Accession Number : ADA465213


Title :   Secure and Practical Defense Against Code-Injection Attacks using Software Dynamic Translation


Descriptive Note : Conference paper


Corporate Author : VIRGINIA UNIV CHARLOTTESVILLE DEPT OF COMPUTER SCIENCE


Personal Author(s) : Hu, Wei ; Hiser, Jason ; Williams, Dan ; Filipi, Adrian ; Davidson, Jack W ; Evans, David ; Knight, John C ; Nguyen-Tuong, Anh ; Rowanhill, Jonathan


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/a465213.pdf


Report Date : 16 Jun 2006


Pagination or Media Count : 12


Abstract : One of the most common forms of security attacks involves exploiting a vulnerability to inject malicious code into an executing application and then cause the injected code to be executed. A theoretically strong approach to defending against any type of code-injection attack is to create and use a process-specific instruction set that is created by a randomization algorithm. Code injected by an attacker who does not know the randomization key will be invalid for the randomized processor effectively thwarting the attack. This paper describes a secure and efficient implementation of instruction-set randomization (ISR) using software dynamic translation. The paper makes three contributions beyond previous work on ISR. First, we describe an implementation that uses a strong cipher algorithm the Advanced Encryption Standard (AES), to perform randomization. AES is generally believed to be impervious to known attack methodologies. Second, we demonstrate that ISR using AES can be implemented practically and efficiently (considering both execution time and code size overheads) without requiring special hardware support. The third contribution is that our approach detects malicious code before it is executed. Previous approaches relied on probabilistic arguments that execution of non-randomized foreign code would eventually cause a fault or runtime exception.


Descriptors :   *DATA PROCESSING SECURITY , COMPUTER PROGRAMS , ALGORITHMS , VULNERABILITY , SYMPOSIA , CRYPTOGRAPHY


Subject Categories : Computer Systems Management and Standards


Distribution Statement : APPROVED FOR PUBLIC RELEASE