DocumentCode
665660
Title
Diversity in cloud systems through runtime and compile-time relocation
Author
Kanter, Morgon ; Taylor, Stephen
Author_Institution
Thayer Sch. of Eng., Dartmouth Coll., Hanover, NH, USA
fYear
2013
fDate
12-14 Nov. 2013
Firstpage
396
Lastpage
402
Abstract
Cloud computing has become popular in recent years due to the cost and resource savings associated with virtual machines using shared resources. Unfortunately, this mode of operation serves as a vulnerability amplifier because each computer executes multiple versions of the same operating code base carrying the same vulnerabilities. This paper explores techniques for the system's run-time loader to generate diversity from a single binary source. In addition, we describe compile-time techniques that can augment and enhance the diversity gained through the run-time system alone. Collectively, the techniques randomize the code and data of the binary, eliminating vulnerability amplification. Entropy is used as a measure of diversity and we explore the entropy gained by the techniques under several different assumptions concerning the attacker's knowledge of the system. The techniques have been implemented into Bear, a from-scratch hypervisor and microkernel designed to run military cloud applications that require resilience.
Keywords
cloud computing; military computing; resource allocation; Bear hypervisor; binary source; cloud computing; cloud systems diversity; compile-time relocation; cost savings; entropy; microkernel; military cloud applications; resource savings; runtime loader; shared resources; virtual machines; vulnerability amplification; vulnerability amplifier; Entropy; Geophysical measurement techniques; Ground penetrating radar; Kernel; Programming; Runtime; Virtual machine monitors; computer security; information security;
fLanguage
English
Publisher
ieee
Conference_Titel
Technologies for Homeland Security (HST), 2013 IEEE International Conference on
Conference_Location
Waltham, MA
Print_ISBN
978-1-4799-3963-3
Type
conf
DOI
10.1109/THS.2013.6699037
Filename
6699037