Polygraphing Processes: N-Variant Systems for Secretless Security
David Evans
UVa/CMU Genesis Project
DARPA SRS PIs Meeting
12 July 2005
(Images: Jefferson’s polygraph; Hoover’s polygraph)
Motivating Observation
• Previous diversity approaches (including ours) rely on keeping secrets
• Keeping secrets is hard
– [Shacham, et al., CCS 2004] (“On the Effectiveness of Address-Space Randomization”)
– [Sovarel, et al., USENIX Security 2005] (“Where’s the FEEB? The Effectiveness of Instruction Set Randomization”)
Can we use diversity effectively without needing any secrets?
DARPA SRS Genesis Project
N-Variant Systems
• Construct a system that requires the attacker to “simultaneously” compromise multiple variants
• Variations designed to make this impossible for certain attack classes
• Provides security without needing secrets
– Framework for proving resistance to classes of attack
N-Version Programming [Avizienis & Chen, 1977]
• Multiple teams of programmers implement the same spec
• Voter compares results and selects the most common
• No guarantees: teams may make the same mistake

N-Variant System
• Transformer automatically produces diverse variants
• Monitor compares results and detects attack
• Guarantees: variants behave differently on particular input classes
2-Variant System
(Diagram: Input (possibly malicious) enters the Polygrapher, which feeds Server Variant 0 and Server Variant 1; the Monitor compares the two and produces the Output.)
N-Variant Framework
(Diagram: the Polygrapher feeds Variant 0 and Variant 1; the Monitor observes both.)
• Polygrapher
– Replicates the “same” input to all variants
• Monitor
– Delays effects until all variants finish successfully
– Detects failure of one variant:
• “Crash”: the other variants may have been compromised
• Need to recover to known valid states
• Set of Variants
– Must be disjoint with respect to the attack requirement
– An attack input that succeeds against one variant must cause some other variant to fail detectably
Establishing Disjoint Variants
• Normal Equivalence Property
– Under normal inputs, the variants stay in equivalent states:
A_0(S_0) ≡ A_1(S_1)
• Detection Property
– Any attack that compromises one variant causes another variant to exhibit detection behavior (e.g., crash)
Example: Memory Partitioning
• Variation
– Variant 0: all addresses start with a 0 bit (high-order bit 0)
– Variant 1: all addresses start with a 1 bit (high-order bit 1)
• Normal Equivalence
– Map addresses to the same address space
• Broken if code depends on absolute addresses
• Detection Property
– Any absolute load/store is invalid on one of the variants
Instruction Set Partitioning
(Diagram: the opcodes JMP, CALL, JO, JNO, JB, JNB, JZ, JNZ, … are partitioned between Variant A and Variant B.)
Instruction Set Tagging
• Variation: add an extra bit to all opcodes
– Variation 0: tag bit is a 0
– Variation 1: tag bit is a 1
– At run time, check and remove the tag using Strata (a software dynamic translator)
• Normal Equivalence: remove the tag bits
• Detection Property
– Any (tagged) opcode is invalid on one variant
– Injected code (identical on both) cannot run on both
Composing Variations
• Must preserve the normal equivalence property
• The memory-space variation detects memory attacks; the instruction-tag variation detects direct code injection
• Example 3-variant configuration:

                     P1   P2   P3
  Memory Space        0    0    1
  Instruction Tags    0    1    1
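As an added example (not code from the talk or the Genesis project), the following Python models the two variations of the preceding slides, memory partitioning and instruction-set tagging, and composes them into the P1/P2/P3 configuration above. The toy ISA, the vulnerable “echo server” program, the Strata-like tag check and the monitor are all invented for the demonstration: each 7-bit opcode carries a tag bit that a variant checks and strips before executing, and every data or instruction address must lie in the variant’s half of a 256-byte address space. The program copies input into a 4-byte buffer with no bounds check and then jumps through a saved target stored right after it, so an attacker can plant shellcode plus an absolute address; one payload succeeds on exactly one variant and faults on the others.

```python
# Toy n-variant system: address-space partitioning + instruction-set tagging.
# Everything here (ISA, program, fault model) is invented for this example.

LDP, IN, JZ, STP, INC, JMP, JIND, OUT, HALT = range(9)   # 7-bit opcodes

# Vulnerable "echo server": copies input into a 4-byte buffer with no bounds
# check; the byte after the buffer holds a saved jump target (think: return
# address). Offsets are relative to the variant's load base.
BUF_OFF, RET_OFF, HANDLER_OFF = 18, 22, 14
PROGRAM = [
    (LDP, BUF_OFF),   #  0: P = base + BUF_OFF
    (IN, 0),          #  2: A = next input byte (0 once input is exhausted)
    (JZ, 12),         #  4: if A == 0: goto 12 (done)
    (STP, 0),         #  6: mem[P] = A            <- no bounds check
    (INC, 0),         #  8: P += 1
    (JMP, 2),         # 10: goto 2
    (JIND, RET_OFF),  # 12: done: PC = mem[base + RET_OFF]
    (OUT, ord("k")),  # 14: legitimate handler: emit 'k'
    (HALT, 0),        # 16
]                      # 18..21: buffer; 22: saved target (= base + HANDLER_OFF)


class VariantFault(Exception):
    """Detection behaviour: the variant crashes instead of continuing."""


class Variant:
    """mem_bit: high-order bit every valid address must carry (partitioning);
    tag: the opcode tag bit this variant accepts (instruction-set tagging)."""

    def __init__(self, name, mem_bit, tag):
        self.name, self.mem_bit, self.tag = name, mem_bit, tag
        self.base = mem_bit << 7
        self.mem = bytearray(256)
        # Transformer: tag every opcode. Loader: place the image in this
        # variant's half of memory and relocate the saved target.
        for i, (op, arg) in enumerate(PROGRAM):
            self.mem[self.base + 2 * i] = op | (tag << 7)
            self.mem[self.base + 2 * i + 1] = arg
        self.mem[self.base + RET_OFF] = self.base + HANDLER_OFF

    def check(self, addr):
        # Partitioning's detection property: an address whose high bit is not
        # mem_bit (e.g. an absolute address aimed at another variant) faults.
        if addr >> 7 != self.mem_bit:
            raise VariantFault(f"{self.name}: address {addr:#04x} outside partition")
        return addr

    def run(self, data, max_steps=200):
        pc, a, p, out, inp = self.base, 0, 0, [], list(data)
        for _ in range(max_steps):
            op = self.mem[self.check(pc)]
            # Tagging's detection property: the run-time checker (Strata's
            # role in the talk) rejects an opcode carrying the wrong tag.
            if op >> 7 != self.tag:
                raise VariantFault(f"{self.name}: wrong tag on opcode {op:#04x} at {pc:#04x}")
            op, arg = op & 0x7F, self.mem[self.check(pc + 1)]
            pc += 2
            if op == LDP:    p = self.base + arg
            elif op == IN:   a = inp.pop(0) if inp else 0
            elif op == JZ:   pc = self.base + arg if a == 0 else pc
            elif op == STP:  self.mem[self.check(p)] = a
            elif op == INC:  p += 1
            elif op == JMP:  pc = self.base + arg
            elif op == JIND: pc = self.mem[self.check(self.base + arg)]
            elif op == OUT:  out.append(arg)
            elif op == HALT: return bytes(out)
            else: raise VariantFault(f"{self.name}: unknown opcode {op}")
        raise VariantFault(f"{self.name}: step limit exceeded")


# The three variants of the Composing Variations slide: (name, mem_bit, tag).
CONFIGS = [("P1", 0, 0), ("P2", 0, 1), ("P3", 1, 1)]


def polygraph(data, configs=CONFIGS):
    """Polygrapher + monitor: start a fresh copy of every variant (one per
    request, like a fork), feed them all the same input, and release the
    output only if every variant finishes and they all agree. Any fault or
    disagreement is reported as a detected attack."""
    results = {}
    for name, mem_bit, tag in configs:
        try:
            results[name] = ("ok", Variant(name, mem_bit, tag).run(data))
        except VariantFault as fault:
            results[name] = ("fault", str(fault))
    distinct = set(results.values())
    if len(distinct) == 1 and next(iter(distinct))[0] == "ok":
        return ("ok", next(iter(distinct))[1])
    return ("detected", results)


def attack_payload(target_mem_bit, target_tag):
    """Overflow payload aimed at one variant: 'OUT "P"; HALT' tagged for it,
    then a byte that overwrites the saved target with the buffer's absolute
    address in that variant's partition. No byte may be 0 (end-of-input)."""
    t = target_tag << 7
    shellcode = bytes([OUT | t, ord("P"), HALT | t, 1])
    return shellcode + bytes([(target_mem_bit << 7) + BUF_OFF])
```

`polygraph(b"hi")` returns `("ok", b"k")` from all three variants, which is the normal equivalence property. Running the same payload against a single variant, `polygraph(attack_payload(0, 0), [("P1", 0, 0)])`, returns `("ok", b"P")`: the attack succeeds silently. Against the full set, P1 is compromised but P2 rejects the shellcode’s tag and P3 faults on the address, so the monitor reports `"detected"`; aiming the payload at P3 instead (`attack_payload(1, 1)`) merely moves the fault to P1 and P2. No key or randomized layout is involved, only the requirement that one payload fit all variants.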
Implementations
• Two prototypes:
– Linux kernel modification
– Divert sockets
• Ad hoc establishment of normal equivalence
– Transformation used to create variants
– Run-time checking for equivalent behavior at security-critical events
Kernel Implementation
• Modify the process table to record variants
• Create a new fork routine to launch variants
• Intercept system calls:
– Check that parameters match for all variants
– Make the call once
– Send the same result to all variants
• Low overhead, but lack of isolation between variants
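As an added example (not the project’s code), the following Python sketches at user level the rendezvous the kernel prototype performs on each system call. Each variant is a generator that yields a (name, args) request and receives the result; the monitor waits for one request from every variant, checks that the requests are identical, makes the call once against an in-memory stand-in kernel, and sends the same result to all. The service, its syscall set, the log path and the compromised variant are invented for the demonstration. Note how delivering the single `time` result to every variant keeps their later `write` buffers identical; had each variant read the clock itself, the monitor would see a spurious divergence (the non-determinism problem on the Open Problems slide).

```python
# Lockstep system-call monitor in the style of the kernel prototype.
# Variants are generators: `yield (name, args)` is a system call, and the
# value sent back is its result. Service, syscalls and paths are invented.
import itertools


def service(request):
    """Toy request handler run by every (uncompromised) variant."""
    fd = yield ("open", ("/var/log/app.log",))     # hypothetical log path
    now = yield ("time", ())                         # result supplied once, by the monitor
    yield ("write", (fd, f"{now} got {request!r}\n"))
    yield ("write", (1, request.upper()))            # reply to the client on fd 1
    yield ("close", (fd,))
    return "done"


def compromised_service(request):
    """Stand-in for a variant whose control flow an exploit has hijacked:
    after the second call it tries to exec a shell instead of logging."""
    fd = yield ("open", ("/var/log/app.log",))
    yield ("time", ())
    yield ("exec", ("/bin/sh",))                     # never reaches the kernel
    yield ("close", (fd,))
    return "pwned"


def make_kernel():
    """In-memory stand-in for the real kernel: returns the call table plus
    the observable state (files, client output) so effects can be inspected."""
    files, fds, stdout, clock = {}, {}, [], itertools.count(1000)

    def k_open(path):
        fd = 3 + len(fds)
        fds[fd] = path
        files.setdefault(path, "")
        return fd

    def k_write(fd, data):
        if fd == 1:
            stdout.append(data)
        else:
            files[fds[fd]] += data
        return len(data)

    def k_close(fd):
        fds.pop(fd)
        return 0

    table = {"open": k_open, "time": lambda: next(clock), "write": k_write,
             "close": k_close, "exec": lambda path: f"exec {path}"}
    return table, files, stdout


def lockstep_monitor(variants, kernel):
    """Collect one request from every variant, require identical (name, args),
    make the call once, send the same result to all. Nothing reaches the
    kernel until every variant has asked for it, so effects are delayed until
    the variants agree. Returns ("ok", value, trace) or ("detected", why, trace)."""
    trace, pending = [], [next(v) for v in variants]
    while True:
        if len(set(pending)) != 1:
            for v in variants:                       # "crash" all variants, then recover
                v.close()
            return ("detected", pending, trace)
        name, args = pending[0]
        result = kernel[name](*args)
        trace.append((name, args, result))
        pending, finished = [], []
        for v in variants:
            try:
                pending.append(v.send(result))
            except StopIteration as stop:
                finished.append(stop.value)
        if finished:
            if len(finished) != len(variants):
                return ("detected", "exit mismatch", trace)
            return ("ok", finished[0], trace)
```

Two copies of `service` agree on every call, so the monitor performs `open`, `time`, `write`, `write`, `close` exactly once each and the client sees one reply. Pairing `service` with `compromised_service` stops at the third rendezvous: the requests differ (`write` versus `exec`), nothing further reaches the kernel, and the client output is empty. A real implementation must also decide what to do with calls whose results legitimately differ per variant (`getpid`, for instance), which is part of the normal-equivalence work the Open Problems slide lists.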
Divert Sockets Implementation
• A process (nvpd) intercepts traffic
• Uses divert sockets to send copies to isolated variants (which can be on different machines)
• Waits until all variants respond to a request before returning to the client
• Adjusts TCP sequence numbers so that each variant appears to have a normal connection
Divert Sockets 3-Variant System
(Diagram: input from the client enters nvpd, whose Polygrapher forwards copies to server variants P1, P2 and P3; nvpd’s Monitor collects their responses and returns the output to the client.)
Results
• Implemented 3-variant system
– Address space partitioning
– Instruction set tagging
• Thwarts any attack that:
– Depends on referencing an absolute address
– Depends on executing directly injected code
• Latency overhead (Apache; factor relative to the unmodified server, absolute latency in parentheses):

                 http             https
  4 machines     54x (10.8 ms)    2.1x (4778 ms)
  1 machine      89x (17.8 ms)    2.3x (5271 ms)
Open Problems
• Non-determinism, persistent state
• Formally establishing normal equivalence
– Statically + dynamically
• Variations to prevent larger classes of attacks
– File naming, scheduling, protocol, configuration, etc.
– Limited by the need to preserve (unspecified) application semantics
N-Variant Systems Summary
• Use artificial diversity in a controlled way
• Framework requires the attacker to compromise multiple variants “simultaneously”
– Create variations that make this impossible (for important attack classes)
• Opens the promise of system security proofs that do not require any assumptions about keeping secrets
Credits
Ben Cox
Jack Davidson
David Evans
Adrian Filipi
Jason Hiser
Wei Hu
John Knight
Anh Nguyen-Tuong
Jonathan Rowanhill