Sciweavers

Share
EUROSYS
2009
ACM

Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space

10 years 9 months ago
Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space
In a Multi-Variant Execution Environment (MVEE), several slightly different versions of the same program are executed in lockstep. While this is done, a monitor compares the behavior of the versions at certain synchronization points with the aim of detecting discrepancies which may indicate attacks. As we show, the monitor can be implemented entirely in user space, eliminating the need for kernel modifications. As a result, the monitor is not a part of the trusted code base. We have built a fully functioning MVEE, named Orchestra, and evaluated its effectiveness. We obtained benchmark results on a quad-core system, using two variants which grow the stack in opposite directions. The results show that the overall penalty of simultaneous execution and monitoring of two variants on a multi-core system averages about 15% relative to unprotected conventional execution. Categories and Subject Descriptors D.4.6 [Operating Systems]: Security and Protection — Security kernels; K.6.5 [Managem...
Babak Salamat, Todd Jackson, Andreas Gal, Michael
Added 10 Mar 2010
Updated 10 Mar 2010
Type Conference
Year 2009
Where EUROSYS
Authors Babak Salamat, Todd Jackson, Andreas Gal, Michael Franz
Comments (0)
books