Bunshin: Compositing security mechanisms through diversification

Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Scopus citations

Abstract

A number of security mechanisms have been proposed to harden programs written in unsafe languages, each of which mitigates a specific type of memory error. Intuitively, enforcing multiple security mechanisms on a target program will improve its overall security. However, this is not yet a viable approach in practice because the execution slowdown caused by various security mechanisms is often non-linearly accumulated, making the combined protection prohibitively expensive; further, most security mechanisms are designed for independent or isolated uses and thus are often in conflict with each other, making it impossible to fuse them in a straightforward way. In this paper, we present BUNSHIN, an N-version-based system that enables different and even conflicting security mechanisms to be combined to secure a program while at the same time reducing the execution slowdown. In particular, we propose an automated mechanism to distribute runtime security checks in multiple program variants in such a way that conflicts between security checks are inherently eliminated and execution slowdown is minimized with parallel execution. We also present an N-version execution engine to seamlessly synchronize these variants so that all distributed security checks work together to guarantee the security of a target program.

Original language: English (US)
Title of host publication: Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017
Publisher: USENIX Association
Pages: 271-283
Number of pages: 13
ISBN (Electronic): 9781931971386
State: Published - 2019
Externally published: Yes
Event: 2017 USENIX Annual Technical Conference, USENIX ATC 2017 - Santa Clara, United States
Duration: Jul 12 2017 to Jul 14 2017

Publication series

Name: Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017

Conference

Conference: 2017 USENIX Annual Technical Conference, USENIX ATC 2017
Country: United States
City: Santa Clara
Period: 7/12/17 to 7/14/17

Bibliographical note

Funding Information:
We thank our shepherd, Ittay Eyal, and the anonymous reviewers for their helpful feedback. This research was supported by NSF under award DGE-1500084, CNS-1563848, CRI-1629851, CNS-1017265, CNS-0831300, and CNS-1149051, ONR under grant N000140911042 and N000141512162, DHS under contract No. N66001-12-C-0133, United States Air Force under contract No. FA8650-10-C-7025, DARPA under contract No. DARPA FA8650-15-C-7556, and DARPA HR0011-16-C-0059, and ETRI MSIP/IITP[B0101-15-0644].
