ABSTRACT
We present a framework to prevent code injection attacks in MS Windows using Native APIs in the operating system. By adopting the idea of diversity, this approach is implemented in a two-tier framework. The first tier permutes the Native API dispatch ID number so that only the Native API calls from legitimate sources are executed. The second tier provides an authentication process in case an attacker guesses the first-tier permutation order. The function call stack is back-traced to verify whether the original caller's return address resides within the legitimate process. The process is terminated and an alert is generated when an attack is suspected. Experiments indicate that our approach poses no significant overhead.
- Bastard disassembler, http://bastard.sourceforge.net/.Google Scholar
- S. Bhatkar, D. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. USENIX Security Symposium, 12(2):291--301, August 2003. Google ScholarDigital Library
- S. Forrest, A. Somayaji, and D. H. Ackley. Building diverse computer systems. In Workshop on Hot Topics in Operating Systems, pages 67--72, 1997. Google ScholarDigital Library
- J.Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. Proceedings of 22nd Symposium on Reliable and Distributed Systems (SRDS), October 2003.Google Scholar
- G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering Code-Injection Attacks With Instruction-Set Randomization. In Proceedings of the ACM Computer and Communications Security (CCS) Conference, pages 272--280, October 2003. Google ScholarDigital Library
- C. Linn, M. Rajagopalan, S. Baker, C. Collberg, H. Hartman, and S. Debray. Protecting against unexpected system calls. Proceedings of the USENIX Security, pages 239--254, 2005. Google ScholarDigital Library
- M. Rajagopalan, M. Hiltunen, T. Jim, and R. Schlichting. Authenticated system calls. International Conference on Dependable Systems and Networks(DSN '05), pages 358--367, 2005. Google ScholarDigital Library
Index Terms
- A framework for diversifying windows native APIs to tolerate code injection attacks
Recommendations
Using web application construction frameworks to protect against code injection attacks
PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for securityIn recent years, the security landscape has changed, with Web applications vulnerabilities becoming more prominent that vulnerabilities stemming from the lack of type safety, such as buffer overruns. Many reports point to code injection attacks such as ...
Defining code-injection attacks
POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languagesThis paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as ...
Defining code-injection attacks
POPL '12This paper shows that existing definitions of code-injection attacks (e.g., SQL-injection attacks) are flawed. The flaws make it possible for attackers to circumvent existing mechanisms, by supplying code-injecting inputs that are not recognized as ...
Comments