The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.04 - October-December (2010 vol.7)
pp: 351-365
Ryan Riley , Qatar University, Doha
Xuxian Jiang , North Carolina State University, Raleigh
Dongyan Xu , Purdue University, West Lafayette
ABSTRACT
Code injection attacks, despite being well researched, continue to be a problem today. Modern architectural solutions such as the execute-disable bit and PaX have been useful in limiting the attacks; however, they enforce program layout restrictions and can oftentimes still be circumvented by a determined attacker. We propose a change to the memory architecture of modern processors that addresses the code injection problem at its very root by virtually splitting memory into code memory and data memory such that a processor will never be able to fetch injected code for execution. This virtual split memory system can be implemented as a software-only patch to an operating system and can be used to supplement existing schemes for improved protection. Furthermore, our system is able to accommodate a number of response modes when a code injection attack occurs. Our experiments with both benchmarks and real-world attacks show the system is effective in preventing a wide range of code injection attacks while incurring reasonable overhead.
INDEX TERMS
Code injection, secure memory architecture.
CITATION
Ryan Riley, Xuxian Jiang, Dongyan Xu, "An Architectural Approach to Preventing Code Injection Attacks", IEEE Transactions on Dependable and Secure Computing, vol.7, no. 4, pp. 351-365, October-December 2010, doi:10.1109/TDSC.2010.1
REFERENCES
[1] "A Detailed Description of the Data Execution Prevention (dep) Feature in Windows xp Service Pack 2, Windows xp Tablet pc ed. 2005, and Windows Server 2003," http://support.microsoft.com/kb875352, Dec. 2006.
[2] "Pax Pageexec Documentation," http://pax.grsecurity.net/docspageexec.txt , Dec. 2006.
[3] Intel Corporation, IA-32 Intel Architecture Software Developer's Manual Volume 3A: System Programming Guide, Part 1. Intel Corp., publication number 253668, 2006.
[4] "Buffer Overflow Attacks Bypassing dep (nx/xd bits)—Part 2: Code Injection," http://www.mastropaolo.com?p=13, Dec. 2006.
[5] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. Seventh USENIX Security Conf., pp. 63-78, http://citeseer.ist.psu.educowan98stackguard.html , 1998.
[6] H. Etoh, "Gcc Extension for Protecting Applications from Stack-Smashing Attacks," http://www.trl.ibm.com/projects/security ssp/, Dec. 2006.
[7] Vendicator "Stack Shield: A 'Stack Smashing' Technique Protection Tool for Linux," http://www.angelfire.com/sk/stackshieldinfo.html , Dec. 2006.
[8] J. Wilander and M. Kamkar, "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention," Proc. 10th Network and Distributed System Security Symp., pp. 149-162, citeseer.ist.psu.edu/wilander03comparison.html, Feb. 2003.
[9] J. von Neumann, "First, Draft of a Report on the EDVAC," 1945, reprinted in, The Origins of Digital Computers Selected Papers, second ed., pp. 355-364, Springer, 1975.
[10] P.C. van Oorschot, A. Somayaji, and G. Wurster, "Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance," IEEE Trans. Dependable and Secure Computing, vol. 2, no. 2, pp. 82-92, Apr. 2005.
[11] H.H. Aiken, "Proposed Automatic Calculating Machine," 1937, reprinted in, The Origins of Digital Computers Selected Papers, second ed., pp. 191-198, Springer, 1975.
[12] H.H. Aiken and G.M. Hopper, "The Automatic Sequence Controlled Calculator," 1946, reprinted in, The Origins of Digital Computers Selected Papers, second ed., pp. 199-218, Springer, 1975.
[13] "kernelthread.com: Securing Memory," http://www.kernelthread. com/publications/ securitysmemory.html, Dec. 2006.
[14] Skape and Skywing, "Bypassing Windows Hardware-Enforced dep," Uninformed, vol. 2, http:/www.uninformed.org, Sept. 2005.
[15] R. Krishnakumar, "Hugetlb—Large Page Support in the Linux Kernel," Linux Gazette, vol. 155, http://linuxgazette.net/155krishnakumar.html , Oct. 2008.
[16] "Pax aslr Documentation," http://pax.grsecurity.net/docsaslr.txt, Dec. 2006.
[17] S. Bhatkar, D.C. DuVarney, and R. Sekar, "Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits," Proc. 12th USENIX Security Symp., 2003.
[18] S. Bhatkar, R. Sekar, and D.C. DuVarney, "Efficient Techniques for Comprehensive Protection from Memory Error Exploits," Proc. 14th USENIX Security Symp., 2005.
[19] J. Xu, Z. Kalbarczyk, and R.K. Iyer, "Transparent Runtime Randomization for Security," Proc. 22nd Symp. Reliable and Distributed Systems (SRDS), Oct. 2003.
[20] E.G. Barrantes, D.H. Ackley, S. Forrest, T.S. Palmer, D. Stefanovic, and D.D. Zovi, "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), 2003.
[21] G.S. Kc, A.D. Keromytis, and V. Prevelakis, "Countering Code Injection Attacks with Instruction-Set Randomization," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), 2003.
[22] S. Sidiroglou, M.E. Locasto, S.W. Boyd, and A.D. Keromytis, "Building a Reactive Immune System for Software Services," Proc. USENIX Ann. Technical Conf., 2005.
[23] L. Lam and T. Chiueh, "Checking Array Bound Violation Using Segmentation Hardware," Proc. Int'l Conf. Dependable Systems and Networks (DSN '05), pp. 388-397, 2005.
[24] "Wind River: Vxworks," http://www.windriver.comvxworks/, Mar. 2007.
[25] S. Chen, J. Xu, E.C. Sezer, P. Gauriar, and R. Iyer, "Non-Control-Data Attacks Are Realistic Threats," Proc. USENIX Security Symp., Aug. 2005.
[26] "bochs: The Open Source ia-32 Emulation Project," http:/bochs.sourceforge.net/, Dec. 2006.
[27] P. Venda, "PaX Performance Impact," http://www.pjvenda.org/linux/docpax-performance /, Oct. 2005.
[28] A. Apvrille, D. Gordon, S. Hallyn, M. Pourzandi, and V. Roy, "Digsig: Run-Time Authentication of Binaries at Kernel Level," Proc. 18th USENIX Conf. System Administration (LISA '04), pp. 59-66, 2004.
[29] B. Lymn, "Verified Exec—Extending the Security Perimeter," Proc. Australian Unix Users Group Conf. 2004.
[30] "Sebek," http://www.honeynet.org/toolssebek/, 2010.
[31] X. Jiang and X. Wang, "'Out-of-the-Box' Monitoring of VM-Based High Interaction Honeypots," Proc. 10th Recent Advances in Intrusion Detection (RAID '07), Sept. 2007.
[32] G. Portokalidis, A. Slowinska, and H. Bos, "Argos: An Emulator for Fingerprinting Zero-Day Attacks for Advertised Honeypots with Automatic Signature Generation," Proc. ACM SIGOPS/European Conf. Computer Systems (EuroSys '06), pp. 15-27, 2006.
[33] A. Avizienis, J.C. Laprie, and B. Randell, "Fundamental Concepts of Dependability," Proc. Int'l Workshop Information Security (ISW '00), 2000.
[34] "Linux/Unix nbench," http://www.tux.org/mayer/linuxbmark.html , Dec. 2006.
[35] "Unixbench," http://www.tux.org/pub/tux/benchmarks/ System unixbench/, Dec. 2006.
[36] J. Giffin, M. Christodorescu, and L. Kruger, "Strengthening Software Self-Checksumming via Self-Modifying Code," Proc. 21st IEEE Ann. Computer Security Applications Conf. (ACSAC '05), pp. 18-27, Dec. 2005.
[37] R. Riley, X. Jiang, and D. Xu, "An Architectural Approach to Preventing Code Injection Attacks," Proc. 37th Ann. IEEE/IFIP Int'l Conf. Dependable Systems and Networks (DSN '07), pp. 30-40, 2007.
27 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool