 
Searching Architecture Models for Proactive Software Diversification
Benoit Baudry, joint work with J. Bourcier, F. Fouquet, S. Allier, M. Monperrus

Early software monocultures
Software monoculture
• Massive monoculture at the bottom of the software stack
  • operating system, web servers
• Emerged with the increase of the software market
  • personal computers
  • Internet
[Figure: the software stack, from top to bottom: applications, libraries, frameworks, virtual machines, operating system, HAL]
Software monoculture – PC

Software monoculture – web servers

Software monoculture – routers
Risks very well known
• Single point of failure
• Cascading effects
  • error / virus propagation
• BOBE
  • blow one, blow everything
• Massive reuse of attack vectors

[Reproduced on the slide: Inside Risks column "Risks of Monoculture", Mark Stamp, Communications of the ACM, March 2004/Vol. 47, No. 3, p. 120]

The W32/Blaster worm burst onto the scene in August of 2003. By exploiting a buffer overflow in Windows, the worm was able to infect more than 1.4 million systems worldwide in less than a month. More diversity in the OS market would have limited the number of susceptible systems, thereby reducing the level of infection.

An analogy with biological systems is irresistible. When a disease strikes a biological system, a significant percentage of the affected population will survive, largely due to its genetic diversity. This holds true even for previously unknown diseases. By analogy, diverse computing systems should weather cyber attacks better than systems that tend toward monoculture. But how valid is the analogy? It could be argued that the case for computing diversity is even stronger than the case for biological diversity. In biological systems, attackers find their targets at random, while in computing systems, monoculture creates more incentive for attack because the results will be all the more spectacular. On the other hand, it might be argued that cyber-monoculture has arisen via natural selection—providers with the best security products have survived to dominate the market. Given the dismal state of computer security today, this argument is not particularly persuasive.

Although cyber-diversity evidently provides security benefits, why do we live in an era of relative computing monoculture? The first-to-market advantage and the ready availability of support for popular products are examples of incentives that work against diversity. The net result is a “tragedy of the (security) commons” phenomenon—the security of the Internet as a whole could benefit from increased diversity, but individuals have incentives for monoculture.

It is unclear how proposals aimed at improving computing security might affect cyber-diversity. For example, increased liability for software providers is often suggested as a market-oriented approach to improved security. However, such an approach might favor those with the deepest pockets, leading to less diversity.

Although some cyber-diversity is good, is more diversity better? Virus writers in particular have used diversity to their advantage; polymorphic viruses are currently in vogue. Such viruses are generally encrypted with a weak cipher, using a new key each time the virus propagates, thus confounding signature-based detection. However, because the decryption routine cannot be encrypted, detection is still possible. Virus writers are on the verge of unleashing so-called metamorphic viruses, where the body of the virus itself changes each time it propagates. This results in viruses that are functionally equivalent, with each instance of the virus containing distinct software. Detection of metamorphic viruses will be extremely challenging.

Is there defensive value in software diversity of the metamorphic type? Suppose we produce a piece of software that contains a common vulnerability, say, a buffer overflow. If we simply clone the software—as is standard practice—each copy will contain an identical vulnerability, and hence an identical attack will succeed against each clone. Instead, suppose we create metamorphic instances, where all instances are functionally equivalent, but each contains significantly different code. Even if each instance still contains the buffer overflow, an attacker will probably need to craft multiple attacks for multiple instances. The damage inflicted by any individual attack would thereby be reduced and the complexity of a large-scale attack would be correspondingly increased. Furthermore, a targeted attack on any one instance would be at least as difficult as in the cloning case.

Common protocols and standards are necessary in order for networked communication to succeed and, clearly, diversity cannot be applied to such areas of commonality. For example, diversity cannot help prevent a protocol-level attack such as TCP SYN flooding. But diversity can help mitigate implementation-level attacks, such as exploiting buffer overflows. As with many security-related issues, quantifying the potential benefits of diversity is challenging. In addition, metamorphic diversity raises significant questions regarding software development, performance, and maintenance. In spite of these limitations and concerns, there is considerable interest in cyber-diversity, both within the research community and in industry; for an example of the former, see www.newswise.com/articles/view/502136/ and for examples of the latter, see the Cloakware.com Web site or Microsoft’s discussion of individualization in the Windows Media Rights Manager.

Mark Stamp (stamp@cs.sjsu.edu), an assistant professor of computer science at San Jose State University, recently spent two years working on diverse software for MediaSnap, Inc.
Systems software diversification

Software diversity
• In operating systems
• Seminal papers in the 1990’s
  • Fred Cohen 1993 « Operating system protection through program evolution »
  • Stephanie Forrest 1997 « Building Diverse Computer Systems »
• For security purposes
  • mitigate code injection, buffer overflows
Instruction set randomization
[Figure: Compile → encrypt with the encryption key → Load → In memory → decrypt with the decryption key → Execution]
Randomized instruction set emulation. E.G. Barrantes, D.H. Ackley, S. Forrest, D. Stefanović. ACM TISSEC, 8(1), 3-40
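An added toy emulator, not from the slides or the cited paper, that walks through the stages on this slide: compile to bytecode, encrypt it with a per-process key at load time, and decrypt every instruction at fetch time. The four-opcode instruction set, the XOR key stream and the key value are constructed for the example; a real deployment would draw a fresh random key for every process.

```python
# Toy instruction set (constructed): all valid opcodes are below 0x08, so a
# fetched byte that decrypts to anything larger is rejected as illegal.
OP_HALT, OP_PUSH, OP_ADD, OP_MUL = 0x01, 0x02, 0x03, 0x04
MNEMONICS = {"HALT": OP_HALT, "PUSH": OP_PUSH, "ADD": OP_ADD, "MUL": OP_MUL}

class IllegalInstruction(Exception):
    """A fetched byte did not decrypt to a known opcode."""

def compile_program(tokens):
    """Compile step: ("PUSH", 6), ("MUL",), ... becomes plaintext bytecode."""
    code = bytearray()
    for tok in tokens:
        code.append(MNEMONICS[tok[0]])
        if tok[0] == "PUSH":
            code.append(tok[1] & 0xFF)
    return bytes(code)

def load_program(code, key):
    """Load step: XOR the bytecode with the per-process key stream, giving this
    process its own private instruction encoding in memory."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))

def execute(memory, key):
    """Execution step: each fetched byte is decrypted with the same key, so bytes
    that never passed through the loader decrypt to garbage instead of code."""
    stack, pc = [], 0
    while pc < len(memory):
        op = memory[pc] ^ key[pc % len(key)]
        if op not in MNEMONICS.values():
            raise IllegalInstruction(f"byte at {pc} decrypts to 0x{op:02x}")
        if op == OP_HALT:
            return stack[-1] if stack else None
        if op == OP_PUSH:  # the operand byte is encrypted as well
            stack.append(memory[pc + 1] ^ key[(pc + 1) % len(key)])
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == OP_ADD else a * b)
        pc += 2 if op == OP_PUSH else 1
    raise IllegalInstruction("ran off the end of memory")

def demo(key):
    """Run 6*7 through the loader, then feed the VM the same plaintext bytecode as
    if it had been injected behind the loader's back. Returns (result, injected_ran)."""
    program = compile_program([("PUSH", 6), ("PUSH", 7), ("MUL",), ("HALT",)])
    result = execute(load_program(program, key), key)
    try:
        execute(program, key)
        return result, True
    except IllegalInstruction:
        return result, False
```

Any key whose bytes are all 0x08 or larger makes the rejection in `demo` certain; a random key makes it merely overwhelmingly likely, which is the property real instruction set randomization relies on.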
Software diversity
• Address space layout randomization
  • randomize binary addresses at load time
  • a program’s address space is different on each machine
• Deployed in all mainstream operating systems
• Effective against buffer overflows

New software monocultures
Software monoculture today
• Continues growing in upper levels of the software stack
  • libraries, frameworks, IDEs, CMS, search engine, browser, etc.
• Pushed by GOOD reasons
  • software engineering practices: modularity and reuse
  • compatibility and interoperability
  • maintenance and evolution costs reduction
  • economical motivations
[Figure: the software stack, from top to bottom: applications, libraries, frameworks, virtual machines, operating system, HAL]
The case of Wordpress
• CMS monoculture
  • March 2014: more than 20% of the 500000 top sites use Wordpress
• Plugins monoculture
  • 64% use the Akismet plugin
  • 23% use Jetpack, known to have an SQL injection vulnerability
“Multi-tier diversification in Internet-based software applications”. Simon Allier, Olivier Barais, Benoit Baudry, Johann Bourcier, Erwan Daubert, Franck Fleurey, Martin Monperrus, Hui Song, Maxime Tricoire. To appear in IEEE Software, Jan 2015
The case of Wordpress
[Figure: plugin usage across 110000 web sites, mean of 5 plugins per site]

JS libraries
[Figure: JS library usage across 110000 web sites]
Cryptographic protocols

Cryptographic protocols
source: https://t37.net/4-lessons-every-startup-should-learn-from-the-heartbleed-catastrophe.html

Cryptographic protocols
Social networks
source: http://www.zdnet.com/is-the-social-networking-monoculture-ready-to-crumble-7000003329/

Knowledge

Software development
source: http://www.creativebloq.com/netmag/bacon-bad-you-dangers-dev-monoculture-21410684
Alternatives are emerging

Web servers

Cloud platforms

Java virtual machines

Apps
Huge reservoir of functionally similar software solutions

Yet, software systems remain highly homogeneous
Take-away
• Software monocultures exist
  • at a very large scale
  • in application level code
• Software diversity exists
  • machine-code level
• Alternative software solutions emerge
  • must be exploited
• Next challenge: diversify applications in a proactive/automatic way
Our claim: MDE and SBSE can spur application software diversity radiation

Web app example
Server side software stack
[Figure: the stack, from top to bottom: MDMS, Redis DB, RingoJS, Rhino, JVM, OS]
Server side deployment
[Figure: Internet → http request → Nginx load balancer → six servers, every one running config 0]
Monoculture deployment of MDMS

Server side deployment
[Figure: Internet → http request → Nginx load balancer → six servers running config 1 to config 6, drawn from diverse OSs, diverse JS interpreters, diverse JVMs and diverse clouds]
Multi-diversified deployment of MDMS
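An added model, not from the slides or the MDMS project, of the two deployments above: each server picks one alternative per tier of the stack, and the blast radius of a component is the share of the fleet a single implementation-level vulnerability in that component could reach. The tier names follow the slide, the component names are constructed placeholders, and the greedy assignment is one simple way to spread components evenly, not the search-based approach the talk is about.

```python
import itertools

# Tiers of the server-side stack on the slides, each with three interchangeable
# alternatives. The component names are constructed placeholders, not products.
TIERS = {
    "cloud": ["cloudA", "cloudB", "cloudC"],
    "os": ["osA", "osB", "osC"],
    "jvm": ["jvmA", "jvmB", "jvmC"],
    "js_interpreter": ["jsA", "jsB", "jsC"],
}

def monoculture_deployment(n):
    """config 0 repeated n times: every server runs exactly the same stack."""
    base = {tier: options[0] for tier, options in TIERS.items()}
    return [dict(base) for _ in range(n)]

def diversified_deployment(n):
    """n distinct stacks, each chosen greedily so that the components it uses are
    the ones deployed on the fewest servers so far (ties broken by the order of
    the alternatives in TIERS). No two servers end up with the same stack."""
    combos = [dict(zip(TIERS, c)) for c in itertools.product(*TIERS.values())]
    if n > len(combos):
        raise ValueError(f"only {len(combos)} distinct stacks are available")
    usage = {tier: {c: 0 for c in opts} for tier, opts in TIERS.items()}
    deployment = []
    for _ in range(n):
        unused = [c for c in combos if c not in deployment]
        best = min(unused, key=lambda s: sum(usage[t][s[t]] for t in TIERS))
        deployment.append(best)
        for tier in TIERS:
            usage[tier][best[tier]] += 1
    return deployment

def blast_radius(deployment, tier, component):
    """Fraction of the fleet running one component: the share that a single
    implementation-level vulnerability in that component can reach."""
    hit = sum(1 for server in deployment if server[tier] == component)
    return hit / len(deployment)

def worst_case(deployment):
    """Largest blast radius of any single component in any tier."""
    return max(blast_radius(deployment, tier, c)
               for tier, opts in TIERS.items() for c in opts)

def distinct_configs(deployment):
    """Number of different full stacks in the deployment."""
    return len({tuple(sorted(server.items())) for server in deployment})
```

With six servers the monoculture has a worst-case blast radius of 1.0 (blow one, blow everything), while the greedy diversified fleet caps any single component at half the servers.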