RIPE: Runtime Intrusion Prevention Evaluator (ACSAC 2011)
John Wilander, Mariam Kamkar (Linköpings universitet); Nick Nikiforakis, Yves Younan, Wouter Joosen (Katholieke Universiteit Leuven, Belgium)
2012/02/07 YLJ@adlab
Agenda
- Introduction
- How RIPE Works
- Attack Forms
- Countermeasures Evaluated
- Result
- Future Work
Introduction
RIPE (Runtime Intrusion Prevention Evaluator): a deliberately vulnerable C program that attacks itself, so that the countermeasures it is compiled or run with can be evaluated against a known set of attacks.
Contributions:
- 850 working buffer overflow attack forms
- Evaluation of 8 countermeasures
- The countermeasures prohibit between 7% and 89% of the attack forms
How RIPE Works
- Backend (C): the deliberately vulnerable program. Performs one attack per execution and can be run stand-alone from the command line.
- Frontend (Python): drives the backend through the attack forms, one execution each, and collects the outcomes into the report.
Attack Forms: NDSS '03 Testbed
Three dimensions (target, technique, location) giving 20 attack forms.
Attack Forms: ACSAC '11 Testbed
Five dimensions, 850 attack forms (the NDSS '03 testbed had 20):
- Target: RET (return address), old base pointer, function pointer, longjmp buffer, struct with buffer & func ptr
- Technique: direct, indirect
- Function: memcpy(), str(n)cpy(), s(n)printf(), str(n)cat(), {s|f}scanf(), loop equivalent of memcpy()
- Location: stack (local variable & parameter), heap, BSS, data
- Attack code: shellcode, shellcode + NOP sled, shellcode + polymorphic NOP sled, return-into-libc, ROP
Attack Forms: Examples
- Direct Overflow
- Indirect Overflow
- Overflow Within Struct
- Injected Stackframe
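The direct and indirect techniques from the taxonomy above, applied to the "struct with buffer & func ptr" target on the heap, as an added example; this is not code from RIPE or from the paper. The names `struct victim`, `vulnerable_copy`, `benign`, `target` and `g_hijacked` are assumed for illustration. The copy is the "loop equivalent of memcpy" technique, and, as RIPE does when it attacks itself, the address of `target` is taken at run time, so ASLR does not get in the way; the overflow is confined to the struct's own bytes so the program stays deterministic. Compile as C and run; both attacks report "hijacked".

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target: "struct with buffer & func ptr", allocated on the heap.
 * Field order is fixed by the ABI, so a variable-reordering scheme cannot
 * move fp out of the way of buf, and no stack frame exists for a
 * return-address checker to verify. */
struct victim {
    char buf[16];          /* the overflowed buffer */
    char *ptr;             /* generic data pointer: first target of the indirect attack */
    void (*fp)(void);      /* code pointer: what both attacks ultimately redirect */
};

static volatile int g_hijacked;               /* set by target(), read by the callers */
static void benign(void) { g_hijacked = 0; }  /* what the program meant to call */
static void target(void) { g_hijacked = 1; }  /* stands in for shellcode / a ROP entry */

/* Technique: "loop equivalent of memcpy", with no bound on n. The destination is
 * addressed as bytes of the whole struct, which keeps the stores well-defined
 * and stops the compiler from assuming fp is untouched. */
static void vulnerable_copy(struct victim *v, const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)v + offsetof(struct victim, buf);
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

static struct victim *new_victim(void)
{
    struct victim *v = malloc(sizeof *v);
    if (!v) abort();
    memset(v->buf, 0, sizeof v->buf);
    v->ptr = v->buf;       /* harmless default: points into its own buffer */
    v->fp = benign;
    return v;
}

/* Direct attack: one overflow runs past buf (and ptr) and overwrites fp
 * with &target. Returns 1 if control flow was hijacked. */
int direct_attack(void)
{
    struct victim *v = new_victim();
    unsigned char payload[sizeof(struct victim)];  /* whole struct's worth into a 16-byte buf */
    void (*t)(void) = target;

    memset(payload, 'A', sizeof payload);          /* filler over buf and ptr */
    memcpy(payload + offsetof(struct victim, fp), &t, sizeof t);

    g_hijacked = 0;
    vulnerable_copy(v, payload, sizeof payload);
    v->fp();                                       /* now calls target() */

    int hit = g_hijacked;
    free(v);
    return hit;
}

/* Indirect attack: the overflow stops short of fp and only redirects ptr so
 * that it points at fp. The program's own, correctly bounded second copy then
 * writes attacker data through ptr, and that write is what lands on fp. */
int indirect_attack(void)
{
    struct victim *v = new_victim();
    unsigned char payload[offsetof(struct victim, fp)];  /* buf + ptr only */
    char *where = (char *)&v->fp;
    void (*t)(void) = target;

    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct victim, ptr), &where, sizeof where);

    g_hijacked = 0;
    vulnerable_copy(v, payload, sizeof payload);   /* fp is still benign here */
    memcpy(v->ptr, &t, sizeof t);                  /* bounded copy, corrupted destination */
    v->fp();                                       /* now calls target() */

    int hit = g_hijacked;
    free(v);
    return hit;
}

int main(void)
{
    printf("direct attack on heap struct:   %s\n", direct_attack()   ? "hijacked" : "prevented");
    printf("indirect attack on heap struct: %s\n", indirect_attack() ? "hijacked" : "prevented");
    return 0;
}
```

The combination shown here (struct target, heap location, loop copy) is the one the Result slide singles out: a canary guards a stack frame, not a heap object; a struct's fields cannot be reordered away from its buffer; and a wrapper library that does not wrap memcpy() or its loop equivalent never sees this copy at all. The indirect variant also shows why the bounded second copy is no defence: its destination pointer was corrupted before it ran.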
Countermeasures Evaluated
- ProPolice (canary-based, variable reordering)
- CRED (bounds checking, referent object)
- StackShield, Libverify (copy & check of return addresses)
- Libsafe, LibsafePlus, LibsafePlus+TIED (library wrappers)
- PAE & XD (non-executable memory)
Result
Observations per countermeasure (the table's countermeasure column did not survive extraction, so the rows are listed without attribution):
- Doesn't wrap memcpy() or the loop equivalent of memcpy().
- All code injection attack forms are countered. Apart from that: all struct attack forms succeeded, and all direct attacks against function pointers on the heap and in the data segment succeeded.
- Indirect attacks against the old base pointer work in general on the heap, in BSS and in the data segment for memcpy(), strcpy(), strncpy(), sprintf(), snprintf(), strcat(), strncat(), sscanf(), fscanf() and the loop equivalent of memcpy().
- Fails to protect against direct and indirect stack-, BSS- and data-based overflows toward function pointers, longjmp buffers and structs for sprintf(), snprintf(), sscanf() and fscanf().
- Attacks against structs also succeed for memcpy() and the loop equivalent, and are the only attacks that succeed from buffers on the heap.
- Totally focused on protecting the stack.
Future Work
- Save/load offsets to allow testing of ASLR and probabilistic memory safety
- Other attack forms: heap spraying, non-control-data attacks
Direct Overflow (figure)
Indirect Overflow (figure)
Overflow Within Struct (figure)
Injected Stackframe (figure)
ProPolice (figure)
CRED (C Range Error Detector) (figure)
StackShield (figure, 1 of 2)
StackShield (figure, 2 of 2)
Libverify (figure: instrumentation applied to all functions)
Libsafe (figure)
LibsafePlus & TIED (figure): source code is compiled with -g; from the debug info in the binary, the offset from the frame pointer and the size of every buffer are extracted, and all functions are instrumented to check bounds.
XD (eXecute-Disable) + PAE (Physical Address Extension) (figure)