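Authors: 席睿成 (Xi Ruicheng); 张铮 (Zhang Zheng); 朱鹏喆 (Zhu Pengzhe); 刘子敬 (Liu Zijing) (School of Cyber & Space Security, Information Engineering University, Zhengzhou 450001, China; Purple Mountain Laboratories, Nanjing 211100, China)
Affiliations: [1] School of Cyber and Space Security, PLA Strategic Support Force Information Engineering University, Zhengzhou 450001 [2] Purple Mountain Laboratories for Network Communication and Security, Nanjing 211100
Source: Application Research of Computers (《计算机应用研究》), 2022, No. 10, pp. 2907-2915, 9 pages
Funding: Supported by the National Natural Science Foundation of China.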
Abstract: From a security perspective, multi-variant execution (MVX) is widely used in network security defense, but it has a common problem: when the variants return their content to the arbiter, the false alarms that arise from merging the outputs are difficult to resolve. Excluding objective factors such as the machine environment, false alarms are generated because the voter, after receiving the merged information, begins to make security judgments on inconsistent variables. In addition to inconsistent variables caused by real attacks, there are also inconsistent variables generated by normal system operation (such as memory descriptors, port numbers, random numbers, code, and the calling order of threads within a process), which cause the voter to misjudge and affect the normal operation of the multi-variant system. If the false alarm rate of multi-variant execution can be reduced, system efficiency and defense capability can be improved effectively. This paper classifies the types of multi-variant execution of recent years, summarizes the false alarm problems of multi-variant execution and the strategies for solving them, and analyzes the causes of voting false alarms. It selects three strategies, synchronization with the Pina algorithm, compiler module instrumentation, and narrowing the voting boundary, experimentally analyzes the three schemes in specific application scenarios, analyzes the function and performance of each method, and points out the advantages and disadvantages of each strategy. Finally, it discusses the unsolved difficulties of existing multi-variant execution techniques and future research directions.
Classification number: TP309.2 [Automation and Computer Technology - Computer System Architecture]