软件异构冗余执行系统的安全能力分析

doi:10.11959/j.issn.1000-436x.2021176

Abstract

Abstract:

Software-based redundant execution (SRE) is a popular fault-tolerant design method which makes use of faults occurring randomly to achieve fault-tolerance.Software-based heterogeneous redundant execution (SHRE) uses heterogeneous redundant software replicas with identical function based on SRE and diversity of software.By comparing the results of heterogeneous redundant software replicas, SHRE can resist threats from software vulnerabilities and homogenization.The classification method of SHRE was proposed, and the security capability of SHRE was introduced.Based on N-modular redundancy, I/O operation mode and the recovery capability of attacked software replica, resistance to attack of different structures were analyzed.The analysis shows that the security capability of SHRE performs best when it is triple-mode redundancy architecture and attacked software replica can be recovered.Besides, by shortening the recovery time of attacked software replica, security to SHRE can be improved.

Key words: software-based heterogeneous redundant execution, software vulnerabilities and homogenization, security capability

CLC Number:

TP393

Bolin MA, Zheng ZHANG, Quan REN, Gaofei ZHANG, Jiangxing WU. Security capability analysis of software-based heterogeneous redundant execution system[J]. Journal on Communications, 2021, 42(9): 1-11.

Figures/Tables 9

References 39

[1]	ZHANG Y G , VIN H , ALVISI L ,et al. Heterogeneous networking:a new survivability paradigm[C]// Proceedings of The 2001 Workshop on New Security Paradigms. New York:ACM Press, 2001: 33-39.
[2]	STAMP M . Risks of monoculture[J]. Communications of the ACM, 2004,47(3): 120.
[3]	CHEN Y S , CHEN P S . A software-based redundant execution programming model for transient fault detection and correction[C]// 2016 45th International Conference on Parallel Processing Workshops (ICPPW). Piscataway:IEEE Press, 2016: 66-71.
[4]	吴斌, 高珑 . 软件双冗余容错系统的容错能力和性能分析[J]. 计算机研究与发展, 2009,46(z2): 129-136.
	WU B , GAO L . Fault tolerance and performance analysis of software double redundant implemented hardware fault tolerance[J]. Journal of Computer Research and Development, 2009,46(z2): 129-136.
[5]	JUST J E , CORNWELL M . Review and analysis of synthetic diversity for breaking monocultures[C]// Proceedings of the 2004 ACM Workshop on Rapid Malcode. New York:ACM Press, 2004: 23-32.
[6]	KOREN I , SU S . Reliability analysis of N-modular redundancy systems with intermittent and permanent faults[J]. IEEE Transactions on Computers, 1979,28(7): 514-520.
[7]	JEON H , ANNAVARAM M . Warped-DMR:light-weight error detection for GPGPU[C]// 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture. Piscataway:IEEE Press, 2012: 37-47.
[8]	NEUMANN J V . Probabilistic logics and the synthesis of reliable organisms from unreliable components[J]. Automata Studies, 1956,34: 43-99.
[9]	姚东, 张铮, 张高斐 ,等. 多变体执行安全防御技术研究综述[J]. 信息安全学报, 2020,5(5): 77-94.
	YAO D , ZHANG Z , ZHANG G F ,et al. A survey on multi-variant execution security defense technology[J]. Journal of Cyber Security, 2020,5(5): 77-94.
[10]	REINHARDT S K , MUKHERJEE S S . Transient fault detection via simultaneous multithreading[C]// Proceedings of 27th International Symposium on Computer Architecture. Piscataway:IEEE Press, 2000: 25-36.
[11]	仝青, 张铮, 邬江兴 . 基于软硬件多样性的主动防御技术[J]. 信息安全学报, 2017,2(1): 1-12.
	TONG Q , ZHANG Z , WU J X . The active defense technology based on the software/hardware diversity[J]. Journal of Cyber Security, 2017,2(1): 1-12.
[12]	马海龙, 伊鹏, 江逸茗 ,等. 基于动态异构冗余机制的路由器拟态防御体系结构[J]. 信息安全学报, 2017,2(1): 29-42.
	MA H L , YI P , JIANG Y M ,et al. Dynamic heterogeneous redundancy based router architecture with mimic defenses[J]. Journal of Cyber Security, 2017,2(1): 29-42.
[13]	张铮, 马博林, 邬江兴 . web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2017,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[14]	宋克, 刘勤让, 魏帅 ,等. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020,41(5): 18-26.
	SONG K , LIU Q R , WEI S ,et al. Endogenous security architecture of Ethernet switch based on mimic defense[J]. Journal on Communications, 2020,41(5): 18-26.
[15]	马博林, 张铮, 陈源 ,等. 基于指令集随机化的抗代码注入攻击方法[J]. 信息安全学报, 2020,5(4): 30-43.
	MA B L , ZHANG Z , CHEN Y ,et al. The defense method for code-injection attacks based on instruction set randomization[J]. Journal of Cyber Security, 2020,5(4): 30-43.
[16]	张宇嘉, 庞建民, 张铮 ,等. 基于软件多样化的拟态安全防御策略[J]. 计算机科学, 2018,45(2): 215-221.
	ZHANG Y J , PANG J M , ZHANG Z ,et al. Mimic security defence strategy based on software diversity[J]. Computer Science, 2018,45(2): 215-221.
[17]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// 2015 IEEE/ACM 1st International Workshop on Software Protection. Piscataway:IEEE Press, 2015: 3-9.
[18]	姚东, 张铮, 张高斐 ,等. MVX-CFI:一种实用的软件安全主动防御架构[J]. 信息安全学报, 2020,5(4): 44-54.
	YAO D , ZHANG Z , ZHANG G F ,et al. MVX-CFI:a practical active defense framework for software security[J]. Journal of Cyber Security, 2020,5(4): 44-54.
[19]	FRANZ M , . E unibus pluram:massive-scale software diversity as a defense mechanism[C]// Proceedings of the 2010 New Security Paradigms Workshop.[S.n.:s.l.], 2010: 7-16.
[20]	LEVITIN G , XING L D , XIANG Y P . Co-residence data theft attacks on N-version programming-based cloud services with task cancelation[J]. IEEE Transactions on Systems,Man,and Cybernetics:Systems, 2020,PP(99): 1-10.
[21]	COX B , EVANS D , FILIPI A ,et al. N-Variant systems:a secret less framework for security through diversity[C]// USENIX Security Symposium. Berkeley:USENIX Association, 2006: 105-120.
[22]	CAVALLARO L . Comprehensive memory error protection via diversity and taint-tracking[D]. Milan:University of Milan, 2007.
[23]	SALAMAT B , JACKSON T , GAL A ,et al. Orchestra:intrusion detection using parallel execution and monitoring of program variants in user-space[C]// Proceedings of the fourth ACM European Conference on Computer Systems. New York:ACM Press, 2009: 33-46.
[24]	VOLCKAERT S , DE SUTTER B , DE BAETS T ,et al. GHUMVEE:efficient,effective,and flexible replication[C]// Foundations and Practice of Security. Berlin:Springer, 2013: 261-277.
[25]	CAO M C , HOU X T , WANG T ,et al. Different is good:detecting the use of uninitialized variables through differential replay[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1883-1897.
[26]	ZHANG Y , LEE J W , JOHNSON N P ,et al. DAFT:decoupled acyclic fault tolerance[J]. International Journal of Parallel Programming, 2012,40(1): 118-140.
[27]	REIS G A , CHANG J , VACHHARAJANI N ,et al. SWIFT:software implemented fault tolerance[C]// International Symposium on Code Generation and Optimization. Piscataway:IEEE Press, 2005: 243-254.
[28]	THATI V B , VANKEIRSBILCK J , PISSOORT D ,et al. Instruction level duplication and comparison for data error detection:a first experiment[C]// 2018 IEEE XXVII International Scientific Conference Electronics. Piscataway:IEEE Press, 2018: 1-4.
[29]	CHIELLE E , KASTENSMIDT F L , CUENCA-ASENSI S , . Overhead reduction in data-flow software-based fault tolerance techniques[C]// FPGAs and Parallel Architectures for Aerospace Applications.[S.n.:s.l. ], 2016: 279-291.
[30]	VOLCKAERT S , COPPENS B , VOULIMENEAS A ,et al. Secure and efficient application monitoring and replication[C]// 2016 USENIX Annual Technical Conference. Berkeley:USENIX Association, 2016: 167-179.
[31]	潘传幸, 张铮, 马博林 ,等. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021,42(1): 37-47.
	PAN C X , ZHANG Z , MA B L ,et al. Method against process control-flow hijacking based on mimic defense[J]. Journal on Communications, 2021,42(1): 37-47.
[32]	方滨兴 . 定义网络空间安全[J]. 网络与信息安全学报, 2018,4(1): 1-5.
	FANG B X . Define cyberspace security[J]. Chinese Journal of Network and Information Security, 2018,4(1): 1-5.
[33]	HUMPHREY W S . Personal software process (PSP)[M]. New York: John Wiley ＆ Sons,Inc., 2002.
[34]	HOSEK P , CADAR C . VARAN the unbelievable:an efficient N-version execution framework[C]// ACM Special Interest Group on Programming Languages. New York:ACM Press, 2015: 339-353.
[35]	LU K . Securing software systems by preventing information leaks[D]. Atlanta:Georgia Institute of Technology, 2017.
[36]	NOVARK G , BERGER E D , ZORN B G . Exterminator:automatically correcting memory errors with high probability[J]. Communications of the ACM, 2008,51(12): 87-95.
[37]	任权, 邬江兴, 贺磊 . 基于GSPN的拟态DNS构造策略研究[J]. 信息安全学报, 2019,4(2): 37-52.
	REN Q , WU J X , HE L . Research on mimic DNS architectural strategy based on generalized stochastic petri net[J]. Journal of Cyber Security, 2019,4(2): 37-52.
[38]	SHI J , MENG Y X , WANG S P ,et al. Reliability and safety analysis of redundant vehicle management computer system[J]. Chinese Journal of Aeronautics, 2013,26(5): 1290-1302.
[39]	WANG S P , CUI X Y , SHI J ,et al. Modeling of reliability and performance assessment of a dissimilar redundancy actuation system with failure monitoring[J]. Chinese Journal of Aeronautics, 2016,29(3): 799-813.

Metrics

Recommended 0

No Suggested Reading articles found!

状态序号	含义
M₁	各副本正常运行，处于漏洞休眠状态
M₂	副本α₀被攻击成功
M₃	副本α₁被攻击成功
M₄	副本α₂被攻击成功
M₅	SHRE系统失去安全能力

Security capability analysis of software-based heterogeneous redundant execution system

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 39

Related Articles 15

Metrics

Recommended 0

[1]	Jingbo LI, Li MA, Yang LI, Yingxun FU, Dongchao MA. Optimized design of sensing transmission and computing collaborative industrial Internet [J]. Journal on Communications, 2023, 44(6): 12-22.
[2]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[3]	Zhen CHEN, Wenhui CHEN, Xiaowei LIU, Dianlong YOU, Linlin LIU, Limin SHEN. Functional complementarity relationship enhanced cloud API recommendation method [J]. Journal on Communications, 2023, 44(6): 125-137.
[4]	Debin WEI, Chengsheng PAN, Li YANG, Zuoren YAN. Adaptive random early detection algorithm based on network traffic level grade prediction [J]. Journal on Communications, 2023, 44(6): 154-166.
[5]	Yuancheng LI, Yongtai QIN. Deep reinforcement learning based algorithm for real-time QoS optimization of software-defined security middle platform [J]. Journal on Communications, 2023, 44(5): 181-192.
[6]	Yingjie XIA, Siyu ZHU, Xuejiao LIU. Research on efficient cross trust-domain group authentication with conditional privacy of vehicle platoon under blockchian architecture [J]. Journal on Communications, 2023, 44(4): 111-123.
[7]	Renchao XIE, Wen WEN, Qinqin TANG, Yunlong LIU, Gaochang XIE, Tao HUANG. Survey on rail transit mobile edge computing network security [J]. Journal on Communications, 2023, 44(4): 201-215.
[8]	Zhiyong LUO, Yu ZHANG, Qing WANG, Weiwei SONG. Study of SDN intrusion intent identification algorithm based on Bayesian attack graph [J]. Journal on Communications, 2023, 44(4): 216-225.
[9]	Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN, Yongliang ZHOU, Jiali MA. Method based on contrastive incremental learning for fine-grained malicious traffic classification [J]. Journal on Communications, 2023, 44(3): 1-11.
[10]	Jin ZHANG, Qiang GE, Weihai XU, Yiming JIANG, Hailong MA, Hongtao YU. Design, implementation and formal verification of BGP proxy for mimic router [J]. Journal on Communications, 2023, 44(3): 33-44.
[11]	Pujie JING, Liangmin WANG, Xuewen DONG, Yushu ZHANG, Qian WANG, Sohail Muhammad. CHA: cross-chain based hierarchical architecture for practicable blockchain regulatory [J]. Journal on Communications, 2023, 44(3): 93-104.
[12]	Jian SHU, Jiawei SHI, Linlan LIU, Al-Kali Manar. Topology prediction for opportunistic network based on spatiotemporal convolution [J]. Journal on Communications, 2023, 44(3): 145-156.
[13]	Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network [J]. Journal on Communications, 2023, 44(2): 1-11.
[14]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[15]	Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG. Container escape detection method based on heterogeneous observation chain [J]. Journal on Communications, 2023, 44(1): 49-63.