Runtime Defense against Code Injection Attacks Using Replicated Execution
July/August 2011 (vol. 8 no. 4)
pp. 588-601
Babak Salamat, University of California, Irvine, Irvine
Todd Jackson, University of California, Irvine, Irvine
Gregor Wagner, University of California, Irvine, Irvine
Christian Wimmer, University of California, Irvine, Irvine
Michael Franz, University of California, Irvine, Irvine
The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multithreaded or multiprocess applications, can cause divergence in behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multivariant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multicore processors.

Index Terms:
Intrusion detection, multivariant execution, n-variant execution, system call.
Babak Salamat, Todd Jackson, Gregor Wagner, Christian Wimmer, Michael Franz, "Runtime Defense against Code Injection Attacks Using Replicated Execution," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 4, pp. 588-601, July-Aug. 2011, doi:10.1109/TDSC.2011.18