Adoption Challenges of Code Randomization

Abstract

Languages in the C family are distinguished by their efficiency, maturity, and their lack of guardrails compared to other mainstream language in use today. Their efficiency properties kept these languages relevant as new ones appeared. Their lack of memory safety and the resulting vulnerabilities is an ongoing challenge. Code randomization, a moving target defense technique, is one among many competing answers to this challenge. Many techniques have been proposed and evaluated extensively in academic conferences but adoption in the field is lagging. The goal of this paper is to highlight why adoption is so hard and what can be done about it. Code randomization techniques offer much flexibility in their design and implementation. We encourage research that investigates the complex trade-offs between security and many equally important concerns that must be made for enhanced code randomization defenses to make their way into production.