This project develops a new approach to software service protection based on tailored program diversity. Systems using the approach have two valuable properties: (1) proofs can be constructed showing that the systems cannot be compromised by a class of attacks, no matter what vulnerabilities exist in the service; and (2) their protection does not depend on keeping any secrets. The basis of the approach is the observation that, without affecting the normal operation of a program, the set of acceptable states for the program can be reduced by imposing artificial execution constraints. Examples of such constraints include limiting the addresses or instructions that the program can use. An artificial constraint is imposed mechanically by a compiler, linker, or run-time system on a server to produce a variant. A system is constructed in which two or more different variants operate in parallel on the same input, thereby producing a system with an overall constraint that is the intersection of the constraints of the variants. With appropriate choices of the constraints for the variants, the overall constraint can be made unsatisfiable. For example, by partitioning the address space between the two variants, any attack that requires referencing an absolute address must fail. Attacks cannot succeed because to do so would require satisfying the unsatisfiable constraint.
