Abstract
Instruction-set randomization (ISR) obfuscates the “language” understood by a system to protect against code-injection attacks by presenting an ever-changing target. ISR was originally motivated by code injection through buffer overflow vulnerabilities. However, Stuxnet demonstrated that attackers can exploit other vectors to place malicious binaries into a victim’s filesystem and successfully launch them, bypassing most mechanisms proposed to counter buffer overflows. We propose the holistic adoption of ISR across the software stack, preventing the execution of unauthorized binaries and scripts regardless of their origin. Our approach requires that programs be randomized with different keys during a user-controlled installation, effectively combining the benefits of code whitelisting/signing and runtime program integrity. We discuss how an ISR-enabled environment for binaries can be implemented with little overhead in hardware, and show that higher-overhead software-only alternatives are possible. We use Perl and SQL to demonstrate the application of ISR in scripting environments with negligible overhead.
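The mechanism the abstract describes has two halves: at installation the program's instruction bytes are randomized under a key unique to that installation, and at fetch time the processor (or emulator) derandomizes each byte with the same key before decoding it. Code that was never randomized under the key in use, whether an injected payload or a binary installed elsewhere under a different key, decodes to garbage and faults. The following toy stack VM, written for this page as an illustration and not taken from the chapter or its hardware/software implementations, shows both failure modes. The opcode set, the 128-bit repeating XOR keystream, the two fixed installation keys and the six-byte sample program are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the chapter's implementation): a toy stack VM whose
 * instruction stream is stored XOR-randomized under a per-installation key.
 * The fetch stage derandomizes each byte, so only code randomized under the
 * key in use decodes to valid opcodes. Key length, opcode set and sample
 * program are assumptions made for this demo. */

#define KEY_LEN   16
#define CODE_MAX  64
#define STACK_MAX 16

enum { OP_HALT = 0x00, OP_PUSH = 0x01, OP_ADD = 0x02, OP_MUL = 0x03 };
enum { VM_OK = 0, VM_ILLEGAL_INSN, VM_STACK_FAULT, VM_NO_HALT };

typedef struct {
    uint8_t code[CODE_MAX]; /* randomized bytes, as stored on disk / in memory */
    size_t  len;
} isr_image;

/* Two installations of the same program get different keys. They are fixed
 * constants here so the run is deterministic; every byte is >= 0x10, so a
 * plaintext opcode (all < 0x10) never XORs to a valid one. */
static const uint8_t KEY_A[KEY_LEN] = {0x5A,0x3C,0x91,0xE7,0x28,0xB4,0x6D,0xF0,
                                       0x19,0xC5,0x72,0xAE,0x4B,0x87,0xD3,0x36};
static const uint8_t KEY_B[KEY_LEN] = {0xC3,0xA8,0x14,0x7F,0xE2,0x59,0xBB,0x26,
                                       0x9D,0x41,0xF8,0x63,0xCA,0x15,0x7E,0xB0};

/* Constructed sample program: push 6, push 7, multiply, halt -> 42 */
static const uint8_t PROG_6x7[] = { OP_PUSH, 6, OP_PUSH, 7, OP_MUL, OP_HALT };

/* "Installation": randomize plaintext code under the installation key
 * (repeating 16-byte XOR keystream, for illustration only). */
void isr_install(isr_image *img, const uint8_t *plain, size_t len,
                 const uint8_t key[KEY_LEN]) {
    if (len > CODE_MAX) len = CODE_MAX;
    for (size_t i = 0; i < len; i++)
        img->code[i] = plain[i] ^ key[i % KEY_LEN];
    img->len = len;
}

/* Code injection: the attacker places raw, non-randomized bytes in the image,
 * as an overflow payload or a dropped binary would. They never saw the key. */
void inject_plaintext(isr_image *img, const uint8_t *payload, size_t len) {
    if (len > CODE_MAX) len = CODE_MAX;
    memcpy(img->code, payload, len);
    img->len = len;
}

/* Fetch stage: derandomize one byte with the key the CPU/loader holds. */
static uint8_t fetch(const isr_image *img, size_t pc, const uint8_t key[KEY_LEN]) {
    return img->code[pc] ^ key[pc % KEY_LEN];
}

/* Run the image under a given key. Returns a VM_* status; on VM_OK the
 * top of the stack is written to *result. */
int vm_run(const isr_image *img, const uint8_t key[KEY_LEN], int32_t *result) {
    int32_t stack[STACK_MAX];
    int sp = 0;
    size_t pc = 0;
    while (pc < img->len) {
        uint8_t op = fetch(img, pc++, key);
        switch (op) {
        case OP_HALT:
            if (sp < 1) return VM_STACK_FAULT;
            *result = stack[sp - 1];
            return VM_OK;
        case OP_PUSH:
            if (pc >= img->len || sp >= STACK_MAX) return VM_STACK_FAULT;
            stack[sp++] = (int8_t)fetch(img, pc++, key);
            break;
        case OP_ADD:
            if (sp < 2) return VM_STACK_FAULT;
            stack[sp - 2] += stack[sp - 1]; sp--;
            break;
        case OP_MUL:
            if (sp < 2) return VM_STACK_FAULT;
            stack[sp - 2] *= stack[sp - 1]; sp--;
            break;
        default:
            return VM_ILLEGAL_INSN; /* undecodable byte: abort, as a CPU trap would */
        }
    }
    return VM_NO_HALT;
}

int main(void) {
    isr_image img;
    int32_t r = 0;
    int st;

    isr_install(&img, PROG_6x7, sizeof PROG_6x7, KEY_A);
    st = vm_run(&img, KEY_A, &r);
    printf("installed under A, run under A: status=%d result=%d\n", st, r);
    st = vm_run(&img, KEY_B, &r);
    printf("installed under A, run under B: status=%d (foreign install)\n", st);

    inject_plaintext(&img, PROG_6x7, sizeof PROG_6x7);
    st = vm_run(&img, KEY_A, &r);
    printf("injected plaintext, run under A: status=%d (injection)\n", st);
    return 0;
}
```

The legitimate run yields 42; the same image run under the other installation's key, and the plaintext payload injected over it, both stop at the first fetched byte with an illegal instruction. That is the whitelisting effect the abstract claims: only code that went through this installation's randomization step executes. One caveat the toy makes visible: a short repeating XOR keystream can be recovered from a small amount of known plaintext, so a real deployment's security rests on the key length and on how the derandomization key is kept out of the attacker's reach, not on the XOR itself.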
© 2011 Springer Science+Business Media, LLC
Portokalidis, G., Keromytis, A.D. (2011). Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution. In: Jajodia, S., Ghosh, A., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense. Advances in Information Security, vol 54. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-0977-9_3
DOI: https://doi.org/10.1007/978-1-4614-0977-9_3
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-0976-2
Online ISBN: 978-1-4614-0977-9