instruction-set randomization “countering code-injection attacks with instruction-set...
TRANSCRIPT
![Page 1: Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October](https://reader035.vdocuments.site/reader035/viewer/2022071709/56649d155503460f949eb3d5/html5/thumbnails/1.jpg)
Instruction-Set Randomization
“Countering Code-Injection Attacks With Instruction-Set Randomization”
G. Kc, A. Keromytis, and V. Prevelakis
CCS October 2003
“Randomized instruction set emulation to disrupt binary code injection attacks”
E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic and D. Zovi
CCS October 2003
Presented by: David Allen
November 02, 2005
Concept
• Population diversity.
• Every running program has a different instruction set.
• Ideally there is a large instruction space.
• Prevent all network code-injection attacks.
• “Self-Destruct”
• Exploits reduced to DoS vulnerability.
Threats
• Stack- and Heap-based buffer overflow attacks.
• Format string attacks.
• CGI scripts
• SQL scripts
• Perl
Weaknesses
• No protection against logic attacks.
• No protection against data attacks.
• Designed to protect against external attacks.
• May be very weak against internal attack.
Method
• Encode:
– During build.
– During load.
• Decode:
– Hardware (Transmeta Crusoe).
– Emulator.
– Binary-to-binary translation (Valgrind).
Platform
• Implemented on x86 systems due to prevalence.
• Dense instruction space of x86 is an issue.
• Variable instruction size is an issue.
• RISC is easier. Equal size instructions.
• 64-bit RISC is great. Large instruction space.
Method 1: Encoding
• Build code with branches aligned to even addresses.
• 16-bit key (8-bit too small).
• Executable and Linking Format (ELF) separates program text from read-only data.
• Use modified objcopy to transform ELF files.
• XOR key with program text.
• Key is stored in modified executable.
Method 1: Decoding
• New read-only register in process control block (PCB) to hold key.
• Set by privileged instruction.
• Modified Bochs open-source x86 emulator.
• Instructions decoded on fetch.
Method 1: Results
• Emulation is very slow. Should be done in hardware.
• Vulnerable to local attacks on the key.
• Even with larger keys, small instructions can be used to attack the key piecemeal.
• Requires access to code.
• Libraries must be statically linked.
• Effective against code-injection attacks.
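The build-time XOR encoding and decode-on-fetch loop of Method 1, modelled on a constructed toy ISA as an added example (not code from either paper): a legitimately encoded program runs, the same bytes written into the text region without the key decode to an illegal instruction and fault (the "self-destruct"), and a sweep over all 16-bit keys counts how often un-encoded code survives anyway. The opcode set, `encode_text`, `run`, `demo` and `keys_that_survive_injection` are all constructed here.

```python
import struct

# Constructed toy ISA standing in for the paper's x86 target: fixed 16-bit words, so every
# instruction is aligned; opcode in the high byte, 8-bit immediate in the low byte.
PUSH, ADD, HALT = 0x01, 0x02, 0x03          # any other opcode is illegal

def encode_text(text: bytes, key: int) -> bytes:
    """Build-time step (Method 1): XOR a 16-bit key over the program text, as the
    modified objcopy does; the key is then stored alongside the modified executable."""
    n = len(text) // 2
    words = struct.unpack(f">{n}H", text)
    return struct.pack(f">{n}H", *(w ^ key for w in words))

def run(text: bytes, key: int, max_steps: int = 64):
    """Fetch-decode-execute loop; the per-process key register decodes each word on fetch.
    Returns ("halt", stack) on a clean exit, or ("fault", pc) when a decoded word is not a
    legal instruction: the "self-destruct" that turns code injection into a crash (DoS)."""
    stack, pc = [], 0
    for _ in range(max_steps):
        if pc + 2 > len(text):
            return ("fault", pc)
        (word,) = struct.unpack(">H", text[pc:pc + 2])
        op, imm = (word ^ key) >> 8, (word ^ key) & 0xFF   # decode on fetch
        if op == PUSH:
            stack.append(imm)
        elif op == ADD and len(stack) >= 2:
            stack.append((stack.pop() + stack.pop()) & 0xFF)
        elif op == HALT:
            return ("halt", stack)
        else:
            return ("fault", pc)                            # illegal opcode or bad operands
        pc += 2
    return ("fault", pc)

# The legitimate program as the compiler emitted it (plaintext): 2 + 3, then halt.
PROGRAM = struct.pack(">4H", PUSH << 8 | 2, PUSH << 8 | 3, ADD << 8, HALT << 8)

def demo(key: int):
    """Encoded text decodes correctly under its key; the same plaintext bytes written into
    the text region by an attacker who does not hold the key decode to garbage and fault."""
    legit = run(encode_text(PROGRAM, key), key)
    injected = run(PROGRAM, key)
    return legit, injected

def keys_that_survive_injection() -> int:
    """Count the 16-bit keys under which the un-encoded PROGRAM still runs to HALT. A dense
    real ISA such as x86 makes this fraction far larger, which is why key size matters."""
    return sum(run(PROGRAM, k)[0] == "halt" for k in range(1 << 16))
```

In this toy only 512 of 65536 keys let the un-encoded program run to completion; on x86, where almost every byte sequence decodes to something, the odds are far less favourable to the defender.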
Method 2: Encoding
• Generate an XOR mask the same size as the text.
• Uses /dev/urandom (SHA1 feedback seeded from true randomness)
• ELF file is encoded during load.
Method 2: Decoding
• Modified Valgrind binary-binary translation program.
• Instructions decoded on fetch.
Method 2: Results
• Valgrind is very slow due to memory checks. Should be replaced.
• Does not need access to code.
• Not sensitive to variable instruction size.
• Imposes only a modest performance hit.
• Libraries can’t be shared. Encoded on loading.
• Emulation itself prevents some attacks.
• Effective against code-injection attacks.
Method 3: Encoding
• Perl scripting.
• Randomized tag added to all:
– Keywords
– Operators
– Function calls
• Tag is given to Perl with a command-line argument.
Method 3: Decoding
• Tag is given to Perl with a command line argument.
• Modification of Perl’s lexical analyzer.
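Method 3's keyword tagging, as an added example on a constructed one-keyword toy language standing in for Perl (not the papers' code): `randomize` tags the author's script before untrusted request data is concatenated, and `lex` accepts a keyword only when it carries the tag, so a keyword arriving inside the data is rejected as a syntax error. All names here (`KEYWORDS`, `new_tag`, `randomize`, `lex`, `run`, `cgi_page`, `is_rejected`) are assumptions of this example.

```python
import re
import secrets

# Constructed toy language standing in for Perl: whitespace-separated "<keyword> <argument>" pairs.
KEYWORDS = ("print",)

def new_tag(nbytes: int = 4) -> str:
    """Per-run random tag; hex digits keep it a legal identifier suffix (constructed choice)."""
    return secrets.token_hex(nbytes)

def randomize(script: str, tag: str) -> str:
    """Encoding (Method 3): tag every keyword of the author's script, before any untrusted data is spliced in."""
    pattern = r"\b(" + "|".join(KEYWORDS) + r")\b"
    return re.sub(pattern, lambda m: m.group(1) + tag, script)

def lex(script: str, tag: str) -> list:
    """Decoding: the modified lexer recognises a keyword only when it carries the tag.
    A bare keyword can only have arrived by injection, so it is a syntax error."""
    tokens = []
    for word in script.split():
        if word.endswith(tag) and word[: -len(tag)] in KEYWORDS:
            tokens.append(("KW", word[: -len(tag)]))
        elif word in KEYWORDS:
            raise SyntaxError(f"untagged keyword {word!r}: not part of the author's script")
        else:
            tokens.append(("ARG", word))
    return tokens

def run(script: str, tag: str) -> list:
    """Execute: each 'print' consumes the following word; returns everything printed."""
    out, tokens = [], lex(script, tag)
    for (kind, value), (_, arg) in zip(tokens[::2], tokens[1::2]):
        if kind != "KW":
            raise SyntaxError(f"expected a keyword, got {value!r}")
        out.append(arg)
    return out

def cgi_page(user_input: str, tag: str) -> list:
    """Model of a CGI script: the template is tagged at install time, request data is appended at run time."""
    template = randomize("print hello print", tag)
    return run(template + " " + user_input, tag)

def is_rejected(user_input: str, tag: str) -> bool:
    """True when the tagged lexer refuses the assembled script."""
    try:
        cgi_page(user_input, tag)
    except SyntaxError:
        return True
    return False
```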
Method 3: Results
• Script size greatly increased.
• No real performance penalty.
• Effective against code-injection attacks.
• Result should apply to other scripting systems as well.
Conclusions
• Performance issues with additional layers.
• Binary-binary translation method appears superior.