Randomized instruction set emulation

Injecting binary code into a running program is a common form of attack. Most defenses employ a “guard the doors” approach, blocking known mechanisms of code injection. Randomized instruction set emulation (RISE) is a complementary method of defense, one that performs a hidden randomization of an application's machine code. If foreign binary code is injected into a program running under RISE, it will not be executable because it will not know the proper randomization. The paper describes and analyzes RISE, describing a proof-of-concept implementation built on the open-source Valgrind IA32-to-IA32 translator. The prototype effectively disrupts binary code injection attacks, without requiring recompilation, linking, or access to application source code. Under RISE, injected code (attacks) essentially executes random code sequences. Empirical studies and a theoretical model are reported which treat the effects of executing random code on two different architectures (IA32 and PowerPC). The paper discusses possible extensions and applications of the RISE technique in other contexts.

[1]  David H. Ackley,et al.  Building diverse computer systems , 1997, Proceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No.97TB100133).

[2]  Calton Pu,et al.  Buffer overflows: attacks and defenses for the vulnerability of the decade , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[3]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[4]  Jun Xu,et al.  Architecture Support for Defending Against Buffer Overflow Attacks , 2002 .

[5]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[6]  Avishai Wool,et al.  Install-time vaccination of Windows executables to defend against stack smashing attacks , 2004, IEEE Transactions on Dependable and Secure Computing.

[7]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[8]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[9]  Vitaly Osipov,et al.  Format String Attacks , 2005 .

[10]  Deepak Gupta,et al.  TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection , 2004, USENIX Security Symposium.

[11]  Brian Randell,et al.  System structure for software fault tolerance , 1975, IEEE Transactions on Software Engineering.

[12]  M. Kuhn The TrustNo 1 Cryptoprocessor Concept , 1997 .

[13]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[14]  Nicholas Nethercote,et al.  Valgrind: A Program Supervision Framework , 2003, RV@CAV.

[15]  Tzi-cker Chiueh,et al.  A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks , 2003, USENIX Annual Technical Conference, General Track.

[16]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[17]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[18]  Michael Shuey,et al.  StackGhost: Hardware Facilitated Stack Protection , 2001, USENIX Security Symposium.

[19]  Evelyn Duesterwald,et al.  Design and implementation of a dynamic optimization framework for windows , 2000 .

[20]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[21]  William A. Arbaugh,et al.  Improving the TCPA Specification , 2002, Computer.

[22]  Aleksandar Milenkovic,et al.  A framework for trusted instruction execution via basic block signature verification , 2004, ACM-SE 42.

[23]  Algirdas A. Avi The Methodology of N-Version Programming , 1995 .

[24]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[25]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[26]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[27]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[28]  Ravishankar K. Iyer,et al.  Transparent runtime randomization for security , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[29]  Frederick B. Cohen,et al.  Operating system protection through program evolution , 1993, Comput. Secur..

[30]  Calton Pu,et al.  The Cracker Patch Choice: An Analysis of Post Hoc Security Techniques , 2000 .

[31]  Navjot Singh,et al.  Libsafe 2.0: Detection of Format String Vulnerability Exploits , 2003 .

[32]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[33]  Ravi Sandhu,et al.  ACM Transactions on Information and System Security: Editorial , 2005 .

[34]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[35]  Calton Pu,et al.  A Specialization Toolkit to Increase the Diversity of Operating Systems , 1996 .

[36]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[37]  Dawn Song,et al.  Mitigating buffer overflows by operating system randomization , 2002 .

[38]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[39]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[40]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[41]  염흥렬,et al.  [서평]「Applied Cryptography」 , 1997 .

[42]  Brian Randell System structure for software fault tolerance , 1975 .

[43]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[44]  Steve J. Chapin,et al.  Type-Assisted Dynamic Buffer Overflow Detection , 2002, USENIX Security Symposium.

[45]  theEuroFj2 JoFj2 fo the InfoMj> ProMj>00 published bimoshed at j Puu0y0y , 2003 .

[46]  Avishai Wool,et al.  Install-time Vaccination of Windows Executables to Defend Against Stack Smashing Attacks , 2004, SEC.