1. INTRODUCTION

The means of network attack have been continuously improved with the development of information technology, and attackers’ destructive behaviors against information systems are now characterized by larger scale, more varied means, and higher levels of coordination [1]. Traditional defense means focus on detecting and eliminating known threats; intrusion detection technology, for example, monitors network or system resources, looks for attacks or signs that undermine the security policy, and issues attack alerts [2]. Still, this monitoring decision requires an a priori basis, that is, a specific library of attack behavior characteristics must be established and matched against the behavior of the various types of access to the system. This results in intrusion detection technologies that cannot effectively respond to diverse attacks (APT attacks) [3] or cannot respond at all when faced with backdoors that exploit vulnerabilities not yet disclosed (0-day) [4]. Many other defenses are similar to intrusion detection, such as firewalls [5], intrusion prevention [6], vulnerability scanning [7], honeypot technology [8], etc. Since these defenses are implemented by attaching external security protection to the protected system and focus on the discovery and removal of known security threats, they belong to the category of passive defense and cannot effectively respond to diverse and complex attacks. With the development of software diversification techniques, a new type of security defense approach has emerged that responds to external attacks by increasing the dynamism, randomness, and diversity within the system; it belongs to the dynamic, proactive defense category [9]. MVX (multi-variant execution) is a typical representative of proactive defense technology built on software heterogeneous redundant execution technology.
By using software diversity technology to create a collection of functionally equivalent but structurally different process variants, a distributor synchronizes the input content and timing of each variant while the program is running, and a monitor observes the output behavior of each variant and detects differences in their output results. In this way MVX can mechanically avoid internal errors and protect against external threats [10]. Although the industrial development of MVX is relatively mature and it has extensive applications in cyberspace security, there is a lack of sound theoretical models to evaluate and test its security capability. Research on network security defense systems requires objective and scientific formal description methods that accurately characterize security policies, expose their hidden dangers, and provide theoretical support for further enhancing security defense capabilities [11]. Program verification and analysis based on formal methods is essential to ensure that software is correct and credible. Compared with software testing, program verification based on mathematical logic has syntactic and semantic rigor and attribute-related completeness, which can theoretically prove the reliability and correctness of a system [12]. However, with the increasing scale of software and the growing complexity of software functions, it is difficult for the theoretical approach of proving the correctness of software systems or programs to cope effectively with the completeness analysis of complex software and give a reasonable security analysis [13].
In response to the inability of traditional network attack models to construct an effective correspondence with dynamic defense systems, we disassemble a multi-stage network attack chain into single atomic attacks and combine multiple atomic attacks to build an attack chain model for dynamic environments, analyze the necessary conditions on which the model relies for successful execution of the attack, and assess how a security defense system can effectively cope with the synergy of multiple atomic attacks in order to block the attack chain. Further, we model the security scenario of the MVX system, evaluate the security defense capability of the MVX system through a probabilistic model, quantitatively evaluate the security capability of the MVX system through an attack case against the Linux kernel, further elaborate on the effectiveness of the MVX system, and finally propose improvement measures for the shortcomings of the MVX system.

2. ATOMIC COMBINATION ATTACK CHAIN MODEL

To reflect the complexity and dynamics of the attack process, we establish an atomic combination attack chain model based on the network attack chain model, disassemble the macroscopic attack process into several sub-processes (referred to as atomic attacks), and combine several atomic attacks according to the response time of the system to form a complete attack chain.

Definition 1. Define a complete set of cyber-attack procedures, where $ATK_i$ ($1 \le i \le n$) denotes the $i$-th attack phase and $ATK_i$ is completed by several atomic attacks.
Since the system takes execution time to respond to an atomic attack, each atomic attack in $ATK_i$ is considered to have a temporal order, with the moment of completion of the atomic attack taken as its position in that order; let the atomic attacks combined in the attack phase $ATK_i$ be $atk_{ij}$ ($1 \le j \le N_i$).

Definition 2. Combining all atomic attacks during a complete network attack constitutes an atomic combination attack chain.

Considering the different attack effects achieved by different attack means in a real network environment, ordering atomic attacks by time alone has certain drawbacks: some atomic attacks achieve their purpose at the moment they are launched, whereas others are designed to gain control of the target object and create the conditions for subsequent attacks. Therefore, there are dependencies between different atomic attacks. The various dependencies required for the successful execution of a single atomic attack $atk_{ij}$ are integrated into a logical expression that denotes the preconditions on which $atk_{ij}$ depends, where $k$ denotes the minimum value of the preconditions satisfied by $atk_{ij}$ and $\mathbb{C}_k$ denotes the number of predecessor attacks in a single set of preconditions. Assume that the prerequisite for an atomic attack $atk_{21}$ is the successful execution of $atk_{11}$, denoted $pre_{21 \sim 11}$; the prerequisite for $atk_{22}$ is either $atk_{12}$ or $atk_{13}$, i.e., either of the two attacks can serve as a prerequisite for the latter, denoted $pre_{22 \sim 21} \vee pre_{22 \sim 22}$; and $atk_{31}$ requires both prerequisites to be satisfied before the attack can be completed properly. The dependency diagram for multiple atomic attacks is shown in Figure 1. For the general case, the prerequisites for the successful implementation of $atk_{ij}$ are integrated in the same way. The success rate of an atomic attack $atk_{ij}$ ($1 \le i \le n$, $1 \le j \le N_i$) is described according to the attack timing and the conditions that must be relied upon to complete the attack successfully.
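The following added example (not code from the paper) evaluates the Figure 1 dependency structure as a precondition expression in disjunctive normal form and, under the assumption that each atomic attack succeeds independently with its own rate P(atk_ij) and only when its precondition holds, enumerates the chain success probability and the blocking condition of Section 2. The Figure 1 reading (atk21 needs atk11; atk22 needs atk12 or atk13; atk31 needs atk21 and atk22) and the per-attack rates are assumptions.

```python
"""Evaluating an atomic combination attack chain (Figure 1 structure).

Added example, not the paper's code. Assumptions: each atomic attack atk_ij
has an independent success rate P(atk_ij) (Definition 3); an atomic attack
can only succeed if its precondition expression holds at the time it is
tried; the chain succeeds when its final attack succeeds. The dependency
reading of Figure 1 and the rates below are constructed for illustration.
"""
from itertools import product

# Precondition expression per attack in disjunctive normal form: a list of
# alternative sets, each set holding predecessors that must ALL succeed.
# An empty list means a first-phase attack with no prerequisite.
PRECONDITIONS = {
    "atk11": [],
    "atk12": [],
    "atk13": [],
    "atk21": [{"atk11"}],
    "atk22": [{"atk12"}, {"atk13"}],   # either predecessor suffices (OR)
    "atk31": [{"atk21", "atk22"}],     # both predecessors required (AND)
}

# Constructed per-attack success rates P(atk_ij) (the q_atk of Table 2).
SUCCESS_RATE = {
    "atk11": 0.8, "atk12": 0.6, "atk13": 0.5,
    "atk21": 0.7, "atk22": 0.7, "atk31": 0.9,
}


def precondition_holds(attack, succeeded):
    """True if at least one alternative set of predecessors has all succeeded."""
    alternatives = PRECONDITIONS[attack]
    return not alternatives or any(alt <= succeeded for alt in alternatives)


def chain_success_probability(goal, rates=SUCCESS_RATE):
    """Probability that `goal` succeeds, enumerating outcomes in phase order.

    Each attack is tried once; it succeeds with its own rate only when its
    precondition holds, otherwise it fails with certainty. Exhaustive
    enumeration over 2^n outcomes is exact and cheap for a small chain.
    """
    names = sorted(PRECONDITIONS)        # atk11 < atk12 < ... < atk31
    total = 0.0
    for outcome in product((False, True), repeat=len(names)):
        prob, succeeded = 1.0, set()
        for name, ok in zip(names, outcome):
            p_ok = rates[name] if precondition_holds(name, succeeded) else 0.0
            prob *= p_ok if ok else 1.0 - p_ok
            if ok:
                succeeded.add(name)
            if prob == 0.0:
                break                    # impossible branch, skip the rest
        if goal in succeeded:
            total += prob
    return total


def blocked(goal, rates=SUCCESS_RATE):
    """Section 2: the chain is blocked when its success probability is 0."""
    return chain_success_probability(goal, rates) == 0.0
```

Forcing any single first-phase attack on an AND path to 0 (e.g. atk11) blocks the chain, whereas zeroing only one branch of the OR for atk22 does not.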
Then, according to the probability formula, the probability of a single attack chain successfully executing an attack is

If the probability of a successful attack on an attack chain is 0, the attack chain is said to be blocked, that is, the defense is successful; this parameter is used to measure the security defense capability of the security defense system.

3. MVX SYSTEM MODEL

3.1 Related definitions

Definition 1. Collection of variants. Define the multiple functionally equivalent, structurally distinct variants of an MVX system as the set $Set_v = \{V_1, V_2, \ldots, V_n\}$.

Definition 2. System resource sequence and timing. Let the occupied time period during system operation be $\Delta t_i$ ($i \ge 0$), let the sequence of system resources occupied within that time period be given, and let the timing sequence resulting from the invocation of system resources be $\Delta T = \Delta t_0 \Delta t_1 \Delta t_2 \ldots \Delta t_n \ldots$. The series of system resources invoked and occupied by the MVX system during operation includes memory consumption, CPU context switching, processing of system calls, etc. By dividing time into periods, the invocation of system resources in a single time period $\Delta t_i$ can be decomposed into multiple ordered sequences. The system resource sequence and the MVX system runtime cycle are each represented by a dedicated symbol, and the system service timing is represented by $\Delta T$.

Definition 3. Single atomic attack operation success rate. The success rate of a single atomic attack operation is the probability that, when an attacker launches one attack operation that is split into atomic attacks under the attack chain theory, one atomic attack is successfully executed; it is defined as $P(atk_{ij})$.

Definition 4. Attack task success rate. One attack mission success indicates the successful execution of an attack chain, defined as $P(atomATKchain)$ according to the probability formula in Section 2.

Definition 5. Overall system attack success rate.
In the MVX system invoking a complete sequence of system resources, if the number of times an attacker executes the same attack chain within a given system service timing $\Delta T$ using system vulnerabilities is $\alpha$, and assuming that the attack chain consists of $\gamma$ atomic attacks and that there are $\beta$ successful completions during the $\alpha$ executions of the attack chain, the overall system attack success rate is recorded as $P_{S,\gamma}$.

Definition 6. System security gain. For an attack chain containing $\gamma$ atomic attacks, two software systems $S$ and $S'$ face the same attack chain with overall system attack success rates $P_{S,\gamma}$ and $P_{S',\gamma}$, respectively. The ratio of the two is noted as the system security gain of $S$ compared to $S'$.

Definition 7. $k$th-order output agreement rate. Define the set of voting points $Set_M = (M_1, M_2, \ldots, M_n)$. When the program runs to a voting point (e.g., a monitor votes on a system call), the state of each variant is checked. The processing granularity of the system monitor is consistent across an MVX system, so only one of the voting points is selected as the voting policy of the system during normal system execution. Assuming that the chosen voting policy is $M$, the outputs of the variants after voting are represented as the set $Set_o = \{M(V_1), M(V_2), \ldots, M(V_n)\}$. For the multiple output results of the variants after the vote is completed, if there exist at most $k$ mutually consistent results that are not consistent with the output of the normal execution process, the system is called $k$th-order output consistent, denoted $MAX\{Equal(Set_o)\} = k$. Define the $k$th-order consistency rate $\varepsilon_k$ with respect to a single attack chain as the ratio $N'/N$, where $N$ is the total number of attacks and $N'$ is the number of occurrences where the output is $k$th-order consistent. The $k$th-order consistency rate is a measure of an attacker’s ability to perform an attack on an MVX system, considering the following two cases.
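As an added example (not the paper’s code) of Definition 7 and of the threshold rule $l > k$ used in Section 4.3.1, the monitor below computes $MAX\{Equal(Set_o)\}$ for one voting point, the rate $\varepsilon_k$ over a series of attack attempts, and whether a deviant output would be accepted by majority voting with threshold $l$. It assumes that a voting point compares one observable per variant and that the normal output is known; the variant outputs are constructed labels.

```python
"""Voting-point check for k-th order output consistency (Definition 7).

Added example, not the paper's code. Assumptions: the voting policy M
yields one comparable output per variant at a voting point; `normal` is the
output of the normal execution; the monitor accepts an output only when at
least `threshold` (l) variants agree on it, otherwise it reports a
divergence. Outputs below are constructed labels standing for system-call
records.
"""
from collections import Counter


def kth_order_consistency(outputs, normal):
    """MAX{Equal(Set_o)} = k: size of the largest group of variants whose
    outputs agree with each other but differ from the normal output."""
    deviants = Counter(o for o in outputs if o != normal)
    return max(deviants.values(), default=0)


def vote(outputs, threshold):
    """Output backed by at least `threshold` variants, or None when no output
    reaches the threshold (the monitor then treats the run as divergent)."""
    value, count = Counter(outputs).most_common(1)[0]
    return value if count >= threshold else None


def attack_accepted(outputs, normal, threshold):
    """True when the voted output is a deviant one, i.e. the attack passed the
    monitor. This needs threshold <= k, so choosing l > k (Section 4.3.1)
    rules it out for every k-th order consistent attack."""
    accepted = vote(outputs, threshold)
    return accepted is not None and accepted != normal


def consistency_rate(trials, normal, k):
    """epsilon_k = N'/N: share of the N attack attempts whose variant outputs
    are exactly k-th order consistent."""
    if not trials:
        return 0.0
    hits = sum(1 for outputs in trials
               if kth_order_consistency(outputs, normal) == k)
    return hits / len(trials)


# Constructed attack attempts against n = 3 variants; "SYS_N" is the output
# of the normal execution, other labels are outputs of compromised variants.
NORMAL = "SYS_N"
TRIALS = [
    ["SYS_N", "SYS_X", "SYS_X"],   # k = 2: two variants agree on a deviant
    ["SYS_N", "SYS_N", "SYS_Y"],   # k = 1: one variant deviates
    ["SYS_N", "SYS_X", "SYS_Y"],   # k = 1: deviants disagree with each other
    ["SYS_X", "SYS_X", "SYS_X"],   # k = 3: common-mode failure of all variants
]
```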
3.2 MVX formal model

The security performance of the MVX system is determined by factors such as the heterogeneous variants, the system resource sequence, the system service timing, and the voting policy. The attack capability is determined by the attack success rate, the time spent on the attack, and the combined implementation strategy of the atomic attacks. Considering these factors or attribute parameters together, a mathematical model is developed in the form of a multivariate group [14], as shown in the following equation.

Symbol interpretation: $n$ denotes the number of system variants, i.e., the set of variants $Set_v$ has variants $V_1, V_2, \ldots, V_n$; $l$ is the system voting threshold, i.e., after applying the voting policy $M$, an output result supported by a number of variants greater than or equal to $l$ is considered the correct output; a dedicated symbol denotes the sequence of system resources utilized by MVX; $\Delta T$ denotes the average system change time; $atk_i$ denotes a single atomic attack acting on the variants, with its own symbols for the probability that $atk_i$ succeeds on the variant and for the implementation time of $atk_i$; $\gamma$ indicates the number of atomic attacks contained in an attack chain.

3.3 Model solution

For an atomic combination attack chain $\Gamma$, assume it contains $\gamma$ atomic attacks; the total number of attacks on the MVX system from all atomic attacks in the chain is then $\gamma \cdot n$, denoted by $N$. Within the sequence of system resources, the attacker keeps continuous control of the system during the dynamic change of system resources for the $\gamma$ consecutive atomic attacks. The average time of dynamic change of the system state due to the mobilization of system resources by atomic attacks is $\Delta T$. Success of the attack task is expressed as the coordinated cooperation of multiple atomic attacks to complete the execution of the attack chain within the MVX system operation cycle.
The resource utilization weight of a variant is influenced by the current MVX system control policy for the variant as well as by the execution boundary and execution granularity of the variant, and is used to measure the use of resources by the different variants during execution. The updated function $f'$ represents the weight of the attack’s success after being influenced by the resource sequence. Under the above conditions, the attacker uses the system resource in the $i$-th ($1 \le i \le \gamma$) atomic attack $atk_i$ within one system operation cycle, launches the atomic attack at the beginning of the system resource usage and succeeds; the probability of success of the attack in this step is

Since the dynamic change cycle of the system state affects the implementation of the attack, we define the function

A single atomic attack fails when its execution time is greater than the system change cycle time. Considering the synergistic cooperation of all atomic attacks and the resource execution strategy of the multiple variants, the probability of successful execution of an attack chain is

Assuming that the sequence of system resources occurs independently and uniformly over a runtime cycle, the variant’s weight on system resource utilization is a deterministic value $\alpha_V$, and simplifying the above formula yields

4. MVX SECURITY CAPABILITY ANALYSIS

4.1 Security gains of MVX over traditional defense systems

The traditional defense system can be considered as an instance with the same function as the MVX system but with only a single variant: the number of variants is $n = 1$ and the system does not change dynamically. Under the same static conditions, according to Definition 3.6, we obtain

To simplify the model, assuming that all single atomic attacks have the same probability of success, the system security gain reduces to

Since the number of variants within the MVX system is $n \ge 2$, the system resource utilization weight satisfies $0 < \alpha_V \le 1$, and the system $k$th-order consistency rate satisfies $0 < \varepsilon_k < 1$, the security gain of the MVX system over the traditional defense system satisfies $SG_r(S, S') > 1$, and the security gain is higher when the number of atomic attacks is higher.

4.2 Attack & defense scenario

To ensure the completeness of the analysis, the following quantitative analysis of MVX security capabilities is conducted for a specific attack example.

4.2.1 Attack scenario

To verify the atomic combination attack chain model and the MVX system defense model proposed above, we use a scenario simulation of an attack on the Linux kernel, taking as the example a buffer overflow vulnerability in the AF_PACKET module, number CVE-2017-730. The atomic combination attack chain model is shown in Figure 2, where the atomic attacks are described in Table 1, and the weights of the atomic attacks are assigned according to the a priori conditions of the attack and the difficulty of exploiting the attacked resource.

Table 1. Description of atomic attacks.
Considering the existence of five attack chains in the combined chain, the success probability of each atomic attack is measured according to the weights, and the results are calculated as shown in Table 2.

Table 2. $q_{atk}$ of each atomic attack.
4.3 Security policy improvements based on the example scenario

4.3.1 Voting strategy

In the MVX system model $\Psi$, the voting threshold is $l$. According to Definition 3.7, an attack that results in a consistent system output will cause a system false alarm. The voting threshold needs to be greater than the $k$th-order consistency of the system, i.e., $l > k$. When the value of $l$ is larger, the number of attacks that produce $k$th-order consistency in the set of variant output results after voting, $Set_o = \{M(V_1), M(V_2), \ldots, M(V_n)\}$, will be smaller, and the corresponding $k$th-order consistency rate $\varepsilon_k$ will be lower. Figure 3 shows the relation between $P_\gamma$ and $\varepsilon_k$ based on the probability of execution of each atomic attack, under the precondition that

According to the analysis of the function plot, when the voting threshold is equal to the $k$th-order consistency, the MVX system has the same probability of being successfully attacked as a traditional security defense system with a $k$th-order consistency rate of 1. However, in practical situations, it is almost impossible for $\varepsilon_k$ to take the value 1. Garcia et al. [15] analyzed the vulnerabilities of 11 operating systems over 18 years based on the National Vulnerability Database (NVD): the number of common-mode vulnerabilities is higher between operating systems of the same family, but the number of common-mode vulnerabilities between different families is almost zero, so for two variants with sufficient heterogeneity, $\varepsilon_k$ is nearly 0 for general attack means. Therefore, a reasonable setting of the voting threshold for the output results of the MVX system is key to improving the system’s security. Still, a larger threshold is not always better when there are more variants; it is also necessary to keep the cost-efficiency ratio of the system within the confidence interval. Volckaert et al. [16] improve the multi-variant execution voting strategy to effectively improve system reliability.

4.3.2 Variant heterogeneity and redundancy
4.3.3 System resource isolation

During system execution, each variant $V_i$ is scheduled to use different system resources, and we set a resource utilization weight for the variants. In the limiting case, the set of variants schedules all of the resources in the system resource sequence, which hardly ever occurs in a real application scenario, so in general it does not. For the analysis, $\varepsilon_k$ is set to 0.1, assuming that the different variants utilize resources with exactly the same weight. In real scenarios, the weight is affected by the current MVX system control policy for variants as well as by factors such as the execution boundaries and execution granularity of variants; e.g., cred, the credential set of processes in this example, may produce abnormal outputs in different variants under normal input stimuli. Similarly, from the atomic attack success probabilities in Table 2, a graph of $P_\gamma$ as a function of the resource weight is obtained, as shown in Figure 4.

5. SUMMARY

We analyze the overall security capability of the MVX system; the analysis of a defense system is based on the establishment of a reasonable attack model. We establish an atomic combination attack chain model and, by splitting the complete attack phase into multiple single atomic attacks, analyze the dependencies between different atomic attacks. The mathematical model of the MVX system is established using multivariate groups, and various system execution metrics are defined based on different assumptions. Specific attack examples are used to measure the success rate of the atomic combination attack chain against MVX systems and the security gain of MVX over traditional defense systems. This is essential for the system design and engineering implementation of MVX.

REFERENCES

[1] Dawkins, J. and Hale, J., “A systematic approach to multi-stage network attack analysis,” in Proc. IIAW, 48–56 (2004).
[2] Kemmerer, R. A. and Vigna, G., “Intrusion detection: a brief history and overview,” Computer, 35(4), 27–30 (2002).
[3] Kim, Y. H. and Park, W. H., “A study on cyber threat prediction based on intrusion detection event for APT attack detection,” Multimedia Tools and Applications, 71(2), 685–698 (2014). https://doi.org/10.1007/s11042-012-1275-x
[4] Armin, J., Foti, P. and Cremonini, M., “0-day vulnerabilities and cybercrime,” in Proc. ARS, 711–718 (2015).
[5] Kamara, S., Fahmy, S., Schultz, E., et al., “Analysis of vulnerabilities in internet firewalls,” C&S, 22(3), 214–232 (2003).
[6] Fuchsberger, A., “Intrusion detection systems and intrusion prevention systems,” ISTR, 10(3), 134–139 (2005).
[7] Daud, N. I., Bakar, K. A. A. and Hasan, M. S. M., “A case study on web application vulnerability scanning tools,” in Proc. S&I, 595–600 (2014).
[8] Baykara, M. and Daş, R., “A survey on potential applications of honeypot technology in intrusion detection systems,” IJCNA, 2(5), 203–211 (2015).
[9] O’Donnell, A. J. and Sethu, H., “On achieving software diversity for improved network security using distributed coloring algorithms,” in Proc. CCS, 121–131 (2004). https://doi.org/10.1145/1030083
[10] Cox, B., Evans, D., Filipi, A., et al., “N-variant systems: A secretless framework for security through diversity,” in Proc. USENIX, 105–120 (2006).
[11] Samarati, P. and Vimercati, S. C., “Access control: Policies, models, and mechanisms,” in Proc. SFSAD, 137–196 (2000).
[12] Bringsjord, S., “A vindication of program verification,” History and Philosophy of Logic, 36(3), 262–277 (2015). https://doi.org/10.1080/01445340.2015.1065461
[13] Eom, J., Han, Y. J., Park, S. H., et al., “Active cyber attack model for network system’s vulnerability assessment,” in Proc. ICISS, 153–158 (2008).
[14] Green, P. E., Mathematical Tools for Applied Multivariate Analysis, 8–11, Academic Press, New York, San Francisco and London (1976).
[15] Garcia, M., Bessani, A., Gashi, I., et al., “Analysis of operating system diversity for intrusion tolerance,” SPE, 44(6), 735–770 (2014).
[16] Volckaert, S., Coppens, B., Voulimeneas, A., et al., “Secure and efficient application monitoring and replication,” in Proc. USENIX ATC, 167–179 (2016).
[17] Li, B., Zhang, Z., Wang, X., et al., “SecMVX: Analysis on the vulnerability of multi-variant execution,” China Commun., 18(8), 85–95 (2021). https://doi.org/10.23919/JCC.2021.08.007