A System Call Moving Target Defense for Binary Injections

Bibliographic Details
Published in: International Symposium on Computing and Networking (Online), pp. 183-189
Main Authors: Minato, Yuta; Masumoto, Takeshi; Koide, Hiroshi
Format: Conference Proceeding
Language: English
Published: IEEE, 26.11.2024
More Information
Summary: We propose a system call moving target defense (MTD) as a defense method against code injection attacks. The system call MTD limits the processing that a program injected by an attacker can perform, and the resources it can access, by randomizing the mapping between system call numbers and functions at runtime. Because system calls are the only way for user applications to access system resources, attackers find it more difficult to achieve their goals even when they succeed in injecting the program. Randomization techniques, called MTD, can be an effective method against zero-day attacks, where attackers exploit a vulnerability before it is patched. MTD increases the diversity of the system by dynamically changing relevant parameters. In this study, we randomize the system call mapping multiple times at runtime. Existing system call randomization techniques perform the randomization only once, before the program is loaded; such methods have no effect once information about the randomization is disclosed to attackers. Code injection attacks are among the most dangerous attacks on information systems, and can give an attacker the chance to fully compromise a system by executing arbitrary code. Currently, data execution prevention (DEP) is the main defense against such code injection attacks. DEP marks each memory page as readable, writable, or executable, and prevents the execution of instructions that violate these memory attributes. Although DEP prevents many attacks, challenges remain: it has been bypassed in a few cases, and it requires hardware support. For example, when developing IoT devices where low cost is prioritized over functionality, a CPU that does not support DEP may be selected. The proposed method does not require hardware support. Our experiments proved that our method can effectively prevent code injection attacks, and that this technique can be applied to many existing compiled programs.
ISSN: 2379-1896
DOI: 10.1109/CANDAR64496.2024.00030