TY - GEN
T1 - The MINESTRONE architecture combining static and dynamic analysis techniques for software security
AU - Keromytis, Angelos D.
AU - Stolfo, Salvatore J.
AU - Yang, Junfeng
AU - Stavrou, Angelos
AU - Ghosh, Anup
AU - Engler, Dawson
AU - Dacier, Marc
AU - Elder, Matthew
AU - Kienzle, Darrell
N1 - Generated from Scopus record by KAUST IRTS on 2022-09-12
PY - 2011/12/23
Y1 - 2011/12/23
AB - We present MINESTRONE, a novel architecture that integrates static analysis, dynamic confinement, and code diversification techniques to enable the identification, mitigation and containment of a large class of software vulnerabilities in third-party software. Our initial focus is on software written in C and C++; however, many of our techniques are equally applicable to binary-only environments (but are not always as efficient or as effective) and for vulnerabilities that are not specific to these languages. Our system seeks to enable the immediate deployment of new software (e.g., a new release of an open-source project) and the protection of already deployed (legacy) software by transparently inserting extensive security instrumentation, while leveraging concurrent program analysis, potentially aided by runtime data gleaned from profiling actual use of the software, to gradually reduce the performance cost of the instrumentation by allowing selective removal or refinement. Artificial diversification techniques are used both as confinement mechanisms and for fault-tolerance purposes. To minimize the performance impact, we are leveraging multicore hardware or (when unavailable) remote servers that enable quick identification of likely compromise. To cover the widest possible range of systems, we require no specific hardware or operating system features, although we intend to take advantage of such features where available to improve both runtime performance and vulnerability coverage. © 2011 IEEE.
UR - http://ieeexplore.ieee.org/document/6092763/
UR - http://www.scopus.com/inward/record.url?scp=83755183629&partnerID=8YFLogxK
U2 - 10.1109/SysSec.2011.33
DO - 10.1109/SysSec.2011.33
M3 - Conference contribution
SN - 9780769545301
SP - 53
EP - 56
BT - Proceedings - 1st SysSec Workshop, SysSec 2011
ER -