Isolating JavaScript in dynamic code environments
APLWACA '10 Proceedings of the 2010 Workshop on Analysis and Programming Languages for Web Applications and Cloud Applications
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
An architecture for enforcing javascript randomization in web2.0 applications
ISC'10 Proceedings of the 13th international conference on Information security
Proceedings of the 2013 Research in Adaptive and Convergent Systems
The author describes past research and future directions on instruction set randomization (ISR), a general technique for protecting against code-injection attacks. Such attacks are commonly encountered in a variety of application domains, remotely targeting program binaries, Web application and database backends, and Web browsers. Collectively, they represent the vast majority of reported attacks in bug- and incident-tracking repositories for the past decade, with no sign of abatement. ISR provides for a separation of code from data by randomizing the execution environment of legitimate code, which has to be suitably transformed using a key shared with the execution environment. This article describes the motivation behind ISR, the high-level concept, its use in two different application domains (binary code injection and SQL injection attacks), the author's findings and experiences (including several limitations, both of the technique and of prototypes), and future directions for improvements and application of ISR. Although he tries to provide broad coverage of the topic, the primary focus is on the research conducted at the Network Security Laboratory at Columbia.