Software diversity

Software diversity is a research field about the comprehension and engineering of diversity in the context of software.

Areas

The different areas of software diversity are discussed in surveys on diversity for fault-tolerance[1] or for security.[2][3] A recent survey emphasizes the most recent advances in the field.[4]

The main areas are:

Domains

Software can be diversified in most domains:

  • in firmware of embedded systems and sensors[6]
  • in internet applications[7]
  • in mobile applications[8]
  • in browser applications, incl. those using WebAssembly.[9]

Techniques

Code transformations

It is possible to amplify software diversity through automated transformation processes that create synthetic diversity. A "multicompiler" is a compiler that embeds a diversification engine.[10] A multi-variant execution environment (MVEE) is responsible for selecting the variant to execute and comparing the output.[11]
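The output comparison performed by an MVEE can be sketched as follows. This is an added example, not code from any cited system: the handler names, the simulated address tables and the request format are all constructed for illustration. Each variant offers the same service at variant-specific addresses, so an input that depends on one variant's layout produces diverging outputs, which the monitor refuses to release.

```python
import random

HANDLERS = ["status", "echo", "admin_reset"]   # constructed sample service


def make_variant(seed):
    """A variant places the same handlers at seed-dependent addresses (simulated)."""
    rng = random.Random(seed)
    slots = rng.sample(range(0x1000, 0x2000, 0x10), len(HANDLERS))
    table = dict(zip(slots, HANDLERS))

    def run(request):
        # Well-formed requests name a handler; this path is layout-independent.
        if request["kind"] == "call":
            known = request["name"] in HANDLERS
            return f"ok:{request['name']}" if known else "error:unknown"
        # Simulated corruption: the input carries a raw address instead of a name.
        target = request["target"]
        return f"ok:{table[target]}" if target in table else "fault"

    run.addresses = {name: addr for addr, name in table.items()}
    return run


def mvee(variants, request):
    """Run every variant on the same input; release output only if all agree."""
    outputs = [variant(request) for variant in variants]
    if len(set(outputs)) == 1:
        return {"verdict": "release", "output": outputs[0]}
    return {"verdict": "divergence", "outputs": outputs}


if __name__ == "__main__":
    variants = [make_variant(seed) for seed in (1, 2, 3)]
    print(mvee(variants, {"kind": "call", "name": "echo"}))
    # An address that is only meaningful in variant 0's layout.
    raw = variants[0].addresses["admin_reset"]
    print(mvee(variants, {"kind": "raw", "target": raw}))
```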

Fred Cohen was among the very early promoters of such an approach. He proposed a series of rewriting and code reordering transformations that aim at producing massive quantities of different versions of operating systems functions.[12] These ideas have been developed over the years and have led to the construction of integrated obfuscation schemes to protect key functions in large software systems.[13]

Another approach to increasing software diversity for protection consists of adding randomness to certain core processes, such as memory loading. Randomness implies that all versions of the same program run differently from each other, which in turn creates a diversity of program behaviors. This idea was initially proposed and experimented with by Stephanie Forrest and her colleagues.[14]

Recent work on automatic software diversity explores different forms of program transformations that slightly vary the behavior of programs. The goal is to evolve one program into a population of diverse programs that all provide similar services to users, but with different code.[15][16] This diversity of code enhances the protection of users against one single attack that could crash all programs at the same time.

Transformation operators include:[17]

  • code layout randomization: reorder functions in code
  • globals layout randomization: reorder and pad globals
  • stack variable randomization: reorder variables in each stack frame
  • heap layout randomization
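The first two operators can be modelled to measure how much diversity they buy. This is an added example, not the output of any real multicompiler: the symbol names, sizes, base addresses and padding range are constructed. It builds a population of variants and reports, per symbol, how often an address taken from a reference build is still valid in another variant.

```python
import random

# Constructed sample program: (symbol, size in bytes). Not from a real binary.
FUNCTIONS = [("main", 96), ("parse_request", 240), ("check_auth", 128),
             ("log_event", 64), ("send_reply", 176)]
GLOBALS = [("config", 32), ("session_key", 16), ("counters", 64)]

TEXT_BASE, DATA_BASE = 0x1000, 0x8000   # assumed section bases


def layout(symbols, base, rng, max_pad=0, align=16):
    """Place symbols in random order, with optional random padding before each."""
    order = symbols[:]
    rng.shuffle(order)
    addr, placed = base, {}
    for name, size in order:
        if max_pad:
            addr += rng.randrange(0, max_pad + 1, align)   # random padding
        placed[name] = addr
        addr += -(-size // align) * align                  # round size up to alignment
    return placed


def build_variant(seed):
    """One diversified build: code layout plus globals layout randomization."""
    rng = random.Random(seed)
    symbols = layout(FUNCTIONS, TEXT_BASE, rng)               # reorder functions
    symbols.update(layout(GLOBALS, DATA_BASE, rng, max_pad=64))  # reorder and pad
    return symbols


def address_reuse(reference, variants):
    """Per symbol: fraction of variants where it sits at the reference address."""
    return {name: sum(v[name] == addr for v in variants) / len(variants)
            for name, addr in reference.items()}


if __name__ == "__main__":
    reference = build_variant(seed=0)
    population = [build_variant(seed) for seed in range(1, 201)]
    for name, share in sorted(address_reuse(reference, population).items()):
        print(f"{name:14s} ref=0x{reference[name]:04x} "
              f"same address in {share:.0%} of variants")
```

With only five functions and no padding, reordering alone leaves a noticeable share of variants with a symbol at its reference address; the padded globals collide less often, which is why operators are usually combined.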

As exploring the space of diverse programs is computationally expensive, finding efficient strategies to conduct this exploration is important. To do so, recent work studies plastic regions in software code:[18] plastic regions are those parts of the code that are more susceptible to being changed without disrupting the functionalities provided by the piece of software. These regions can be specifically targeted by automatic code transformation to create artificial diversity in existing software. Turning the search for software diversity into a constraint satisfaction problem is another approach to explore trade-offs between the number of program variants and the size of the code of these variants.[19] In a context where code is automatically generated from a formal specification, it is possible to adapt the code generator so that it generates software diversity in the form of multiple versions of the source code that all conform to the specification.[20]

Natural software diversity

It is known that some functionalities are available in multiple interchangeable implementations; this has been called natural software diversity.[4] For example, a diversity of libraries that implement similar features naturally emerges in software repositories.[21] This natural diversity can be exploited: for example, it has been shown to be valuable for increasing security in cloud systems.[22] Natural diversity can also be used to combine the strengths of different tools: for example, if you combine many decompilers together, the resulting meta-decompiler is more effective.[23]

References

  1. ^ Deswarte, Y.; Kanoun, K.; Laprie, J.-C. (July 1998). Diversity against accidental and deliberate faults. Proceedings Computer Security, Dependability, and Assurance: From Needs to Solutions (Cat. No.98EX358). IEEE Comput. Soc. pp. 171–181. CiteSeerX 10.1.1.27.9420. doi:10.1109/csda.1998.798364. ISBN 978-0769503370. S2CID 5597924.
  2. ^ Knight, John C. (2011), "Diversity", Dependable and Historic Computing, Lecture Notes in Computer Science, vol. 6875, Springer Berlin Heidelberg, pp. 298–312, doi:10.1007/978-3-642-24541-1_23, ISBN 9783642245404
  3. ^ Just, James E.; Cornwell, Mark (2004-10-29). Review and analysis of synthetic diversity for breaking monocultures. ACM. pp. 23–32. CiteSeerX 10.1.1.76.3691. doi:10.1145/1029618.1029623. ISBN 978-1581139709. S2CID 358885.
  4. ^ a b Baudry, Benoit; Monperrus, Martin (2015-09-29). "The Multiple Facets of Software Diversity: Recent Developments in Year 2000 and Beyond". ACM Computing Surveys. 48 (1): 16. arXiv:1409.7324. doi:10.1145/2807593. ISSN 0360-0300. S2CID 215812499.
  5. ^ Schaefer, Ina; Rabiser, Rick; Clarke, Dave; Bettini, Lorenzo; Benavides, David; Botterweck, Goetz; Pathak, Animesh; Trujillo, Salvador; Villela, Karina (2012-07-28). "Software diversity: state of the art and perspectives". International Journal on Software Tools for Technology Transfer. 14 (5): 477–495. CiteSeerX 10.1.1.645.1960. doi:10.1007/s10009-012-0253-y. ISSN 1433-2779. S2CID 7347285.
  6. ^ Hosseinzadeh, Shohreh; Rauti, Sampsa; Hyrynsalmi, Sami; Leppanen, Ville (December 2015). Security in the Internet of Things through obfuscation and diversification. 2015 International Conference on Computing, Communication and Security (ICCCS). pp. 1–5. doi:10.1109/cccs.2015.7374189. ISBN 978-1-4673-9354-6. S2CID 9855649.
  7. ^ Allier, Simon; Barais, Olivier; Baudry, Benoit; Bourcier, Johann; Daubert, Erwan; Fleurey, Franck; Monperrus, Martin; Song, Hui; Tricoire, Maxime (January 2015). "Multitier Diversification in Web-Based Software Applications". IEEE Software. 32 (1): 83–90. doi:10.1109/ms.2014.150. S2CID 218184081.
  8. ^ Franz, Michael (21 September 2010). "E unibus pluram". E unibus pluram: massive-scale software diversity as a defense mechanism. pp. 7–16. doi:10.1145/1900546.1900550. ISBN 9781450304153. S2CID 7248879.
  9. ^ Cabrera Arteaga, Javier; Floros, Orestis; Vera Perez, Oscar; Baudry, Benoit; Monperrus, Martin (2021). "CROW: Code Diversification for WebAssembly" (PDF). Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web. Internet Society. arXiv:2008.07185. doi:10.14722/madweb.2021.23004. ISBN 978-1-891562-67-9.
  10. ^ "Protecting Applications with Automated Software Diversity". Galois, Inc. 2018-09-10. Retrieved 2019-02-12.
  11. ^ Coppens, Bart; De Sutter, Bjorn; Volckaert, Stijn (2018-03-01), "Multi-variant execution environments", The Continuing Arms Race: Code-Reuse Attacks and Defenses, ACM, pp. 211–258, doi:10.1145/3129743.3129752, ISBN 9781970001839
  12. ^ Cohen, Frederick B. (1993). "Operating system protection through program evolution" (PDF). Computers & Security. 12 (6): 565–584. doi:10.1016/0167-4048(93)90054-9. ISSN 0167-4048.
  13. ^ Chenxi Wang; Davidson, J.; Hill, J.; Knight, J. (2001). Protection of software-based survivability mechanisms (PDF). Proceedings International Conference on Dependable Systems and Networks. IEEE Comput. Soc. pp. 193–202. CiteSeerX 10.1.1.1.7416. doi:10.1109/dsn.2001.941405. ISBN 978-0769511016. S2CID 15860593. Archived (PDF) from the original on April 30, 2017.
  14. ^ Forrest, S.; Somayaji, A.; Ackley, D.H. (1997). Building diverse computer systems (PDF). Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133). IEEE Comput. Soc. Press. pp. 67–72. CiteSeerX 10.1.1.131.3961. doi:10.1109/hotos.1997.595185. ISBN 978-0818678349. S2CID 1332487.
  15. ^ Schulte, Eric; Fry, Zachary P.; Fast, Ethan; Weimer, Westley; Forrest, Stephanie (2013-07-28). "Software mutational robustness" (PDF). Genetic Programming and Evolvable Machines. 15 (3): 281–312. arXiv:1204.4224. doi:10.1007/s10710-013-9195-8. ISSN 1389-2576. S2CID 11520214.
  16. ^ Baudry, Benoit; Allier, Simon; Monperrus, Martin (2014-07-21). "Tailored source code transformations to synthesize computationally diverse program variants". Proceedings of the 2014 International Symposium on Software Testing and Analysis - ISSTA 2014. ACM. pp. 149–159. arXiv:1401.7635. doi:10.1145/2610384.2610415. ISBN 9781450326452. S2CID 215812773 – via HAL Open Science.
  17. ^ "Automated Software Diversity: Sometimes More Isn't Merrier". Galois, Inc. 2018-09-10. Retrieved 2019-02-12.
  18. ^ Harrand, Nicolas; Allier, Simon; Rodriguez-Cancio, Marcelino; Monperrus, Martin; Baudry, Benoit (2019-06-25). "A journey among Java neutral program variants". Genetic Programming and Evolvable Machines. 20 (4): 531–580. arXiv:1901.02533. doi:10.1007/s10710-019-09355-3. ISSN 1389-2576. S2CID 57759345.
  19. ^ Tsoupidi, Rodothea Myrsini; Castañeda Lozano, Roberto; Baudry, Benoit (2020), "Constraint-Based Software Diversification for Efficient Mitigation of Code-Reuse Attacks", Principles and Practice of Constraint Programming, Springer International Publishing, pp. 791–808, doi:10.1007/978-3-030-58475-7_46, ISBN 978-3-030-58474-0, retrieved 2021-08-18
  20. ^ Morin, Brice; Høgenes, Jakob; Song, Hui; Harrand, Nicolas; Baudry, Benoit (2018-10-14). "Engineering Software Diversity: a Model-Based Approach to Systematically Diversify Communications". Proceedings of the 21th ACM/IEEE International Conference on Model Driven Engineering Languages and Systems. Copenhagen Denmark: ACM: 155–165. doi:10.1145/3239372.3239393. ISBN 978-1-4503-4949-9.
  21. ^ Soto-Valero, Cesar; Benelallam, Amine; Harrand, Nicolas; Barais, Olivier; Baudry, Benoit (May 2019). "The Emergence of Software Diversity in Maven Central". 2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR). Montreal, QC, Canada: IEEE: 333–343. arXiv:1903.05394. doi:10.1109/MSR.2019.00059. ISBN 978-1-7281-3412-3.
  22. ^ Gorbenko, Anatoliy; Kharchenko, Vyacheslav; Tarasyuk, Olga; Romanovsky, Alexander (2011), "Using Diversity in Cloud-Based Deployment Environment to Avoid Intrusions", Lecture Notes in Computer Science, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 145–155, doi:10.1007/978-3-642-24124-6_14, ISBN 978-3-642-24123-9
  23. ^ Harrand, Nicolas; Soto-Valero, César; Monperrus, Martin; Baudry, Benoit (2020). "Java decompiler diversity and its application to meta-decompilation". Journal of Systems and Software. 168: 110645. arXiv:2005.11315. doi:10.1016/j.jss.2020.110645. S2CID 218870447.