Issue No. 03 - July-September (2010 vol. 7)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2008.58
Stephen W. Boyd , SAS Institute Inc., Pittsburgh
Gaurav S. Kc , Google Inc., New York
Michael E. Locasto , George Mason University, Fairfax
Angelos D. Keromytis , Columbia University, New York
Vassilis Prevelakis , AEGIS Research Center in Information Security, Athens
We describe Instruction-Set Randomization (ISR), a general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoffs' principle to create OS process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that (randomized) environment, causing a runtime exception. Our approach is applicable to machine-language programs and scripting and interpreted languages. We discuss three approaches (protection for Intel x86 executables, Perl scripts, and SQL queries), one from each of the above categories. Our goal is to demonstrate the generality and applicability of ISR as a protection mechanism. Our emulator-based prototype demonstrates the feasibility ISR for x86 executables and should be directly usable on a suitably modified processor. We demonstrate how to mitigate the significant performance impact of emulation-based ISR by using several heuristics to limit the scope of randomized (and interpreted) execution to sections of code that may be more susceptible to exploitation. The SQL prototype consists of an SQL query-randomizing proxy that protects against SQL injection attacks with no changes to database servers, minor changes to CGI scripts, and with negligible performance overhead. Similarly, the performance penalty of a randomized Perl interpreter is minimal. Where the performance impact of our proposed approach is acceptable (i.e., in an already-emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a broad protection mechanism and complement other security mechanisms.
Interpreters, emulators, buffer overflows, SQL injection, randomization, security, performance.
G. S. Kc, V. Prevelakis, A. D. Keromytis, M. E. Locasto and S. W. Boyd, "On the General Applicability of Instruction-Set Randomization," in IEEE Transactions on Dependable and Secure Computing, vol. 7, no. , pp. 255-270, 2008.