Presenter
Angelos Stavrou and Michael Locasto, George Mason University

Time
Session I - 8:30am - 10:00am

Abstract
Latent vulnerabilities are often activated by misconfigurations or by valid configurations that deviate significantly from a popular default.  Such configurations tend to expose control paths or data structures that are not heavily tested or exercised, an increasingly common situation given the sheer number of available configuration options and the complexity of modern software applications (which compose many individual components, libraries, data formats, and third-party functionality — especially in a Web 2.0 world).

Many vulnerability announcements, however, indicate that the large majority of users employing the default configuration (or some small delta thereof) of a piece of software are not actually at risk; the vulnerability still exists, but the weakness remains dormant because of the nature of the program’s default configuration.  The goal of our research is to leverage this phenomenon: users may be able to switch from a vulnerable configuration of a running application to another configuration that is both (1) not susceptible to the vulnerability, because the configuration differs “enough,” and (2) close enough to the non-vulnerability-related properties of the original configuration to allow the software to continue providing the services necessary for its “mission.”

To accomplish such a transition seamlessly, with as little downtime as possible, we believe that it is possible to pre-compute instances of the software by exploring the configuration space: the set of all configuration options and command line parameters.  We envision a system capable of understanding configuration grammars.  The system would generate a new configuration file with modifications driven by a search algorithm, start up a lightweight VM with the new configuration file, suspend the VM at each instruction, and keep each resulting “snapshot.”  We believe that focusing on the configuration grammar keeps this problem tractable (as opposed to approaches that examine the entire possible input space).
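The search described above, reduced to its essentials as an added illustration (this is not code from the authors or from any system they describe): a toy configuration grammar maps each option to its allowed values, a constructed predicate stands in for "this configuration reaches the latent fault," a mission predicate captures the properties that must survive the switch, and a breadth-first search over single-option changes finds the nearest configuration satisfying both (1) and (2). The option names, the grammar, and the vulnerability predicate are all hypothetical placeholders; the second function enumerates the whole space once, which is the offline pre-computation step that would drive VM snapshotting.

```python
from collections import deque
from itertools import product

# Constructed toy "configuration grammar": option -> allowed values.
# Hypothetical option names; no real server is being modelled.
GRAMMAR = {
    "worker_model": ("prefork", "threaded"),
    "compression": ("off", "on"),
    "status_page": ("off", "on"),
    "keepalive": ("off", "on"),
}

# Hypothetical popular default.
DEFAULT = {"worker_model": "prefork", "compression": "off",
           "status_page": "off", "keepalive": "on"}


def is_vulnerable(cfg):
    """Constructed predicate: the latent fault is reachable only when two
    non-default options are combined. In practice this would come from the
    vulnerability announcement, not from a hard-coded rule."""
    return cfg["worker_model"] == "threaded" and cfg["compression"] == "on"


def serves_mission(cfg, mission):
    """A configuration serves the mission if every required option keeps
    the value the service depends on (property (2) in the abstract)."""
    return all(cfg[opt] == val for opt, val in mission.items())


def distance(a, b):
    """Number of options on which two configurations differ."""
    return sum(1 for opt in a if a[opt] != b[opt])


def neighbours(cfg):
    """All configurations reachable by changing exactly one option to
    another value the grammar allows."""
    for opt, values in GRAMMAR.items():
        for val in values:
            if val != cfg[opt]:
                changed = dict(cfg)
                changed[opt] = val
                yield changed


def find_safe_config(start, mission, vulnerable=is_vulnerable):
    """Breadth-first search from `start` over single-option edits; returns the
    first (hence minimum-distance) configuration that is not vulnerable and
    still serves the mission, or None if the two constraints conflict."""
    if not vulnerable(start) and serves_mission(start, mission):
        return start
    seen = {frozenset(start.items())}
    queue = deque([start])
    while queue:
        cfg = queue.popleft()
        for candidate in neighbours(cfg):
            key = frozenset(candidate.items())
            if key in seen:
                continue
            seen.add(key)
            if not vulnerable(candidate) and serves_mission(candidate, mission):
                return candidate
            queue.append(candidate)
    return None


def precompute_snapshots(mission, vulnerable=is_vulnerable):
    """Offline step: walk the entire configuration space once and keep the
    configurations worth snapshotting, i.e. those that are both safe and
    mission-preserving. Each returned dict would seed one VM snapshot."""
    keys = list(GRAMMAR)
    kept = []
    for combo in product(*(GRAMMAR[k] for k in keys)):
        cfg = dict(zip(keys, combo))
        if not vulnerable(cfg) and serves_mission(cfg, mission):
            kept.append(cfg)
    return kept


def render(cfg):
    """Emit the configuration in a simple 'key = value' file format."""
    return "\n".join(f"{opt} = {cfg[opt]}" for opt in GRAMMAR) + "\n"


if __name__ == "__main__":
    running = {"worker_model": "threaded", "compression": "on",
               "status_page": "on", "keepalive": "on"}
    mission = {"compression": "on", "keepalive": "on"}
    target = find_safe_config(running, mission)
    print(f"moved {distance(running, target)} option(s):\n{render(target)}")
    print(f"{len(precompute_snapshots(mission))} snapshot-worthy configs")
```

The search only edits one option per step, so the first hit is the configuration closest to the running one by option count, which is the "differs enough but stays close" trade-off the abstract describes. When the mission pins the very options that make the fault reachable, `find_safe_config` returns `None`, which is the signal that no configuration-only fallback exists and a patch or restart is unavoidable.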

One major goal of this type of approach to fault tolerance is to enable availability without resorting to rewriting the software, applying a patch, or rebooting the application, each of which is a seriously disruptive change.

Presentation
Download (PPT, 331kb)