| Computer security has come a long way since the days of the first Internet worm. With the spreading and commercialization of the Internet, the stakes have gotten higher. Viruses existed and spread before most computers were online, but as global networking has spread an interesting new phenomenon has arisen: homogenous computing. Vast swathes of internet-connected computers can be placed into distinct categories such as "Linux 3.1 machines" and "Windows 7 machines", with each category having vulnerabilities that work across the entire class. Thus the Internet has acted as a vulnerability amplifier: if you infect one, you can infect many --- it has never been easier to infect a large number of systems. This thesis aims to raise the difficulty for attackers to spread exploits easily: increasing the failure rates associated with using the same exploit across multiple machines, denying surveillance of target machines and binary codes, denying persistence on a target system once it has been exploited, and eliminating common exploitation techniques. These goals are accomplished by enhancing nondeterminism in operating systems: utilizing a hypervisor to refresh microkernels and add restrictions on their operation, adding diversity to microkernels and user processes, and adding camouflage to network protocols. Collectively these techniques serve to make each running system unique, unpredictable, and difficult to identify. |
