Arbitrary Code Execution (ACE): Definition & Defence

An arbitrary code execution (ACE) stems from a flaw in software or hardware. A hacker spots that problem, and then they can use it to execute commands on a target device.

Remote code execution vulnerabilities happen when a hacker can launch malignant code across an entire network rather than on one lone device.

How Does Arbitrary Code Execution Work?

Computers can't differentiate between valid inputs (like a password) and commands (like code). If you tap in the proper sequence of numbers and letters, and the computer is built to accept them, you can transform almost any entry into an attack.

A hacker could trigger a problem that already exists, modify information within a program, load different code, or install a problem to run later.

The target software or device controls the level of access a hacker has, but the hacker’s goal is to escalate their privilege. In essence, the hacker tries to achieve administrator control of the device. If they succeed, that computer could become a zombie device for hackers to exploit in another attack.

ACE incidents can vary in their severity.

In 2014, a gamer used ACE commands and the buttons on a controller to hijack the video game Super Mario World. The exploit was so significant that one writer said, "The fabric of the game's reality comes apart at the seams for a few seconds."

They can have more dramatic consequences than altering a video game, too. Hackers have also used ACE to steal data, run extortion schemes, and otherwise bring a business to its knees. Private text messages and search histories can even be exposed when hackers use ACE.

4 Arbitrary Code Execution Vulnerabilities

A hacker can't just leap into any system and begin to run code. A problem must exist first, and the hacker must find it.

Four known vulnerabilities that can result in remote code execution include:

  • Deserialisation. Programmers use serialisation to convert complex data into an easy-to-send stream. Deserialisation restores the data to its original form. A user could step into this process and send malformed or unexpected data
  • GND ldd arbitrary code execution. The ldd command runs in Linux, and it allows a user to explore dependencies of a shared library. This simple command can allow for ACE. Hackers can put an executable in ~/app/bin/exec and have it loaded by the lib loader. 
  • Memory safety. This means that in all program executions, there is no way to access invalid memory. Violations allow a program to crash unexpectedly, and when that happens, the hacker can step in with executable code. This same issue can also allow for data leakage. 
  • Type confusion. A program's code can be complicated, sometimes allowing for subtle conflicts. At some point, the device may not know exactly what to do, and a hacker can step in with an answer. In 2018, a programmer found this problem within Internet Explorer.

Hackers are innovative, and it's likely many other vulnerabilities exist. But this short list gives you an idea of how widespread this problem can be.

Arbitrary Code Prevention Tips

Defeating a hacker takes imagination. A developer must think about all of the unusual and crazy ways someone might tap into and manipulate software. It's almost impossible for these experts to dream up every issue a hacker might exploit.

Know that any software you use is probably vulnerable. Apply that knowledge by updating your software regularly and devotedly. Don't allow known exploits to ruin your safety.

Invest in antivirus software too. Programs can't catch every ACE issue. (In fact, a vulnerability spotted in the wild about half of virus scanners didn’t detect.) But they offer another layer of critical protection.

Use commonsense safety practices on any device you use, including laptops. Encrypt your data, back it up regularly, and lock down your password data.

At Okta, we offer programs you can use to sign in, authorise, and manage users. We can also help you protect your servers from outside attacks. We'd love to talk with you about your security needs or help you start a free trial of our services. Contact us to start a conversation.

References

How An Emulator-Fueled Robot Reprogrammed Super Mario World On the Fly. (January 2014). Ars Technica.

Fearless Security: Memory Safety. (January 2019). Mozilla Hacks.

This Hugely Popular Android App Could Have Exposed Your Web History and Texts. (June 2021). Express.

Deserialization of Untrusted Data. OWASP.

RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer. (May 2019). Zero Day Initiative.

ldd Arbitrary Code Execution. (2021). Cat On Mat.

Hackers Exploit WinRAR Vulnerability to Deliver Malware. (February 2019). Security Week.