An Architectural Approach to Preventing Code Injection Attacks
October-December 2010 (vol. 7 no. 4)
pp. 351-365
Ryan Riley, Qatar University, Doha
Xuxian Jiang, North Carolina State University, Raleigh
Dongyan Xu, Purdue University, West Lafayette
Code injection attacks, despite being well researched, continue to be a problem today. Modern architectural solutions such as the execute-disable bit and PaX have been useful in limiting these attacks; however, they enforce program layout restrictions and can often still be circumvented by a determined attacker. We propose a change to the memory architecture of modern processors that addresses the code injection problem at its very root by virtually splitting memory into code memory and data memory, such that a processor will never be able to fetch injected code for execution. This virtual split-memory system can be implemented as a software-only patch to an operating system and can be used to supplement existing schemes for improved protection. Furthermore, our system is able to accommodate a number of response modes when a code injection attack occurs. Our experiments with both benchmarks and real-world attacks show that the system is effective in preventing a wide range of code injection attacks while incurring reasonable overhead.

Index Terms:
Code injection, secure memory architecture.
Citation:
Ryan Riley, Xuxian Jiang, Dongyan Xu, "An Architectural Approach to Preventing Code Injection Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 4, pp. 351-365, Oct.-Dec. 2010, doi:10.1109/TDSC.2010.1