Evaluating results of multiple virtual machines that use application randomization mechanism
First Claim
1. A method comprising:
initializing, by a computing system, a plurality of virtual machines (VMs), wherein initializing the plurality of VMs comprises:
for at least one particular VM of the plurality of VMs:
generating, by the computing system, a randomized instance of an operating system for the particular VM, wherein the randomized instance of the operating system for the particular VM has a randomized Application Binary Interface (ABI), the randomized ABI being a randomized version of an ABI of the operating system; and
installing, by the computing system, the randomized instance of the operating system for the particular VM on the particular VM; and
deploying, by the computing system, the plurality of VMs;
receiving, by the computing system, a series of incoming messages from a client device;
distributing, by the computing system, a copy of each incoming message in the series of incoming messages to each VM of the plurality of VMs;
receiving, by the computing system, results generated by the plurality of VMs in response to the series of incoming messages, wherein the results generated by the VMs in response to the series of incoming messages include a first result different from a second result if code executing in one of the VMs uses the randomized version of the ABI and code executing in another one of the VMs uses a publicly available version of the ABI, the publicly available version of the ABI being different from the randomized version of the ABI;
performing, by the computing system, a comparison on the results; and
in response to the comparison revealing that two or more of the results are not the same, performing, by the computing system, a cybersecurity defense action.
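
A toy model of the pipeline this claim describes, added here as an illustration and not taken from the patent: a distributor copies each message to every VM, and a result evaluator flags any message whose results differ. The call table, the call numbers, the mix of one unmodified VM with two randomized VMs, and the "quarantine" defense action are all assumptions made for the example.

```python
import random

# Constructed "publicly available" ABI: call name -> call number (not a real OS table).
PUBLIC_ABI = {"read": 0, "write": 1, "open": 2, "stat": 4}

def randomized_abi(seed):
    """Return a randomized version of PUBLIC_ABI: same calls, different numbers."""
    rng = random.Random(seed)
    numbers = rng.sample(range(1000, 10000), len(PUBLIC_ABI))
    return dict(zip(PUBLIC_ABI, numbers))

class VM:
    """Toy VM whose kernel only honours call numbers from its own ABI."""
    def __init__(self, name, abi):
        self.name, self.abi = name, abi
        self.by_number = {num: call for call, num in abi.items()}

    def syscall(self, number):
        call = self.by_number.get(number)
        return f"ok:{call}" if call else "fault:unknown-call-number"

    def handle(self, message):
        # Legitimate service code was built for this VM, so it uses self.abi.
        if message["kind"] == "request":
            return self.syscall(self.abi[message["call"]])
        # Foreign code arrives with a call number hard-coded from the public ABI.
        return self.syscall(message["raw_number"])

def distribute(vms, messages):
    """Distributor: copy every incoming message to every VM and collect results."""
    return [[vm.handle(dict(msg)) for vm in vms] for msg in messages]

def evaluate(results):
    """Result evaluator: indices of messages whose results are not all the same."""
    return [i for i, row in enumerate(results) if len(set(row)) > 1]

def run(messages, seeds=(11, 22)):
    vms = [VM("public", PUBLIC_ABI)] + [VM(f"rand{s}", randomized_abi(s)) for s in seeds]
    flagged = evaluate(distribute(vms, messages))
    # Stand-in defense action: report which messages to quarantine.
    return {"quarantine": flagged, "alert": bool(flagged)}

# Constructed message series: two ordinary requests around one carrying foreign code.
SAMPLE = [{"kind": "request", "call": "read"},
          {"kind": "foreign", "raw_number": PUBLIC_ABI["write"]},
          {"kind": "request", "call": "stat"}]
```

Ordinary requests produce the same result on every VM because each VM's own code uses that VM's ABI; only the message that relies on the public call numbers diverges and is flagged.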
Abstract
An example method includes providing, by a computing system, first randomized configuration information, generating, by the computing system and based on the first randomized configuration information, a first unique instance of a software component, providing second randomized configuration information, wherein the second randomized configuration information is different from the first randomized configuration information, and generating, based on the second randomized configuration information, a second unique instance of the software component that is executable on the runtime computing system. The first and second unique instances of the software component comprise different instances of the same software component that each are configured to have uniquely different operating characteristics during execution on the runtime computing system, and the first and second unique instances of the software component are each further configured, during execution on the runtime computing system, to output false information to an external computing system.
13 Claims
1. A method comprising:
initializing, by a computing system, a plurality of virtual machines (VMs), wherein initializing the plurality of VMs comprises:
for at least one particular VM of the plurality of VMs:
generating, by the computing system, a randomized instance of an operating system for the particular VM, wherein the randomized instance of the operating system for the particular VM has a randomized Application Binary Interface (ABI), the randomized ABI being a randomized version of an ABI of the operating system; and
installing, by the computing system, the randomized instance of the operating system for the particular VM on the particular VM; and
deploying, by the computing system, the plurality of VMs;
receiving, by the computing system, a series of incoming messages from a client device;
distributing, by the computing system, a copy of each incoming message in the series of incoming messages to each VM of the plurality of VMs;
receiving, by the computing system, results generated by the plurality of VMs in response to the series of incoming messages, wherein the results generated by the VMs in response to the series of incoming messages include a first result different from a second result if code executing in one of the VMs uses the randomized version of the ABI and code executing in another one of the VMs uses a publicly available version of the ABI, the publicly available version of the ABI being different from the randomized version of the ABI;
performing, by the computing system, a comparison on the results; and
in response to the comparison revealing that two or more of the results are not the same, performing, by the computing system, a cybersecurity defense action.
Dependent claims: 2, 3, 4, 5, 6

7. A computing system comprising:
a development computing system comprising a first set of one or more processors;
a runtime computing system comprising a second set of one or more processors;
a distributor comprising a third set of one or more processors; and
a result evaluator comprising a fourth set of one or more processors,
wherein the development computing system is configured to:
initialize a plurality of virtual machines (VMs), wherein the development computing system is configured such that, as part of initializing the plurality of VMs, the development computing system:
for at least one particular VM of the plurality of VMs:
generates a randomized instance of an operating system for the particular VM, wherein the randomized instance of the operating system for the particular VM has a randomized Application Binary Interface (ABI), the randomized ABI being a randomized version of an ABI of the operating system; and
installs the randomized instance of the operating system for the particular VM on the particular VM; and
deploy the plurality of VMs on the runtime computing system,
wherein the distributor is configured to:
receive a series of incoming messages from a client device; and
distribute a copy of each incoming message in the series of incoming messages to each VM of the plurality of VMs, and
wherein the result evaluator is configured to:
receive results generated by the plurality of VMs in response to the series of incoming messages, wherein the results generated by the VMs in response to the series of incoming messages include a first result different from a second result if code executing in one of the VMs uses the randomized version of the ABI and code executing in another one of the VMs uses a publicly available version of the ABI, the publicly available version of the ABI being different from the randomized version of the ABI;
perform a comparison on the results; and
in response to the comparison revealing that two or more of the results are not the same, perform a cybersecurity defense action.
Dependent claims: 8, 9, 10, 11, 12

13. A non-transitory computer-readable storage medium having instructions stored thereon that, when executed, cause a computing system to:
initialize a plurality of virtual machines (VMs), wherein as part of causing the computing system to initialize the plurality of VMs, the instructions cause the computing system to:
for at least one particular VM of the plurality of VMs:
generate a randomized instance of an operating system for the particular VM, wherein the randomized instance of the operating system for the particular VM has a randomized Application Binary Interface (ABI), the randomized ABI being a randomized version of an ABI of the operating system; and
install the randomized instance of the operating system for the particular VM on the particular VM; and
deploy the plurality of VMs;
receive a series of incoming messages from a client device;
distribute a copy of each incoming message in the series of incoming messages to each VM of the plurality of VMs;
receive results generated by the plurality of VMs in response to the series of incoming messages, wherein the results generated by the VMs in response to the series of incoming messages include a first result different from a second result if code executing in one of the VMs uses the randomized version of the ABI and code executing in another one of the VMs uses a publicly available version of the ABI, the publicly available version of the ABI being different from the randomized version of the ABI;
perform a comparison on the results; and
in response to the comparison revealing that two or more of the results are not the same, perform a cybersecurity defense action.

Specification