A Multi-variant Execution Environment for Securing In-memory KVSes

The multi-variant execution environment (MVEE) is useful to protect software against network attacks by executing and monitoring the multiple instances (variants) of the target software in a synchronized manner. Applying MVEEs to in-memory key-value stores (KVSes), often written in unsafe languages like C, such as Redis and Memcached, enhances the security of web services since they suffer from memory vulnerabilities. However, it does not come for free to run in-memory KVSes on MVEEs. Since in-memory KVSes store a tremendous number of KVs in their own address spaces, the memory space overhead of executing multiple variants of the in-memory KVS is non-trivial. This paper presents MvKVS, an MVEE system tailored for in-memory KVSes. To launch multiple variants of the target in-memory KVS, MvKVS lowers the total memory utilization of the variants as much as possible by aggressively merging shareable memory pages. We prototyped MvKVS in Linux 4.4.185 and conducted experiments using Redis 6.2.4. The experimental results show that our prototype gracefully mitigates memory consumption with multiple Redis variants.