Randomized instruction set emulation to disrupt binary code injection attacks

Elena Gabriela Barrantes, Trek S. Palmer, David H. Ackley, Darko Stefanović, Stephanie Forrest, Dino Dai Zovi

Research output: Contribution to journalConference articlepeer-review

255 Scopus citations


Binary code injection into an executing program is a common form of attack. Most current defenses against this form of attack use a 'guard all doors' strategy, trying to block the avenues by which execution can be diverted. We describe a complementary method of protection, which disrupts foreign code execution regardless of how the code is injected. A unique and private machine instruction set for each executing program would make it difficult for an outsider to design binary attack code against that program and impossible to use the same binary attack code against multiple machines. As a proof of concept, we describe a randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator. The prototype disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. The paper describes the RISE implementation and its limitations, gives evidence demonstrating that RISE defeats common attacks, considers how the dense x86 instruction set affects the method, and discusses potential extensions of the idea.

Original languageEnglish (US)
Pages (from-to)281-289
Number of pages9
JournalProceedings of the ACM Conference on Computer and Communications Security
StatePublished - 2003
Externally publishedYes
EventProceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003 - Washington, DC, United States
Duration: Oct 27 2003Oct 31 2003


  • Automated Diversity
  • Emulation
  • Information Hiding
  • Language Randomization
  • Obfuscation
  • Security

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Randomized instruction set emulation to disrupt binary code injection attacks'. Together they form a unique fingerprint.

Cite this