With the rapid growth of the network and software market, the security threat posed by "software monoculture" has become increasingly serious. Software diversity can generate functionally equivalent software variants through methods such as memory layout randomization, making it difficult for attackers to reuse their attack experience on different software variants and reproduce their attack effects. This effectively alleviates the security threat posed by "software monoculture", reduces the risk of large-scale attacks, and improves the resilience and security of networks and software systems. Although existing research has made some progress in optimizing the defense mechanisms of software diversity, there are still shortcomings in the research on security evaluation and optimized composition of software diversity. As a result, there is a lack of guidance for optimizing the security gains and performance costs brought by software diversity, and for enhancing software diversity’s usability and applicability. To solve these problems, this thesis first focuses on a security evaluation method of software diversity for a software variant’s security gains, providing security metrics that can effectively measure those gains, and on this basis proposes a software diversity composition method that comprehensively considers security gains and performance cost. Finally, focusing on the security impact of distributing variants generated by various diversity technologies and their compositions to the network, a corresponding variant distribution and evaluation method is designed. The main research content and work are as follows:

1. To address the problem that current evaluation methods focused on a software variant’s security gains have difficulty accurately and comprehensively reflecting the security gains that software diversity brings to the variant, this thesis proposes a security evaluation method of software diversity based on gadget feature analysis. First, this thesis analyzes the attack steps of code reuse attacks that are affected by software diversity, extracts their gadget features, and proposes corresponding gadget quality, practicality, and distribution metrics to comprehensively measure the impact of software diversity on each attack step of code reuse attacks. Then, this thesis constructs a security evaluation algorithm based on the proposed gadget metrics to comprehensively evaluate the software variant’s security gains brought by software diversity. Finally, the effectiveness of the proposed evaluation method is verified through evaluation experiments on diversity technologies of different granularities. The analysis of the evaluation results shows that fine-grained diversity technologies can make a large number of gadgets in variants difficult to identify due to relocation/modification, and increase the cost of attacking software variants. The conclusion is drawn that software diversity can effectively alleviate the threat of code reuse attacks and improve software security to a certain extent.

2. To address the problem that current composition methods have low search efficiency, a small search space, and incomplete security evaluation, which makes it difficult to effectively generate a combination of diversity technologies that balances security and performance costs, this thesis proposes a composition method based on the multi-objective optimization algorithm NSGA-II. First, this thesis analyzes the problem of software diversity composition and the differences between diversity technologies of different granularities, and constructs a multi-objective optimization model that comprehensively considers the TLSH metric, the gadget quality metric, and the CPU clock cycle count metric. Then, this thesis proposes a solving algorithm based on NSGA-II, which includes chromosome encoding and initial population generation algorithms, adaptive crossover and mutation operators, and a verification algorithm for the composition schemes. Finally, the effectiveness of the proposed composition method is verified through example analysis, and comparative experiments are conducted with composition methods based on random strategy, greedy strategy, and backward stepwise regression. The results show that the composition scheme generated by the proposed composition method can bring higher security gains while maintaining lower performance overhead.

3. To address the problem that current variant distribution and evaluation methods in network scenarios only analyze the impact on network security of the natural software diversity introduced by different commercial software, and use a relatively single attack strategy during evaluation, this thesis proposes a variant distribution and evaluation method for network scenarios. First, this thesis constructs a network attack and defense model based on four different diversity technologies, including redundant buffer insertion and buffer dimension increase, as well as four different attack strategies such as binary attack and step-by-step attack. A diversity metric based on vulnerability information in a node’s reachable paths, as well as a set of network security metrics, are proposed. Then, based on the proposed diversity metrics, this thesis formulates the variant distribution problem as an integer programming problem, and proposes a variant distribution method based on the simulated annealing algorithm to solve it. Finally, the effectiveness of the proposed evaluation method and variant distribution method is verified through simulation experiments and comparative analysis.