
Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

Moving Target Defense

Part of the book series: Advances in Information Security (ADIS, volume 54)

Abstract

Instruction-set randomization (ISR) obfuscates the “language” understood by a system to protect against code-injection attacks by presenting an ever-changing target. ISR was originally motivated by code injection through buffer overflow vulnerabilities. However, Stuxnet demonstrated that attackers can exploit other vectors to place malicious binaries into a victim’s filesystem and successfully launch them, bypassing most mechanisms proposed to counter buffer overflows. We propose the holistic adoption of ISR across the software stack, preventing the execution of unauthorized binaries and scripts regardless of their origin. Our approach requires that programs be randomized with different keys during a user-controlled installation, effectively combining the benefits of code whitelisting/signing and runtime program integrity. We discuss how an ISR-enabled environment for binaries can be implemented with little overhead in hardware, and show that higher-overhead software-only alternatives are possible. We use Perl and SQL to demonstrate the application of ISR in scripting environments with negligible overhead.
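The scripting-environment variant of ISR that the abstract mentions for SQL can be illustrated with a keyword-randomization proxy. The Python below is an added example, not code from the chapter: the application's SQL templates are rewritten once at installation so that every keyword carries a per-installation key, and a proxy in front of the database strips the key before forwarding. A keyword that arrives without the key did not come from the installed program (for instance, one smuggled in through string concatenation of user input) and the query is rejected. The keyword set, the six-digit key format, the `{name}` placeholder and all function names are assumptions made for the illustration.

```python
import re
import secrets

# Constructed subset of SQL keywords for the illustration; a real deployment
# would cover the full grammar of the target database.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
    "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "LIKE",
}

# Lexer: single-quoted literals (with '' escapes), words, numbers, or any
# other single non-space character. Whitespace is preserved by re.sub.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\d+|\S")


class UnauthorizedSQL(Exception):
    """A keyword reached the proxy without the installation key."""


def new_key():
    # Per-installation secret (assumed format: six decimal digits) that is
    # appended to every keyword of the trusted program text.
    return f"{secrets.randbelow(10**6):06d}"


def randomize(template, key):
    """Installation-time step: tag every keyword in trusted application SQL
    with the key. Quoted string literals are data and are left untouched."""
    def tag(m):
        tok = m.group(0)
        return tok + key if tok.upper() in SQL_KEYWORDS else tok
    return _TOKEN.sub(tag, template)


def derandomize(query, key):
    """Proxy-side step: strip the key from tagged keywords. A bare keyword
    outside a string literal was not part of the installed program, so the
    whole query is refused rather than forwarded to the database."""
    def untag(m):
        tok = m.group(0)
        if tok.endswith(key) and tok[:-len(key)].upper() in SQL_KEYWORDS:
            return tok[:-len(key)]
        if tok.upper() in SQL_KEYWORDS:
            raise UnauthorizedSQL(f"unrandomized keyword {tok!r}")
        return tok
    return _TOKEN.sub(untag, query)


def build_query(randomized_template, user_input):
    """Runtime: the application splices user input into the literal. This is
    the injection-prone pattern, kept deliberately so the example shows that
    injected keywords still fail to execute under ISR."""
    return randomized_template.replace("{name}", user_input)


def demo():
    """Run one benign and one injected query through the proxy.
    Returns (derandomized benign query, whether the injection was blocked)."""
    key = new_key()
    template = "SELECT id, name FROM users WHERE name = '{name}' AND active = 1"
    installed = randomize(template, key)          # done once, at install

    benign = derandomize(build_query(installed, "alice"), key)
    try:
        derandomize(build_query(installed, "x' OR '1'='1"), key)
        blocked = False
    except UnauthorizedSQL:
        blocked = True
    return benign, blocked


if __name__ == "__main__":
    forwarded, blocked = demo()
    print("forwarded:", forwarded)
    print("injection blocked:", blocked)
```

Two properties are worth checking against such a proxy. First, the check is lexical, so a literal such as `'or'` passes: the lexer treats quoted strings as data, and only a keyword that escapes the quotes is flagged. Second, the entire guarantee rests on the key staying secret; a database error message that echoes the randomized query back to the client, or a log line that stores it, leaks the key and reduces the scheme to plain SQL.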



Correspondence to Georgios Portokalidis .


Copyright information

© 2011 Springer Science+Business Media, LLC


Cite this chapter

Portokalidis, G., Keromytis, A.D. (2011). Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution. In: Jajodia, S., Ghosh, A., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense. Advances in Information Security, vol 54. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-0977-9_3


  • DOI: https://doi.org/10.1007/978-1-4614-0977-9_3


  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-0976-2

  • Online ISBN: 978-1-4614-0977-9
