Issue No. 01 - January/February (2009 vol. 7)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.15
Angelos D. Keromytis , Columbia University
The author describes past research and future directions on instruction set randomization (ISR), a general technique for protecting against code-injection attacks. Such attacks are commonly encountered in a variety of application domains, remotely targeting program binaries, Web application and database backends, and Web browsers. Collectively, they represent the vast majority of reported attacks in bug- and incident-tracking repositories for the past decade, with no sign of abatement. ISR provides for a separation of code from data by randomizing the execution environment of legitimate code, which has to be suitably transformed using a key shared with the execution environment. This article describes the motivation behind ISR, the high-level concept, its use in two different application domains (binary code injection and SQL injection attacks), the author's findings and experiences (including several limitations, both of the technique and of prototypes), and future directions for improvements and application of ISR. Although he tries to provide broad coverage of the topic, the primary focus is on the research conducted at the Network Security Laboratory at Columbia.
randomized runtimes and languages, code injection, code randomization, SQL injection, cross-site scripting, artificial diversity, IT Monoculture
A. D. Keromytis, "Randomized Instruction Sets and Runtime Environments Past Research and Future Directions," in IEEE Security & Privacy, vol. 7, no. , pp. 18-25, 2009.