DOI: 10.1145/1134760.1134764

Secure and practical defense against code-injection attacks using software dynamic translation

Published: 14 June 2006

Abstract

One of the most common forms of security attack involves exploiting a vulnerability to inject malicious code into an executing application and then causing the injected code to be executed. A theoretically strong approach to defending against any type of code-injection attack is to create and use a process-specific instruction set produced by a randomization algorithm. Code injected by an attacker who does not know the randomization key will be invalid for the randomized processor, effectively thwarting the attack. This paper describes a secure and efficient implementation of instruction-set randomization (ISR) using software dynamic translation. The paper makes three contributions beyond previous work on ISR. First, we describe an implementation that uses a strong cipher algorithm, the Advanced Encryption Standard (AES), to perform randomization. AES is generally believed to be impervious to known attack methodologies. Second, we demonstrate that ISR using AES can be implemented practically and efficiently (considering both execution time and code size overheads) without requiring special hardware support. The third contribution is that our approach detects malicious code before it is executed. Previous approaches relied on probabilistic arguments that execution of non-randomized foreign code would eventually cause a fault or runtime exception.

Published In

VEE '06: Proceedings of the 2nd international conference on Virtual execution environments
June 2006
194 pages
ISBN: 1595933328
DOI: 10.1145/1134760
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. software dynamic translation
  2. virtual execution

Qualifiers

  • Article

Conference

VEE06

Acceptance Rates

Overall Acceptance Rate 80 of 235 submissions, 34%

Article Metrics

  • Downloads (Last 12 months): 13
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 18 Nov 2024

Cited By

  • (2023) Hardware-Assisted Static and Runtime Attestation for Cloud Deployments. IEEE Transactions on Cloud Computing 11:4 (3750-3765). DOI: 10.1109/TCC.2023.3327290. Online publication date: Oct-2023
  • (2023) Breaking Embedded Software Homogeneity with Protocol Mutations. Security and Privacy in Communication Networks (770-790). DOI: 10.1007/978-3-031-25538-0_40. Online publication date: 4-Feb-2023
  • (2022) Survey of Control-flow Integrity Techniques for Real-time Embedded Systems. ACM Transactions on Embedded Computing Systems 21:4 (1-32). DOI: 10.1145/3538275. Online publication date: 4-Oct-2022
  • (2022) Diversity-by-Design for Dependable and Secure Cyber-Physical Systems: A Survey. IEEE Transactions on Network and Service Management 19:1 (706-728). DOI: 10.1109/TNSM.2021.3091391. Online publication date: Mar-2022
  • (2021) Nesnelerin İnterneti (IoT) ve Kablosuz Algılayıcı Ağların Güvenliğine Yapılan Saldırıların Tespit Edilmesi ve Önlenmesi [Detection and Prevention of Attacks on the Internet of Things (IoT) and Wireless Sensor Networks]. Politeknik Dergisi 24:1 (219-235). DOI: 10.2339/politeknik.627825. Online publication date: 1-Mar-2021
  • (2021) Glyph: Efficient ML-Based Detection of Heap Spraying Attacks. IEEE Transactions on Information Forensics and Security 16 (740-755). DOI: 10.1109/TIFS.2020.3017925. Online publication date: 2021
  • (2020) On Architectural Support for Instruction Set Randomization. ACM Transactions on Architecture and Code Optimization 17:4 (1-26). DOI: 10.1145/3419841. Online publication date: 10-Nov-2020
  • (2020) Assessment of National Crime Reporting System: Detailed Analysis of the Desktop Application. 17th International Conference on Information Technology–New Generations (ITNG 2020) (73-78). DOI: 10.1007/978-3-030-43020-7_11. Online publication date: 12-May-2020
  • (2019) Dance Interactive Learning Systems. ACM Computing Surveys 52:3 (1-37). DOI: 10.1145/3323335. Online publication date: 18-Jun-2019
  • (2019) From Hack to Elaborate Technique—A Survey on Binary Rewriting. ACM Computing Surveys 52:3 (1-37). DOI: 10.1145/3316415. Online publication date: 18-Jun-2019
