Randomized instruction set emulation to disrupt binary code injection attacks

Binary code injection into an executing program is a common form of attack. Most current defenses against this form of attack use a 'guard all doors' strategy, trying to block the avenues by which execution can be diverted. We describe a complementary method of protection, which disrupts foreign code execution regardless of how the code is injected. A unique and private machine instruction set for each executing program would make it difficult for an outsider to design binary attack code against that program and impossible to use the same binary attack code against multiple machines. As a proof of concept, we describe a randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. The prototype disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. The paper describes the RISE implementation and its limitations, gives evidence demonstrating that RISE defeats common attacks, considers how the dense x86 instruction set affects the method, and discusses potential extensions of the idea.
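To make the mechanism concrete, the toy model below is an added example, not code from the paper or from Valgrind. It assumes (the page does not say how RISE derives its private instruction set) a per-process XOR key applied by a trusted loader and undone by the emulator at every instruction fetch, a constructed four-instruction ISA, and a constructed "foreign" byte string standing in for code that reached memory without passing through the loader. The last function estimates, over random keys, how often those unscrambled bytes still decode to the sensitive instruction, which is the sparse-versus-dense ISA question the abstract raises.

```python
import os
# Constructed toy ISA: opcode -> (mnemonic, number of immediate bytes).
ISA = {0x01: ("PUSH", 1), 0x02: ("ADD", 0), 0x03: ("HALT", 0), 0x04: ("SYSCALL", 0)}
class IllegalInstruction(Exception):
    """A fetched byte did not decode to a valid opcode after unscrambling."""

def scramble(code: bytes, key: bytes) -> bytes:
    """Trusted loader: XOR each code byte with the key byte for its address
    (assumed scheme; the page does not say how RISE builds its private ISA)."""
    return bytes(b ^ key[i] for i, b in enumerate(code))

def run(memory: bytes, key: bytes, max_steps: int = 64):
    """Emulator: unscramble every fetched byte with the per-process key before
    decoding, so only loader-scrambled code runs as written. Returns (stack, trace)."""
    pc, stack, trace = 0, [], []
    for _ in range(max_steps):
        op = memory[pc] ^ key[pc]
        if op not in ISA:
            raise IllegalInstruction(f"pc={pc}: {memory[pc]:#04x} decodes to {op:#04x}")
        name, nimm = ISA[op]
        trace.append(name)
        if name == "PUSH":
            stack.append(memory[pc + 1] ^ key[pc + 1])
        elif name == "ADD":
            stack.append(stack.pop() + stack.pop())
        elif name == "HALT":
            return stack, trace
        pc += 1 + nimm  # SYSCALL only leaves its mark in the trace
    raise RuntimeError("step limit reached")

LEGIT = bytes([0x01, 5, 0x01, 7, 0x02, 0x03])  # PUSH 5; PUSH 7; ADD; HALT
# Constructed stand-in for bytes placed in memory without passing through the loader: SYSCALL; HALT.
FOREIGN = bytes([0x04, 0x03])

def legit_result(key: bytes) -> list:
    """The loader-scrambled program executes correctly under its own key."""
    return run(scramble(LEGIT, key), key)[0]

def foreign_outcome(key: bytes) -> str:
    """Unscrambled bytes fetched through the key stream decode to something else."""
    try:
        return "executed:" + ",".join(run(FOREIGN, key)[1])
    except (IllegalInstruction, IndexError):
        return "illegal"

def foreign_success_rate(trials: int = 2000) -> float:
    """Fraction of random keys under which FOREIGN still reaches SYSCALL (about 1/256 here; a dense ISA like x86 decodes random bytes far more often)."""
    hits = sum("SYSCALL" in foreign_outcome(os.urandom(len(LEGIT))) for _ in range(trials))
    return hits / trials
```

A zero key models the absence of randomization: under it the foreign bytes execute exactly as written, which is the baseline the emulator removes.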
