
Page 1: Instruction-Set Randomization

“Countering Code-Injection Attacks With Instruction-Set Randomization”, G. Kc, A. Keromytis, and V. Prevelakis

CCS October 2003

“Randomized instruction set emulation to disrupt binary code injection attacks”, E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic and D. Zovi

CCS October 2003

Presented by: David Allen, November 02, 2005

Page 2: Concept

• Population diversity.

• Every running program has a different instruction set.

• Ideally there is a large instruction space.

• Prevent all network code-injection attacks.

• “Self-Destruct”

• Exploits reduced to DoS vulnerability.

Page 3: Threats

• Stack- and Heap-based buffer overflow attacks.

• Format string attacks.

• CGI scripts

• SQL scripts

• Perl

Page 4: Weaknesses

• No protection against logic attacks.

• No protection against data attacks.

• Designed to protect against external attacks.

• May be very weak against internal attack.

Page 5: Method

• Encode:
  – During Build.
  – During Load.

• Decode:
  – Hardware. (Transmeta Crusoe)
  – Emulator.
  – Binary-binary translation. (Valgrind)

Page 6: Platform

• Implemented on x86 systems due to prevalence.

• Dense instruction space of x86 is an issue.

• Variable instruction size is an issue.

• RISC is easier. Equal size instructions.

• 64-bit RISC is great. Large instruction space.

Page 7: Method 1: Encoding

• Build code with branches aligned to even addresses.

• 16-bit key. (8-bit too small)

• Executable and Linking Format (ELF) separates program text from read-only data.

• Use modified objcopy to transform ELF files.

• XOR key with program text.

• Key is stored in modified executable.

Page 8: Method 1: Decoding

• New read-only register in process control block (PCB) to hold key.

• Set by privileged instruction.

• Modified Bochs open-source x86 emulator.

• Instructions decoded on fetch.

Page 9: Method 1: Results

• Emulation is very slow. Should be done in hardware.

• Vulnerable to local attacks on the key.

• Even with larger keys, short instructions can be used to attack the key piecemeal.

• Requires access to code.

• Libraries must be statically linked.

• Effective against code-injection attacks.

Page 10: Method 2: Encoding

• Generate an XOR mask the same size as the text.

• Uses /dev/urandom (SHA1 feedback seeded from true randomness)

• ELF file is encoded during load.

Page 11: Method 2: Decoding

• Modified Valgrind binary-binary translation program.

• Instructions decoded on fetch.
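A toy model of the two binary methods, added here as an example and not the papers' or the deck's code. A four-opcode stack machine stands in for x86 and a byte string for the ELF text segment; Method 1 XORs the text with a short repeating key (the 16-bit key on the slides), Method 2 with a mask as long as the text drawn at load time from os.urandom (/dev/urandom on Linux). The decoder XORs every byte as it is fetched, and bytes written into the image without the key decode to an illegal instruction, which is the "self-destruct" the Concept slide describes. The opcode set and all function names are assumptions made for this example.

```python
"""Toy model of XOR-based instruction-set randomization (Methods 1 and 2).

Added example, not the papers' or the deck's code.  A four-opcode stack
machine stands in for x86 and a byte string for the ELF text segment.
"""
import os

# Toy ISA (assumed for this example): any other byte is an illegal instruction.
OP_NOP, OP_PUSH, OP_ADD, OP_HALT = 0x00, 0x01, 0x02, 0x03


class IllegalInstruction(Exception):
    """The 'self-destruct' outcome: a fetched byte decodes to no valid opcode."""


def encode_text(text: bytes, key: bytes) -> bytes:
    """Encode (or decode; XOR is its own inverse) the text with a repeating key."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text))


def method1_key() -> bytes:
    """Method 1: a 16-bit key, chosen at build time and stored with the binary."""
    return os.urandom(2)


def method2_mask(text: bytes) -> bytes:
    """Method 2: a mask as long as the text, generated when the ELF is loaded."""
    return os.urandom(len(text))


def run(encoded: bytes, key: bytes, max_steps: int = 1000) -> int:
    """Execute encoded text, decoding each byte as it is fetched (as the modified
    Bochs or Valgrind front end does).  Returns the top of stack at HALT."""
    def fetch(pc: int) -> int:
        if pc >= len(encoded):
            raise IllegalInstruction(f"fetch past end of text at pc={pc}")
        return encoded[pc] ^ key[pc % len(key)]

    stack, pc = [], 0
    for _ in range(max_steps):
        op = fetch(pc)
        if op == OP_NOP:
            pc += 1
        elif op == OP_PUSH:                # the immediate lives in the text segment,
            stack.append(fetch(pc + 1))    # so it is encoded and decoded like an opcode
            pc += 2
        elif op == OP_ADD:
            if len(stack) < 2:
                raise IllegalInstruction(f"stack underflow (fault) at pc={pc}")
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFF)
            pc += 1
        elif op == OP_HALT:
            return stack[-1] if stack else 0
        else:
            raise IllegalInstruction(f"undefined opcode {op:#04x} at pc={pc}")
    raise IllegalInstruction("step limit exceeded")


def simulate_injection(encoded: bytes, offset: int, raw_code: bytes) -> bytes:
    """Model what an overflow leaves behind: bytes written into the executable
    image *unencoded*, because whoever wrote them does not hold the key."""
    return encoded[:offset] + raw_code + encoded[offset + len(raw_code):]


# Constructed program: PUSH 2, PUSH 3, ADD, HALT  (computes 5)
PROGRAM = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_HALT])
# Constructed injected code: PUSH 9, HALT, written unencoded over the start of text
INJECTED = bytes([OP_PUSH, 9, OP_HALT])


def demo(key: bytes) -> tuple:
    """Returns (result of the legitimate program, outcome of the injected code)."""
    encoded = encode_text(PROGRAM, key)
    legit = run(encoded, key)
    try:
        run(simulate_injection(encoded, 0, INJECTED), key)
        outcome = "ran"            # decoded to valid opcodes purely by chance
    except IllegalInstruction:
        outcome = "self-destruct"  # the DoS the Concept slide describes
    return legit, outcome


if __name__ == "__main__":
    print("method 1 (16-bit key):", demo(method1_key()))
    print("method 2 (full mask):", demo(method2_mask(PROGRAM)))
```

Because the toy ISA has only four valid opcodes, almost any unencoded byte decodes to an illegal instruction. On x86, whose dense, variable-length encoding the Platform slide flags as an issue, random bytes decode to something executable far more often, so the process may run garbage for a while before it faults; the guarantee is a crash rather than attacker-controlled execution, not an immediate stop.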

Page 12: Method 2: Results

• Valgrind is very slow due to memory checks. Should be replaced.

• Does not need access to code.

• Not sensitive to variable instruction size.

• Imposes only a modest performance hit.

• Libraries can’t be shared. Encoded on loading.

• Emulation itself prevents some attacks.

• Effective against code-injection attacks.

Page 13: Method 3: Encoding

• Perl scripting.

• Randomized tag added to all:
  – Keywords
  – Operators
  – Function calls

• Tag is given to Perl with a command-line argument.

Page 14: Method 3: Decoding

• Tag is given to Perl with a command line argument.

• Modification of Perl’s lexical analyzer.
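A toy model of the keyword-tagging method, added here as an example and not the paper's or the deck's code; it is Python rather than Perl, with a small lexer for a Perl-like subset standing in for Perl's lexical analyzer. The encode step appends a random tag to every bareword (keyword or function name) and operator of the trusted script; the decode step hands the same tag to the lexer (the command-line argument on the slides), which strips it and refuses any bareword or operator that lacks it. Code spliced into the script from untrusted input has no tag, so it is rejected at lexing time. The token set, the tag format and all function names are assumptions made for this example.

```python
"""Toy model of the keyword-tagging form of ISR for Perl (Method 3).

Added example, not the paper's or the deck's code.  A Python lexer for a
Perl-like subset stands in for Perl's lexical analyzer.
"""
import re
import secrets

# Tokens that never carry a tag: whitespace, numbers, string literals, $variables.
_PLAIN = r'(?P<ws>\s+)|(?P<num>\d+)|(?P<str>"[^"]*")|(?P<var>\$\w+)'
# Barewords and operators of the toy subset (assumed for this example).
_WORD = r"[A-Za-z_]\w*"
_OP = r"==|[=+\-.;(){}]"
UNTAGGED_RE = re.compile(f"{_PLAIN}|(?P<word>{_WORD})|(?P<op>{_OP})")


class InjectionDetected(Exception):
    """An untagged bareword or operator reached the tagged lexer."""


def make_tag(ndigits: int = 9) -> str:
    """Random decimal tag; digits keep a tagged bareword a single identifier token."""
    return "".join(str(secrets.randbelow(10)) for _ in range(ndigits))


def _scan(pattern, src):
    """Yield matches covering src completely, or fail on an unknown character."""
    pos = 0
    for m in pattern.finditer(src):
        if m.start() != pos:
            raise SyntaxError(f"unexpected character {src[pos]!r} at {pos}")
        yield m
        pos = m.end()
    if pos != len(src):
        raise SyntaxError(f"unexpected character {src[pos]!r} at {pos}")


def tag_source(src: str, tag: str) -> str:
    """Encode: append the tag to every bareword and operator of a trusted script."""
    out = []
    for m in _scan(UNTAGGED_RE, src):
        out.append(m.group() + tag if m.lastgroup in ("word", "op") else m.group())
    return "".join(out)


def lex_tagged(src: str, tag: str) -> list:
    """Decode: accept only tagged barewords/operators, returning (kind, text)
    tokens with the tag stripped; raise InjectionDetected on an untagged one."""
    t = re.escape(tag)
    tagged_re = re.compile(
        f"{_PLAIN}|(?P<tword>(?:{_WORD}){t})|(?P<top>(?:{_OP}){t})"
        f"|(?P<word>{_WORD})|(?P<op>{_OP})"
    )
    tokens = []
    for m in _scan(tagged_re, src):
        kind, text = m.lastgroup, m.group()
        if kind in ("word", "op"):
            raise InjectionDetected(f"untagged {kind} {text!r} at offset {m.start()}")
        if kind == "tword":
            tokens.append(("word", text[: -len(tag)]))
        elif kind == "top":
            tokens.append(("op", text[: -len(tag)]))
        elif kind != "ws":
            tokens.append((kind, text))
    return tokens


# Constructed trusted script; the application later splices user input into
# the string literal, which is the classic injection point.
TEMPLATE = 'my $name = "__INPUT__"; print "hello " . $name;'


def build_and_lex(user_input: str, tag: str) -> list:
    """Tag the trusted template once, splice untrusted input in later, then lex."""
    tagged = tag_source(TEMPLATE, tag)                 # encode step, done once
    script = tagged.replace("__INPUT__", user_input)   # untrusted data arrives later
    return lex_tagged(script, tag)                     # decode step, tag supplied


def is_rejected(user_input: str, tag: str) -> bool:
    """True when the spliced script is refused by the tagged lexer."""
    try:
        build_and_lex(user_input, tag)
    except InjectionDetected:
        return True
    return False


if __name__ == "__main__":
    tag = make_tag()
    print(tag_source(TEMPLATE, tag))
    print(build_and_lex("alice", tag))
    print("rejected:", is_rejected('"; print "injected"; "', tag))
```

Printing the tagged template shows why the Results slide reports a large increase in script size: every keyword and operator grows by the tag length. The scheme stands or falls on the tag staying secret from whoever supplies the input, which is the local and internal attack surface the Weaknesses and Method 1 Results slides point at.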

Page 15: Method 3: Results

• Script size greatly increased.

• No real performance penalty.

• Effective against code-injection attacks.

• Result should apply to other scripting systems as well.

Page 16: Conclusions

• Performance issues with additional layers.

• Binary-binary translation method appears superior.