Where's the FEEB?
The Effectiveness of Instruction Set Randomization

David Evans

Purdue University
Center for Education and Research in Informations Assurance and Security (CERIAS)
9 March 2005


Instruction Set Randomization (ISR) has been proposed as a promising defense against code injection attacks. It defuses all standard code injection attacks since the attacker does not know the instruction set of the target machine. A motivated attacker, however, may be able to circumvent ISR by determining the randomization key. In this talk, I will describe a remote attack for determining an ISR key using an incremental guessing strategy and present a method for injecting a worm in an ISR-protected network. The attack is plausible under a variety of realistic conditions and can infect an ISR-protected server in under 6 minutes. Our results provide insights into properties necessary for ISR implementations to be secure and suggest ways to improve to ISR designs. I will speculate on more general architectures for using diversity that can avoid the need to keep secrets from potential attacker that is inherent in previous diversity-based defenses such as ISR and memory address randomization.

CERIAS Seminar Page
RealVideo Stream of Presentation

Slides: [PPT, 39 slides] [PDF, 7 pages]
Paper: [PDF, 16 pages] [HTML]

Genesis Project