Security Through Diversity

David Evans
MIT Computer Science and Artificial Intelligence Laboratory
23 June 2005


The current computing monoculture leaves our infrastructure vulnerable to a massive, rapid attack. One technique that has been proposed to mitigate this threat is to artificially increase software diversity by transforming programs to produce diverse executables. These techniques depend on keeping a key used to control the transformation secret from potential attackers.

The first part of this talk considers the effectiveness of one proposed diversification technique, instruction set randomization (ISR). ISR defuses all standard code injection attacks by hiding the instruction set of the target machine from the attacker. A motivated attacker may be able to circumvent ISR by determining the randomization key. I will describe a remote attack for determining an ISR key using an incremental guessing strategy and present a method for injecting a worm in an ISR-protected network. The attack is plausible under realistic conditions and can infect an ISR-protected server in under 6 minutes.

In the second part of the talk, I will introduce the N-variant systems framework that uses artificial diversity to enhance security. Unlike previous approaches such as ISR, it does not rely on keeping any secrets. Instead, the framework requires an attacker to compromise one of the system variants without producing detectable behavior on another system variant processing the same input. By constructing variants with disjoint exploitation sets, we can make it impossible to successfully carry out large classes of important attacks. In this talk, I will describe our framework and a prototype implementation, identify some useful variations, and introduce a model for analyzing security properties of N-variant systems.
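As an added illustration of the N-variant idea (this is example code written for this page, not the framework's own implementation or the prototype described in the talk), the toy model below applies one variation the abstract alludes to, address-space partitioning: two variants run the same program data, but variant A keeps its data in the half of a simulated 16-bit address space with the top bit clear and variant B in the half with the top bit set. A benign request addresses data by relative index, so both variants behave identically; a request that supplies an absolute pointer (modelling a pointer corrupted through a memory-safety bug) can be valid in at most one variant, so the monitor sees the variants diverge. The 16-bit space, the `Variant` class, the request format and the `monitor` function are all assumptions made for the example.

```python
"""Toy model of an N-variant system with address-space partitioning.

Constructed for illustration only; not the N-variant framework's own code.
Assumptions: a 16-bit simulated address space, two variants whose data
lives in disjoint halves of it, and requests that are either a relative
index (benign) or an absolute pointer (a corrupted pointer).
"""
from dataclasses import dataclass

ADDRESS_BITS = 16
PARTITION_BIT = 1 << (ADDRESS_BITS - 1)   # 0x8000: selects which half a variant owns


@dataclass
class Variant:
    name: str
    base: int        # address where this variant's data table starts
    memory: dict     # simulated memory: address -> byte value

    def owns(self, addr: int) -> bool:
        """An address is only valid if it lies in this variant's half and is mapped."""
        same_half = (addr & PARTITION_BIT) == (self.base & PARTITION_BIT)
        return same_half and addr in self.memory

    def handle(self, request: tuple) -> tuple:
        """Process one request; returns ('ok', byte) or ('fault', None)."""
        kind, operand = request
        if kind == "index":          # benign: relative access through the variant's base
            addr = self.base + operand
        elif kind == "pointer":      # corrupted absolute pointer reaching memory directly
            addr = operand
        else:
            raise ValueError(f"unknown request kind {kind!r}")
        if not self.owns(addr):
            return ("fault", None)
        return ("ok", self.memory[addr])


def build_variants(table: bytes) -> list:
    """Same program data, laid out in two disjoint address partitions."""
    base_a = 0x1000                     # top bit clear
    base_b = 0x1000 | PARTITION_BIT     # top bit set
    mem_a = {base_a + i: b for i, b in enumerate(table)}
    mem_b = {base_b + i: b for i, b in enumerate(table)}
    return [Variant("A", base_a, mem_a), Variant("B", base_b, mem_b)]


def monitor(variants: list, request: tuple) -> tuple:
    """Feed the same input to every variant and compare their behaviour.

    'accept'     : all variants succeeded with the same value (normal operation)
    'reject'     : all variants faulted identically (benign error, e.g. bad index)
    'divergence' : variants disagree, which this model treats as a detected attack
    """
    results = [v.handle(request) for v in variants]
    if all(r == results[0] for r in results):
        status, value = results[0]
        return ("accept", value) if status == "ok" else ("reject", None)
    return ("divergence", None)


def absolute_pointer_never_accepted(variants: list) -> bool:
    """Property check: no absolute address is valid in both partitions at once."""
    return all(
        monitor(variants, ("pointer", addr))[0] != "accept"
        for addr in range(1 << ADDRESS_BITS)
    )


if __name__ == "__main__":
    vs = build_variants(b"secret")            # constructed sample data
    print(monitor(vs, ("index", 0)))          # ('accept', 115)
    print(monitor(vs, ("index", 99)))         # ('reject', None)
    print(monitor(vs, ("pointer", 0x1000)))   # ('divergence', None)
    print(absolute_pointer_never_accepted(vs))
```

The point the model makes is the one in the abstract: detection needs no secret. An attacker who knows both layouts exactly still cannot choose one absolute address that is valid in both variants, because the partitions are disjoint; the monitor only has to notice that the variants stopped agreeing.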

Note: This talk includes joint work with Ben Cox, Jack Davidson, Adrian Filipi, John Knight, Anh Nguyen-Tuong, Nathanael Paul, Jonathan Rowanhill, and Nora Sovarel. Details on our ISR cryptanalysis are available in the upcoming USENIX Security 2005 paper ("Where's the FEEB?: The Effectiveness of Instruction Set Randomization", Nora Sovarel, David Evans and Nathanael Paul).

Bio: During his decade at MIT, David Evans completed 3 degrees, scored 2 D-league hockey goals, and sampled all the non-fishy items on Gooseberry's food truck menu. Since 1999, he has been an assistant professor at the University of Virginia, where he has learned to revere Thomas Jefferson, done research in computer security and program analysis, and developed and taught a 6.001-inspired course targeted to liberal arts students. He is a citizen member on the Virginia Joint Subcommittee on Voting Equipment Certification.

MIT Event Page

Slides: [PPT, 3MB, 58 slides]

Paper: [PDF, 16 pages] [HTML]
Genesis Project

Who can forget that stream of English undefiled, so smooth, so deep, and yet so clear,
that passed from point to point with gentle touch,
that commonly flowed along with the quiet of conscious power,
yet sometimes became tumultuous with feeling,
and then came the music of the cataract and the glory of the rainbow!
on William Barton Rogers' lecturing, Francis H. Smith, in History of the University of Virginia, 1819-1919, Vol. 2