Arbitrary code execution


Arbitrary code execution

In computer security, arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It's commonly used in arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another is often referred to as remote code execution.

It is the worst effect a bug can have because it allows an attacker to completely take over the vulnerable process. From there the attacker can potentially take complete control over the machine the process is running on. Arbitrary code execution vulnerabilities are commonly exploited by malware to run on a computer without the owners consent.

Arbitrary code execution is commonly achieved through control over the program counter (also known as the instruction pointer) of a running process. The instruction pointer points to the next instruction in the process that will be executed. Control over the value of the instruction pointer therefore gives control over which instruction is executed next. In order to execute arbitrary code, many exploits inject code into the process and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed.


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Code coverage — is a measure used in software testing. It describes the degree to which the source code of a program has been tested. It is a form of testing that inspects the code directly and is therefore a form of white box testing.[1] Code coverage was among …   Wikipedia

  • Code injection — is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or inject ) code into a computer program to change the course of execution. The results of a code injection… …   Wikipedia

  • Arbitrary-precision arithmetic — In computer science, arbitrary precision arithmetic indicates that calculations are performed on numbers whose digits of precision are limited only by the available memory of the host system. This contrasts with the faster fixed precision… …   Wikipedia

  • Position-independent code — In computing, position independent code (PIC) or position independent executable (PIE) is machine instruction code that executes properly regardless of where in memory it resides. PIC is commonly used for shared libraries, so that the same… …   Wikipedia

  • Source code — For the 2011 film, see Source Code. Not to be confused with source coding. An illustration of Java source code with prologue comments indicated in red, inline comments indicated in green, and program code indicated in blue In computer science,… …   Wikipedia

  • Spaghetti code — is a pejorative term for source code which has a complex and tangled control structure, especially one using many GOTOs, exceptions, threads, or other unstructured branching constructs. It is named such because program flow tends to look like a… …   Wikipedia

  • Windows Metafile vulnerability — The Windows Metafile vulnerability is a security vulnerability in Microsoft Windows NT based operating systems which has been used in a variety of exploits since late December 2005. The vulnerability was first discussed in the computer security… …   Wikipedia

  • Extended Copy Protection — XCP redirects here. For other uses, see XCP (disambiguation). Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet, (which on 20 November 2006, changed its name to Fortium Technologies Ltd see… …   Wikipedia

  • Security and safety features new to Windows Vista — There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.Beginning in early 2002 with Microsoft s announcement of their Trustworthy Computing… …   Wikipedia

  • Heap spraying — In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that sprays… …   Wikipedia