Runtime Defense against Code Injection Attacks Using Replicated Execution


The number and complexity of attacks on computer systems are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems play an important role in detecting and disrupting attacks before they can compromise software. Multivariant execution is an intrusion detection mechanism that executes several slightly different versions, called variants, of the same program in lockstep. The variants are built to have identical behavior under normal execution conditions. However, when the variants are under attack, there are detectable differences in their execution behavior. At runtime, a monitor compares the behavior of the variants at certain synchronization points and raises an alarm when a discrepancy is detected. We present a monitoring mechanism that does not need any kernel privileges to supervise the variants. Many sources of inconsistencies, including asynchronous signals and scheduling of multithreaded or multiprocess applications, can cause divergence in the behavior of variants. These divergences cause false alarms. We provide solutions to remove these false alarms. Our experiments show that the multivariant execution technique is effective in detecting and preventing code injection attacks. The empirical results demonstrate that dual-variant execution has on average 17 percent performance overhead when deployed on multicore processors.


Existing System

Many techniques have been developed to eliminate vulnerabilities, but none of them provides a complete solution. Multivariant code execution is a runtime monitoring technique that prevents system damage resulting from malicious code execution and addresses the above problems with dynamic detection tools. Multivariant execution protects against malicious code execution attacks by running two or more slightly different versions of the same program, called variants, in lockstep. At defined synchronization points, the behavior of the variants is compared. Divergence in their behavior is an indication of an anomaly and raises an alarm.



•  An obvious drawback of multivariant execution is the extra processing overhead, since at least two variants of the same program must be executed in lockstep to provide the benefits mentioned above.

•  Modern static analysis tools are capable of finding many varieties of programming errors, but a lack of runtime information limits their abilities. Some also have a relatively high false positive rate, making them expensive to use in practice.

•  Dynamic and runtime tools are often not effective because they lack a baseline to use for detection. Also, the performance overhead of sophisticated algorithms used by such runtime tools is often prohibitively high in some production systems.


Proposed system

Our proposed architecture allows running conventional applications without engaging the Multivariant Execution Environment (MVEE). Thus, normal applications can run conventionally on the system, in parallel with security-sensitive applications that are executed on top of the MVEE. Multivariant execution is a monitoring mechanism that controls the states of the variants being executed and verifies that the variants are complying with defined rules. A monitoring agent, or monitor, is responsible for performing the checks and ensuring that no program instance has been corrupted.


•  A major advantage of this approach is that it enables us to detect and prevent a wide range of threats.

•  Multivariant execution is effective even against sophisticated polymorphic and metamorphic viruses and worms.

•  Using this technique, we prevent exploitation of vulnerabilities at runtime.
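The lockstep comparison described above can be illustrated with a small simulation. This is an added example, not code from the MVEE itself. It assumes that the variants differ in memory layout (the `base` values), models each synchronization point as one yielded event, and uses hypothetical event names and a constructed request format.

```python
from itertools import zip_longest

class DivergenceAlarm(Exception):
    """Raised by the monitor when variants disagree at a synchronization point."""

def variant(base, request):
    """Toy variant: a generator that yields one event per synchronization point.

    `base` models a per-variant memory layout (assumption of this example).
    A request may carry an absolute `jump` address, standing in for input
    that redirects control flow.
    """
    handlers = {base + 0x10: "write_response", base + 0x20: "unintended_action"}
    fd = request["fd"]
    yield ("read", fd)
    target = request.get("jump", base + 0x10)  # benign requests use the normal handler
    action = handlers.get(target)
    if action is None:
        return                                 # address invalid in this layout: variant crashes
    yield (action, fd)
    yield ("close", fd)

def monitor(variants):
    """Step all variants in lockstep; return the agreed trace or raise an alarm."""
    trace = []
    for step, events in enumerate(zip_longest(*variants)):
        # A variant that stopped early shows up as None and also counts as divergence.
        if len(set(events)) != 1:
            raise DivergenceAlarm(f"sync point {step}: {events}")
        trace.append(events[0])                # only an agreed event is allowed to proceed
    return trace

def run(request, bases=(0x1000, 0x8000)):
    """Run one request through two variants with different (constructed) layouts."""
    return monitor([variant(b, request) for b in bases])

if __name__ == "__main__":
    print(run({"fd": 3}))                      # benign request: variants agree
    try:
        run({"fd": 3, "jump": 0x1020})         # address crafted for the first layout only
    except DivergenceAlarm as alarm:
        print("ALARM:", alarm)
```

An absolute address that is meaningful in one variant's layout is invalid in the other, so the two variants reach different events at the same synchronization point and the monitor stops before the divergent action is carried out.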
