Christian Wimmer

Multi-Variant Program Execution for Vulnerability Detection and Analysis

Todd Jackson, Christian Wimmer, Michael Franz: Multi-Variant Program Execution for Vulnerability Detection and Analysis. In Proceedings of the Workshop on Cyber Security and Information Intelligence Research, article 38. ACM Press, 2010. doi:10.1145/1852666.1852708

Download as PDF
© ACM, 2010.


Software vulnerabilities continue to be a major threat. Although significant advances have been made to reduce such vulnerabilities, there are still vulnerabilities that have eluded these techniques, and unfortunately the attackers have also become more sophisticated, employing more devious methods. Moreover, a huge amount of new code is written every year, so that even though the error rate may be decreasing, the overall number of vulnerabilities is still increasing. For example, the number of buffer errors listed in the National Vulnerabilities Database increased from 398 in 2007 to 563 in the year 2008.

Multi-variant code execution is a run-time technique that prevents the execution of malicious code. It does not remove the vulnerability underlying an attack, but it prevents the vulnerability from being exploited by an attacker. The key idea is to run two or more slightly different variants of the same program in lockstep on a multiprocessor. At certain synchronization points, their behavior is compared against each other. Divergence among the behavior of the variants is an indication of an anomaly in the system and raises an alarm.

In this paper, we provide a brief overview of multi-variant execution, summarize some variation techniques, illustrate a honeypot system constructed from a multi-variant execution environment, and then list combinations of variation techniques that are effective in multi-variant execution environments.