - Calling convention specification
- Example diversity techniques:
  - Different calling conventions
  - ISA subsets created, enforced dynamically
  - Memory layouts: code and data
  - Implement the above within the same program

Slide 19: Run-time Transformations
- Software Dynamic Translation: the STRATA system:
  - Layer between hardware and application
  - Designed to be easily retargeted
  - Virtual machine provides:
    - Underlying target
    - Supplementary rules on use of target
- Software Dynamic Translation systems:
  - FX!32
  - Dynamo
  - Transmeta

Slide 20: STRATA: Basic Operation
[Diagram; labelled element: Enforce Desired Policies.]

Slide 21: Example STRATA Policies
- Apply compile-time transformations dynamically:
  - Rearrangement of basic blocks, calling sequence transformations, etc…
- Dynamic injection and enforcement of behavioral policies:
  - E.g. resource usage (files, sockets, tasks)
- Language diversity: dialects
  - Only allow subsets of the original instruction set
  - Vary subsets dynamically

Slide 22: STRATA System Architecture
[Diagram; labelled element: Machine Independent Components.]

Slide 23: Data Diversity
- Diversity in the data space can avoid sequences of events that lead to failure
- The diversity space offers a large range of data re-expression options:
  - Precision (exact, approximate)
  - Locality (internal, external)
  - Sequence (in-order/on-time, in-order/off-time, out-of-order/on-time, out-of-order/off-time)

Slide 24: Data Re-expression Examples
- Change floating point values:
  - Lose precision
  - Translate
  - Rotate
- Data sequences:
  - Reorder data
  - Change timing of data
- Memory layout (code and data)
- Reorder transactions
- Reorder data in activation records
- SQL rewriting
- …many more examples…

Slide 25: Data Re-expression Space
- These examples are ad hoc
- Proposals in the literature are ad hoc
- So: use the data re-expression space categorization to drive exploration of diversity techniques (instead of point solutions)

Slide 26: Evaluation
- Theoretical:
  - Modeling of effects of diversity on network vulnerabilities
    - E.g., worm propagation
  - Understand limits of diversity
  - Categorization of the "diversity space"
  - Identify unnecessary homogeneity in software
    - Not just code but also environment, configuration, etc…
- Experimental:
  - Directed fault seeding:
    - Apply known exploits to the target system
    - Apply all Genesis techniques
    - Evaluate the variants' resistance to attack
  - Automated fault seeding

Slide 27: Automatic Fault Seeding
- Need test cases
- Need typical vulnerabilities, i.e., bugs
- Can typical bugs be synthesized?
- Prior work on syntactic transformations:
  - Simple mutations
  - Wide variety of resilience
  - Defects created with excellent statistical properties
- Plan to try this route

Slide 28: Automated Fault Seeding
[Diagram: a Target Software System passes through Error Seeding to produce seeded Target Software Systems; these are filtered by Acceptance Tests, pass through the Genesis Transformations, and go to Vulnerability Assessment.]

Slide 29: State Of The Implementation
- Exists, ready to use:
  - CSDL
  - Calling convention spec
  - STRATA

Slide 30: Specific Questions Posed
- What are you trying to do (the problem you are addressing)?
- How will you show that you were successful?
- What are the implications of successful results (or less than successful results)?
- What is your technical approach?
- What is new, or hasn't been attempted?
- What significant problems do you anticipate, what makes your project difficult, and how do you plan to approach the difficulties?
- If successful, what have you thought about regarding transitioning the technology?
- If successful, what would be next?

Slide 31: Practical Problem
- If this works:
  - Building a system will require lots of computer time
  - Lots of systems will require LOTS of computer time
  - But it is just computer time
- Will not be able to just press CDs
- Will require a substantial engineering investment

Slide 32: Summary
- Automatic application of design diversity:
  - Macro, midi, micro
- Systematic application of data diversity:
  - Internal, external, all dimensions
- Seamless integration of the two
- Evaluation and assessment:
  - Directed fault seeding
  - Automated fault seeding
- Questions?