Séminaire méthodes formelles et sécurité


Benoit Baudry (Inria)

Proactive software diversification in source code and platforms to reduce the predictability of execution

Software diversification has been extensively investigated at the operating system level to mitigate the risks of OS monoculture. In particular, address space layout randomization, instruction set randomization, and NOP insertion offer effective protections against code injection and return-oriented programming.

Our observations show that a new form of software monoculture emerges at the application level. Mitigating this new risk requires new forms of software diversification. In this talk I present two ongoing works that tackle this challenge.

The first one explores the automatic synthesis of large sets of program variants, called sosies. Sosies provide the same expected functionality as the original program, while exhibiting different executions. They are said to be computationally diverse. Sosie synthesis is based on program transformations at the granularity of statements. We synthesized large quantities of sosies for 9 widely used open-source Java libraries and frameworks, which provides evidence for the feasibility of automatic changes and diversification in source code.

The second work explores diversification at the software platform level against browser fingerprinting. We leverage virtualization and modular architectures to automatically assemble and reconfigure software components at multiple levels. We operate on operating systems, browsers, fonts and plugins. This work is the first application of software reconfiguration to build a moving target defense against browser fingerprint tracking. We have assembled and reconfigured thousands of platforms, and we observe that all of them exhibit different fingerprints, and that commercial fingerprinting solutions are not able to detect that the different platforms actually correspond to a single user.