software diversity
Software diversity is a research field about the comprehension and engineering of diversity in the context of software.
Areas
The different areas of software diversity are discussed in surveys on diversity for fault-tolerance{{Cite book|last1=Deswarte|first1=Y.|last2=Kanoun|first2=K.|last3=Laprie|first3=J.-C.|title=Proceedings Computer Security, Dependability, and Assurance: From Needs to Solutions (Cat. No.98EX358) |chapter=Diversity against accidental and deliberate faults |pages=171–181|language=en-US|publisher=IEEE Comput. Soc|doi=10.1109/csda.1998.798364|isbn=978-0769503370|date=July 1998|citeseerx=10.1.1.27.9420|s2cid=5597924}} or for security.{{Citation|last=Knight|first=John C.|date=2011|pages=298–312|publisher=Springer Berlin Heidelberg|language=en|doi=10.1007/978-3-642-24541-1_23|isbn=9783642245404|title=Dependable and Historic Computing|volume=6875|series=Lecture Notes in Computer Science|chapter=Diversity}}{{Cite book|last1=Just|first1=James E.|last2=Cornwell|first2=Mark|title=Proceedings of the 2004 ACM workshop on Rapid malcode |chapter=Review and analysis of synthetic diversity for breaking monocultures |date=2004-10-29|publisher=ACM|pages=23–32|doi=10.1145/1029618.1029623|isbn=978-1581139709|citeseerx=10.1.1.76.3691|s2cid=358885}}
The main areas are:
- design diversity, n-version programming, data diversity for fault tolerance
- randomization
- software variability{{Cite journal|last1=Schaefer|first1=Ina|last2=Rabiser|first2=Rick|last3=Clarke|first3=Dave|last4=Bettini|first4=Lorenzo|last5=Benavides|first5=David|last6=Botterweck|first6=Goetz|last7=Pathak|first7=Animesh|last8=Trujillo|first8=Salvador|last9=Villela|first9=Karina|date=2012-07-28|title=Software diversity: state of the art and perspectives|journal=International Journal on Software Tools for Technology Transfer|language=en|volume=14|issue=5|pages=477–495|doi=10.1007/s10009-012-0253-y|issn=1433-2779|citeseerx=10.1.1.645.1960|s2cid=7347285}}
Techniques
= Code transformations =
It is possible to amplify software diversity through automated transformation processes that create synthetic diversity. A "multicompiler" is a compiler that embeds a diversification engine.{{Cite web|url=https://galois.com/blog/2018/09/protecting-applications-with-automated-software-diversity/|title=Protecting Applications with Automated Software Diversity|date=2018-09-10|website=Galois, Inc.|access-date=2019-02-12}} A multi-variant execution environment (MVEE) is responsible for selecting the variant to execute and comparing the output.{{Citation|last1=Coppens|first1=Bart|title=Multi-variant execution environments|date=2018-03-01|work=The Continuing Arms Race: Code-Reuse Attacks and Defenses|pages=211–258|publisher=ACM|isbn=9781970001839|last2=De Sutter|first2=Bjorn|last3=Volckaert|first3=Stijn|doi=10.1145/3129743.3129752|s2cid=189007860 }}
Fred Cohen was among the very early promoters of such an approach. He proposed a series of rewriting and code reordering transformations that aim at producing massive quantities of different versions of operating system functions.{{Cite journal|last=Cohen|first=Frederick B.|date=1993|title=Operating system protection through program evolution|url=http://all.net/books/tech/evolve.pdf|journal=Computers & Security|volume=12|issue=6|pages=565–584|doi=10.1016/0167-4048(93)90054-9|issn=0167-4048}} These ideas have been developed over the years and have led to the construction of integrated obfuscation schemes to protect key functions in large software systems.{{Cite book|last1=Chenxi Wang|last2=Davidson|first2=J.|last3=Hill|first3=J.|last4=Knight|first4=J.|title=Proceedings International Conference on Dependable Systems and Networks |chapter=Protection of software-based survivability mechanisms |url=http://apps.dtic.mil/dtic/tr/fulltext/u2/a466288.pdf|archive-url=https://web.archive.org/web/20170430174552/http://www.dtic.mil/dtic/tr/fulltext/u2/a466288.pdf|url-status=live|archive-date=April 30, 2017|language=en-US|publisher=IEEE Comput. Soc|pages=193–202|doi=10.1109/dsn.2001.941405|isbn=978-0769511016|year=2001|citeseerx=10.1.1.1.7416|s2cid=15860593}}
Another approach to increasing software diversity for protection consists in adding randomness to certain core processes, such as memory loading. Randomness implies that all versions of the same program run differently from each other, which in turn creates a diversity of program behaviors. This idea was initially proposed and experimented with by Stephanie Forrest and her colleagues.{{Cite book|last1=Forrest|first1=S.|last2=Somayaji|first2=A.|last3=Ackley|first3=D.H.|title=Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133) |chapter=Building diverse computer systems |url=https://www.cs.unm.edu/~forrest/publications/old-hotos-97.pdf|language=en-US|publisher=IEEE Comput. Soc. Press|pages=67–72|doi=10.1109/hotos.1997.595185|isbn=978-0818678349|year=1997|citeseerx=10.1.1.131.3961|s2cid=1332487}}
Recent work on automatic software diversity explores different forms of program transformations that slightly vary the behavior of programs. The goal is to evolve one program into a population of diverse programs that all provide similar services to users, but with different code.{{Cite journal|last1=Schulte|first1=Eric|last2=Fry|first2=Zachary P.|last3=Fast|first3=Ethan|last4=Weimer|first4=Westley|last5=Forrest|first5=Stephanie|date=2013-07-28|title=Software mutational robustness|url=http://www.cs.virginia.edu/~zpf5a/papers/Schulte_mutation.pdf|journal=Genetic Programming and Evolvable Machines|language=en|volume=15|issue=3|pages=281–312|doi=10.1007/s10710-013-9195-8|issn=1389-2576|arxiv=1204.4224|s2cid=11520214}} This diversity of code enhances the protection of users against a single attack that could crash all programs at the same time.
Transformation operators include:{{Cite web|url=https://galois.com/blog/2018/09/automated-software-diversity-sometimes-more-isnt-merrier/|title=Automated Software Diversity: Sometimes More Isn't Merrier|date=2018-09-10|website=Galois, Inc.|access-date=2019-02-12}}
- code layout randomization: reorder functions in code
- globals layout randomization: reorder and pad globals
- stack variable randomization: reorder variables in each stack frame
- heap layout randomization
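The following added example (not taken from the cited sources or from any multicompiler or MVEE project) combines two ideas described above: globals layout randomization producing per-seed variants, and an MVEE-style monitor that runs the variants on the same input and compares their output. It uses a toy byte-array memory model; the globals, function names and inputs are constructed for illustration.

```python
import random

# Constructed example globals: (name, size in bytes). "buf" is copied into unchecked.
GLOBALS = [("buf", 8), ("is_admin", 1), ("counter", 4)]

def diversify(seed, max_pad=8):
    """Globals layout randomization: reorder and pad globals from a per-variant seed."""
    rng = random.Random(seed)
    order = GLOBALS[:]
    rng.shuffle(order)
    offsets, cursor = {}, 0
    for name, size in order:
        cursor += rng.randint(0, max_pad)  # random padding before each global
        offsets[name] = cursor
        cursor += size
    return offsets, cursor

def run_variant(seed, data):
    """Toy program: unchecked copy of `data` into buf, then report the other globals."""
    offsets, size = diversify(seed)
    mem = bytearray(size + len(data))  # slack keeps the overrun inside the toy memory
    start = offsets["buf"]
    mem[start:start + len(data)] = data  # the defect: no check against buf's 8 bytes
    admin = mem[offsets["is_admin"]]
    c = offsets["counter"]
    counter = int.from_bytes(mem[c:c + 4], "little")
    return admin, counter

def monitor(seeds, data):
    """MVEE-style check: run every variant on the same input and compare outputs."""
    outputs = {seed: run_variant(seed, data) for seed in seeds}
    if len(set(outputs.values())) == 1:
        return "agree", next(iter(outputs.values()))
    return "divergence", None  # fail-stop: no variant's output is released

if __name__ == "__main__":
    seeds = range(32)
    print(monitor(seeds, b"hello"))   # input fits in buf: all variants agree
    print(monitor(seeds, b"A" * 64))  # input overruns buf: layouts make outputs differ
```

Inputs that stay within `buf` produce identical output in every variant, while an overrun corrupts different globals in different layouts, which is the signal the monitor uses to stop.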
= Natural software diversity =
It is known that some functionalities are available in multiple interchangeable implementations. This natural diversity can be exploited; for example, it has been shown to be valuable for increasing security in cloud systems.{{Citation|last1=Gorbenko|first1=Anatoliy|title=Using Diversity in Cloud-Based Deployment Environment to Avoid Intrusions|date=2011|pages=145–155|place=Berlin, Heidelberg|publisher=Springer Berlin Heidelberg|isbn=978-3-642-24123-9|last2=Kharchenko|first2=Vyacheslav|last3=Tarasyuk|first3=Olga|last4=Romanovsky|first4=Alexander|series=Lecture Notes in Computer Science |volume=6968 |doi=10.1007/978-3-642-24124-6_14}}