Joel Coffman, A. Chakravarty, Joshua A. Russo, A. Gearhart
{"title":"Quantifying the Effectiveness of Software Diversity using Near-Duplicate Detection Algorithms","authors":"Joel Coffman, A. Chakravarty, Joshua A. Russo, A. Gearhart","doi":"10.1145/3268966.3268974","DOIUrl":null,"url":null,"abstract":"Software diversity is touted as a way to substantially increase the cost of cyber attacks by limiting an attacker's ability to reuse exploits across diversified variants of an application. Despite the number of diversity techniques that have been described in the research literature, little is known about their effectiveness. In this paper, we consider near-duplicate detection algorithms as a way to measure the static aspects of software diversity---viz., their ability to recognize variants of an application. Due to the widely varying results reported by previous studies, we describe a novel technique for measuring the similarity of applications that share libraries. We use this technique to systematically compare various near-duplication detection algorithms and demonstrate their wide range in effectiveness, including for real-world tasks such as malware triage. In addition, we use these algorithms as a way to assess the relative strength of various diversity strategies, from recompilation with different compilers and optimization levels to techniques specifically designed to thwart exploit reuse. Our results indicate that even small changes to a binary disproportionately affect the similarity reported by near-duplicate detection algorithms. In addition, we observe a wide range in the effectiveness of various diversity strategies.","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 5th ACM Workshop on Moving Target Defense","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3268966.3268974","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 4
Abstract
Software diversity is touted as a way to substantially increase the cost of cyber attacks by limiting an attacker's ability to reuse exploits across diversified variants of an application. Despite the number of diversity techniques that have been described in the research literature, little is known about their effectiveness. In this paper, we consider near-duplicate detection algorithms as a way to measure the static aspects of software diversity---viz., their ability to recognize variants of an application. Due to the widely varying results reported by previous studies, we describe a novel technique for measuring the similarity of applications that share libraries. We use this technique to systematically compare various near-duplication detection algorithms and demonstrate their wide range in effectiveness, including for real-world tasks such as malware triage. In addition, we use these algorithms as a way to assess the relative strength of various diversity strategies, from recompilation with different compilers and optimization levels to techniques specifically designed to thwart exploit reuse. Our results indicate that even small changes to a binary disproportionately affect the similarity reported by near-duplicate detection algorithms. In addition, we observe a wide range in the effectiveness of various diversity strategies.