Internet Research Data
The attackers can inject instructions to the executables.
Instead of executing the executable directly, we add randomizations to the executable, and de-randomize when execute.
- Use a key to XOR with the instruction, and XOR again when execute
Address space layout randomization (ASLR) is a memory-protection process for operating systems to guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
The success of many cyberattacks, particularly zero-day exploits, relies on the hacker’s ability to know or guess the position of processes and functions in memory.
ASLR is able to put address space targets in unpredictable locations. If an attacker attempts to exploit in an incorrect address space location, the target application will crash, stopping the attack and alerting the system.
ASLR was created by the Pax Project as a Linux patch in 2001.
- It was integrated into the Windows operating system beginning with Vista in 2007. Prior to ASLR, the memory locations of files and applications were either known or easily determined.
- Adding ASLR to Vista increasing the number of possible address space locations to 256, meaning attackers only have a 1 in 256 chance of finding the correct location to execute code.
- Apple began including ASLR in MAC OS X 10.5 Leopard, and Apple iOS and Google Andriod both using ASLR in 2011.
 Deception is a mechanism that attempts to distort or mislead an attacker into taking a course of action that is more suited to the goals of the defender.
A common deception defense is the use of network honeypots.
A honeypot is a commuter system that is designed to be a trap for unauthorized accesses.
Honeypots are deployed within a network to appear like normal, active systems to an outsider.
How to build honeypots
- One of the deception technique is mimicking. A honeypot attempts to mimic a real system to fool the adversary into probing and/or attacking it.
- The amount of interaction the honeypots respond to queries with information that represents a possible system within the infrastructure but unlike a normal system, it maintains a very detailed logs of all interactions. From these detailed logs, administrators can gain insight into an attacker’s goal and methods as well as put in place other measures to hopes of preventing an attack.
 Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses, by Michael Crouse, in MTD15
- Web application remains the most popular way for businesses to provide services over the Internet. It is the “front door” of many companies, and therefore their security is of paramount importance.
- Example 
- JPMorgan Chase breach in 2014 affected 76 million US households
- Bloomberg reported that the hackers exploited an overlooed falow in one of the bank’s webistes.
- The efforts in discovering and fixing vulnerabilities are not enough to protect web applications for many reasons 
- The increasing complexity of modern web applications brings inevitable risks that cannot be fully mitigated in the process of web application development and deployment
- Attackers can take their time, to understand the web application’s functionality and technology stack, before launching an attack
- Ref 
- The key issue is to design MTD mechanism that
- Prevent or disrupt a vulnerability or exploit
- While still providing the identical functionality
- Choose what component to move in a web application
- Decide the optimal time and how often to move components
- Change the server-side language used in a web application
- automatically translating server-side web application code to another language in order to prevent Code Injection exploits
- Shifts the Database used in a web application
- transform the backend SQL database into different implementations that speak different dialects in order to prevent SQL Injection exploits.
 Toward a Moving Target Defense for Web Applications, by Marthony Taguinod et al., in International Conference on Information Reuse and Integeration 2015
1. If there are n computers, among which 1 is vulnerable. Each computer is assigned an IP address, the attackers probe randomly on the IP address to check whether its corresponding computer is vulnerable. If the IP addresses of all computer randomly shuffled after each attacker’s probe. What is the probability that the attacker will find the vulnerable machine?
 Analysis of Network Address Shuffling as a Moving Target Defense, by Thomas E. Carroll, in ICC14
The SDN paradigm creates a separation between data plane processing and control flow processing.
- data plan processing
- control flow processing
- determine how to populate forwarding tables
The OpenFlow protocol acts as an API between network switches and a logically centralized decision maker, called the OpenFlow controller. In this model,
- Network switch
- cache data flow rules
- when a switch receive a packet and does not know how to forward it according to its cached rules, the switch sends an “elevation” request containing the original packet and a request for guidance to the controller
- OpenFlow Controller
- examines the packet and sends a set of rules that the switch should add to the data plane cache for use in forwarding packets.
DDos Attack on the controller
- DDos Attack on the controller 
- Since the switches will send all the packets it cannot handle to the controller
- There is no need for an attacker to catch the IP address or location of the controller through scanning before launching an attack. The attackers can send some specific attack packets and abnormal packets to SDN networks, all switches will automatically forward these packets to their controller.
- Attackers send packets to probe whether the target is SDN architecture 
- Every flow entry in the flow table of a switch contains three items, i.e., rule, action and stats.
- The attacker can make a new or abnormal packet from carefully selected IP, Port, MAC etc., and then send it to the switch.
- Generally, there is no rule in the switch matching the fresh packet sent for the first time. The packet will be uploaded to the controller, and then the controller will broadcast this packet’s information to all the network interface to find its route.
- Once getting the route, the controller will issue corresponding rules to the switch’s flow table. Otherwise, the controller will make a rule to switch to drop these packets. This whole response will take a long time.
- Then the attacker will send a group of packets with the same information for a second time to the switch, if the response time is much shorter than that of the first time, the network can be determined to be SDN architecture.
- An attacker may launch Blind DDoS directly on the network which claims to be SDN network architecture or switch the attackers has already known is SDN system by scanning.
- Mininet 
- can be used to create a network of OpenFlow switches that are connected according to your plan.
 Defending Blind DDoS Attack on SDN Based on Moving Target Defense, by Duohe Ma, Zhen Xu and Dongdai Liu, in SecureCOMM14
 OpenFlow random host mutation: Transparent moving target defense using software defined networking, by J. H. Jafarian, in HotSDN 2012
Reconnaissance enables adversaries to gather information about the target system including network topology, configurations, network dynamics.
This information can be used to identify system vulnerabilities, and to design and execute specific exploits.
Procedure of Attack
Most network mapping tools perform their operations by using ICMP packets and TCP or UDP scans.
- ICMP messages are typically used to verify connectivity or reachability of potential targets. TCP and UDP port scans are used to identify running services of a target.
- Replies (RCP RST, silent drop of ICMP unreachable) to scans can also reveal what services are allowed or filtered through transit devices.
- Additionally, the TTL field of IP packets is used to identify the distance between the target and the destination.
 SDN-based solutions for Moving Target Defense Network Protection, by Panos Kampanakis, in WoWMoM14
- Scanning Worms
-  Scanning tools and worms usually send probes to random IP addresses in the network in order to discover their targets.
- When a target responds, it can then be identified and attacked. Otherwise, the probed addresses will be considered unused.
- Despite firewall deployment, most enterprise networks have many public and private hosts accessible from outside.
- The IP address assignment scheme can become more dynamic by using approaches based on DHCP or NAT, but they are insufficient to provide proactive countermeasure because the IP mutation is infrequent and traceable.
- Network mapping threat
- Prior work focused on defending hit-list scanning malware utilized DHCP to change the IP address of the host over time
- However, this change can disrupt existing connections.
- This can be solved by placing an intermediate NAT-like box in the network and transparently transition to the new address over time.
- The NAT-like device provided similar address translating behavior, with additional logic to preserve old addresses while they are still in use by previously established connections.
- IP address randomization 
- Rather than changing out the DHCP lease to achieve randomization, they randomly rotate the IP address contained in the DNS reply and notified the NAT device.
- The NAT device then allows new connections with that IP to reach the requested host by mapping it to the host’s fixed internal address.
- Using NAT to hide the real IP address of the server will make it difficult to reach legitimate hosts remotely. 
- Network Address Space Randomization (NASR) 
- It was proposed to offer an IP hopping approach that can defend against hitlist worms.
- NASR is a LAN-level network address randomization scheme based on DHCP updates.
- Not transparent
- NASR is not transparent to end-hosts because DHCP changes are applied to the end-host itself which results in disruption of active connections during address translation.
- Expensive to deploy
- Moreover, it requires changes to the end-host operating system which makes its deployment very costly.
- Limited unpredictability
- Also, NASR provides very limited unpredictability and mutation speed because its IP mutation is limited on the LAN address space and will require DHCP and host to be reconfigured for this purpose (the maximum IP mutation speed in once very 15 minutes).
Network Address Randomization
- IP address randomization 
- Requires the DNS gateway in both the clients and servers to do the translation
DNS Capability Approach
- Ref 
- The mapping system was implemented using two components
- A DNS server
- Provide clients with the destination IP address of a targeted server at that moment
- A NAT mapping device
- Grant the client access to the server when a destination mapping is used.
- It stores the state for each established flow, allowing the DNS server to change addresses and providing a unique response to each new client without disrupting the established flow.
- My questions
- As the NAT needs to maintain so many states, will it result in DDoS attack?
OpenFlow Mutation Approach
- Ref  
- Similar to DNS Capability approach.
- The network switches plays the role of NAT devices.
- When the switch receives a packet and does not known how to forward the packet, it can ask for instructions (called elevation) from a specific machine, called the OpenFlow controller.
- The OpenFlow mutation approach uses this elevation mechanism to alter the NDS records and to change packet address in flight.
- When a client performs a DNS lookup, the DNS server will provide the client with a virtual IP address for a target.
- When the client attempts to access the target, the packet is forwarded using the virtual IP address until it reaches the destination switch, at which point it is translated to the destination host’s real IP address. The network switches essentially act as NAT devices, performing translations between virtual and real IP addresses.
Communication via Name
- Steps 1-3
- When a DNS query is sent to resolve the name of a host
- The DNS response is updated by the NOX controller to replace the rIP of the server with its active vIP
- The NOX controller also sets the TTL value in the DNS response to a small value.
- Step 4
- The source host can then initiate the connection using the vIP of the destination
- The OF-switch encapsulates and sends the initial packet to the controller, because there is no matching flow for it.
- Step 5
- The NOX controller installs relevant flows in OF-switches in the route.
- These flows are associated with relevant required Set-Field actions which determine the translation of source/destination rIP addresses to/from vIP addresses
- Relevant flows are installed in destination OF-switch as well. Any other switches in the path are only configured (i.e., flows with no actions) to route the traffic based on vIP.
- Future packets will be matches and forward by OF-switches (without being sent to controller) according to the installed flows in the flow table.
- The vIP-rIP translation actions will be applied to packets by OF-switches.
Communication via rIP address
Figure 3 shows how authorized users (e.g., administrator) can reach hosts using rIPs. In this case, the source host initiates a connection with the destination using its rIP.
- Step 1
- Similar to DNS scenario, the OF-switch will fail to match the new packet with any flow and sends it to NOX controller
- Step 2
- The NOX controller authorizes the access request
- Step 3
- If granted, the controller installs appropriate flows in OF-switches in the route with appropriate vIP-rIp translation actions according to Figure 3
If the source host is internal, NOX controller installs two inbound and outbound flows in source OF-switch, same to DNS scenario.
Two flows are also inserted in the flow table of destination OF-switch.
However, destination flows require no translation, because the destination host is being reached via its rIP.
- Ref 
- The client and the server share a symmetric key out-of-band and use these keys to determine the IPv6 addresses the hosts will use.
- To construct their IPv6 address
- the hosts construct a hash using the shared key, a value derived from the host’s MAC address, and a timestamp. The approach extracts 64 bits from the hash output to encode the lower 64 bits of the host’s IPv6 address.
- To perform uniform communication between the host applications, the operating system on each host uses a tunneling approach and rotates the addresses of the tunnel end-points.
- Organizations cannot protect public-facing server infrastructure without requiring clients to install software
- The MT6D approach is only effective when both the client and the server can be modified, which prevents its use when protecting public infrastructure for legacy clients.
 MT6D: A moving target IPv6 defense, by M. Dunlop et al, in Military Communications Conference 2011.
 On building inexpensive network capabilities. by C. A. Shue et al, in SIGCOMM 2012
 OpenFlow random host mutation: Transparent moving target defense using software defined networking, by J. H. Jafarian, in HotSDN 2012
 The SDN Shuffle: Creating a Moving-Target Defense using Host-based Software-Defined Networking, by Douglas C. Macfarland, in MTD15
 Adversary-aware IP Address Randomization for Proactive Agility against Sophisticated Attackers, by Jafar Haadi Jafarian, in INFOCOM 2015
 Characterizing Network-Based Moving Target Defense, by Douglas C. MacFarland, in MTD15
 Defending against Hitlist Worms using Network Address Space Randomization, by S. Antonatos, in Computer Network 2007
 Random Host Mutation for Moving Target Defense, by Ehab Al-Shaer, Qi Duan, and Jafar Haadi Jafarian, in Securecomm 2012
Phases of Attacks
Any attack will go through at least three phases: probing, constructing and launching phases. 
If the environment stays static, the attacker has time to identify existing vulnerabilities to be exploited.
However, if the life cycle of an application version ins much shorter than it takes for the attacker to launch the attack as it will be, the attacker will not be able to succeed in exploiting any existing vulnerabilities in the cloud application.
Current Static Network/System
The static nature of current network configuration approaches has made it easy to attack and breach a system and to maintain illegal access to privileges for extended periods of time. 
- The attacker have time to study the network of defender and to determine potential vulnerabilities and choose the time of attack and gain the maximum benefit.
- Once an attacker acquires a privilege, that privilege can be maintained for a long time without being detected.
Objective of Moving Target Defense
Moving target defense aims at continuously changing a system’s attack surface, and thus
- increase the uncertainty, complexity and cost for attackers
- limit the exposure of vulnerabilities
- ultimately increase overall resiliency
The idea of moving target defense is to
- reduce information asymmetry between the attacker and the defender
- and ultimately rendering the reconnaissance information misleading or uesless
Even if the attacker succeeds in finding a vulnerability at one point, the vulnerability could be unavailable as the result of shifting the underlying system, which makes the environment more resilient against attacks.
 Autonomic Resilient Cloud Management (ARCM), by Cihan Tunc etc, in ICCAC 2014
 Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense, by Rui Zhuang, Su Zhang, Scott A. Deloach, Xinming Ou, and Anoop Singhal, in MTD 2015