软件异构冗余执行系统的安全能力分析

doi:10.11959/j.issn.1000-436x.2021176

摘要/Abstract

摘要：

软件冗余执行（SRE）基于故障随机发生的性质，实现对软硬件故障的容错处理，是常见的容错设计方法。软件异构冗余执行（SHRE）则在SRE的基础上利用软件多样化特征，通过冗余执行相同功能的异构软件副本，表决执行结果来抵御软件漏洞和同质化威胁。基于此，提出了SHRE系统的分类方法，引入了SHRE系统的安全能力概念，考虑N模冗余、I/O操作模式以及受攻击软件副本的恢复能力，分析了不同结构SHRE系统的安全性。分析结果显示，SHRE系统在三模冗余且受攻击软件副本具备恢复能力的情况下安全能力表现最好，缩短受攻击软件副本的恢复时间能够提高系统安全性。

关键词: 软件异构冗余执行, 软件漏洞和同质化, 安全能力

Abstract:

Software-based redundant execution (SRE) is a popular fault-tolerant design method which makes use of faults occurring randomly to achieve fault-tolerance.Software-based heterogeneous redundant execution (SHRE) uses heterogeneous redundant software replicas with identical function based on SRE and diversity of software.By comparing the results of heterogeneous redundant software replicas, SHRE can resist threats from software vulnerabilities and homogenization.The classification method of SHRE was proposed, and the security capability of SHRE was introduced.Based on N-modular redundancy, I/O operation mode and the recovery capability of attacked software replica, resistance to attack of different structures were analyzed.The analysis shows that the security capability of SHRE performs best when it is triple-mode redundancy architecture and attacked software replica can be recovered.Besides, by shortening the recovery time of attacked software replica, security to SHRE can be improved.

Key words: software-based heterogeneous redundant execution, software vulnerabilities and homogenization, security capability

中图分类号:

TP393

马博林, 张铮, 任权, 张高斐, 邬江兴. 软件异构冗余执行系统的安全能力分析[J]. 通信学报, 2021, 42(9): 1-11.

Bolin MA, Zheng ZHANG, Quan REN, Gaofei ZHANG, Jiangxing WU. Security capability analysis of software-based heterogeneous redundant execution system[J]. Journal on Communications, 2021, 42(9): 1-11.

图/表 9

图1

图2

图3

表1

图4

图5

图6

图7

图8

参考文献 39

[1]	ZHANG Y G , VIN H , ALVISI L ,et al. Heterogeneous networking:a new survivability paradigm[C]// Proceedings of The 2001 Workshop on New Security Paradigms. New York:ACM Press, 2001: 33-39.
[2]	STAMP M . Risks of monoculture[J]. Communications of the ACM, 2004,47(3): 120.
[3]	CHEN Y S , CHEN P S . A software-based redundant execution programming model for transient fault detection and correction[C]// 2016 45th International Conference on Parallel Processing Workshops (ICPPW). Piscataway:IEEE Press, 2016: 66-71.
[4]	吴斌, 高珑 . 软件双冗余容错系统的容错能力和性能分析[J]. 计算机研究与发展, 2009,46(z2): 129-136.
	WU B , GAO L . Fault tolerance and performance analysis of software double redundant implemented hardware fault tolerance[J]. Journal of Computer Research and Development, 2009,46(z2): 129-136.
[5]	JUST J E , CORNWELL M . Review and analysis of synthetic diversity for breaking monocultures[C]// Proceedings of the 2004 ACM Workshop on Rapid Malcode. New York:ACM Press, 2004: 23-32.
[6]	KOREN I , SU S . Reliability analysis of N-modular redundancy systems with intermittent and permanent faults[J]. IEEE Transactions on Computers, 1979,28(7): 514-520.
[7]	JEON H , ANNAVARAM M . Warped-DMR:light-weight error detection for GPGPU[C]// 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture. Piscataway:IEEE Press, 2012: 37-47.
[8]	NEUMANN J V . Probabilistic logics and the synthesis of reliable organisms from unreliable components[J]. Automata Studies, 1956,34: 43-99.
[9]	姚东, 张铮, 张高斐 ,等. 多变体执行安全防御技术研究综述[J]. 信息安全学报, 2020,5(5): 77-94.
	YAO D , ZHANG Z , ZHANG G F ,et al. A survey on multi-variant execution security defense technology[J]. Journal of Cyber Security, 2020,5(5): 77-94.
[10]	REINHARDT S K , MUKHERJEE S S . Transient fault detection via simultaneous multithreading[C]// Proceedings of 27th International Symposium on Computer Architecture. Piscataway:IEEE Press, 2000: 25-36.
[11]	仝青, 张铮, 邬江兴 . 基于软硬件多样性的主动防御技术[J]. 信息安全学报, 2017,2(1): 1-12.
	TONG Q , ZHANG Z , WU J X . The active defense technology based on the software/hardware diversity[J]. Journal of Cyber Security, 2017,2(1): 1-12.
[12]	马海龙, 伊鹏, 江逸茗 ,等. 基于动态异构冗余机制的路由器拟态防御体系结构[J]. 信息安全学报, 2017,2(1): 29-42.
	MA H L , YI P , JIANG Y M ,et al. Dynamic heterogeneous redundancy based router architecture with mimic defenses[J]. Journal of Cyber Security, 2017,2(1): 29-42.
[13]	张铮, 马博林, 邬江兴 . web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2017,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[14]	宋克, 刘勤让, 魏帅 ,等. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020,41(5): 18-26.
	SONG K , LIU Q R , WEI S ,et al. Endogenous security architecture of Ethernet switch based on mimic defense[J]. Journal on Communications, 2020,41(5): 18-26.
[15]	马博林, 张铮, 陈源 ,等. 基于指令集随机化的抗代码注入攻击方法[J]. 信息安全学报, 2020,5(4): 30-43.
	MA B L , ZHANG Z , CHEN Y ,et al. The defense method for code-injection attacks based on instruction set randomization[J]. Journal of Cyber Security, 2020,5(4): 30-43.
[16]	张宇嘉, 庞建民, 张铮 ,等. 基于软件多样化的拟态安全防御策略[J]. 计算机科学, 2018,45(2): 215-221.
	ZHANG Y J , PANG J M , ZHANG Z ,et al. Mimic security defence strategy based on software diversity[J]. Computer Science, 2018,45(2): 215-221.
[17]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// 2015 IEEE/ACM 1st International Workshop on Software Protection. Piscataway:IEEE Press, 2015: 3-9.
[18]	姚东, 张铮, 张高斐 ,等. MVX-CFI:一种实用的软件安全主动防御架构[J]. 信息安全学报, 2020,5(4): 44-54.
	YAO D , ZHANG Z , ZHANG G F ,et al. MVX-CFI:a practical active defense framework for software security[J]. Journal of Cyber Security, 2020,5(4): 44-54.
[19]	FRANZ M , . E unibus pluram:massive-scale software diversity as a defense mechanism[C]// Proceedings of the 2010 New Security Paradigms Workshop.[S.n.:s.l.], 2010: 7-16.
[20]	LEVITIN G , XING L D , XIANG Y P . Co-residence data theft attacks on N-version programming-based cloud services with task cancelation[J]. IEEE Transactions on Systems,Man,and Cybernetics:Systems, 2020,PP(99): 1-10.
[21]	COX B , EVANS D , FILIPI A ,et al. N-Variant systems:a secret less framework for security through diversity[C]// USENIX Security Symposium. Berkeley:USENIX Association, 2006: 105-120.
[22]	CAVALLARO L . Comprehensive memory error protection via diversity and taint-tracking[D]. Milan:University of Milan, 2007.
[23]	SALAMAT B , JACKSON T , GAL A ,et al. Orchestra:intrusion detection using parallel execution and monitoring of program variants in user-space[C]// Proceedings of the fourth ACM European Conference on Computer Systems. New York:ACM Press, 2009: 33-46.
[24]	VOLCKAERT S , DE SUTTER B , DE BAETS T ,et al. GHUMVEE:efficient,effective,and flexible replication[C]// Foundations and Practice of Security. Berlin:Springer, 2013: 261-277.
[25]	CAO M C , HOU X T , WANG T ,et al. Different is good:detecting the use of uninitialized variables through differential replay[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1883-1897.
[26]	ZHANG Y , LEE J W , JOHNSON N P ,et al. DAFT:decoupled acyclic fault tolerance[J]. International Journal of Parallel Programming, 2012,40(1): 118-140.
[27]	REIS G A , CHANG J , VACHHARAJANI N ,et al. SWIFT:software implemented fault tolerance[C]// International Symposium on Code Generation and Optimization. Piscataway:IEEE Press, 2005: 243-254.
[28]	THATI V B , VANKEIRSBILCK J , PISSOORT D ,et al. Instruction level duplication and comparison for data error detection:a first experiment[C]// 2018 IEEE XXVII International Scientific Conference Electronics. Piscataway:IEEE Press, 2018: 1-4.
[29]	CHIELLE E , KASTENSMIDT F L , CUENCA-ASENSI S , . Overhead reduction in data-flow software-based fault tolerance techniques[C]// FPGAs and Parallel Architectures for Aerospace Applications.[S.n.:s.l. ], 2016: 279-291.
[30]	VOLCKAERT S , COPPENS B , VOULIMENEAS A ,et al. Secure and efficient application monitoring and replication[C]// 2016 USENIX Annual Technical Conference. Berkeley:USENIX Association, 2016: 167-179.
[31]	潘传幸, 张铮, 马博林 ,等. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021,42(1): 37-47.
	PAN C X , ZHANG Z , MA B L ,et al. Method against process control-flow hijacking based on mimic defense[J]. Journal on Communications, 2021,42(1): 37-47.
[32]	方滨兴 . 定义网络空间安全[J]. 网络与信息安全学报, 2018,4(1): 1-5.
	FANG B X . Define cyberspace security[J]. Chinese Journal of Network and Information Security, 2018,4(1): 1-5.
[33]	HUMPHREY W S . Personal software process (PSP)[M]. New York: John Wiley ＆ Sons,Inc., 2002.
[34]	HOSEK P , CADAR C . VARAN the unbelievable:an efficient N-version execution framework[C]// ACM Special Interest Group on Programming Languages. New York:ACM Press, 2015: 339-353.
[35]	LU K . Securing software systems by preventing information leaks[D]. Atlanta:Georgia Institute of Technology, 2017.
[36]	NOVARK G , BERGER E D , ZORN B G . Exterminator:automatically correcting memory errors with high probability[J]. Communications of the ACM, 2008,51(12): 87-95.
[37]	任权, 邬江兴, 贺磊 . 基于GSPN的拟态DNS构造策略研究[J]. 信息安全学报, 2019,4(2): 37-52.
	REN Q , WU J X , HE L . Research on mimic DNS architectural strategy based on generalized stochastic petri net[J]. Journal of Cyber Security, 2019,4(2): 37-52.
[38]	SHI J , MENG Y X , WANG S P ,et al. Reliability and safety analysis of redundant vehicle management computer system[J]. Chinese Journal of Aeronautics, 2013,26(5): 1290-1302.
[39]	WANG S P , CUI X Y , SHI J ,et al. Modeling of reliability and performance assessment of a dissimilar redundancy actuation system with failure monitoring[J]. Chinese Journal of Aeronautics, 2016,29(3): 799-813.

状态序号	含义
M₁	各副本正常运行，处于漏洞休眠状态
M₂	副本α₀被攻击成功
M₃	副本α₁被攻击成功
M₄	副本α₂被攻击成功
M₅	SHRE系统失去安全能力