
John Wilander, Mariam Kamkar (Linköpings universitet); Nick Nikiforakis, Yves Younan, Wouter Joosen (Katholieke Universiteit Leuven)


1 John Wilander, Mariam Kamkar, Linköpings universitet; Nick Nikiforakis, Yves Younan, Wouter Joosen, Katholieke Universiteit Leuven, Belgium. ACSAC 2011.
2012/02/07 YLJ@adlab

2 Agenda
- Introduction
- How RIPE Works
- Attack Forms
- Countermeasures Evaluated
- Result
- Future Work

3 Introduction
- RIPE (Runtime Intrusion Prevention Evaluator): a deliberately vulnerable C program that attacks itself to allow evaluation of countermeasures.
- Contributions:
  - 850 working buffer overflow attack forms
  - Evaluation of 8 countermeasures
  - 7% to 89% of attack forms prohibited, depending on the countermeasure

4 How RIPE Works
- Frontend (Python): drives the backend and produces the report.
- Backend (C): can be run stand-alone from the command line; performs one attack per execution.

5 Attack Forms: NDSS '03 Testbed
- Dimensions: Target, Technique, Location
- 20 attack forms

6 Attack Forms: ACSAC '11 Testbed
The 20 attack forms of the NDSS '03 testbed (Target x Technique x Location) are extended with two further dimensions, Function and Attack code, giving 850 attack forms:
- Target: RET, old base pointer, function pointer, longjmp buffer, struct with buffer & function pointer
- Technique: direct, indirect
- Function: memcpy, str(n)cpy, s(n)printf, str(n)cat, {s|f}scanf, loop equivalent of memcpy
- Location: stack (local variable & parameter), heap, BSS, data
- Attack code: shellcode, shellcode + NOP, shellcode + polymorphic NOP, return-into-libc, ROP

7 Attack Forms: Examples
- Direct Overflow
- Indirect Overflow
- Overflow Within Struct
- Injected Stackframe

8 Countermeasures Evaluated
- ProPolice (canary-based, variable reorder)
- CRED (boundary checking, referent object)
- StackShield, Libverify (copy & check)
- Libsafe, LibsafePlus, LibsafePlus+TIED (library wrappers)
- PAE & XD (non-executable memory)

9 Result
Notes from the result table:
- Doesn't wrap memcpy or the loop equivalent of memcpy.
- All code injection countermeasured. Apart from that: all struct attack forms were successful; all direct attacks against function pointers on the heap and the data segment were successful; indirect attacks against the old base pointer work in general on the heap, BSS, and data segment for memcpy(), strcpy(), strncpy(), sprintf(), snprintf(), strcat(), strncat(), sscanf(), fscanf(), and the loop equivalent.
- Fails to protect against direct and indirect stack/BSS/data-based overflows toward function pointers, longjmp buffers, and structs for sprintf(), snprintf(), sscanf(), and fscanf().
- Attacks against structs are also successful for memcpy() and the loop equivalent, and are the only attacks successful from buffers on the heap.
- Totally focused on protecting the stack.
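Added illustration (not from the slides or from the RIPE code): a small C model of why a ProPolice-style canary, listed on slide 8 as canary-based with variable reordering, detects a contiguous overflow heading for the return address but misses the "struct with buffer & func ptr" target that slide 9 reports as always successful. The frame layout, the canary value and the function-pointer bytes are constructed for the model; ProPolice can reorder separate locals so that pointers sit below buffers, but it cannot reorder the members of a struct, so an overflow inside the struct reaches the pointer without touching the canary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a ProPolice-style frame (constructed layout; every member is an unsigned
 * char array, so there is no padding). The canary sits between the locals and the
 * control data, so a contiguous overflow from buf must cross it to reach saved_fp/ret. */
struct frame {
    struct { unsigned char buf[16]; unsigned char fptr[8]; } local; /* struct with buffer & func ptr */
    unsigned char canary[8];
    unsigned char saved_fp[8];
    unsigned char ret[8];
};

/* Constructed values; real ProPolice uses a random or terminator canary. */
static const unsigned char CANARY[8] = { 0x00, 0x0a, 0xff, 0x0d, 0x41, 0x42, 0x43, 0x44 };
static const unsigned char FPTR[8]   = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7 };
enum outcome { DETECTED = 0, CLEAN = 1, MISSED = 2 };

/* Unchecked copy into buf (models strcpy()/memcpy() with no length check); clamped to
 * the end of the frame so the model itself stays within bounds. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n)
{
    size_t off = offsetof(struct frame, local); /* buf is the first member of local */
    if (n > sizeof *f - off) n = sizeof *f - off;
    memcpy((unsigned char *)f + off, src, n);
}

/* Set up the frame, write n bytes of 'A' into buf, then run the epilogue check.
 * DETECTED: canary changed (the function would abort instead of returning).
 * CLEAN: nothing outside buf touched. MISSED: fptr overwritten, canary intact. */
enum outcome run_copy(size_t n)
{
    struct frame f;
    unsigned char src[64];
    memset(src, 'A', sizeof src);
    if (n > sizeof src) n = sizeof src;
    memset(&f, 0, sizeof f);
    memcpy(f.local.fptr, FPTR, 8);
    memcpy(f.canary, CANARY, 8);
    unchecked_copy(&f, src, n);
    if (memcmp(f.canary, CANARY, 8) != 0) return DETECTED;
    return memcmp(f.local.fptr, FPTR, 8) == 0 ? CLEAN : MISSED;
}

int main(void)
{
    printf("%d %d %d\n", run_copy(16), run_copy(24), run_copy(40)); /* prints 1 2 0 */
    return 0;
}
```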

10 Future Work
- Save/load offsets to allow testing of ASLR and probabilistic memory safety
- Other attack forms:
  - Heap spraying
  - Non-control data attacks

11 Direct Overflow

12 Indirect Overflow

13 Overflow Within Struct

14 Injected Stackframe

15 ProPolice

16 CRED (C Range Error Detector)

17 StackShield

18 StackShield

19 Libverify (diagram: All Functions)

20 Libsafe

21 LibsafePlus & TIED
Source code, compiled with -g, gives a binary with debug info; from the debug info, the offset from the frame pointer and the size of all buffers are extracted, and all functions are instrumented to check bounds.

22 XD (eXecute-Disable) + PAE (Physical Address Extension)

