Countering Code Injection Attacks With Instruction Set Randomization

Gaurav S. Kc; Angelos D. Keromytis; Vassilis Prevelakis; Vijay Atluri

Computer Science
Book/Journal Title: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), October 2003, Washington, DC.
ACM Press
We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoffs's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitably modified processor (e.g., the Transmeta Crusoe).

Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
Computer science
Suggested Citation:
Gaurav S. Kc, Angelos D. Keromytis, Vassilis Prevelakis, Vijay Atluri, 2003, Countering Code Injection Attacks With Instruction Set Randomization, Columbia University Academic Commons, http://hdl.handle.net/10022/AC:P:13854.
