Countering code-injection attacks with instruction-set randomization

We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle by creating process-specific randomized instruction sets (e.g., machine instructions) for the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism into the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitably modified processor (e.g., the Transmeta Crusoe). Our approach is equally applicable against code-injection attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
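The mechanism the abstract describes, as an added illustration that is not code from the paper or its prototype: a toy stack-machine interpreter whose instruction stream is randomized with a per-process key at load time and de-randomized by the "processor" before execution. A repeating-key XOR stands in for the randomization function (an assumption of this example, not the paper's construction), and the opcode encoding is deliberately sparse so that bytes injected without the key decode to invalid instructions and trigger the runtime exception.

```python
import secrets

class IllegalInstruction(Exception):
    """Raised when a decoded byte is not a valid instruction (the 'runtime exception')."""

# Opcodes of a toy stack machine; kept sparse so most byte values are not valid instructions.
OP_PUSH, OP_ADD, OP_PRINT, OP_HALT = 0x10, 0x20, 0x30, 0x40
VALID_OPS = {OP_PUSH, OP_ADD, OP_PRINT, OP_HALT}

def fresh_key(n: int = 4) -> bytes:
    """Per-process key, drawn when the process is created."""
    return secrets.token_bytes(n)

def randomize(code: bytes, key: bytes) -> bytes:
    """Per-process 'compilation': XOR each byte with the repeating key. XOR is self-inverse,
    so the same function de-randomizes. (Stand-in for the paper's randomization; assumed here.)"""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))

def execute(randomized: bytes, key: bytes) -> list:
    """The 'randomized processor': de-randomize with the process key, then interpret."""
    code = randomize(randomized, key)
    stack, output, pc = [], [], 0
    while pc < len(code):
        op = code[pc]
        if op not in VALID_OPS:
            raise IllegalInstruction(f"opcode {op:#04x} at offset {pc}")
        if op == OP_PUSH:
            if pc + 1 >= len(code):
                raise IllegalInstruction(f"truncated PUSH at offset {pc}")
            stack.append(code[pc + 1]); pc += 2
        elif op == OP_ADD:
            b, a = stack.pop(), stack.pop(); stack.append(a + b); pc += 1
        elif op == OP_PRINT:
            output.append(stack.pop()); pc += 1
        else:  # OP_HALT
            break
    return output

def attempt(randomized: bytes, key: bytes):
    """Run and classify the outcome as a monitor would: ('ok', output) or ('fault', reason)."""
    try:
        return ("ok", execute(randomized, key))
    except (IllegalInstruction, IndexError) as e:   # IndexError: stack underflow from garbage code
        return ("fault", type(e).__name__)

# Constructed sample program: PUSH 2; PUSH 3; ADD; PRINT; HALT  ->  outputs [5]
PROGRAM = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_PRINT, OP_HALT])
KEY = bytes([0xA5, 0x3C])   # fixed so the run is reproducible; a real process would use fresh_key()

if __name__ == "__main__":
    # Legitimate binary, randomized at load time with the process key: runs normally.
    print(attempt(randomize(PROGRAM, KEY), KEY))   # ('ok', [5])
    # Injected code is valid for the unrandomized machine but was not keyed (attacker lacks KEY):
    # de-randomization maps 0x10 to 0xB5, an invalid opcode, so it faults on the first instruction.
    print(attempt(PROGRAM, KEY))                   # ('fault', 'IllegalInstruction')
    print(attempt(PROGRAM, fresh_key()))           # almost always a fault: 4 of 256 bytes are valid opcodes
```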
