CON-MVX:一种基于容器技术的多变体执行系统

CON-MVX:A Multi-Variant Execution System Based on Container Technology

多变体执行是一种网络安全防御技术,其利用软件多样性生成等价异构的执行体,将程序输入分发至多个执行体并行执行,通过监控和比较执行体的状态来达到攻击检测的目的。相较于传统的补丁式被动防御技术,多变体执行不依赖于具体的攻击威胁特征进行分析,而是通过构建系统的内生安全能力来对大多数已知、甚至未知的漏洞做出有效防御。近年来,多变体执行技术在不断改进和完善,但是误报问题是制约其发展的主要因素。本文针对多变体执行产生误报的原因进行了详细分析,并在此基础上提出利用容器技术实现多变体执行系统在解决误报问题上的优势。为提升多变体执行技术的可用性,本文设计并实现了一种基于容器技术的多变体执行系统CON-MVX,有效解决传统多变体执行系统的误报问题。CON-MVX利用多个经过运行时随机化技术构建的异构容器作为执行体,使用可重构的模块化组件和独立的容器管理工具对容器执行体进行编排管理,建立进程间监控器CGMon,在内核层级实现对多个执行体的输入同步和输出裁决。同时,为满足与客户端良好交互性,建立中继端口策略,保证系统运行状态的正常反馈。实验结果表明, CON-MVX在保证安全能力的前提下,能有效降低多变体执行系统的误报率,在双冗余度执行条件下使用SPEC CPU 2006测试集测试时,系统带来的平均额外性能损耗不超过15%。

Multi-variant execution(MVX)is a network security defense technology.It uses software diversity to generate equivalent heterogeneous variants,distributes input to several variants for parallel execution,and achieves the purpose of attack detection by monitoring and comparing the states of variants.Compared with traditional patch-type passive defense technology,MVX does not depend on analysis of specific attack threat characteristics,but can effectively defend against most known or even unknown vulnerabilities by establishing the endogenous security capability of the system.In recent years,the MVX technology has been improved and perfected a lot,but the false positive problem is the main factor re-stricting its development.We analyze the causes of the false positive problem of MVX technology in detail,on this basis,we propose the advantages of using container technology to build MVX system in solving the false positive problem.To improve the availability of MVX,we design and implement a container-based MVX system which is called CON-MVX to effectively address the false positive problem of traditional MVX systems.CON-MVX uses multiple heterogeneous con-tainers constructed by runtime randomization as variants,uses reconfigurable modular components and independent con-tainer management tools to arrange and manage container variants,establishes the cross-process monitor which is called CGMon to synchronize the input and verdict the output of several variants at the kernel level.At the same time,a trunk port policy is established to ensure the normal feedback of the system running state in order to meet the favorable interac-tivity with the client.The experimental results show that CON-MVX can effectively reduce the false positive rate of the MVX system under the premise of ensuring the security capability,and the average extra performance loss of the system is less than 15%in our test with SPEC CPU 2006 under the dual redundancy execution condition.