Code Injection Prevention

This work presents a code injection prevention technique based on the observation that code injection attacks require a von Neumann memory architecture (that is, an architecture where code and data can come from the same memory space) in order to be successful. We modify the Linux kernel to produce a Harvard architecture (one where code and data are separated) on a per process basis, hence preventing code injection attempts. This work is most similar to the NX-bit in modern processors. (In fact, non-executable pages are a subset of that protection this work provides.)

• “An Architectural Approach to Preventing Code Injection Attacks.” Ryan Riley, Xuxian Jiang, and Dongyan Xu. In Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2007).
  • Paper in PDF format.
  • Presentation as a Flash video.

• “An Architectural Approach to Preventing Code Injection Attacks.” Ryan Riley, Xuxian Jiang, and Dongyan Xu. To appear in IEEE Transactions on Dependable and Secure Computing (TDSC), Special Issue on DSN'07.

The system is primarily a patch for Linux 2.6.13. The code, such as it is, is available for download. Feel free to grab a copy from here. There is a bit of documentation inside. If you make improvements, find problems, etc. please pass it along to us.

• Ryan Riley
• Xuxian Jiang
• Dongyan Xu