Star 0

Abstract

The protective qualities of software diversity has been known for at least three decades. Even so, more than two dozen papers related to software diversity has been published since 2008. The reason is simple: the weaknesses of commonly adopted defenses and the shift to Internet-based software distribution for traditional and mobile computer systems has caused a resurgence of interest in artificial software diversity. Software diversity offers several unique properties. Unlike many other defenses, it introduces uncertainty in the target. This is a fundamental assumptions that a wide range of attacks make; this makes diversity a broad rather than narrowly focused defense mechanism. Second, diversity offers probabilistic protection similar to cryptography — attacks may succeed by chance so security relies on high entropy. Finally, the design space of diversifying program transformations is large. As a result, researchers have proposed a diverse range of approaches to software diversity that varies with respect to threat models, security, performance and practicality. In this paper, we survey the state-of-the-art in software diversity along these dimensions and highlight fundamental trade-offs between the approaches. We also point to unresolved challenges such as error reporting and software updating and information-leakage attacks on diversified software. Finally, we argue that the research community has not yet realized the full reach of software diversity as a protection mechanism and call for research into software diversity as a defense against side-channel attacks.