Global ISR: Toward a Comprehensive Defense Against Unauthorized Code Execution

  • Georgios Portokalidis
  • Angelos D. Keromytis
Chapter
Part of the Advances in Information Security book series (ADIS, volume 54)

Abstract

Instruction-set randomization (ISR) obfuscates the “language” understood by a system to protect against code-injection attacks by presenting an ever-changing target. ISR was originally motivated by code injection through buffer overflow vulnerabilities. However, Stuxnet demonstrated that attackers can exploit other vectors to place malicious binaries into a victim’s filesystem and successfully launch them, bypassing most mechanisms proposed to counter buffer overflows. We propose the holistic adoption of ISR across the software stack, preventing the execution of unauthorized binaries and scripts regardless of their origin. Our approach requires that programs be randomized with different keys during a user-controlled installation, effectively combining the benefits of code whitelisting/signing and runtime program integrity. We discuss how an ISR-enabled environment for binaries can be implemented with little overhead in hardware, and show that higher-overhead software-only alternatives are possible. We use Perl and SQL to demonstrate the application of ISR in scripting environments with negligible overhead.
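
The install-time randomization and keyed execution described in the abstract can be sketched with a toy model. This is an added example, not code from the chapter: the four-opcode stack machine, the repeating-key XOR transform, the function names and the sample keys are all assumptions made for illustration.

```python
# Toy ISR model (added example): assumed 4-opcode stack machine, repeating-key XOR.
OPCODES = {0x01: "PUSH", 0x02: "ADD", 0x03: "PRINT", 0x04: "HALT"}

class IllegalInstruction(Exception):
    """Raised when de-randomized bytes do not form valid code."""

def xor_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call randomizes and de-randomizes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def install(plain: bytes, key: bytes) -> bytes:
    """Install-time step: store the program randomized under its own key."""
    return xor_key(plain, key)

def execute(image: bytes, key: bytes) -> list:
    """Run-time step: de-randomize the image with the given key, then interpret it."""
    code, stack, out, pc = xor_key(image, key), [], [], 0
    try:
        while pc < len(code):
            op = OPCODES.get(code[pc])
            if op is None:
                raise IllegalInstruction(f"byte {code[pc]:#04x} at offset {pc}")
            if op == "PUSH":
                stack.append(code[pc + 1])
                pc += 1
            elif op == "ADD":
                stack.append(stack.pop() + stack.pop())
            elif op == "PRINT":
                out.append(stack.pop())
            elif op == "HALT":
                break
            pc += 1
    except IndexError:  # missing operand or empty stack
        raise IllegalInstruction(f"malformed code near offset {pc}") from None
    return out

def runs(image: bytes, key: bytes) -> bool:
    """True if the image executes under this key without an illegal-instruction fault."""
    try:
        execute(image, key)
    except IllegalInstruction:
        return False
    return True

# Constructed sample data: PUSH 2, PUSH 40, ADD, PRINT, HALT, and two made-up keys.
PROGRAM = bytes([0x01, 2, 0x01, 40, 0x02, 0x03, 0x04])
KEY_A, KEY_B = bytes.fromhex("5ac3917e"), bytes.fromhex("3c0fe248")
if __name__ == "__main__":
    print(execute(install(PROGRAM, KEY_A), KEY_A), runs(PROGRAM, KEY_A), runs(install(PROGRAM, KEY_B), KEY_A))
```

Only the image installed under the key in use executes; a binary that was never randomized, or one randomized under a different program's key, decodes to bytes the machine rejects.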

Keywords

Execution Environment, Injection Attack, Memory Protection, Shared Library, USENIX Security Symposium
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. Network Security Lab, Columbia University, New York, USA