Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization

Koning, Koen; Bos, Herbert; Giuffrida, Cristiano

doi:10.1109/dsn.2016.46

Cited by 41 publications

(72 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The architecture of FreeDA, shown in Figure 1, is similar to stateof-the-art second-generation MVE systems [28,29,44]. FreeDA executes several versions in the same MVE deployment, each in its own process: a fast native version, with which the users interact directly; and a DA version for each dynamic analysis.…”

Section: Designmentioning

confidence: 99%

“…FreeDA leverages Multi-Version Execution (MVE) [17,19,20,23,27,29,31,37,44,46,47] to run the native application concurrently with several DA versions (e.g., in parallel with Valgrind and compilersanitized versions), each in their own process. FreeDA leverages the record-replay strategy used in the second-generation of multiversion execution systems [28,29,44,46], by recording the results of system calls issued by the native version into an in-memory system-call buffer, while each DA version reads the results of its system calls from this buffer. This separation allows FreeDA to run the native version at full speed (minus the small time needed to write the results of system calls into a buffer), while each DA version operates at a lower speed in the background.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Proceedings of the 15th ACM International Conference on Computing Frontiers

2018

View full text Add to dashboard Cite

Dynamic analyses such as those implemented by compiler sanitizers and Valgrind are effective at finding and diagnosing challenging bugs and security vulnerabilities. However, most analyses cannot be combined on the same program execution, and they incur a high overhead, which typically prevents them from being used in production. This paper addresses the ambitious goal of running concurrently multiple incompatible stock dynamic analysis tools in production, without requiring any modifications to the tools themselves or adding significant runtime overhead to the deployed system. This is accomplished using multi-version execution, in which the dynamic analyses are run concurrently with the native version, all on the same program execution. We implement our approach in a system called FreeDA and show that it is applicable to several common scenarios, involving network servers and interactive applications. In particular, we show how incompatible stock dynamic analyses implemented by Clang's sanitizers and Valgrind can be used to check high-performance servers such as Memcached, Nginx and Redis, and interactive applications such as Git, HTop and OpenSSH. CCS CONCEPTS • Computer systems organization → Reliability; • Software and its engineering → Runtime environments; Software testing and debugging;

show abstract

Section: Designmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Proceedings of the 15th ACM International Conference on Computing Frontiers

2018

View full text Add to dashboard Cite

show abstract

“…As Table 2 shows, dedup executes over 134K system calls 1.02M sync ops per second, whereas barnes and radiosity execute more than 19K and 33K system calls per second and 5.12M and 18.25M sync ops per second resp. Each of the system calls invokes the MVEE monitor, which constitutes a performance bottleneck even in the most efficient security-oriented MVEEs [21,45].…”

Section: Correctness and Performance Evaluationmentioning

confidence: 99%

“…Multi-Variant Execution Environments (MVEEs) have become a hot research topic due to their potential to break the seemingly endless cycle of new mitigations being bypassed by new exploits which are then addressed by yet more mitigations [13,19,21,30,37,44,45]. The fundamental idea is to execute two or more functionally equivalent programs (variants) in lockstep and monitor their behavior at the level of system calls.…”

Section: Introductionmentioning

confidence: 99%

“…In both cases, the monitor executed in a different context than the variants [12,13,18,30,37,43]. More recent work has explored decentralized monitors that run in the same execution context as the variants to some degree [19,21,45]. In the decentralized designs, the monitor can intercept system calls directly, whereas the external monitor designs require context switching to invoke the monitor.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Taming Parallelism in a Multi-Variant Execution Environment

Volckaert

Coppens

Sutter

et al. 2017

Proceedings of the Twelfth European Conference on Computer Systems

View full text Add to dashboard Cite

Exploit mitigations, by themselves, do not stop determined and well-resourced adversaries from compromising vulnerable software through memory corruption. Multivariant execution environments (MVEEs) add additional assurance by executing multiple, diversified copies (variants) of the same program in lockstep while monitoring their behavior for signs of attacks (divergence). While executing multiple copies of the same program requires additional computational resources, modern MVEEs run many workloads at near-native speed and can detect adversaries before they leak secrets or achieve persistence on the host system.Multi-threaded programs are challenging to execute in lockstep by an MVEE. If the threads in a set of variants are not scheduled in the exact same order, the variants will diverge from each other in terms of the system calls they make. While benign, such divergence undermines the MVEEs ability detect divergence caused by malicious program inputs. To address this problem, we developed an MVEE-specific synchronization scheme that lets us execute a set of multithreaded variants in lockstep without causing benign divergence. Our fully-fledged MVEE runs the PARSEC 2.1 and SPLASH-2x parallel benchmarks (with four worker threads per variant) with a slowdown of less than 15% relative to unprotected execution. Addressing this longstanding compatibility issue makes MVEEs a viable defense for a far greater range of realistic workloads.

show abstract

Distributed Heterogeneous N-Variant Execution

Voulimeneas

Song

Parzefall

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

N-Variant Execution (NVX) systems utilize artificial diversity techniques to enhance software security. The general idea is to run multiple different variants of the same program alongside each other while monitoring their diverging behavior on a malicious input. Existing NVX systems execute diversified program variants on a single host. This means the level of inter-variant diversity will be limited to what a single platform can offer, without costly emulation. This paper presents DMON, a novel distributed NVX design that executes native program variants across multiple heterogeneous hosts. Our approach greatly increases the level of diversity between the simultaneously running variants that can be supported, encompassing different ISAs and ABIs. Our evaluation shows that DMON can provide comparable performance to traditional, nondistributed NVX systems, while enhancing security.

show abstract

Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization

Cited by 41 publications

References 39 publications

Proceedings of the 15th ACM International Conference on Computing Frontiers

Proceedings of the 15th ACM International Conference on Computing Frontiers

Taming Parallelism in a Multi-Variant Execution Environment

Distributed Heterogeneous N-Variant Execution

Contact Info

Product

Resources

About