Runtime Defense against Code Injection Attacks Using Replicated Execution

The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection me...

Bibliographic details
Published in: IEEE transactions on dependable and secure computing 2011-07, Vol.8 (4), p.588-601
Main authors: Salamat, B, Jackson, T, Wagner, G, Wimmer, C, Franz, M
Format: Article
Language: eng
container_end_page 601
container_issue 4
container_start_page 588
container_title IEEE transactions on dependable and secure computing
container_volume 8
creator Salamat, B
Jackson, T
Wagner, G
Wimmer, C
Franz, M
description The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multithreaded or multiprocess applications, can cause divergence in behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multivariant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multicore processors.
doi_str_mv 10.1109/TDSC.2011.18
format Article
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2011-07, Vol.8 (4), p.588-601
issn 1545-5971
1941-0018
language eng
recordid cdi_ieee_primary_5714703
source IEEE Electronic Library (IEL)
subjects Analysis
Computer networks
Computer programming
Computer programs
Digital Object Identifier
False alarms
Intrusion
Intrusion detection
Intrusion detection systems
Kernel
Monitoring
Monitors
Multicore processing
multivariant execution
n-variant execution
Network security
Operating systems
Processors
Psychological effects
Security
Software
Studies
Synchronism
Synchronization
system call
Writing
title Runtime Defense against Code Injection Attacks Using Replicated Execution