DOI: 10.1145/948109.948147
Article

Randomized instruction set emulation to disrupt binary code injection attacks

Published: 27 October 2003

Abstract

    Binary code injection into an executing program is a common form of attack. Most current defenses against this form of attack use a 'guard all doors' strategy, trying to block the avenues by which execution can be diverted. We describe a complementary method of protection, which disrupts foreign code execution regardless of how the code is injected. A unique and private machine instruction set for each executing program would make it difficult for an outsider to design binary attack code against that program and impossible to use the same binary attack code against multiple machines. As a proof of concept, we describe a randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. The prototype disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. The paper describes the RISE implementation and its limitations, gives evidence demonstrating that RISE defeats common attacks, considers how the dense x86 instruction set affects the method, and discusses potential extensions of the idea.
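The per-process private instruction set the abstract describes can be illustrated with a toy emulator. The C program below is an added example, not code from the paper or from the RISE/Valgrind prototype: it masks a small program's code bytes under a constructed per-process key at load time, unmasks them only in the emulator's fetch stage, and shows that a payload written in the plain instruction set decodes to an illegal instruction when it is fetched under the key. The VM, its opcodes, the key and both programs are constructed for this illustration. The toy opcode space is deliberately sparse (three valid opcode bytes out of 256); as the abstract points out, the dense x86 encoding does not give that property for free, so a scrambled x86 byte is much more likely to still decode to some valid instruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy register VM. Opcode bytes are sparse on purpose so that a
 * byte not masked under the process key almost always decodes to nothing. */
enum { OP_LOADI = 0xA5, OP_ADD = 0x5A, OP_HALT = 0xFF };
enum { NREGS = 4, KEYLEN = 8 };

/* Constructed per-process key; a real deployment would draw it from a CSPRNG. */
static const uint8_t PROCESS_KEY[KEYLEN] = {0x3C,0x71,0xC8,0x9E,0x42,0xD7,0x0B,0x65};

/* Loader step: mask the legitimate program under the key, byte by byte. */
void rise_mask(uint8_t *code, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++) code[i] ^= key[i % keylen];
}

/* Fetch step of the emulator: the only place where bytes are unmasked. */
static uint8_t fetch(const uint8_t *code, size_t pc, const uint8_t *key, size_t keylen) {
    return code[pc] ^ key[pc % keylen];
}

/* Run masked code. Returns 0 on HALT, -1 on an illegal instruction (the
 * disruption the scheme relies on), -2 if execution runs off the buffer. */
int rise_run(const uint8_t *code, size_t len, const uint8_t *key, size_t keylen,
             int32_t regs[NREGS]) {
    size_t pc = 0;
    memset(regs, 0, sizeof(int32_t) * NREGS);
    while (pc < len) {
        uint8_t op = fetch(code, pc, key, keylen);
        switch (op) {
        case OP_HALT:
            return 0;
        case OP_LOADI: {                       /* LOADI rd, imm8 */
            if (pc + 2 >= len) return -2;
            uint8_t rd = fetch(code, pc + 1, key, keylen);
            uint8_t imm = fetch(code, pc + 2, key, keylen);
            if (rd >= NREGS) return -1;
            regs[rd] = imm;
            pc += 3;
            break;
        }
        case OP_ADD: {                         /* ADD rd, rs */
            if (pc + 2 >= len) return -2;
            uint8_t rd = fetch(code, pc + 1, key, keylen);
            uint8_t rs = fetch(code, pc + 2, key, keylen);
            if (rd >= NREGS || rs >= NREGS) return -1;
            regs[rd] += regs[rs];
            pc += 3;
            break;
        }
        default:
            return -1;                         /* byte decoded to no instruction */
        }
    }
    return -2;
}

/* Constructed legitimate program: r0 = 2; r1 = 3; r0 += r1; halt  (r0 == 5) */
static const uint8_t PROGRAM[] = { OP_LOADI, 0, 2, OP_LOADI, 1, 3, OP_ADD, 0, 1, OP_HALT };

/* Constructed injected payload: r0 = 42; halt. It is written in the plain
 * instruction set because the attacker does not know the process key. */
static const uint8_t PAYLOAD[] = { OP_LOADI, 0, 42, OP_HALT };

/* Legitimate path: loader masks the program, emulator unmasks at fetch.
 * Returns the run status and writes r0 to *r0_out. */
int demo_legitimate(int32_t *r0_out) {
    uint8_t code[sizeof PROGRAM];
    int32_t regs[NREGS];
    memcpy(code, PROGRAM, sizeof code);
    rise_mask(code, sizeof code, PROCESS_KEY, KEYLEN);
    int status = rise_run(code, sizeof code, PROCESS_KEY, KEYLEN, regs);
    *r0_out = regs[0];
    return status;
}

/* Injection path: the payload lands in the code buffer unmasked, so the fetch
 * stage XORs it with the key and the first byte (0xA5 ^ 0x3C = 0x99) is illegal. */
int demo_injected(int32_t *r0_out) {
    uint8_t code[sizeof PAYLOAD];
    int32_t regs[NREGS];
    memcpy(code, PAYLOAD, sizeof code);        /* no rise_mask() call */
    int status = rise_run(code, sizeof code, PROCESS_KEY, KEYLEN, regs);
    *r0_out = regs[0];
    return status;
}

int main(void) {
    int32_t r0;
    int st = demo_legitimate(&r0);
    printf("legitimate: status=%d r0=%d\n", st, r0);
    st = demo_injected(&r0);
    printf("injected:   status=%d r0=%d (payload never set r0 to 42)\n", st, r0);
    return 0;
}
```

The masking here is a per-byte XOR with a short repeating key, which is the simplest possible instance of the idea; it is enough to show the mechanism (legitimate code runs unchanged, unmasked code is scrambled at fetch) but says nothing about how a production scheme should derive or protect its key.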




Published In

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
October 2003, 374 pages
ISBN: 1581137389
DOI: 10.1145/948109

Publisher

Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. automated diversity
        2. emulation
        3. information hiding
        4. language randomization
        5. obfuscation
        6. security

Conference

CCS03

        Acceptance Rates

        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Cited By

• Buffer Overflow Attacks. Encyclopedia of Cryptography, Security and Privacy, pp. 1-4, 14 Feb 2024. DOI: 10.1007/978-3-642-27739-9_502-2
• Challenges in cybersecurity: Lessons from biological defense systems. Mathematical Biosciences 362, article 109024, Aug 2023. DOI: 10.1016/j.mbs.2023.109024
• Multi-variant Execution at the Edge. Proceedings of the 9th ACM Workshop on Moving Target Defense, pp. 11-22, 11 Nov 2022. DOI: 10.1145/3560828.3564007
• Code Polymorphism Meets Code Encryption: Confidentiality and Side-channel Protection of Software Components. Digital Threats: Research and Practice 4(2), pp. 1-27, 10 Mar 2022. DOI: 10.1145/3487058
• Diverse, Neural Trojan Resilient Ecosystem of Neural Network IP. ACM Journal on Emerging Technologies in Computing Systems 18(3), pp. 1-23, 4 Aug 2022. DOI: 10.1145/3471189
• Design Obfuscation Through 3-D Split Fabrication With Smart Partitioning. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 30(9), pp. 1230-1243, Sep 2022. DOI: 10.1109/TVLSI.2022.3179304
• Detecting Hardware Trojans in PCBs Using Side Channel Loopbacks. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 30(7), pp. 926-937, Jul 2022. DOI: 10.1109/TVLSI.2022.3171174
• Diversity-by-Design for Dependable and Secure Cyber-Physical Systems: A Survey. IEEE Transactions on Network and Service Management 19(1), pp. 706-728, Mar 2022. DOI: 10.1109/TNSM.2021.3091391
• Quantifying Cybersecurity Effectiveness of Dynamic Network Diversity. IEEE Transactions on Dependable and Secure Computing 19(6), pp. 3804-3821, 1 Nov 2022. DOI: 10.1109/TDSC.2021.3107514
• Semi-Synchronized Non-Blocking Concurrent Kernel Cruising. IEEE Transactions on Cloud Computing 10(2), pp. 1428-1444, 1 Apr 2022. DOI: 10.1109/TCC.2020.2970183
