Multi-variant execution is a technique that detects attacks by running heterogeneous redundant variants in parallel. As an active defense technique, multi-variant execution (MVX) uncovers attack behaviour through consistency checks between the heterogeneous variants executing side by side. Compared with patch-style passive defense, MVX can defend against known and even unknown vulnerability threats without relying on attack signature information, and therefore has broad application prospects in cyber security. In practical deployments, however, the boundary of the multi-variant execution architecture is unclear: random numbers, process PIDs and similar values are passively drawn into the voting scope, producing false positives and preventing MVX from being compatible with a wider range of software systems. This paper analyzes the causes of the false-positive problem in multi-variant execution and proposes I-MVX, a compiler-supported integrated multi-variant execution architecture consisting of a multi-variant synchronization programming framework and a runtime synchronization module. By adding a small number of pragmas, I-MVX instruments and marks, at compile time, the code and variables inside the program that cause false positives; at run time, a monitor synchronizes the variables and resources both inside and outside the variant processes, eliminating the false positives of multi-variant execution. We design and implement the I-MVX compiler and synchronization monitor on top of the LLVM/Clang compiler and a Linux loadable kernel module. Performance evaluation shows that I-MVX introduces average overheads of 2.13% on the SPEC 2006 benchmark suite and 13.2% on the tinyhttpd test program. The integrated multi-variant execution architecture thus resolves the false-positive problem of multi-variant execution at the cost of a small performance loss and improves its usability. Security tests based on real CVE vulnerabilities show that I-MVX improves the compatibility of multi-variant execution while preserving the effectiveness of its security defense.
Keywords: multi-variant execution; compiler pragma; cyberspace security
Design and Implementation of Integrated Multi-Variant Execution Supported by Compiler
LI Bingzheng, ZHANG Zheng, MA Bolin, XING Fukang, WU Jiangxing
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China
Multi-variant execution (MVX) is a technique in which heterogeneous redundant variants are executed in parallel to detect attacks. As an active defense technique, MVX detects attacks by monitoring the consistency of heterogeneous variants that execute in parallel. Compared with patch-style passive defense, MVX can defend against known and even unknown vulnerabilities without relying on attack signature information, which gives it broad application prospects in the field of cyberspace security. However, in actual deployments of an MVX framework, the boundary of multi-variant execution is unclear: random numbers, process PIDs and similar values are passively included in the voting range, resulting in false alarms that prevent some software systems from running under the MVX framework. We analyze the causes of the false-positive problem of MVX and propose I-MVX, a compiler-supported MVX framework that consists of an MVX synchronization programming framework and a runtime synchronization module. The I-MVX framework adds a small number of pragmas so that the code and variables which cause false positives are instrumented during the compilation phase. At runtime, the monitor synchronizes the variables and resources from inside and outside the variant processes to eliminate false alarms in the MVX framework. Based on the LLVM/Clang compiler and a Linux loadable kernel module, we design and implement the I-MVX compiler and synchronization monitor respectively. Performance evaluation indicates that the average overhead introduced by I-MVX under the SPEC 2006 benchmark and the Tinyhttpd program is 2.13% and 13.2%, respectively. At the cost of a small performance loss, the integrated multi-variant execution framework effectively solves the false-positive problem of MVX and improves the usability of the MVX framework. Security experiments based on real CVE vulnerabilities show that I-MVX improves the compatibility of multi-variant execution while ensuring the effectiveness of its security defense.
Key words: multi-variant execution; compiler pragma; cyberspace security
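The false-positive mechanism described in the abstract, and the effect of synchronizing the marked values, can be shown in a small user-space simulation. The following is an added example written for this page, not the I-MVX compiler or monitor code: the `sync_slot_t` record-and-replay hook, the constructed PIDs and nonces, and the string-trace stand-in for system-call arguments are all assumptions made for illustration. Two "variants" build a session identifier from their PID and a random nonce and emit it; without synchronization the monitor's vote flags the differing identifiers as an attack (a false positive), with the values synchronized the vote passes, and a genuinely divergent output from one variant is still caught.

```c
/* Added example: simulating MVX voting with and without synchronizing
 * non-deterministic values. Not the paper's I-MVX implementation. */
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 16

/* A variant's externally visible behaviour, modelled as a trace of strings
 * standing in for the arguments of output system calls (write/send). */
typedef struct {
    int n;
    char events[MAX_EVENTS][64];
} trace_t;

/* Monitor-side slot for a value marked for synchronization (assumed
 * record-and-replay model): the first variant to ask publishes its value,
 * later variants replay it. */
typedef struct {
    int have_value;
    long value;
} sync_slot_t;

/* Stand-in for a variable the compiler would tag with a pragma, such as a
 * PID or random nonce. slot == NULL models an unmarked variable: each
 * variant keeps its own value, so the variants diverge. */
static long nondet_value(long own_value, sync_slot_t *slot) {
    if (slot == NULL) return own_value;
    if (!slot->have_value) {          /* leader: record */
        slot->value = own_value;
        slot->have_value = 1;
    }
    return slot->value;               /* follower: replay */
}

/* Application logic run identically by both variants: derive a session id
 * from the PID and a nonce, send it, then send an acknowledgement. */
static void run_variant(trace_t *t, long pid, long nonce,
                        sync_slot_t *pid_slot, sync_slot_t *nonce_slot) {
    long p = nondet_value(pid, pid_slot);
    long r = nondet_value(nonce, nonce_slot);
    t->n = 0;
    snprintf(t->events[t->n++], 64, "send:session=%ld-%ld", p, r);
    snprintf(t->events[t->n++], 64, "send:ok");
}

/* Monitor vote: 0 means the traces agree; otherwise the 1-based index of
 * the first event at which the variants diverge. */
static int vote(const trace_t *a, const trace_t *b) {
    int n = a->n < b->n ? a->n : b->n;
    for (int i = 0; i < n; i++)
        if (strcmp(a->events[i], b->events[i]) != 0) return i + 1;
    return a->n == b->n ? 0 : n + 1;
}

/* Unmarked PID/nonce (constructed values 1001/0x1234 and 1002/0x5678):
 * the session ids differ and the vote reports a divergence at event 1,
 * i.e. a false positive. */
int run_unsynced(void) {
    trace_t a, b;
    run_variant(&a, 1001, 0x1234, NULL, NULL);
    run_variant(&b, 1002, 0x5678, NULL, NULL);
    return vote(&a, &b);
}

/* Same inputs, but the PID and nonce are marked: the follower replays the
 * leader's values and the traces agree. */
int run_synced(void) {
    trace_t a, b;
    sync_slot_t pid_slot = {0}, nonce_slot = {0};
    run_variant(&a, 1001, 0x1234, &pid_slot, &nonce_slot);
    run_variant(&b, 1002, 0x5678, &pid_slot, &nonce_slot);
    return vote(&a, &b);
}

/* A real divergence must still be detected after synchronization: here
 * variant B's second output is overwritten to simulate a compromised
 * variant, and the vote reports event 2. */
int run_attack(void) {
    trace_t a, b;
    sync_slot_t pid_slot = {0}, nonce_slot = {0};
    run_variant(&a, 1001, 0x1234, &pid_slot, &nonce_slot);
    run_variant(&b, 1002, 0x5678, &pid_slot, &nonce_slot);
    snprintf(b.events[1], 64, "send:/etc/passwd");   /* simulated compromise */
    return vote(&a, &b);
}

int main(void) {
    printf("unsynced vote: %d (false positive)\n", run_unsynced());
    printf("synced vote:   %d (consistent)\n", run_synced());
    printf("attack vote:   %d (real divergence)\n", run_attack());
    return 0;
}
```

The point of the third case is the practitioner's check on any such synchronization scheme: marking a value removes it from the voting scope, so the set of marked values must be kept to genuinely non-deterministic inputs, or an attacker who controls a marked variable would have it replayed to every variant and escape the vote.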