Building the Next Generation of Security Focused NVX Systems: Overcoming Limitations of N-Variant Execution
- Author(s): Voulimeneas, Alexios
- Advisor(s): Michael, Franz
- et al.
N-Variant Execution (NVX) systems utilize artificial diversity techniques to enhance software security. The general idea is to run multiple different variants of the same program alongside each other while monitoring their run-time behavior. If a malicious input causes the execution paths of the diversified variants to diverge, the monitor can detect divergences, e.g. at the system call level, and take defensive action.
Several NVX systems have been proposed over the last two decades, providing different security/performance characteristics. In general, security-oriented NVX systems greatly degrade performance, while high performance NVX systems have two disadvantages; they significantly increase the size of the Trusted Computing Base (TCB) or sacrifice security. In this dissertation, we want to investigate if it is possible to build an alternative NVX design that unifies the strengths of existing approaches.
Security-oriented NVX systems are considered strong defenses that protect against a variety of attacks. However, a subset of modern attacks have the potential to bypass existing NVX systems. We identify limited available diversity as the main reason for that. Existing NVX systems execute diversified program variants on a single host. This means that the level of inter-variant diversity will be limited to what a single platform can offer.
The main focus of this dissertation is to investigate the possibility of building the first distributed heterogeneous NVX system that executes program variants across multiple heterogeneous hosts. This approach can increase the level of internal diversity between the simultaneously running variants that can be supported, encompassing different instruction sets, endianness, calling conventions, system call interfaces, and differences in hardware security features. We expect that new challenges will arise from the distributed and heterogeneous nature of this design, however we believe that we will be able to provide sufficient solutions.