Panel: Moving Target Defenses: Johnny Can't Secure, So He Moves

Moderator: Dr. Hamed Okhravi, MIT Lincoln Laboratory

Panelists:

• Dr. Samuel Weber, Senior Researcher, Software Engineering Institute, Carnegie Mellon University

• Prof. Ehab Al-Shaer, Professor and Director of Cyber Defense and Network Assurability Center (CyberDNA), University of North Carolina Charlotte

• Dr. Todd R. Andel, Associate Professor, School of Computing, University of South Alabama

Abstract:

Moving target (MT) defenses has been identified by the White House and Networking and Information Technology Research and Development (NITRD) as one of the game-changing themes to re-balance the cyber landscape in favor of defense. MT techniques make cyber systems less static, less homogeneous, and less deterministic in order to create uncertainty for the attackers.

Although many MT techniques have been proposed in the literature, little has been done on evaluating their effectiveness, benefits, and weaknesses. Many important questions remain unanswered in this domain and researchers often have opposing views on these topics. Is movement a better strategy than traditional systems security defenses? How can we change the internals of a system to defend against attacks while maintaining its functionality? Are diversity and randomization effective defensive strategies? Is dynamics without randomization and diversity (e.g. rotating virtual machines) an effective defense? How much diversity is enough? Is moving target capable of changing the landscape, or is it just another bump in the road for the attackers? How can we expose complexity to attackers, but keep the operations and maintenance simple for the defender? What are the next steps to evaluate the effectiveness of moving target defenses?

The panel seeks to debate and discuss various viewpoints on these questions. The panelists, chosen from diverse sectors and backgrounds will advocate and provide their arguments for various viewpoints about MT defenses.

Position Statements

• Dr. Weber: Via agility, moving target defenses offer the attractive proposition of proactively and directly reducing the probability of an adversary’s success. Many presume that such a reduction increases net value for defenders and decreases it for attackers, per se. A closer inspection of simple value functions shows that (1) the opposite changes in net value are possible and (2) that new attacks might have even higher net-value for attackers when a defender employs moving target defenses. We use examples from nature to illustrate: plants & sheep and flies & spiders.

• Prof. Al-Shaer: We have developed various moving target defense techniques for cyber and cyber-physical systems including random host mutation, random route mutation, VN mutation/migration, finger printing deceiving, mutable measurements for state estimation and Advance Metering Infrastructure of smart grid, and others. For each of these projects, we provided analytical and experimental techniques to evaluate the proposed MTD mechanism. In the context of the issues raised in this panel, there are number findings that we learned from these projects that we can share in this panel. First, moving target defense is evidently effective for improving the systems security and resiliency if the MTD model appropriately considers the attack model, evasion techniques and the cost. Second, Moving target defense is not limited to diversity and/or randomization approaches but it inherently includes other approaches as long as they can increase intrusion deterrence “proactively” through target non-determinism. For example, dynamic changes of system may (or may not) be MTD; it essentially depends on the outcome of the dynamic behavior on the system state. Thirds, MTD must have provable properties to show that system can be defended without jeopardizing its functional requirements. Fourth, quantitative metrics and valid evaluation is the holy grail of MTD research. Suggested evaluation criteria includes accuracy (true positive) to measure the impact on attackers, false positive to measure the impact on benign users and cost to measure the operational and deployment overhead in the system environment. Unfortunately there is no unified framework (yet) to validate and evaluate MTD mechanisms and thereby each researchers has to come up with his/he own methodology/experimentation.

• Dr. Andel: As a relatively new domain, moving target defense techniques have been focused on changing the attack space, either through randomization or diversity techniques. Most approaches to date have focused on changing the software target, through techniques such as Address Space Layout Randomization (ASLR) and Instruction Set Randomization (ISR). Additional research has focused on changing the network space through techniques such as Software Defined Networks (SDNs). I will highlight another potential area in that of dynamic hardware approaches at a circuit level. The commodity status of reprogrammable logic devices such as Field Programmable Gate Arrays (FPGAs) and Systems on Chip (SoC) has provided an opportunity to partition software onto hardware implementations which can further change via circuit obfuscation techniques.