Journal on Communications, 2021, Vol. 42, Issue (9): 1-11. doi: 10.11959/j.issn.1000-436x.2021176
• Academic paper •
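About the author:
MA Bolin (1993− ), male, from Wuqiao, Hebei; PhD candidate at Information Engineering University; main research interest: cyberspace security.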
Bolin MA1, Zheng ZHANG1, Quan REN1, Gaofei ZHANG2, Jiangxing WU1
Revised: 2021-06-20
Online: 2021-09-25
Published: 2021-09-01
Supported by:
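Abstract:
Software redundant execution (SRE) is a common fault-tolerant design method that tolerates software and hardware faults by relying on the random nature of fault occurrence. Software heterogeneous redundant execution (SHRE) builds on SRE by exploiting software diversity: it redundantly executes heterogeneous software replicas that implement the same function and votes on their execution results to resist software vulnerabilities and homogeneity threats. On this basis, a classification method for SHRE systems is proposed and the concept of the security capability of an SHRE system is introduced. Taking into account N-modular redundancy, the I/O operation mode, and the recovery capability of attacked software replicas, the security of SHRE systems with different structures is analyzed. The results show that an SHRE system exhibits the best security capability under triple modular redundancy when attacked software replicas have recovery capability, and that shortening the recovery time of attacked software replicas improves system security.
CLC number: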
Bolin MA, Zheng ZHANG, Quan REN, Gaofei ZHANG, Jiangxing WU. Security capability analysis of software-based heterogeneous redundant execution system[J]. Journal on Communications, 2021, 42(9): 1-11.