VirISA: Recruiting Virtualization and Reconfigurable Processor ISA for Malicious Code Injection Protection

As users place increasingly more sensitive information in IT products, trusting that a system is not compromised by malicious entities becomes imperative. Code injection is a well-known attack that can directly cause harm by exploiting system vulnerabilities, or can constitute the first step of broader, stronger malicious attacks such as worm or trojan establishment and distribution. Various techniques exist for dealing with code injection attacks, but most of them are either purely software oriented or require instruction code encryption, elaborate key management, and the existence of special processor structures. In this paper, we sketch a different approach to protecting a system from such attacks, based on recoding executable code for a single-core or multicore processor instruction set architecture (ISA) into executable code that uses a randomized subset of that ISA, and executing this code in a dedicated ISA-based virtual execution environment. Our scheme, denoted VirISA, is powered on before the operating system kernel architecture layer and is capable of profiling an executable, choosing a random, dedicated subset of the processor ISA, recoding the executable to this ISA subset, and generating a virtual machine for the recoded executable process in which only its dedicated ISA can function. Using this approach, infection vectors that are inserted into the recoded, dedicated-ISA process during in-memory execution will become obsolete, since some of their instructions will not be included in the assigned dedicated ISA subset and will not be executed.
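The following toy model is an added illustration of the recode-and-confine idea in the abstract, not code from the paper. The six-opcode stack ISA, the rewrite rules, and all function names are assumptions made for the example; the injected sequence is constructed and uses the full, un-recoded ISA.

```python
import random

# Toy stack ISA, constructed for illustration (not the paper's ISA).
FULL_ISA = {"PUSH", "NEG", "ADD", "SUB", "INC", "DEC"}
# Equivalent sequences for recoding an opcode the chosen subset lacks.
REWRITES = {
    "ADD": [("NEG",), ("SUB",)],     # a + b == a - (-b)
    "SUB": [("NEG",), ("ADD",)],     # a - b == a + (-b)
    "INC": [("PUSH", 1), ("ADD",)],
    "DEC": [("PUSH", 1), ("SUB",)],
}

class IllegalInstruction(Exception):
    pass

def choose_subset(rng):
    """Random dedicated subset: exactly one of ADD/SUB, optional INC/DEC."""
    subset = {"PUSH", "NEG", rng.choice(["ADD", "SUB"])}
    return subset | {op for op in ("INC", "DEC") if rng.random() < 0.5}

def recode(program, subset):
    """Rewrite the program so every opcode belongs to the subset."""
    out = []
    for ins in program:
        out.extend([ins] if ins[0] in subset else recode(REWRITES[ins[0]], subset))
    return out

def run(program, allowed):
    """Dedicated VM: traps on any opcode outside the allowed set."""
    stack = []
    for op, *arg in program:
        if op not in allowed:
            raise IllegalInstruction(op)
        if op == "PUSH":
            stack.append(arg[0])
        elif op in ("NEG", "INC", "DEC"):
            x = stack.pop()
            stack.append({"NEG": -x, "INC": x + 1, "DEC": x - 1}[op])
        else:  # ADD or SUB
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a - b)
    return stack

PROGRAM = [("PUSH", 10), ("PUSH", 3), ("SUB",), ("INC",), ("PUSH", 4), ("ADD",), ("DEC",)]
INJECTED = [("PUSH", 7), ("PUSH", 1), ("ADD",), ("PUSH", 2), ("SUB",)]  # constructed payload

def protect_and_run(seed, extra=()):
    """Recode PROGRAM for a random subset, then run it (plus any injected code)."""
    subset = choose_subset(random.Random(seed))
    return subset, run(recode(PROGRAM, subset) + list(extra), subset)
```

In this model the injected sequence can execute the opcodes that happen to fall inside the subset before it traps, so the confinement stops the payload from completing rather than from starting.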
