
A General Approach for Defending Code-Injection Attacks

J. Sajeev, Rose Rani John, I. Bildass Santhosham

Abstract


This paper presents a general approach for safeguarding systems against code-injection attacks by providing randomized instruction sets. An attacker who does not know the key to the randomization algorithm will inject code that is in an invalid format for the randomized environment, so it causes a runtime exception. The approach is applicable to machine-level programs and to scripting languages. We provide two prototypes (protection for Intel x86 executables and for SQL queries) built on a proxy-based approach. The SQL prototype consists of an SQL query-randomizing proxy that protects against SQL injection attacks with no changes to database servers, minor changes to CGI scripts, and negligible performance overhead. Where the performance impact of our proposed approach is acceptable, it can serve as a broad protection mechanism and complement other security mechanisms.
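The SQL proxy idea from the abstract, as an added sketch that is not the authors' prototype: the application tags each keyword of its trusted query template with a key, and the proxy strips the key and raises an exception on any untagged keyword. The keyword subset, the key format (digits appended to each keyword), the table and column names, and all function names are assumptions made for illustration.

```python
import re

class InjectionDetected(Exception):
    """Raised by the proxy when a query contains an untagged SQL keyword."""

# Constructed subset of SQL keywords, enough for the demonstration.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION",
            "INSERT", "UPDATE", "DELETE", "DROP"}

# One token = a quoted string literal, a word (letters/digits/_), or any single char.
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z_0-9]*|.", re.S)

def randomize(template, key):
    """Application side: append the key to every keyword of a trusted template."""
    def tag(m):
        tok = m.group(0)
        return tok + key if tok.upper() in KEYWORDS else tok
    return TOKEN.sub(tag, template)

def derandomize(query, key):
    """Proxy side: restore standard SQL, rejecting any keyword that lacks the key."""
    out = []
    for m in TOKEN.finditer(query):
        tok = m.group(0)
        if tok.upper() in KEYWORDS:
            raise InjectionDetected(f"untagged keyword {tok!r}")
        if tok.endswith(key) and tok[:-len(key)].upper() in KEYWORDS:
            tok = tok[:-len(key)]
        out.append(tok)
    return "".join(out)

def build_query(user_id, key):
    """Hypothetical CGI-script step: tag the template, then splice in user input."""
    template = "SELECT name FROM users WHERE id = '{uid}'"
    return randomize(template, key).format(uid=user_id)

if __name__ == "__main__":
    key = "7391"  # constructed; a deployment would use a secret random key
    for uid in ("42", "Tom OR Jerry", "x' OR '1'='1"):
        try:
            print(derandomize(build_query(uid, key), key))
        except InjectionDetected as exc:
            print("rejected:", exc)
```

Keywords inside a quoted literal pass through untouched, so only input that escapes its literal and introduces new SQL syntax trips the check; the protection holds only while the key stays unknown to the attacker.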

Keywords


Proxy, Security, Instruction-set, Randomization






Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.