ABSTRACT
Binary code injection into an executing program is a common form of attack. Most current defenses against this form of attack use a 'guard all doors' strategy, trying to block the avenues by which execution can be diverted. We describe a complementary method of protection, which disrupts foreign code execution regardless of how the code is injected. A unique and private machine instruction set for each executing program would make it difficult for an outsider to design binary attack code against that program and impossible to use the same binary attack code against multiple machines. As a proof of concept, we describe a randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. The prototype disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. The paper describes the RISE implementation and its limitations, gives evidence demonstrating that RISE defeats common attacks, considers how the dense x86 instruction set affects the method, and discusses potential extensions of the idea.
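The abstract's core idea, a per-process private instruction encoding that makes injected binary code meaningless, can be modelled with a toy emulator. This is an added example, not code from the paper or from Valgrind; the four-opcode stack machine, the XOR masking scheme and the fixed keys are all constructed here for illustration.

```python
"""Toy model of instruction-set randomization in the spirit of RISE (added example)."""
import os

# Constructed toy instruction set (not x86): opcode bytes and their meaning.
OP_PUSH, OP_ADD, OP_MUL, OP_HALT = 0x01, 0x02, 0x03, 0xFF
VALID_OPS = {OP_PUSH, OP_ADD, OP_MUL, OP_HALT}


class InvalidInstruction(Exception):
    """Raised when a fetched byte does not decode to a known opcode."""


def new_key(length: int) -> bytes:
    """Per-process private key; a real deployment would draw it at load time."""
    return os.urandom(length)


def scramble(code: bytes, key: bytes) -> bytes:
    """Load-time step: mask every byte of legitimate code with the key stream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


def run(memory: bytes, key: bytes, max_steps: int = 100) -> list:
    """Fetch/decode loop: every fetched byte is unmasked with the same key.
    Bytes that entered memory without being scrambled (injected code) decode
    to arbitrary values; in this toy set only 4 of 256 values are valid opcodes,
    whereas the dense x86 encoding gives injected bytes far better odds."""
    pc, stack = 0, []
    for _ in range(max_steps):
        op = memory[pc] ^ key[pc % len(key)]
        if op not in VALID_OPS:
            raise InvalidInstruction(f"pc={pc} decoded byte 0x{op:02x}")
        if op == OP_HALT:
            return stack
        if op == OP_PUSH:
            stack.append(memory[pc + 1] ^ key[(pc + 1) % len(key)])
            pc += 2
            continue
        b, a = stack.pop(), stack.pop()
        stack.append(a + b if op == OP_ADD else a * b)
        pc += 1
    raise InvalidInstruction("step limit exceeded")


def demo(key: bytes):
    """Legitimate (scrambled) program computes (2+3)*4; injected raw bytes are rejected."""
    program = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PUSH, 4, OP_MUL, OP_HALT])
    legit = run(scramble(program, key), key)
    injected = bytes([OP_PUSH, 7, OP_HALT])  # constructed: attacker's unscrambled bytes
    try:
        run(injected, key)
        blocked = False
    except InvalidInstruction:
        blocked = True
    return legit, blocked
```

With an all-zero key the masking is the identity and the injected bytes execute normally, which is the unprotected baseline the abstract contrasts against.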