N-Variant Systems Framework

From Dependability


A System Structure for Secretless Security

Research Summary

Poster for CyberTrust PIs Meeting, 28 September 2005 (PNG, PDF). Image credit: Thomas Jefferson Foundation

We propose a new approach to software service protection that is based on software system structures which combine monitoring software and tailored program diversity. The resulting systems have two valuable properties that cannot be achieved with previous vulnerability-masking approaches:

  1. their effectiveness does not depend on keeping secrets from adversaries
  2. we can construct proofs that a system cannot be compromised by a class of attacks, no matter what vulnerabilities exist in the server program.

The first property means that adversaries can have complete knowledge of the structure and software of our systems without compromising their security. Thus, insider snooping cannot defeat our protection against outsider-initiated attacks, and the probing and guessing attacks that have been shown to be effective against previously proposed diversity techniques pose no threat to our system.

The second property means that there can be a high level of assurance in the system's coverage of vulnerabilities, based on formal arguments that depend only on clearly stated assumptions about the components of our system structure and place no constraints on the properties of the protected software service.

N-Variant Systems

An instantiation of our idea is the N-Variant System Framework, which provides a general mechanism for detecting and preventing classes of attacks on vulnerable servers. The framework consists of:

  • A polygrapher that replicates input to multiple processes
  • A set of N variant processes
  • A monitor that observes the variants and their outputs.

The variant processes all implement the same service but are constructed to be artificially different in ways that detect attacks. The system runs the variants in parallel, gives each variant identical inputs, and checks that they behave similarly before forwarding the output to the user. Consequently, any attack that cannot simultaneously compromise all the variants in the framework is detected and stopped before secret information is divulged or damage is done to the server. Other defense mechanisms rely on keeping a secret (e.g., a randomization key) from the attacker; our approach provides provable security that does not rely on secrets.
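The structure described above, modelled as an added example (constructed for this page, not code from the N-Variant Systems project): a polygrapher that replicates each request to every variant, two variants of a toy key/value service that keep their stored values in different but publicly known byte representations, and a monitor that forwards output only when all variants agree and halts the service otherwise. The `raw_write` and `simulate_corruption` methods are hypothetical stand-ins for the effect of a memory-corrupting input (the same attacker-chosen bytes landing in every variant's state without going through its representation); they are not part of any real service interface.

```python
from typing import Dict, List, Optional, Tuple

Response = Tuple[str, str]  # (status, payload) returned by one variant


class KVVariant:
    """One variant of a toy key/value service (constructed for this example).

    Variants store values in different, publicly known byte representations
    (variant 0: bytes as-is; variant 1: bitwise complement). On well-formed
    requests every variant decodes back to the same value, so their outputs
    agree. The representations are not secrets; the protection comes from the
    variants differing, not from hiding how they differ."""

    def __init__(self, mask: int) -> None:
        self.mask = mask
        self.store: Dict[str, bytes] = {}

    def _xf(self, data: bytes) -> bytes:
        # XOR with a fixed mask is its own inverse: used for both encode and decode.
        return bytes(b ^ self.mask for b in data)

    def handle(self, request: str) -> Response:
        parts = request.split(" ", 2)
        if parts[0] == "SET" and len(parts) == 3:
            self.store[parts[1]] = self._xf(parts[2].encode("latin-1"))
            return ("OK", "")
        if parts[0] == "GET" and len(parts) == 2:
            raw = self.store.get(parts[1])
            if raw is None:
                return ("ERR", "no such key")
            return ("OK", self._xf(raw).decode("latin-1"))
        return ("ERR", "bad request")

    def raw_write(self, key: str, raw: bytes) -> None:
        # Hypothetical stand-in for a memory-corruption bug: bytes land in the
        # store without passing through this variant's representation.
        self.store[key] = raw


class NVariantSystem:
    """Polygrapher + N variants + monitor, modelled as plain method calls."""

    def __init__(self, variants: List[KVVariant]) -> None:
        if len(variants) < 2:
            raise ValueError("need at least two variants")
        self.variants = variants
        self.halted = False

    def polygrapher(self, request: str) -> List[Response]:
        # Replicate the identical input to every variant. A variant that
        # crashes is still observed: its fault becomes its "response".
        results: List[Response] = []
        for v in self.variants:
            try:
                results.append(v.handle(request))
            except Exception as exc:
                results.append(("FAULT", type(exc).__name__))
        return results

    def monitor(self, results: List[Response]) -> Optional[Response]:
        # Forward output only if all variants behaved identically; otherwise
        # halt the service so nothing from a partly compromised run is sent.
        if all(r == results[0] for r in results[1:]):
            return results[0]
        self.halted = True
        return None

    def handle(self, request: str) -> Optional[Response]:
        if self.halted:
            return None
        return self.monitor(self.polygrapher(request))

    def simulate_corruption(self, key: str, raw: bytes) -> None:
        # Same raw bytes written into every variant, as one corrupting input
        # would do to identically fed processes (constructed fault injection).
        for v in self.variants:
            v.raw_write(key, raw)


def demo() -> Tuple[Optional[Response], Optional[Response], Optional[Response]]:
    system = NVariantSystem([KVVariant(0x00), KVVariant(0xFF)])
    system.handle("SET greeting hello")
    normal = system.handle("GET greeting")              # both variants agree
    system.simulate_corruption("greeting", b"injected")
    after = system.handle("GET greeting")               # variants disagree: blocked
    later = system.handle("GET greeting")               # service stays halted
    return normal, after, later


if __name__ == "__main__":
    print(demo())
```

The detection needs no secret: an adversary who knows both masks still cannot make a single raw write decode to the same value in both variants, so the monitor sees the divergence on the next observable output and stops forwarding. Variants that fault rather than return are treated as divergent for the same reason.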

People

Principal Investigators

Students

  • Benjamin Cox
  • Wei Hu
  • Nathanael Paul
  • Nora Sovarel
  • Dan Williams

Alumni

  • Michael Crane
  • Adrian Filipi

Papers

  • Anh Nguyen-Tuong, David Evans, John C. Knight, Benjamin Cox, Jack W. Davidson
Security through Redundant Data Diversity
International Conference on Dependable Systems and Networks (DSN 2008), June 2008 (PDF)
  • Benjamin Cox, David Evans, Adrian Filipi, Jonathan Rowanhill, Wei Hu, Jack Davidson, John Knight, Anh Nguyen-Tuong, and Jason Hiser
N-Variant Systems: A Secretless Framework for Security through Diversity
15th USENIX Security Symposium, Vancouver, BC, August 2006 (PDF)

Talks

(David Evans). DARPA SRS PIs Meeting, Alexandria, VA. 12 July 2005.
(David Evans). Colloquium at Harvard University. 27 June 2005.

Download Code

Related Projects by the PIs