Boyd Stephen W. author Columbia University. Computer Science Kc Gaurav S. author Columbia University. Computer Science Locasto Michael E. author Columbia University. Computer Science Keromytis Angelos D. author Columbia University. Computer Science Prevelakis Vassilis author Columbia University. Computer Science originator text Articles 2010 manuscript version English We describe Instruction-Set Randomization (ISR), a general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoffs' principle to create OS process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that (randomized) environment, causing a runtime exception. Our approach is applicable to machine-language programs and scripting and interpreted languages. We discuss three approaches (protection for Intel x86 executables, Perl scripts, and SQL queries), one from each of the above categories. Our goal is to demonstrate the generality and applicability of ISR as a protection mechanism. Our emulator-based prototype demonstrates the feasibility ISR for x86 executables and should be directly usable on a suitably modified processor. We demonstrate how to mitigate the significant performance impact of emulation-based ISR by using several heuristics to limit the scope of randomized (and interpreted) execution to sections of code that may be more susceptible to exploitation. The SQL prototype consists of an SQL query-randomizing proxy that protects against SQL injection attacks with no changes to database servers, minor changes to CGI scripts, and with negligible performance overhead. Similarly, the performance penalty of a randomized Perl interpreter is minimal. Where the performance impact of our proposed approach is acceptable (i.e., in an already-emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a broad protection mechanism and complement other security mechanisms. Computer science 7 3 255 270 2010 http://dx.doi.org/10.1109/TDSC.2008.58 http://hdl.handle.net/10022/AC:P:10579 NNC NNC 2011-06-23 14:38:22 -0400 2012-12-29 00:28:31 -0500 4528 eng