HONEY-MON: Combining Survivability with Cyber Deception

Abstract

We propose a next-generation survivable system architecture that integrates redundant execution approaches from the domain of dependable systems with moving target defense techniques and cyber deception concepts from the domain of cyber security. As an added bonus, our approach provides novel defenses against exploits that target hardware flaws, including microarchitectural side channels. To the best of our knowledge, the combination of the first three that we are proposing here is an entirely novel approach that hasn't been tried before, and the fourth characteristic makes it even more compelling.

In the proposed architecture, every server is a true moving-target NVX system and is simultaneously also a honeypot. Our main idea is that, instead of terminating execution when a variant in a multi-variant execution is compromised by an attacker, the compromised variant is peeled off the joint computation and turned into a dynamic honeypot instance, while the surviving variants re-constitute and continue operating.

Moreover, our approach significantly increases the mutual dissimilarity of the simultaneously executing variants by allowing the different versions to run on heterogeneous hardware; specifically, on both x86 and ARM at the same time. In order to totally subvert such a system, an attacker would need to craft an attack that simultaneously compromises both an ARM-based and an x86-based system using the identical inputs, and potentially do this while both the x86-based and the ARM-based variants themselves are constantly mutating as a moving-target defense. It is also highly unlikely that a hardware flaw such as a microarchitectural side channel would manifest itself in the same manner across two completely different processor architectures, so an NVX system executing across different ISAs provides a natural defense against attacks that rely on such side channels. For example, it is outright impossible to mount a Rowhammer attack on memory cells that are not co-located on the same machine. If successful, our approach will set the bar for attackers significantly higher than all existing defense techniques that we are aware of, either implemented or proposed.

The most important advantage of our proposed approach is that it doesn't require a human specialist to obtain the desired resilience gains. While existing approaches to retrofitting security onto legacy software, including current approaches of introducing heterogeneity, have been quite effective, they typically require substantial source code understanding and manual source code adaptation. The proposed solution requires source code, but operates on such source code automatically.

Our plan is to perform the research and build the infrastructure so that such cyber-deceptive NVX systems can be generated automatically from the source code of an ordinary server application. As part of our research plan, we propose to build a fully functioning prototype of the proposed system at scale. That system will take an existing server application, such as the Nginx web server, and then automatically instantiate it into a cyber-deceptive NVX system. Our research will also conduct a comprehensive and objective evaluation of our approach and produce clear and concise metrics of its performance. Lastly, all software developed under this project will be released as open source.

If successful, our project will go a long way towards increasing the survivability of networked systems, while simultaneously shifting the economies of cyber warfare in favor of defenders by raising the cost of an attack for the adversary.

Approved for Public Release

Document Details

Document Type
DoD Grant Award
Publication Date
May 05, 2021
Source ID
N000142112409

Entities

People

  • Michael Franz

Organizations

  • Office of Naval Research
  • United States Navy
  • University of California, Irvine

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Parallel and Distributed Computing
  • Systems Analysis and Design

Technology Areas

  • Cyber