The document proposes a technique called "synthetic diversity" to increase the resilience of software systems against cyber attacks by breaking vulnerability specifications (V-SPECs) that attackers rely on without affecting legitimate assumptions about program behavior. It analyzes how attackers identify and exploit specific vulnerabilities in widely used software. The approach transforms executable code in ways that alter interface conventions and make injected attack code unable to function while preserving correct program execution. This breaks the V-SPEC an attack relies on while keeping the author-intended specification (A-SPEC) intact. The goal is to induce transformations that are V-SPEC variant but A-SPEC invariant.
The document proposes a technique called "synthetic diversity" to increase the resilience of software systems against cyber attacks by breaking vulnerability specifications (V-SPECs) that attackers rely on without affecting legitimate assumptions about program behavior. It analyzes how attackers identify and exploit specific vulnerabilities in widely used software. The approach transforms executable code in ways that alter interface conventions and make injected attack code unable to function while preserving correct program execution. This breaks the V-SPEC an attack relies on while keeping the author-intended specification (A-SPEC) intact. The goal is to induce transformations that are V-SPEC variant but A-SPEC invariant.
The document proposes a technique called "synthetic diversity" to increase the resilience of software systems against cyber attacks by breaking vulnerability specifications (V-SPECs) that attackers rely on without affecting legitimate assumptions about program behavior. It analyzes how attackers identify and exploit specific vulnerabilities in widely used software. The approach transforms executable code in ways that alter interface conventions and make injected attack code unable to function while preserving correct program execution. This breaks the V-SPEC an attack relies on while keeping the author-intended specification (A-SPEC) intact. The goal is to induce transformations that are V-SPEC variant but A-SPEC invariant.
Global InfoTek, Inc. Global InfoTek, Inc. jjust@globalinfotek.com mcornwell@globalinfotek.com
Abstract viewing specifications as objects that capture
The increasing monoculture in operating systems and assumptions about software. Specifications are more key applications and the enormous expense of N-version abstract than the programs themselves, because many programming for custom applications mean that lack of different programs may implement the same diversity is a fundamental barrier to achieving specification. A tenet of software engineering is that any survivability even for high value systems that can afford program that uses another program should only uses the hot spares. We propose synthetic diversity, implemented assumptions that are allowed by the specification. at the executable code level, to reduce the common mode The author of any wide-spread attack, such as Code failure problem in COTS applications potentially by Red, must identify the specific vulnerability details in a several orders of magnitude. We analyze vulnerabilities widely deployed application and how to exploit that to identify those potentially affected by diversity and vulnerability in an attack. Details are important because examine key assumptions used in developing successful most attacks are executable code and every bit counts. attacks against those vulnerabilities. There are enough For example, the author might look for a flaw such as a techniques for producing synthetic diversity in the buffer overrun that allows one to write data into the literature that the approach is feasible. runtime stack or heap. He must then identify specific locations that are branching addresses and exploit them 1. Introduction to point to his injected code. This injected code must find and execute system calls at the binary level to access There is a great desire for affordable, robust systems system resources, talk over the network, propagate itself that respond automatically to accidental and deliberate further, and do whatever other tasks the author intends. faults. The current state of the art employs fault- These details can be viewed as a Vulnerability tolerance technologies for accidental faults and errors Specification or V-SPEC from the perspective of the and intrusion-tolerance technologies for malicious, attacker. A program that supports the assumptions of the intentional faults caused by an intelligent adversary. V-SPEC is vulnerable to that attack. Programs not Combining fault- and intrusion-tolerance technologies supporting the V-SPEC are invulnerable to that particular can produce very robust and survivable systems, but such attack. This is illustrated below. systems have an Achilles heel. Their robust performance Software
depends upon the continued existence of spare resources Current Specification
for failover. Spare resources can be depleted by a Attack Source
determined adversary simply by continued attacks until Code the system can no longer maintain critical functionality. Problem Known Executable V-Spec Code 2. Breaking Vulnerability Specifications Vu ln er Linker ab Binary code is the main integration point for software ili ty Loader
on specific operating systems (Windows/Solaris/ Linux)
and hardware architectures (Intel/Sparc). Binaries Attack Machine-level Code provide common interfaces (abstract machines) that Machine Code interpret code according to highly specific rules and Specification conventions like run-time environment management, calling library routines, or addressing in-memory tables. Our approach transforms programs in ways that break We suggest an approach to synthetic diversity that the V-SPEC, without affecting legitimate assumptions randomizes critical information in the binary to alter the about program behavior, which we refer to as the A- interface and representation conventions in such a way SPEC. It is not necessary that we know the precise A- that injected code no longer functions and existing code SPEC in order to make use of the concept. We merely is no longer reachable. Such transformations can be need confidence that, after applying transformations, the discussed in the language of software verification by runtime executable still conforms to the A-SPEC. For example, if random sized blocks of information are 10 inc ebx ; Increment by 1 11 dec ebx ; Decrement by 1 pushed onto the stack to make stack locations harder to 12 inc ebx ; Increment by 1 predict, legitimate programs be affected by such things. 13 dec ebx ; Decrement by 1 14 mov ecx, [ebp-1B4h] ; load ecx with ebp-1b4 In our terminology, ideal diversity inducing 15 mov [ebp+ecx*4-174h], eax ; load the address into transformations will have the property that they are both the ebp stack where needed V-SPEC variant and A-SPEC invariant. Once RVA techniques are used to get the address of GetProcAddress, GetProcAddress is used to get the Software Specification address of LoadLibraryA (not illustrated above). The Breaking worm uses these two functions to load kernel32.DLL, Transform infocomm.DLL and WS2_32.DLL enabling it to access the V-Spec Source Code Specifications the file system, open network sockets and send and receive network packets. The worm is making many Known Executable V-Spec Code assumptions about how to interact with the Windows Vu ln operating system and these assumptions are sensitive to er Transformer particular types of code transformations. ab Machine-level ili Machine-level Linker ty ?? Code Machine-level Machine-level Code Loader We extensively reviewed the literature for Code Machine-level Code Machine-level Machine-level Code transformations that are applicable to executable code Code Machine-level Code Machine-level Attack X Machine-level Code Code Machine-level Code Machine-level and concluded that our approach is feasible. Consider the Doesnt Match Machine-level Code Machine-levelCode Machine Code following mechanical transformations: Code Code Specification Re-arrange the run-time stack V-Spec Unknown Until Load-Time Permute the addresses in the jump table Change the machine code (table transformation) 3. Illustrative Example Change the interpretation of (encrypt) filenames Change the order of parameters for system calls Most of the recent large-scale cyber-attacks have been Encrypt file name parameters to system calls worms that relied on buffer overflow vulnerabilities in Rename ports for network connections widely deployed Windows applications. The current Windows monoculture gives even casual attackers, Put return pointers on a separate stack armed with buffer overflow attack code, the potential to Any one of these transformations could break Code break into essentially every vulnerable computer Red. For example, if we changed the order of connected to the network. This enormous reach provided parameters to GetProcAddress, the order of the push to the attacker can adversely affect the network itself, operations at lines 4 and 6 would be invalid. We would overloading links and cause routing table instabilities. have prevented Code Red from resolving the addresses it The Code Red I worm has been studied extensively. It needs to call socket, connect, send, recv, TcpSockSend, is a single http GET transaction that exploits a buffer etc. When the call at line 7 is performed, with high overflow vulnerability in the Index Server resource to probability the call would fail with an invalid opcode or execute arbitrary code. The following selection of addressing exception as it attempted to execute the disassembled code shows some of the techniques and relative virtual address table. assumptions used by the worm writer1. The technique illustrated is called RVA (Relative Virtual Address) 4. Conclusions and Next Steps lookup2. The disassembled code is on the left of the listing below and the eEye Digital Security annotations Program diversity through randomized program to each line are on the right. Lines 09 through 13 below transformation harnesses powerful theoretical techniques have no net effect and are used for padding. to introduce much needed diversity into modern 01 loc_4B4: ; CODE XREF: DO_RVA+26D j networks3. Our concept for a synthetic diversity system 02 mov esi, esp 03 mov ecx, [ebp-198h]; set ecx with the data focuses on breaking the vulnerability specifications that segment pointer successful attacks depend on. We believe the potential 04 push ecx; push data segment (pointer of function to load) for practical application of these techniques is high. 05 mov edx, [ebp-1CCh]; get current RVA base offset 06 push edx; push module handle(base loaded address) 3 07 call dword ptr [ebp-190h]; call GetProcAddress Diversity is not a panacea for cyber-attack problems. Many 08 cmp esi, esp ; Compare Two Operands vulnerabilities cannot be mitigated by diversity, e.g., weak passwords, 09 nop ; No Operation cross site scripting attacks, and denial of service. However, diversity at the level of interpreting scripting languages can be effective in 1 Excerpted from Code Red Disassembly Analysis, Ryan Permeh, analogous ways [See [Kc-03] Gaurav S. Kc, Angelos D. Keromytis, Marc Maiffret, at http://www.eeye.com/html/advisories/codered.zip. Vassilis Prevelakis, Countering Code-Injection Attacks with 2 For more details on RVA, check documentation on Portable Instruction-Set Randomization ACM Conference on Computer and Executable (PE), the executable file format for Microsoft platforms. Communications Security, October 27, 2003, Washington DC