# Bunshin: Compositing Security Mechanisms through Diversification (with Appendix)

**Authors:** Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee

arXiv: 1705.09165 · 2017-06-01

## TL;DR

Bunshin is an N-version-based system that combines multiple, even conflicting, security mechanisms to protect a single program. It distributes runtime security checks across program variants that execute in parallel and synchronizes those variants, which eliminates conflicts between checks and reduces execution slowdown.

## Contribution

It introduces an automated approach to distribute and synchronize conflicting security mechanisms across multiple program variants, enabling effective and efficient composite security.

## Key findings

- Reduces execution slowdown compared to sequential security mechanisms
- Eliminates conflicts between security checks through automated distribution
- Ensures comprehensive security by coordinating multiple program variants

## Abstract

A number of security mechanisms have been proposed to harden programs written in unsafe languages, each of which mitigates a specific type of memory error. Intuitively, enforcing multiple security mechanisms on a target program will improve its overall security. However, this is not yet a viable approach in practice because the execution slowdown caused by various security mechanisms is often non-linearly accumulated, making the combined protection prohibitively expensive; further, most security mechanisms are designed for independent or isolated uses and thus are often in conflict with each other, making it impossible to fuse them in a straightforward way.

In this paper, we present Bunshin, an N-version-based system that enables different and even conflicting security mechanisms to be combined to secure a program while at the same time reducing the execution slowdown. In particular, we propose an automated mechanism to distribute runtime security checks in multiple program variants in such a way that conflicts between security checks are inherently eliminated and execution slowdown is minimized with parallel execution. We also present an N-version execution engine to seamlessly synchronize these variants so that all distributed security checks work together to guarantee the security of a target program.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1705.09165/full.md

## Figures

9 figures with captions in the complete paper: https://tomesphere.com/paper/1705.09165/full.md

## References

47 references — full list in the complete paper: https://tomesphere.com/paper/1705.09165/full.md

---
Source: https://tomesphere.com/paper/1705.09165