Discretix Technologies Ltd.
Elena Gabriela Barrantes
Universidad de Costa Rica
Instruction Set Randomization (ISR) has been proposed as a form of defense against binary code injection into an executing program. One proof-of-concept implementation is Randomized Instruction Set Emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. Although RISE is effective against attacks that are not RISE-aware, it is vulnerable to pure data and hybrid data-code attacks that target the data structures of RISE, as well to some classes of brute-force guessing. In order to enable the design of a production-ready version, we describe implementation-specific and generic vulnerabilities that can be used to overcome RISE in its current form. We present and discuss attacks and defenses in three categories: known-key attacks that rely on the key being leaked and then used to pre-scramble the attacking code; chosen-key attacks that use implementation weaknesses to allow the attacker to define its own key,or otherwise affect key generation; and key-guessing attacks ("brute-force"), about which we explore the design of minimalistic loaders which can be used to minimize the number of mask bytes required for a successful key-guessing attack. All described attacks, and some of the proposed defenses were tested in real-world scenarios.
Keywords: code injection, buffer overflow, worm propagation, intrusion prevention
Read Paper (in PDF)