Detecting Attacks Using Program Alternatives and ELKVM
Marta Tasic
TU Dresden
Master's thesis defense
Buffer overflow is known to be the most common form of vulnerability in software that
allows attackers to hijack a system by feeding a specially crafted input to a vulnerable
application running on it. Many techniques have been developed to prevent an intrusion,
but none of them provide an ultimate solution. Multi-variant execution involves running
several slightly different versions of a program in parallel. Discrepancies in the execution of
the variants indicate an attack. I develop a multi-variant execution environment with the
help of the ELKVM library. I implement a multi-variant execution monitor which produces
variants for a given application using custom program diversification techniques and
runs them while comparing their behavior. The monitor runs as a Linux user-space
application. It provides security to the application against many buffer-overflow-based
attacks with a geometric-mean performance degradation of 18.2%, commonly affordable
for security-sensitive applications.
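
The comparison step described above, as an added sketch that is not code from the thesis or from ELKVM. It assumes that "behavior" means the sequence of system calls and that pointer arguments are compared by the data they point to; the trace format, function names and sample traces are constructed for illustration.

```python
from itertools import zip_longest

# Constructed trace format: (syscall name, args). A pointer argument is tagged
# ("ptr", address, pointed_to_bytes), because diversified variants legitimately
# place the same data at different addresses.
def normalize(call):
    """Drop variant-specific addresses; keep name, scalars and pointed-to bytes."""
    if call is None:  # this variant's trace has already ended (e.g. it crashed)
        return None
    name, args = call
    return name, tuple(a[2] if isinstance(a, tuple) and a[0] == "ptr" else a
                       for a in args)

def first_divergence(traces):
    """Compare variant traces in lockstep.

    Returns None when all variants agree, otherwise
    (index, [normalized call of each variant at that index]).
    """
    for i, calls in enumerate(zip_longest(*traces)):
        norm = [normalize(c) for c in calls]
        if any(n != norm[0] for n in norm[1:]):
            return i, norm
    return None

# Constructed sample traces. Benign run: same behavior, different stack address.
BENIGN_A = [("read", (0, ("ptr", 0x7FFD1000, b"hello\n"), 256)),
            ("write", (1, ("ptr", 0x7FFD1000, b"hello\n"), 6)),
            ("exit_group", (0,))]
BENIGN_B = [("read", (0, ("ptr", 0x7FFE9000, b"hello\n"), 256)),
            ("write", (1, ("ptr", 0x7FFE9000, b"hello\n"), 6)),
            ("exit_group", (0,))]

# Overflowing input: variant A is hijacked into an unexpected execve, while in
# variant B the same bytes do not fit its layout and the trace ends in a crash.
PAYLOAD = b"A" * 80
ATTACK_A = [("read", (0, ("ptr", 0x7FFD1000, PAYLOAD), 256)),
            ("execve", (("ptr", 0x7FFD1040, b"/bin/sh"),))]
ATTACK_B = [("read", (0, ("ptr", 0x7FFE9000, PAYLOAD), 256))]

if __name__ == "__main__":
    print("benign:", first_divergence([BENIGN_A, BENIGN_B]))
    print("attack:", first_divergence([ATTACK_A, ATTACK_B]))
```

Comparing raw pointer values instead would flag every benign run, since the variants differ in layout by design.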