Simulation based Evaluation of a Code Diversification Strategy

Brady Tello, Michael Winterrose, George Baah, Michael Zhivich

2015

Abstract

Periodic randomization of a computer program’s binary code is an attractive technique for defending against several classes of advanced threats. In this paper we describe a model of attacker-defender interaction in which the defender employs such a technique against an attacker who is actively constructing an exploit using Return Oriented Programming (ROP). In order to successfully build a working exploit, the attacker must guess the locations of several small chunks of program code (i.e., gadgets) in the defended program’s memory space. As the attacker continually guesses, the defender periodically rotates to a newly randomized variant of the program, effectively negating any gains the attacker made since the last rotation. Although randomization makes the attacker’s task more difficult, it also incurs a cost to the defender. As such, the defender’s goal is to find an acceptable balance between utility degradation (cost) and security (benefit). One way to measure these two competing factors is the total task latency introduced by both the attacker and any defensive measures taken to thwart him. We simulated a number of diversity strategies under various threat scenarios and present the measured impact on the defender’s task.



Paper Citation


in Harvard Style

Tello B., Winterrose M., Baah G. and Zhivich M. (2015). Simulation based Evaluation of a Code Diversification Strategy. In Proceedings of the 5th International Conference on Simulation and Modeling Methodologies, Technologies and Applications - Volume 1: SIMULTECH, ISBN 978-989-758-120-5, pages 36-43. DOI: 10.5220/0005522200360043


in Bibtex Style

@conference{simultech15,
author={Brady Tello and Michael Winterrose and George Baah and Michael Zhivich},
title={Simulation based Evaluation of a Code Diversification Strategy},
booktitle={Proceedings of the 5th International Conference on Simulation and Modeling Methodologies, Technologies and Applications - Volume 1: SIMULTECH},
year={2015},
pages={36-43},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005522200360043},
isbn={978-989-758-120-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Conference on Simulation and Modeling Methodologies, Technologies and Applications - Volume 1: SIMULTECH
TI - Simulation based Evaluation of a Code Diversification Strategy
SN - 978-989-758-120-5
AU - Tello B.
AU - Winterrose M.
AU - Baah G.
AU - Zhivich M.
PY - 2015
SP - 36
EP - 43
DO - 10.5220/0005522200360043