Image credit: Thomas Jefferson Foundation

The N-Variant Framework
A System Structure for Secretless Security

Papers -  People -  Talks -  News

Research Summary

Poster for CyberTrust PIs Meeting
28 September 2005
We propose a new approach to software service protection that is based on software system structures which combine monitoring software and tailored program diversity. The resulting systems have two valuable properties that cannot be achieved with previous vulnerability-masking approaches:
  1. their effectivesness does not depend on keeping secrets from adversaries
  2. we can construct proofs that a system cannot be compromised by a class of attacks, no matter what vulnerabilities exist in the server program.

The first property means that adversaries can have complete knowledge about the structure and software of our systems without compromising their security. Thus, insider snooping cannot defeat our vulnerability protection against outsider initiated attacks, and probing or guessing attacks that have been shown effective against previously proposed diversity techniques pose no threat to our system.

The second property means that there can be a high level of assurance in the coverage of vulnerabilities in the system based on formal arguments and depend only on clearly stated assumptions about components of our system structure, but place no constraints on properties of the protected software service.

N-Variant Systems

An instantiation of our idea is the N-Variant System Framework, which provides a general mechanism for detecting and preventing classes of attacks on vulnerable servers. The framework consists of:

The variant processes all implement the same service but are constructed to be artificially different in ways that detect attacks. The system runs the variants in parallel, giving each variant identical inputs and checks that they behave similarly before forwarding the output to the user. Consequently, any attack unable to simultaneously compromise all the variants in the framework will be detected and stopped before secret information is divulged or damage is done to the server. Other defense mechanisms rely on keeping a secret (e.g. randomization key) from the attacker. Our approach provides provable security that does not rely on secrets.


Principal Investigators:
John C. Knight
Jack W. Davidson
David Evans
Anh Nguyen-Tuong
Jonathan Rowanhill

Adrian Filipi

Graduate Students
Benjamin Cox
Michael Crane
Wei Hu
Dan Williams

Undergraduate Researchers
Sean Talts


Security through Redundant Data Diversity
Anh Nguyen-Tuong, David Evans, John C. Knight, Benjamin Cox, Jack W. Davidson. 38th IEEE/IFPF International Conference on Dependable Systems and Networks, Anchorage, Alaska, June 2008. (PDF, 10 pages)

N-Variant Systems: A Secretless Framework for Security through Diversity
Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong, and Jason Hiser. 15th USENIX Security Symposium, Vancouver, BC, August 2006. (PDF, 16 pages; HTML)
Talk slides: [PPT], PDF]


Redundant Computing for Security [PDF], [PPT, 12MB] (David Evans). TRUST Seminar, Berkeley, CA, 25 September 2008.

N-Variant Systems: A Secretless Framework for Security through Diversity [PPT], PDF] (Benjamin Cox). USENIX Security Symposium, Vancouver, BC, 3 August 2006.

N-Variant Systems: A Secretless Framework for Security through Diversity [PPT, PDF] (David Evans). Seminar talk at Beijing Institute of Technology, 30 May 2006.

N-Variant Systems: A Secretless Framework for Security through Diversity [PPT, PDF] (David Evans). Seminar talk at Institute of Software, Chinese Academy of Sciences, Beijing, 29 May 2006.

Promising Breaks and Breaking Promises: Program Analysis in Theory and Practice [PPT, PDF] (David Evans). 90-minute class at SDWest 2006, 17 March 2006. Incoporates slides from a talk by Jinlin Yang.

The N-Variant Systems Framework: Polygraphing Processes for Secretless Security [PPT, PDF] (David Evans). Colloquim at University of Texas at San Antonio, 4 October 2005.

Polygraphing Processes: N-Variant Systems for Secretless Security [PPT] (David Evans). DARPA SRS PIs Meeting, Alexandria, VA. 12 July 2005.

Stealing Secrets and Secretless Security Structures [PPT] (David Evans). Colloquium at Harvard University. 27 June 2005.

Security Through Diversity [PPT] (David Evans). Colloquim at MIT CSAIL. 23 June 2005.


Unnatural selection in the cyber world, New Sceintist, 22 July 2006. [Subscription Required]
An excerpt is available on Bruce Schneier's blog: Security and Monoculture

Related Projects by the PIs

Genesis: Security through Diversity
Dependability Research Group
IPA — Inexpensive Program Analysis
PhysiCrypt — Physical Cryptography and Security Group
Swarm Computing

University of Virginia
Department of Computer Science
Dependability Research Group
Supported by the Cyber Trust program Anh Nguyen-Tuong