DocumentCode
1924717
Title
Automated Instruction-Set Randomization for Web Applications in Diversified Redundant Systems
Author
Majorczyk, Frédéric ; Demay, Jonathan-Christofer
Author_Institution
IRISA, Univ. of Rennes 1, Rennes
fYear
2009
fDate
16-19 March 2009
Firstpage
978
Lastpage
983
Abstract
The use of diversity and redundancy in the security domain is an interesting approach to prevent or detect intrusions. Many researchers have proposed architectures based on those concepts where diversity is either natural or artificial. These architectures are based on the architecture of N-version programming and were often instantiated for web servers without taking into account the web application(s) running on them. In this article, we present a solution to protect the web applications running on this kind of architecture in order to detect and tolerate code injection intrusions. Our solution consists in creating diversity in the web application scripts by randomizing the language understood by the interpreter so that injected code cannot be executed by all the servers. We also present the issues related to the automation of our solution and present some solutions to tackle these issues.
Keywords
Internet; instruction sets; security of data; software architecture; N-version programming; Web application scripts; automated instruction-set randomization; code injection intrusion; diversified redundant systems; intrusion detection; intrusion prevention; security domain; Availability; Binary codes; Probabilistic logic; Protection; Redundancy; Safety; Security; Service oriented architecture; Voting; Web server; Diversity; causal dependencies; redundancy; web application;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security, 2009. ARES '09. International Conference on
Conference_Location
Fukuoka
Print_ISBN
978-1-4244-3572-2
Electronic_ISBN
978-0-7695-3564-7
Type
conf
DOI
10.1109/ARES.2009.64
Filename
5066597