Reverse Stack Execution in a Multi-Variant Execution Environment

Multi-variant execution allows detecting exploited vulnerabilities before they can cause any damage to systems. In this execution method, two or more slightly different variants of the same application are executed simultaneously on top of a monitoring layer. In the course of execution, the monitoring layer checks whether the instances are always in complying states. Any discrepancies raises an alarm and will result in termination of the non-complying instances. We present a technique to generate program variants that use a stack that grows in reverse direction in contrast to the native stack growth direction of the platform. Such program variants, when executed along with a normal instance in a multi-variant environment, allow us to detect stack-based buffer overflow attacks. The technique is implemented by modifying GCC to generate executables that write their stacks in opposite direction. In addition, we briefly present the technique used to build our multi-variant execution environment. Through evaluation we have shown that our prototype system can interdict the execution of malicious code in popular applications such as the Apache web server by trading off a small performance penalty for a high degree of security.