Countering code-injection attacks with instruction-set randomization

Published: 27 October 2003

    Abstract

    We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitably modified processor (e.g., the Transmeta Crusoe). Our approach is equally applicable against code-injection attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
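    The mechanism the abstract describes, as an added illustration that is not the paper's prototype: a constructed toy machine whose loader XOR-encodes a program with a per-process key and whose fetch loop decodes each byte with that key, so unencoded injected bytes decode to illegal opcodes. The opcode values, the one-byte key and the helper names (isr_encode, isr_run, isr_demo_*, isr_keys_surviving) are all assumptions of this example; the last function shows the caveat that a key this short lets some injected sequences survive by chance.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy machine (constructed example): opcode byte + operand byte; any other opcode is illegal. */
enum { OP_LOAD = 0x10, OP_ADD = 0x20, OP_HALT = 0xF0 };
enum { RUN_HALT = 0, RUN_ILLEGAL = 1 };

/* Loader side: XOR-encode the program with the per-process key. */
static void isr_encode(uint8_t *code, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) code[i] ^= key;
}

/* CPU side: decode each fetched byte with the key; an unknown opcode is the runtime exception. */
static int isr_run(const uint8_t *code, size_t len, uint8_t key, int *acc) {
    *acc = 0;
    for (size_t pc = 0; pc + 1 < len; pc += 2) {
        uint8_t op = code[pc] ^ key, arg = code[pc + 1] ^ key;
        switch (op) {
        case OP_LOAD: *acc = arg; break;
        case OP_ADD:  *acc += arg; break;
        case OP_HALT: return RUN_HALT;
        default:      return RUN_ILLEGAL;
        }
    }
    return RUN_ILLEGAL; /* fell off the end of the code */
}

/* Legitimate program: encoded at load time, so the CPU decodes it back correctly. */
static int isr_demo_legit(uint8_t key) {
    uint8_t prog[] = { OP_LOAD, 2, OP_ADD, 3, OP_HALT, 0 };
    int acc;
    isr_encode(prog, sizeof prog, key);
    return isr_run(prog, sizeof prog, key, &acc) == RUN_HALT ? acc : -1;
}

/* Injected bytes arrive unencoded (the injector lacks the key), so decoding scrambles them. */
static int isr_demo_injected(uint8_t key) {
    const uint8_t injected[] = { OP_LOAD, 3, OP_HALT, 0 };
    int acc;
    return isr_run(injected, sizeof injected, key, &acc);
}

/* Caveat: count the one-byte keys under which the injected bytes still reach HALT. */
static int isr_keys_surviving(void) {
    int n = 0;
    for (int k = 0; k < 256; k++)
        if (isr_demo_injected((uint8_t)k) == RUN_HALT) n++;
    return n;
}
```

    Call isr_demo_legit(0x5A), isr_demo_injected(0x5A) and isr_keys_surviving() from a main() of your own: the legitimate program yields 5, the injected bytes raise the illegal-opcode result, and 2 of the 256 keys let the injected sequence run, which is why a real deployment needs a much longer key than this toy's single byte.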


    Published In

    CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
    October 2003
    374 pages
    ISBN:1581137389
    DOI:10.1145/948109
    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. buffer overflows
    2. emulators
    3. interpreters
