
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.


1 Instruction-Set Randomization
“Countering Code-Injection Attacks With Instruction-Set Randomization”, G. Kc, A. Keromytis, and V. Prevelakis, CCS, October 2003
“Randomized instruction set emulation to disrupt binary code injection attacks”, E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic and D. Zovi, CCS, October 2003
Presented by: David Allen, November 02, 2005

2 Concept
Population diversity: every running program has a different instruction set.
Ideally there is a large instruction space.
Prevent all network code-injection attacks.
“Self-Destruct”: exploits reduced to a DoS vulnerability.

3 Threats
Stack- and heap-based buffer overflow attacks.
Format string attacks.
CGI scripts
SQL scripts
Perl

4 Weaknesses
No protection against logic attacks.
No protection against data attacks.
Designed to protect against external attacks; may be very weak against internal attack.

5 Method
Encode:
–During build.
–During load.
Decode:
–Hardware. (Transmeta Crusoe)
–Emulator.
–Binary-binary translation. (Valgrind)

6 Platform
Implemented on x86 systems due to prevalence.
Dense instruction space of x86 is an issue.
Variable instruction size is an issue.
RISC is easier: equal-size instructions.
64-bit RISC is great: large instruction space.

7 Method 1: Encoding
Build code with branches aligned to even addresses.
16-bit key. (8-bit too small)
Executable and Linking Format (ELF) separates program text from read-only data.
Use modified objcopy to transform ELF files.
XOR key with program text.
Key is stored in modified executable.

8 Method 1: Decoding
New read-only register in process control block (PCB) to hold key; set by privileged instruction.
Modified Bochs open-source x86 emulator.
Instructions decoded on fetch.

9 Method 1: Results
Emulation is very slow; should be done in hardware.
Vulnerable to local attacks on the key.
Larger keys: small instructions can be used to attack the key piecemeal.
Requires access to code; libraries must be statically linked.
Effective against code-injection attacks.

10 Method 2: Encoding
Generate an XOR mask the same size as the text.
Uses /dev/urandom (SHA1 feedback seeded from true randomness).
ELF file is encoded during load.

11 Method 2: Decoding
Modified Valgrind binary-binary translation program.
Instructions decoded on fetch.

12 Method 2: Results
Valgrind is very slow due to memory checks; should be replaced.
Does not need access to code.
Not sensitive to variable instruction size.
Imposes only a modest performance hit.
Libraries can’t be shared: encoded on loading.
Emulation itself prevents some attacks.
Effective against code-injection attacks.
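The encode-then-decode-on-fetch pipeline of Methods 1 and 2, and the “self-destruct” outcome from the Concept slide, as an added Python example that is not part of the talk or of either paper: a constructed four-opcode toy instruction set whose emulator XOR-decodes every fetched byte, with a repeating 2-byte key standing in for Method 1's 16-bit key and a text-sized os.urandom mask standing in for Method 2's load-time mask. The program bytes and the key value are constructed for the example.

```python
import os

# Toy instruction set constructed for this example: opcode byte + operand byte. Only
# 4 of 256 opcode values are valid, so a wrongly decoded byte almost always traps;
# the slides note that x86's dense instruction space leaves far fewer such holes.
HALT, PUSH, ADD, PRINT = 0x00, 0x01, 0x02, 0x03

def xor_text(text: bytes, key: bytes) -> bytes:
    """XOR text with a cyclically repeated key: a 2-byte key models Method 1's
    16-bit key, a key as long as the text models Method 2's load-time mask."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text))

def run(text: bytes, key: bytes, max_steps: int = 64):
    """Emulator whose fetch stage XOR-decodes every byte with the key. Returns
    ("ok", stack) on HALT or ("trap", pc) on an undecodable opcode, i.e. the
    'self-destruct' outcome that turns injected code into a crash (DoS)."""
    def fetch(pc: int) -> int:
        return text[pc] ^ key[pc % len(key)]
    pc, stack = 0, []
    for _ in range(max_steps):
        if pc + 1 >= len(text):            # ran off the end of the text segment
            return ("trap", pc)
        op, arg = fetch(pc), fetch(pc + 1)
        if op == HALT:
            return ("ok", stack)
        if op == PUSH:
            stack.append(arg)
        elif op == ADD:
            stack.append((stack.pop() + stack.pop()) & 0xFF)
        elif op == PRINT:
            print(stack[-1])
        else:                              # not an instruction under this key
            return ("trap", pc)
        pc += 2
    return ("trap", pc)

# Constructed plaintext program as the build produces it: push 2, push 3, add, print, halt.
PROGRAM = bytes([PUSH, 2, PUSH, 3, ADD, 0, PRINT, 0, HALT, 0])
KEY16 = bytes([0x5A, 0x3C])                # fixed 16-bit key so the run is reproducible

def demo_method1():
    """Encode with a 16-bit key at build time; decode on fetch."""
    return run(xor_text(PROGRAM, KEY16), KEY16)

def demo_method2():
    """Encode at load time with a text-sized mask from the OS random source."""
    mask = os.urandom(len(PROGRAM))
    return run(xor_text(PROGRAM, mask), mask)

def demo_injection():
    """Bytes placed in the text segment without the key (an injected payload) trap at the first fetch."""
    return run(PROGRAM, KEY16)
```

Both legitimate runs decode to the intended program and halt normally, while the unencoded bytes decode to an invalid opcode at pc 0 and trap, which is the DoS-instead-of-execution behaviour the Concept slide describes.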

13 Method 3: Encoding
Perl scripting.
Randomized tag added to all:
–Keywords
–Operators
–Function calls
Tag is given to Perl with a command line argument.

14 Method 3: Decoding
Tag is given to Perl with a command line argument.
Modification of Perl’s lexical analyzer.

15 Method 3: Results
Script size greatly increased.
No real performance penalty.
Effective against code-injection attacks.
Result should apply to other scripting systems as well.

16 Conclusions
Performance issues with additional layers.
Binary-binary translation method appears superior.

