
6/1/2017 Using Redundancy to Detect Security Anomalies: Towards IoT security attack detectors

Articles

USING REDUNDANCY TO DETECT SECURITY ANOMALIES: TOWARDS IOT
SECURITY ATTACK DETECTORS
THE INTERNET OF THINGS (UBIQUITY SYMPOSIUM)
Ubiquity, Volume 2016 Issue January, January 2016 | BY ROOPAK VENKATAKRISHNAN, MLADEN A. VOUK

Full citation in the ACM Digital Library | PDF

Ubiquity

Volume 2016, Number January (2016), Pages 1-19

Using redundancy to detect security anomalies: towards IoT security attack detectors: ubiquity symposium: the
internet of things
Roopak Venkatakrishnan, Mladen A. Vouk
DOI: 10.1145/2822881

Cyber attacks and breaches are often detected too late to avoid damage. While "classical" reactive cyber defenses usually
work only if we have some prior knowledge about the attack methods and "allowable" patterns, properly constructed
redundancy-based anomaly detectors can be more robust and often able to detect even zero-day attacks. They are a step
toward an oracle that uses knowable behavior of a healthy system to identify abnormalities. In the world of Internet of Things
(IoT), security, and anomalous behavior of sensors and other IoT components, will be orders of magnitude more difficult
unless we make those elements security aware from the start. In this article we examine the ability of redundancy-based
anomaly detectors to recognize some high-risk and difficult-to-detect attacks on web servers, a likely management interface
for many IoT standalone elements. In real life, it has taken long, a number of years in some cases, to identify some of the
vulnerabilities and related attacks. We discuss practical relevance of the approach in the context of providing high-assurance
Web services that may belong to autonomous IoT applications and devices.

Security attacks on Web servers have increased by more than 30 percent from 2012 to 2013 [1]. Many of the attacks were
successful despite extensive attempts to educate the software development community about the relevant vulnerabilities and
exploits [2]. Well into 2015, the problem persists. In the world of "Internet of Things" (IoT), practically any device may have an
IP address, an API, or a web interface and a certain level of "smartness." In the IoT, where devices are probably software
based, programmable, and autonomous, vulnerabilities and threats will continue to grow even further. In fact, the security
problem will probably grow by orders of magnitude. Ideally, one would build security into these devices to make them
inherently resilient. Unfortunately, in practice reliability and security of software-based systems, sensors, and IoT elements can
be improved only to a certain degree prior to deployment. Reasons are many, and may range from power consumption
restrictions, to complexity, to poor designs or lack of planning.

Given the assumption that in normal operation such systems operate reliably, one of the questions is whether some "classical"
reliability approach can help us develop after-market solutions that would make such systems more resilient to security
attacks, or at least aware that they are under attack. Attacks usually change the behavior of a system. There are basically
three ways of detecting execution-time anomalies or changes in behavior, and this includes security anomalies: acceptance
testing, external consistency checking, and redundancy-based techniques.

Acceptance testing is a technique where the input to a system (or sensor) is validated against conditions specified by the
developer or defender. This requires prior knowledge about the attack or malware patterns and signatures. On the other hand,
external consistency checks work well at verification and validation time (e.g., fault injection), but their applicability may be
limited at run time because the exact knowledge of the true conditions of operation may not be available to a system in the
field. Finally, anomaly detection based on redundancy is flexible and can be proactive but is often expensive (e.g., diversity-
based voters, error coding). In one such approach, N-version programming, the same input is given to multiple functionally
equivalent versions of the software. If all versions do not agree, there may be an issue. Anomaly detection techniques that
work by comparing output vectors of diverse, but functionally equivalent, software have been in active use in the high-
assurance software industry for a long time [3, 4]. Recently these techniques have been revisited in the context of
cyber security for Web-based systems [5, 6].

http://ubiquity.acm.org/article.cfm?id=2822881

There is a good chance IoT devices/systems will operate the same (perhaps newer and stripped-down) types of Web servers
as the ones used on servers today. A Netcraft analysis of Web servers in use today shows that more than 80 percent of
websites use Apache, Nginx, or Microsoft (IIS) servers [7]. Therefore, it may be reasonable to assume many of the attacks
directed at Web servers will probably target one of the top three servers, or their derivatives.

In this article we examine some difficult-to-detect high-severity cyber attacks on Web services that have taken place in the
last five years to see how a redundancy-based, possibly cloud-based, security anomaly identification mechanism might have
made the detection of attacks (and of their effects) quicker and easier. The discussion that follows, however, applies to any IoT
devices (sensors) so long as some diversity is available.

Background: Anomaly Classification

Attacks on Web servers can target a Web server directly or target applications it hosts, third-party add-ons, and other
components that are part of the Web service, such as database, scripting engine, etc. We limit our scope to attacks directed
toward the Web server core. Of special interest is the ability of a comparison-based approach to detect zero-day attacks. In
classifying anomalies and their detection we only consider those that manifest through the HTTP/HTTPS port of the Web
server, and not its interactions with the host system or other applications.

Two categories of Web server exploits are of interest here (see Figure 1). Both could be perceived as zero-day exploits. One
category targets inherent vulnerabilities that stem from issues in the Web server code, configuration, plugins and affiliated
applications (for example PHP, CGI, or an SQL engine). Those are usually exploited by attacks through direct Web interface
channels (e.g., port 80). The other category are relatively "silent" compromises that may have happened indirectly (e.g.,
through an SSH attack). These we call lateral attacks and exploits.

Identifying oncoming attacks is often done quite successfully by acceptance tests either at the networking level, operating
system level or application level (e.g., firewalls). However, acceptance tests do not work unless we have identified patterns or
relationships that describe an observable characteristic of the attack, or its behavioral impacts. This usually means we need to
experience an attack before we can defend against it.

An attack can result in:

A modified server response but not a breach
An exploit, and as the result of that behavioral changes on its primary (principal) communication channel
Normal response despite being compromised.

Failure Detection and Fault Tolerance

In proactive fault tolerance, failure is assumed and mitigation is always applied (e.g., error-coding-based forward recovery
such as convolutional coding). In reactive fault tolerance, mitigation is applied only if an actual failure is suspected (e.g.,
memory checksum fails). In reactive fault tolerance, the first step is to detect an anomaly.

Hardware can fail randomly as it gets older. In this context, using identical backup components (e.g., cold or hot standby) is a
sensible approach. Several decades ago this idea was extended to the software space [8, 9, 10], but the problem is that
software faults (and vulnerabilities) are usually due to design flaws or implementation errors, not random wear, so replication
may or may not guard against failures. For example, separate groups of developers could develop functionally equivalent
components [10]. When different people are given identical specifications they may not use the exact same design and
implementation details and algorithms. In fact, it is often assumed the faults left in such software components will not be the
same, i.e., common mode or correlated, meaning two functionally equivalent versions would not fail on the same input. A
correlated failure is one where two or more components fail on the same input. If these failed components give the exact same
response, the event is known as an identical-and-wrong response event [4]. Detection of such events is difficult using
techniques that rely on the comparison of the outputs alone. A point to note is such a failure does not necessarily imply the
versions failed due to a "common cause." Identical-and-wrong results could also be the result of "small output spaces" (e.g., a
system can only give results 0 and 1, the former being incorrect, then all incorrect results will be the same) [11]. A common-
cause fault is one where multiple versions fail because they may share a faulty piece of code or component or logic. The
output of different versions in the case of a common-cause failure could be similar but need not necessarily be identical.

This means everything from the language software is written in [12], to the operating system it runs on [13], to the run-time
memory locations [14] can be used to make its run-time internals more diverse, and still keep its functional behavior the same.
The idea is to make functionally equivalent software different in the right way, so the probability of correlated failures is as close
to zero as possible. Methods that manage random failures during software operation have been studied in great detail over the
years [14, 15, 16, 17]. Diversity-based approaches work well as long as certain conditions (such as independence of failures
among versions) are satisfied. In fact, redundant functionally equivalent software has been used in practice to, for example, fly
aircraft [18] and guide trains [19].

In both acceptance-based algorithms and in comparison-based error state detection algorithms one has to decide whether
response(s) of a system is (are) acceptable. In the first case it is done against known patterns and behaviors, in the second
case it is done against the behavior (or output) of the redundant versions. The algorithm that does the comparison and decides
on this is known as an "adjudicator." There are many algorithms that are used for this purpose, from simple acceptance tests
(e.g., is the answer larger than X?), to majority voting, to median selection, to more complex comparison-based decision
analysis. We distinguish between anomaly detection and actions (mitigation) that may follow adjudication.

Effectiveness

Redundancy-based anomaly detection is beneficial only if it is effective in detecting attacks, especially because of the
increased cost of implementing it. Consider functionally equivalent but diverse versions V1, V2, ..., Vi, ..., VN, i = 1...N. Let
Tj be the j-th input vector (which may have a number of dimensions) that is received by all versions. Let there be n input
vectors (e.g., Web requests to a Web server). Let the probability that version Vi either fails (i.e., is compromised) or reacts to a
security-attack-related probe in an anomalous fashion be pAi(Tj). Let, for simplicity, for all i and j, pAi(Tj) = p. If also we
assume version failures or anomalous reactions are independent, i.e., P(version i fails | version k has failed) = P(version k
fails | version i has failed) where i ≠ k, then it can be shown [4] that the probability that N versions of the software detect an n-
sequence attack stream is

This scenario has a very high probability of detecting almost any attempt to probe or intrude even for N = 3 or 2.

On the other end of the efficiency spectrum is a scenario where all N versions have the same vulnerability. This basically means
if one component fails, all may fail with an identical response, and this exploit or probe cannot be detected. If the responses are
not identical, there is a finite probability that the failures or anomalies stemming from this vulnerability or vulnerability probe will
be detected. It can be shown [4] that in the first approximation, the probability that such an N-tuple detects such an attack is

where N is the conditional probability that the N output vectors from the versions are accepted and are identical given that all
the versions have failed.

A natural question in this context is "How often and how many Web servers (different versions or manufacturers) harbor an
identical vulnerability?"

Analyzing Vulnerabilities

As part of this work we studied a number of major vulnerabilities or security issues found in the last five or so years in popular
Web servers [6]. We investigated in depth the two most commonly used Web servers [7]: Nginx and Apache. In the case of
Apache, we investigated vulnerabilities in version 2.4. In some cases, the same issue was present in both server brands. The
aim was to analyze comparisons between functionally equivalent but diverse servers as a potential vulnerability/attack
detection mechanism. Table I summarizes the results.

We see that of the nine vulnerabilities studied in the case of Nginx, four of them can be caught using comparisons (or back-to-
back testing [4]). Most of the other vulnerabilities did not specifically show any change in output along the principal port of
communication (port 80 for HTTP and 443 for HTTPS). This means there is no difference that could be recognized through
comparison of principal port outputs from multiple versions. In the case of Apache, of the five vulnerabilities we studied, three
were detectable using comparisons between server outputs. In other words, for the two Web server brands we studied, about
half of the vulnerabilities could be detected using comparisons, while the other half remained undetected.

In addition to the vulnerabilities in the table, we also examined a few additional vulnerabilities that affected the Web servers,
and caught the attention of the media. These additions were for the most part lateral compromises that also included a few
vulnerabilities in the Web server core. They were found by monitoring tech news sites like Hacker News [20] and blogs like
Sucuri [21], and other outlets [22, 23, 24, 25, 26, 27].

Table II illustrates how long it has taken the community to detect or act on inherent vulnerabilities found in the Web server core
and in add-ons, as well as some that identify a lateral exploit. In the case of inherent vulnerabilities the time taken is the time
that an exploitable version has been out in the open without a patch available. All vulnerabilities listed can be detected using
back-to-back testing. On the average it would appear it has taken about three years or so to detect such vulnerabilities and
exploits. By the time they are found considerable harm can be caused. Usually a difficult-to-find vulnerability is detected only
when it starts to affect a large number of public machines.

The number of inherent vulnerabilities appears to be much higher than that of lateral (or indirect) compromises. One reason is
probably that lateral compromises may not use the main communication channel (e.g., port 80) for propagating the
compromise. In that case, monitoring that channel may not reveal much. Unfortunately, laterally injected vulnerabilities appear
to be more dangerous.

All vulnerabilities and attacks listed in Table II [6] show some change in outputs on the principal Web server port of
communication. This is what makes them detectable using a diversity-based technique. Further, each vulnerability does not
manifest in all Web servers simultaneously (e.g., only Nginx and Apache are affected, but MS IIS is not), or only in some
particular environment (e.g., Windows only).

Case Studies

The following cases illustrate how a triply redundant system could catch some of the (difficult) attacks. More details are
available in [6].

Linux/Cdorked.A Attack 2013

This is a situation where the Web server was compromised through a laterally injected exploit. This particular attack was, at
the time, called the most sophisticated attack on Apache-like Web servers [28]. It is known to affect versions of Apache and
Nginx. A recent Windigo report [29] indicates Cdorked was part of a larger operation, and a previous exploit on OpenSSH
known as Ebury was used to deploy Cdorked. What is interesting is the malware was written specifically for each of Apache,
Nginx, and Lighttpd. Though much of the code was reused, the hooks for each version were different based on the targeted
server.

What Happened?

Intrusion to inject Cdorked.A does not appear to leave any trace in the logs of the affected system, but Cdorked.A code is
detectable if one knows where to look (or has a way of checking uncompromised installation logs). It always operates only in
memory. Thus a simple restart destroys all evidence of its operation. Initially the speculation was a flawed installation of add-
ons from a compromised (fake) installer. The Windigo report [29] describes the method used by the attackers. A lateral
compromise, which successfully broke into OpenSSH, gave the attackers access to deploy Cdorked. What made things
worse is that the attack was designed in a way that made it very hard to detect by administrators of the machines. The
infected Web servers had a plugin/module that sent the user a URL redirect based on conditions that included a random factor
as well. Some of these conditions involved a check to see if the URL was from an admin-like page. If it was not, the redirect
happened. Since the malware was limited to in-memory operation, and Cdorked.A made sure that no information was stored in
the logs, detection of Cdorked.A was a challenge.

How can Redundancy Help?

Our analysis shows detection of this malware would have been much easier using back-to-back comparisons. Because it
affected only Apache, and a small number of Nginx and Lighttpd server versions, functionally equivalent servers such as IIS
remained unaffected.

Therefore, a triply redundant diverse system based on Apache, Nginx, and IIS could have identified the compromise
automatically by comparing results of the relatively simple combination of system inputs and outputs. The random factor built
into the attack/compromise complicates the situation a bit. The same input query, when passed to multiple infected servers,
would only sometimes generate the malicious redirect. Therefore the probability of redirect detection was lower, but this also
meant even without the use of diverse (different) servers, redundancy would have been effective in detecting an unusual
behavior. Use of different servers adds an additional advantage. Simple Web server status codes and response sizes could
have been used to construct a back-to-back testing mechanism, and would have raised an alert provided a sufficient number
of requests were given to the system.

Obviously it is possible to experience false alarms. However, multiple such alerts should indicate that something is wrong.
This is better than what was actually experienced with this malware. Web server administrators did not know their servers had
been compromised, in some cases for over six months [26]. Cdorked.A had been initially noticed in August 2012, but without
much idea of what exactly it was. ESET and Sucuri analyzed and wrote a script to detect this rogue module in early February
2013 when the attack gained momentum [29]. Several thousand servers were infected even after this, as it was only on March
20th and later that antivirus scanners added this to their databases.

This particular attack affected both Apache and Nginx. It is possible that an attack could affect all types of servers a diversity-
based approach uses. But, even in such a case, use of three compromised Apache and Nginx servers may have potentially
detected the attack. The trigger for redirection included a random factor, which makes the probability of identical-and-wrong
outputs less than one and gives a chance of detecting this particular attack even with compromised servers so long as the
random events do not coincide.

It is also important to note that in all situations discussed herein, it is assumed that the output comparator is not compromised (i.e.,
that it does not "lie"). That can be achieved in a number of ways. For example, protected (read-only) code, independent
(remote, perhaps cloud) processing, and similar.

An Nginx Vulnerability (CVE-2013-4547)

In November 2013, an engineer from Google discovered a vulnerability in Nginx [30]. This vulnerability could have allowed an
attacker to bypass security restrictions. This is an inherent fault in the software, and it is exploited through specially crafted
server communication port requests. Again a comparison-based system could help detect this attack.

What Happened?

When a request is passed to a vulnerable Nginx (versions 0.8.41 through 1.4.3 and 1.5.x before 1.5.7) checks were not
performed on unescaped space characters. The space character is an invalid character according to the HTTP protocol [31,
32, 33]. This was permitted for compatibility reasons. This allowed for certain security restrictions to be bypassed in some
cases. For example, this made it possible to access a directory with permissions set to "deny all" [6]. This exploit needed a tool
like Telnet, which sends the HTTP request as-is without modifying or escaping characters. According to the error report, this
flaw was released sometime in 2010. Three years to discovery/patch is quite a while, considering millions of Web servers
throughout the world use Nginx. Fortunately, this vulnerability may not have been exploited too frequently because of its pre-
requisite requirements. Furthermore,

How can Redundancy Help?

Having a back-to-back comparison option in place could have detected this potential zero-day attack. Consider a very simple
system. Let us say the system has three Web servers (sensors) and an independent and protected comparator. Let one of
these be Nginx-based, and the other two be Apache- and IIS-based.

Figure 2 illustrates the approach. The input is the attack Web request. All Web servers are passed the same request. Let's
assume the comparator looks only at the status codes. In this example, only Nginx is vulnerable and it returns the 200 status
code (OK) and the response itself. However, the other two servers return a 403 (Forbidden), as they should. In this case
Nginx automatically causes a disagreement, and hence an alert. In this example, two-version redundancy would have
detected the issue. Alert mitigation would have to be considered separately.

The Heartbleed Vulnerability (CVE-2014-0160)

A vulnerability in OpenSSL was reported on April 7, 2014 by Neel Mehta at Google. This particular vulnerability had large
potential impact. It is thought to have left two-thirds of the servers on the Internet vulnerable [34]. At least half a million servers
were still exposed on April 10th (three days after the exploit was disclosed). The attack does not leave an obvious trace, and
can provide an attacker with information such as private keys, or even user account passwords [22, 35]. It was caused by a
simple implementation error.

What Happened?

In SSL, an extension called heartbeat keeps a session alive provided both parties want to keep the session alive even though
they currently have no data to exchange. It consists of a payload and a matching response to make sure that the connection is
functional. The payload is supposed to be limited to 16 KB according to RFC 6520 [36]. However, the vulnerable
implementations had a missing bound check on the size of the payload. Since the response is supposed to contain the original
payload sent to the server, the server copies this back for the response. Let a small payload, say one byte, be sent, but let the
length of the payload be set to 65,535 bytes. With the bug present, the server does not check the size, and copies back into the
response to the client 65,535 bytes. This means the library copies from memory segments it was not meant to read. This
allowed attackers to get passwords and private key information [35].

How can Redundancy Help?

This is a case of an inherent attack, but the problem is with a third-party add-on, and not directly with the Web server. Diversity
could have been used to detect the first attempt at exploit. All the information exchange takes place over port 443 (or the
primary port for communication of a web server when using HTTPS). This being the case, if a diversity-based setup were to
inspect all traffic on this port, and not just basic requests and responses (not just the GET and POST), this attack would be
very simple to catch. An improper implementation of SSL would return more than 16 KB of data whereas any other
implementation would fail without a response. In this case diversity would have to involve servers not using OpenSSL. For
example, Microsoft services utilize SChannel as opposed to OpenSSL and thus anything using a Microsoft-based stack
remains unaffected [37].

Discussion

Some of the vulnerabilities in Table II could be detected just by looking at the size of the responses from the Web server.
Some would require analyzing the output from each of the Web servers, while some would be caught if the logs for each
request were analyzed. The Heartbleed vulnerability showed not only that every request to the server should be analyzed to some
extent, but that every input over the principal port of communication (443 in the case of HTTPS) should be compared.

Figuring out how many parameters from the various output vectors need to be compared to detect most of the attacks is a
question that needs to be answered as part of the comparator design. Our work [6] indicates that an output vector that has at
least five different parameters may be sufficient to catch practically all attacks we have examined. However, it should be noted
that comparing longer output vectors carries a cost and complexity penalty.

For redundancy to make economic sense, the increase in the cost needs to be justified by the need for an increased ability to
detect attacks. In the case of an IoT-based system that may be operating for months and years without any direct
administrative intervention or oversight, this investment may be worthwhile.

The voting-based algorithms and solution proposed by Totel et al. [5] is a redundancy- and diversity-based solution intended to
catch security vulnerabilities in static Web server content situations. The authors observe that for their architecture to work
with dynamic content, such as scripts and databases, replication would need to be at many levels and each component would
be dealt with individually. The following have to be considered when trying to implement a redundancy-based system.

Masking design differences. When multiple versions of software are designed to do the same thing, they are all designed
according to a specification. There will always be some parts where the specifications are not exact. At this point it is usually
up to the developers to decide how to do it. In the case of Web servers, one would probably have multiple functionally equivalent
COTS (commercial off-the-shelf) components developed by different manufacturers. This means each group of developers
may have implemented the less fully specified portion of the software in a different manner. To compare the outputs from such
software, we may need to mask the design differences.

A simple example would be a URL terminating with a "forward slash." It is treated differently on different Web servers. If a
directory is requested, a terminating forward slash does not make a difference in the case of the request. However, servers may
handle a request with a slash slightly differently than the one without it.

So before the request is passed on to each Web server, steps need to be taken to mask design differences. This might have
to be done by modifying the request before the request is passed to the Web server, or by normalizing output after the
response is received from the Web server [5, 11].
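As an added example (not code from the article or from the thesis it cites), the following comparator puts the case studies and the masking discussion above into one piece of code: each diverse version's response is reduced to an output vector, the trailing-slash design difference is masked, and a field-wise vote raises an alert on any disagreement. Server names, paths, sizes and the redirect host are constructed sample values.

```python
"""Field-wise back-to-back comparator over diverse web servers (added example)."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

HEARTBEAT_MAX = 16 * 1024  # RFC 6520 payload limit the article cites


@dataclass(frozen=True)
class Response:
    server: str                     # which diverse version answered (constructed names)
    path: str                       # request path that was sent to every version
    status: int                     # HTTP status code
    body_len: int                   # bytes in the response body
    location: Optional[str] = None  # Location header, if any
    heartbeat_probe: bool = False   # True when the exchange was a TLS heartbeat
    heartbeat_len: int = 0          # bytes echoed back to the heartbeat (0 = none)


def normalize(r: Response) -> Dict[str, Optional[object]]:
    """Reduce a raw response to an output vector, masking design differences.
    A field set to None means 'not observed' and is ignored by the vote."""
    loc = urlsplit(r.location) if r.location else None
    # Design difference the article names: a directory request without a trailing
    # slash is served directly (200) by some servers and redirected to path + '/'
    # by others. Fold the same-site slash redirect into a 200 and drop its size.
    if r.status in (301, 302) and loc and not loc.netloc and loc.path == r.path + "/":
        return {"status": 200, "size": None, "redirect_host": None, "heartbeat": None}
    vec = {
        "status": r.status,
        # coarse log2 bucket: error pages of slightly different length agree,
        # a full page next to an error page does not
        "size": round(math.log2(r.body_len + 1)),
        # an off-site redirect is recorded by its target host; '-' means no redirect
        "redirect_host": (loc.netloc or loc.path)
        if r.status in (301, 302, 303, 307) and loc else "-",
        "heartbeat": None,
    }
    if r.heartbeat_probe:
        vec["heartbeat"] = ("overflow" if r.heartbeat_len > HEARTBEAT_MAX
                            else "reply" if r.heartbeat_len else "no-reply")
    return vec


def adjudicate(responses: List[Response]) -> Tuple[bool, List[str]]:
    """Field-wise majority vote over the N output vectors.
    Alerts on ANY disagreement: when two of three versions share a vulnerability
    the majority is wrong, but the lone correct version still exposes it."""
    vectors = {r.server: normalize(r) for r in responses}
    alert, suspects = False, set()
    for field in ("status", "size", "redirect_host", "heartbeat"):
        observed = {s: v[field] for s, v in vectors.items() if v[field] is not None}
        if len(set(observed.values())) <= 1:
            continue
        alert = True
        (top, count), = Counter(observed.values()).most_common(1)
        if count * 2 > len(observed):   # strict majority: name the dissenters
            suspects.update(s for s, v in observed.items() if v != top)
        else:                           # no majority: every version is suspect
            suspects.update(observed)
    # acceptance test that does not depend on the vote: nothing may echo > 16 KB
    for r in responses:
        if r.heartbeat_probe and r.heartbeat_len > HEARTBEAT_MAX:
            alert, suspects = True, suspects | {r.server}
    return alert, sorted(suspects)


def monitor(stream: List[List[Response]], threshold: int = 2) -> Dict[str, object]:
    """Run the comparator over an n-request stream. A single disagreement may be
    a false alarm; repeated blame on one version is what should be acted on."""
    alerts, blame = 0, Counter()
    for responses in stream:
        alert, suspects = adjudicate(responses)
        alerts += int(alert)
        blame.update(suspects)
    return {"alerts": alerts, "suspects": dict(blame),
            "escalate": sorted(s for s, n in blame.items() if n >= threshold)}


# --- constructed sample exchanges (not captured traffic) ----------------------
# Request carrying the unescaped space the Nginx case describes: the vulnerable
# version serves it, the other two refuse, as in Figure 2.
SPACE_REQUEST = [Response("nginx", "/restricted ", 200, 1480),
                 Response("apache", "/restricted ", 403, 199),
                 Response("iis", "/restricted ", 403, 230)]
# Directory request: two versions redirect to '/docs/', one serves it directly.
DIR_REQUEST = [Response("apache", "/docs", 301, 230, location="/docs/"),
               Response("nginx", "/docs", 200, 4096),
               Response("iis", "/docs", 301, 150, location="/docs/")]
# Cdorked-style behaviour: the infected version sometimes injects an off-site
# redirect (random factor), so one request alerts and the next does not.
CDORKED_HIT = [Response("apache", "/index.html", 302, 0, location="http://redirect.invalid/"),
               Response("nginx", "/index.html", 200, 4096),
               Response("iis", "/index.html", 200, 4100)]
CDORKED_MISS = [Response("apache", "/index.html", 200, 4096),
                Response("nginx", "/index.html", 200, 4096),
                Response("iis", "/index.html", 200, 4100)]
# Heartbeat probe: the two OpenSSL-based versions echo 65,535 bytes, the
# SChannel-based one sends nothing back.
HEARTBEAT = [Response("nginx", "(heartbeat)", 0, 0, heartbeat_probe=True, heartbeat_len=65535),
             Response("apache", "(heartbeat)", 0, 0, heartbeat_probe=True, heartbeat_len=65535),
             Response("iis", "(heartbeat)", 0, 0, heartbeat_probe=True, heartbeat_len=0)]
```

In the heartbeat exchange the vote alone would blame the dissenting SChannel server; the 16 KB acceptance test is what adds the two versions that actually overflowed.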

Costs. Even if a system can detect and prevent 100 percent of the attacks that come its way, it is not a viable solution unless
it is affordable. Redundancy requires the use of extra resources. In IoT systems, particularly large autonomous ones such
as cars of the future, autonomous farm equipment, or house alarm systems, etc., this may be a justifiable and in fact required
expense. Furthermore, cloud computing may help a lot in this context. In the cloud it is very easy to spin up an instance and
bring down an instance as required. Hence in the case we detect an attack, and we know which server or sensor may have
been compromised, the system can be brought back to a safe state and the detection process restarted. This would typically
involve bringing up a new virtual machine, rolling forward so that all the Web servers are in sync and in the same state. This
process is achieved very easily in the cloud. In a field-deployed IoT sensor situation the cost of operating redundant sensors
may not be high, but recovery from an anomaly may be very situation specific.

Conclusions And Future Work

We have shown diversity-based detectors may help identify attacks that otherwise cannot be detected easily, including quite a
few zero-day attacks. In this day and age of cloud computing, and thus perhaps readily available functionally equivalent
services, such an approach may make economic sense [9]. In the IoT world, each component has an IP and an API. IoT units
may be in the field for months and years without much administrative oversight. In fact, given the diverse nature of IoT
elements and their scale, scope, and speed, securing them is orders of magnitude more complex than securing the more
monolithic entities of today. Having redundancy, just to increase reliability and preserve functionality of IoT elements, makes
sense. Leveraging diverse redundancy to provide security awareness seems like a natural extension.

Diversity-based attack detectors need to be secure and need to have a low false positive rate to be practical. For example, an
anomaly detection system that identifies 30 percent of the inputs as an attack when the actual number of attacks is only about
two or three percent may not be very useful. Mitigation of detected attacks is a separate question.

Acknowledgments

This work is supported in part through NSF grants 0910767, 1330553, and 1318564, the U.S. Army Research Office (ARO)
grant W911NF-08-1-0105, the NSA NCSU Science of Security Lablet, and by the IBM Shared University Research and
Fellowships program funding.

References

[1] Symantec. 2013 Internet Security Threat Report, volume 18. 2013.

[2] The Mitre Corp. CWE/SANS Top 25 Most Dangerous Software Errors. Sept. 13, 2011.

[3] D. McAllister and M. Vouk. Fault-tolerant software reliability engineering. In Handbook of Software Reliability Engineering.
McGraw-Hill, Hightstown, NJ, 1996, 567-614.

[4] M. A. Vouk. Back-to-back testing. Inf. Softw. Technol. 32, 1 (Jan. 1990), 34-45.

[5] E. Totel, F. Majorczyk, and L. Me. COTS diversity based intrusion detection and application to web servers. In the
Proceedings of the 8th International Conference on Recent Advances in Intrusion Detection (RAID'05). Springer-Verlag, Berlin,
Heidelberg, 2006, 43-62.

[6] R. Venkatakrishnan. Redundancy Based Detection of Security Anomalies in Web Server Environments. North Carolina
State University. M.S. thesis, 2014.

[7] Netcraft. October 2015 web server survey. Oct. 16, 2015.

[8] B. Randell. System structure for software fault tolerance. IEEE Transactions on Software Engineering 1, 2 (June 1975),
220-232.

[9] A. Avizienis and J. P. J. Kelly. Fault tolerance by design diversity: Concepts and experiments. Computer 17, 8 (Aug. 1984),
67-80.

[10] D. Eckhardt, A. K. Caglayan, J. Knight, L. D. Lee, D. McAllister, M. Vouk, and J. Kelly. An experimental evaluation of
software redundancy as a strategy for improving reliability. IEEE Transactions on Software Engineering 17, 7 (July 1991), 692-
702.

[11] D. F. McAllister, C. E. Sun, and M. A. Vouk. Reliability of voting in fault-tolerant software systems for small output spaces.
IEEE Trans. Rel. 39, 5 (1990), 524-534.

[12] A. Avizienis, M. R. Lyu, and W. Schultz. In search of effective diversity: a six-language study of fault-tolerant flight control
software. In the Eighteenth International Symposium on Fault-Tolerant Computing (FTCS-18). IEEE, Washington D.C., 1988,
15-22.

[13] M. Garcia, A. Bessani, I. Gashi, N. Neves, and R. Obelheiro. Analysis of operating system diversity for intrusion
tolerance. Software: Practice and Experience 44, 6 (2014), 735-770. DOI: 10.1002/spe.2180.

[14] H. Shacham, M. Page, B. Pfaff, Eu-Jin Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space
randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS'04). ACM,
New York, 2004, 298-307.

[15] M. R. Lyu. Software Fault Tolerance. John Wiley & Sons, New York, 1995.

[16] M. R. Lyu et al. Handbook of Software Reliability Engineering. McGraw-Hill, 1996.

[17] J. C. Laprie. Dependability: Basic concepts and terminology. Springer, 1992.

[18] Y. Yeh. Design considerations in Boeing 777 fly-by-wire computers. In the Third IEEE International Symposium on High-
Assurance Systems Engineering. IEEE, Washington D.C., 1998, 64-72.

[19] H. Kantz and C. Koza. The ELEKTRA railway signalling system: Field experience with an actively replicated system with
diversity. In the Twenty-Fifth International Symposium on Fault-Tolerant Computing. IEEE, Washington D.C., 1995, 453-458.

[20] Y Combinator. Hacker News.

[21] Sucuri Inc. Sucuri Blog.

[22] B. Schneier. Heartbleed. Schneier On Security. Blog. April 9, 2014.

[23] D. Sinegubko. Mysterious zencart redirect leverages HTTP headers. Sucuri Blog. Feb. 16, 2014.

[24] L. Constantin. Cybercriminals offer malware for Nginx, Apache Web servers. ComputerWorld. Dec. 24, 2013.

[25] Symantec. Java.Tomdep. Security response. 2013.

[26] D. Goodin. Ongoing malware attack targeting Apache hijacks 20,000 sites. Ars Technica. April 2, 2013.

[27] Symantec. Trojan.Apmod. Security response. 2011.

[28] ESET. ESET and Sucuri uncover Linux/Cdorked.A: The most sophisticated Apache backdoor. Press release. April
29, 2013.

[29] O. Bilodeau, P.-M. Bureau, J. Calvet, A. Dorais-Joncas, M.-E. M. Léveillé, and B. Vanheuverzwijn. Operation Windigo:
The vivisection of a large Linux server-side credential-stealing malware campaign. White paper. ESET. March 2014.

[30] Common Vulnerabilities and Exposures (CVE). Vulnerability in NGINX, CVE-2013-4547. 2013.

[31] J. Starr. Stop using unsafe characters in URLs. Perishable Press. Dec. 31, 2012. Updated Nov. 3, 2015.

[32] T. Berners-Lee, R. Fielding, and L. Masinter. Uniform Resource Identifier (URI): Generic syntax. RFC 3986. IETF.
Network Working Group. Jan. 2005. The Internet Society.

[33] T. Berners-Lee, L. Masinter, and M. McCahill. Uniform Resource Locators (URL). RFC 1738. IETF. Network Working
Group. Dec. 1994.

[34] D. Goodin. Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping. Ars Technica. April 7,
2014.

[35] D. Goodin. Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style. Ars Technica. April 8,
2014.

[36] P. Ducklin. Anatomy of a data leakage bug: the OpenSSL "heartbleed" buffer overflow. Naked Security. April 8,
2014.

[37] L. Tung. Google, AWS, Rackspace affected by Heartbleed OpenSSL flaw, but Azure escapes. ZDNet. April 10,
2014.

Authors

Roopak Venkatakrishnan received his bachelor's degree in computer science from Anna University, Chennai in 2012 and a
master's in computer science from North Carolina State University in 2014. He is currently a software engineer at Twitter.

Dr. Mladen Alan Vouk is a distinguished professor and department head of computer science. He is also director of the North
Carolina State Data Science Initiative. Dr. Vouk has extensive experience in both commercial software production and
academic computing. He is the author/co-author of more than 300 publications. His interests include software and security
engineering, bioinformatics, scientific computing and analytics, information technology assisted education, and high-
performance computing and clouds. Dr. Vouk is a member of the IFIP Working Group 2.5 on Numerical Software, and a
recipient of the IFIP Silver Core award. He is an IEEE Fellow, and a recipient of the IEEE Distinguished Service and Gold Core
Awards. He is a member of several IEEE societies, and of ASEE, ASQ (Senior Member), ACM, and Sigma Xi.

Figures

Figure 1. Types of attacks on Web servers.

Figure 2. Comparison could be used to detect the Nginx vulnerability and decide on the correct
response.

Tables

Table 1. Apache and Nginx vulnerabilities

Table 2. Time taken to detect some web server compromises.

2016 ACM $15.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee
provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full
citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright 2016 ACM, Inc.
