Abstract
Injecting binary code into a running program is a common form of attack. Most defenses employ a “guard the doors” approach, blocking known mechanisms of code injection. Randomized instruction set emulation (RISE) is a complementary method of defense, one that performs a hidden randomization of an application's machine code. If foreign binary code is injected into a program running under RISE, it will not be executable because it will not know the proper randomization. The paper describes and analyzes RISE, including a proof-of-concept implementation built on the open-source Valgrind IA32-to-IA32 translator. The prototype effectively disrupts binary code injection attacks without requiring recompilation, linking, or access to application source code. Under RISE, injected code (attacks) essentially executes random code sequences. Empirical studies and a theoretical model are reported that treat the effects of executing random code on two different architectures (IA32 and PowerPC). The paper discusses possible extensions and applications of the RISE technique in other contexts.
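As an added illustration of the mechanism the abstract describes (this is not code from the paper or its Valgrind prototype), a toy emulator scrambles every code byte with a per-process key at load time and unscrambles at fetch time, so foreign bytes written into the code region decode to random opcodes. The five-instruction ISA, the SHA-256-derived keystream and the sample program are constructed assumptions; the final function measures how often the unrandomized injected bytes trap versus reach a system call across many process keys.

```python
import hashlib
from collections import Counter

# Toy ISA, constructed for this illustration: opcode -> (mnemonic, operand byte count)
ISA = {0x10: ("LOAD", 1), 0x20: ("ADD", 1), 0x30: ("STORE", 1),
       0x40: ("HALT", 0), 0x50: ("SYSCALL", 0)}

def mask(key: bytes, addr: int) -> int:
    """Per-address mask byte derived from the per-process key (stand-in for a RISE keystream)."""
    return hashlib.sha256(key + addr.to_bytes(4, "big")).digest()[0]

def randomize(code: bytes, key: bytes) -> bytes:
    """Load-time step: scramble each code byte with its address-specific mask."""
    return bytes(b ^ mask(key, i) for i, b in enumerate(code))

def run(mem: bytearray, key: bytes, max_steps: int = 64):
    """Emulator: unscramble each fetched byte, then execute. Returns (status, acc, stores)."""
    pc, acc, stores = 0, 0, {}
    for _ in range(max_steps):
        if pc >= len(mem):
            return "fell_off", acc, stores
        op = mem[pc] ^ mask(key, pc)            # fetch-time de-randomization
        if op not in ISA:
            return "illegal", acc, stores       # random byte: the emulator traps
        name, nops = ISA[op]
        if pc + nops >= len(mem):
            return "fell_off", acc, stores
        imm = mem[pc + 1] ^ mask(key, pc + 1) if nops else None
        if name == "LOAD":
            acc = imm
        elif name == "ADD":
            acc = (acc + imm) & 0xFF
        elif name == "STORE":
            stores[imm] = acc
        elif name in ("HALT", "SYSCALL"):
            return name.lower(), acc, stores
        pc += 1 + nops
    return "timeout", acc, stores

PROGRAM = bytes([0x10, 5, 0x20, 7, 0x30, 0, 0x40])   # LOAD 5; ADD 7; STORE [0]; HALT
INJECTED = bytes([0x10, 1, 0x50])                     # plain LOAD 1; SYSCALL, never randomized

def legit_run(key: bytes):
    """The properly randomized program runs unchanged under any key."""
    return run(bytearray(randomize(PROGRAM, key)), key)

def injected_run(key: bytes):
    """Foreign bytes overwrite the start of the code region without knowing the key."""
    mem = bytearray(randomize(PROGRAM, key))
    mem[0:3] = INJECTED
    return run(mem, key)

def injection_outcomes(n_keys: int) -> Counter:
    """Outcome distribution of the injected bytes over n_keys distinct process keys."""
    return Counter(injected_run(i.to_bytes(4, "big"))[0] for i in range(n_keys))
```

Under almost every key the injected sequence decodes to an opcode outside the ISA and traps on its first fetch, which is the "executes random code sequences" effect the abstract describes.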