Presentation is loading. Please wait.

Presentation is loading. Please wait.

2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven.

Published byClement Morrison Modified over 9 years ago

Similar presentations

Presentation on theme: "2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven."— Presentation transcript:

1 2012/02/07 YLJ@adlab 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven Belgium ACSAC 2011

2 Agenda  Introduction  How RIPE Works  Attack Forms  Countermeasures Evaluated  Result  Future Work 2012/02/07 YLJ@adlab 2

3 Introduction  RIPE RIPE  A deliberately vulnerable C program that attacks itself to allow evaluation of countermeasures.  Contributions  850 working buffer overflow attack forms  Evaluation of 8 countermeasures  7% to 89% of attack forms prohibited 2012/02/07 YLJ@adlab 3

4 How RIPE Works 2012/02/07 YLJ@adlab 4 Backend (C) Can be run stand-alone, command-line Performs one attack per execution Frontend (Python) Report Drives

5 Attack Forms  NDSS ’03 Testbed 2012/02/07 YLJ@adlab 5 Target Technique location 20 attack forms

6 Attack Forms  ACSAC ’11 Testbed 2012/02/07 YLJ@adlab 6 Target Technique location 850 attack forms Function Attack code 20 attack forms  RET  Old base ptr  Func ptr  Longjmp buffer  Struct with buffer & func ptr  Direct  Indirect  memcpy  str(n)cpy  s(n)printf  str(n)cat  {s|f}scanf  loop equiv of memcpy  Stack (local var & param)  Heap  BSS  Data  Shellcode  Shellcode + NOP  Shellcode + Polym. NOP  Return-into-libc  ROP

7 Attack Forms  Example  Direct Overflow Direct Overflow  Indirect Overflow Indirect Overflow  Overflow Within Struct Overflow Within Struct  Injected Stackframe Injected Stackframe 2012/02/07 YLJ@adlab 7

8 Countermeasures Evaluated  ProPolice (canary-based, variable reorder) ProPolice  CRED (boundary checking, referent object)CRED  StackShield, Libverify (copy & check) StackShieldLibverify  Libsafe, LibsafePlus, LibsafePlus+TIED(library wrappers)Libsafe LibsafePlus+TIED  PAE & XD (non-executable memory)PAE & XD 2012/02/07 YLJ@adlab 8

9 Result 2012/02/07 YLJ@adlab 9 Doesn’t wrap memcpy or loop equivalent of memcpy. All code injection countermeasured. Apart from that: All struct attack forms were successful. All direct attacks against function pointers on the heap and the data segment were successful. Indirect attacks against the old base pointer work in general on the heap, BSS, and data segment for memcpy(), strcpy(), strncpy(), sprintf(), snprintf(), strcat(), strncat(), sscanf(), fscanf(), and loop equivalent Fails to protect against direct and indirect, stack/BSS/ data-based overflows toward function pointers, longjmp buffers, and structs for sprintf(), snprintf(), sscanf(), and fscanf(). Attacks against structs also successful for memcpy() and loop equivalent and are the only attacks successful from buffers on the heap Totally focused on protecting the stack.

10 Future Work  Save/load offsets to allow testing of ASLR,probabilistic memory safety  Other attack forms:  Heap spraying  Non-control data attacks 2012/02/07 YLJ@adlab 10

11 Direct Overflow 2012/02/07 YLJ@adlab 11

12 Indirect Overflow 2012/02/07 YLJ@adlab 12

13 Overflow Within Struct 2012/02/07 YLJ@adlab 13

14 Injected Stackframe 2012/02/07 YLJ@adlab 14

15 ProPolice 2012/02/07 YLJ@adlab 15

16 CRED(C Range Error Detector) 2012/02/07 YLJ@adlab 16

17 StackShield 2012/02/07 YLJ@adlab 17

18 StackShield 2012/02/07 YLJ@adlab 18

19 Libverify 2012/02/07 YLJ@adlab 19 All Functions

20 Libsafe 2012/02/07 YLJ@adlab 20

21 LibsafePlus&TIED 2012/02/07 YLJ@adlab 21 Source code Compile with -g Binary Debug info Offset from frame pointer and size for all buffers Instruments all functions to check bounds

22 XD(eXecute-Disable) + PAE(Physical Address Extension) 2012/02/07 YLJ@adlab 22

Download ppt "2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Unit 10 Miscellaneous Advanced Topics Introduction to C Programming.

Unit 10 Miscellaneous Advanced Topics Introduction to C Programming.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Security of Memory Allocators for C and C++ Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science.

Security of Memory Allocators for C and C++ Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
The Attack and Defense of Computers Dr. 許 富 皓 Attacking Program Bugs.

The Attack and Defense of Computers Dr. 許 富 皓 Attacking Program Bugs.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last words on buffer overflows Overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last words on buffer overflows Overview.

Similar presentations

Ads by Google