IEEE Security & Privacy, vol. 7, no. 1 (January/February 2009), pp. 18-25
Angelos D. Keromytis , Columbia University
The author describes past research and future directions on instruction set randomization (ISR), a general technique for protecting against code-injection attacks. Such attacks are commonly encountered in a variety of application domains, remotely targeting program binaries, Web application and database backends, and Web browsers. Collectively, they represent the vast majority of reported attacks in bug- and incident-tracking repositories for the past decade, with no sign of abatement. ISR provides for a separation of code from data by randomizing the execution environment of legitimate code, which has to be suitably transformed using a key shared with the execution environment. This article describes the motivation behind ISR, the high-level concept, its use in two different application domains (binary code injection and SQL injection attacks), the author's findings and experiences (including several limitations, both of the technique and of prototypes), and future directions for improvements and application of ISR. Although he tries to provide broad coverage of the topic, the primary focus is on the research conducted at the Network Security Laboratory at Columbia.
Keywords: randomized runtimes and languages, code injection, code randomization, SQL injection, cross-site scripting, artificial diversity, IT monoculture
Angelos D. Keromytis, "Randomized Instruction Sets and Runtime Environments: Past Research and Future Directions," IEEE Security & Privacy, vol. 7, no. 1, pp. 18-25, January/February 2009, doi:10.1109/MSP.2009.15
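As an added illustration (not code from the article or from the SQLrand system it describes), the Python toy below models the SQL-injection variant of ISR sketched in the abstract: SQL keywords in trusted query templates are tagged with a secret key at build time, and a proxy strips the tag before the query reaches the database, so any keyword that arrives untagged can only have come from untrusted input and the query is rejected. The keyword set, the tokenizer and the query template are constructed for this example; a real deployment would use a full SQL parser and a high-entropy key.

```python
import re

# Keywords the toy tags; the real SQLrand proxy covers the full SQL grammar.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP", "INSERT", "DELETE"}
# Single-quoted literals pass through untouched; bare words are inspected.
# Assumption: literals contain no escaped quotes (a real parser handles them).
_TOKEN = re.compile(r"'[^']*'|\b([A-Za-z]+)(\d+)?\b")


class InjectionDetected(Exception):
    """Raised when a keyword without the secret tag reaches the proxy."""


class SqlRandProxy:
    """Toy SQLrand: keywords carry a secret numeric tag that only the proxy strips."""

    def __init__(self, key: int) -> None:
        self.tag = str(key)  # shared between build-time tagging and the proxy

    def randomize_template(self, template: str) -> str:
        """Build-time step: tag every keyword in a trusted query template."""
        def tag_kw(m):
            word, tag = m.group(1), m.group(2)
            if word is not None and tag is None and word.upper() in KEYWORDS:
                return word + self.tag
            return m.group(0)
        return _TOKEN.sub(tag_kw, template)

    def derandomize(self, query: str) -> str:
        """Proxy step: strip tags; an untagged keyword can only come from injected text."""
        def strip_kw(m):
            word, tag = m.group(1), m.group(2)
            if word is None or word.upper() not in KEYWORDS:
                return m.group(0)  # literal or identifier: pass through
            if tag == self.tag:
                return word  # legitimate keyword, tag matches
            raise InjectionDetected(f"untagged keyword {word!r} in query")
        return _TOKEN.sub(strip_kw, query)


def build_query(proxy: SqlRandProxy, user_input: str) -> str:
    """Constructed app: concatenates user input into a tagged template, then proxies it."""
    tagged = proxy.randomize_template("SELECT * FROM users WHERE name = '%s'")
    return proxy.derandomize(tagged % user_input)


def is_injection(proxy: SqlRandProxy, user_input: str) -> bool:
    """True when the proxy rejects the query built from user_input."""
    try:
        build_query(proxy, user_input)
    except InjectionDetected:
        return True
    return False
```

Note that a keyword inside a string literal (a user named "bob and alice") is not flagged, while input that closes the literal and continues with a bare keyword is, which is exactly the code/data separation the abstract describes.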