22-08-2012, 10:16 AM
Runtime Defense against Code Injection Attacks Using Replicated Execution
Runtime Defense against Code Injection.doc (Size: 155.5 KB / Downloads: 76)
Abstract
The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multithreaded or multiprocess applications, can cause divergence in behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multivariant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multicore processors.
EXISTING SYSTEM:
• A solution to the problem of preventing false positives caused by inconsistent scheduling of threads and processes in multithreaded and multiprocessor applications.
• In the existing system, we have the problem of preventing false positives caused by asynchronous signal delivery.
• Dynamic and runtime tools are often not effective because they lack a baseline to use for detection.
• The problem with this Synchronous Signal Delivery, however, is that CPU-intensive applications may not invoke any system call for a long period of time.
DISADVANTAGES:
The disadvantages of this paper, they only monitor standard I/O and they do not mention the problem of asynchronous signal delivery.
Our algorithm solves the signal delivery problem without introducing wait times for a system call.
PROPOSED SYSTEM:
• A novel technique to build a user-space multivariant monitor that does not need any operating system (OS) kernel modification.
• Our monitor supervises the execution of parallel instances of the subject application using the debugging facilities of a standard Linux kernel.
• Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise Software.
• Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep.
• The performance overhead of sophisticated algorithms used by such runtime tools is often prohibitively high in some production systems.
ADVANTAGES:
A major advantage of this approach is that it enables us to detect and prevent a wide range of threats, including “zero-day” attacks.
Multivariant execution is effective even against sophisticated polymorphic and metamorphic viruses and worms.
The large amount of parallelism that inherently exists in multivariant execution helps it take advantage of multicore processors.
System call:
The monitor lets them run the system call and open the file. The monitor replicates the file descriptor and assigns a new file descriptor to all the variants. Assume that the replicated file descriptor is five. Later, the variants try to open b.txt with read/write permission. The monitor intercepts the system call and opens the file itself. Assume that the file descriptor assigned to the monitor by the kernel is also five.
Multi variant Execution:
Performing file operations is one of the tasks that should be synchronized and arbitrated in multi variant execution. Particularly, writing to files needs to be arbitrated as we cannot let the variants write to the same file more than once.
Time can be another source of inconsistency in multi variant execution. When the variants invoke a system call that reads the system time, e.g., get ime of day, the monitor invokes the same system call only once and sends the result to all
the variants.
Performance:
As the number of variants increases, the performance penalty of multi variant execution increases. There are two main reasons for this: first, the monitor has to compare the data flowing out of a larger number of variants and also copy results of system calls to them. The comparison and copying overhead increase with the number of variants. Second, the overhead of synchronizing a larger number of variants is higher.
Overview of the project:
Multi variant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multithreaded or multi process applications, can cause divergence in behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multi variant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multi core processors.