As an active defenses technique,multivariant execution(MVX)can detect attacks by monitoring the consistency of heterogeneous variants with parallel execution.Compared with patch-style passive defense,MVX can defend ag...As an active defenses technique,multivariant execution(MVX)can detect attacks by monitoring the consistency of heterogeneous variants with parallel execution.Compared with patch-style passive defense,MVX can defend against known and even unknown vulnerability-based attacks without relying on attack feature information.However,variants generated with software diversity technologies will introduce new vulnerabilities when they execute in parallel.First,we analyze the security of MVX theory from the perspective of formal description.Then we summarize the general forms and techniques for attacks against MVX,and analyze the new vulnerabilities arising from the combination of variant generation technologies.We propose SecMVX,a secure MVX architecture and variant generation technology.Experimental evaluations based on CVEs and SPEC 2006 benchmark show that SecMVX introduces 11.29%of the average time overhead,and avoids vulnerabilities caused by the improper combination of variant generation technologies while keeping the defensive ability of MVX.展开更多
Users usually focus on the application-level requirements which are quite friendly and direct to them.However,there are no existing tools automating the application-level requirements to infrastructure provisioning an...Users usually focus on the application-level requirements which are quite friendly and direct to them.However,there are no existing tools automating the application-level requirements to infrastructure provisioning and application deployment.Although some security issues have been solved during the development phase,the undiscovered vulnerabilities remain hidden threats to the application’s security.Cyberspace mimic defense(CMD)technologies can help to enhance the application’s security despite the existence of the vulnerability.In this paper,the concept of SECurity-as-a-Service(SECaaS)is proposed with CMD technologies in cloud environments.The experiment on it was implemented.It is found that the application’s security is greatly improved to meet the user’s security and performance requirements within budgets through SECaaS.The experimental results show that SECaaS can help the users to focus on application-level requirements(monetary costs,required security level,etc.)and automate the process of application orchestration.展开更多
基金National Key Research and Development Program of China(Grant No.2018YF0804003)the National Key Research and Development Program of China under Grant No.2017YFB0803204.
文摘As an active defenses technique,multivariant execution(MVX)can detect attacks by monitoring the consistency of heterogeneous variants with parallel execution.Compared with patch-style passive defense,MVX can defend against known and even unknown vulnerability-based attacks without relying on attack feature information.However,variants generated with software diversity technologies will introduce new vulnerabilities when they execute in parallel.First,we analyze the security of MVX theory from the perspective of formal description.Then we summarize the general forms and techniques for attacks against MVX,and analyze the new vulnerabilities arising from the combination of variant generation technologies.We propose SecMVX,a secure MVX architecture and variant generation technology.Experimental evaluations based on CVEs and SPEC 2006 benchmark show that SecMVX introduces 11.29%of the average time overhead,and avoids vulnerabilities caused by the improper combination of variant generation technologies while keeping the defensive ability of MVX.
基金National Key Research and Development Program of China(2017YFB0803202)Major Scientific Research Project of Zhejiang Lab(No.2018FD0ZX01)+1 种基金National Core Electronic Devices,High-end Generic Chips and Basic Software Major Projects(2017ZX01030301)the National Natural Science Foundation of China(No.61309020)and the National Natural Science Fund for Creative Research Groups Project(No.61521003).
文摘Users usually focus on the application-level requirements which are quite friendly and direct to them.However,there are no existing tools automating the application-level requirements to infrastructure provisioning and application deployment.Although some security issues have been solved during the development phase,the undiscovered vulnerabilities remain hidden threats to the application’s security.Cyberspace mimic defense(CMD)technologies can help to enhance the application’s security despite the existence of the vulnerability.In this paper,the concept of SECurity-as-a-Service(SECaaS)is proposed with CMD technologies in cloud environments.The experiment on it was implemented.It is found that the application’s security is greatly improved to meet the user’s security and performance requirements within budgets through SECaaS.The experimental results show that SECaaS can help the users to focus on application-level requirements(monetary costs,required security level,etc.)and automate the process of application orchestration.
