
1

2012/02/07 YLJ@adlab

RIPE: Runtime Intrusion Prevention Evaluator

John Wilander, Mariam Kamkar, Linköpings Universitet

Nick Nikiforakis, Yves Younan, Wouter Joosen, Katholieke Universiteit Leuven, Belgium

ACSAC 2011

2

Agenda

Introduction

How RIPE Works

Attack Forms

Countermeasures Evaluated

Result

Future Work

3

Introduction

RIPE: a deliberately vulnerable C program that attacks itself to allow evaluation of countermeasures.

Contributions: 850 working buffer overflow attack forms; evaluation of 8 countermeasures; 7% to 89% of attack forms prohibited.

4

How RIPE Works

Backend (C): can be run stand-alone from the command line; performs one attack per execution.

Frontend (Python): drives the backend and produces the report.

5

Attack Forms

NDSS '03 Testbed

Dimensions: target, technique, location

20 attack forms

6

Attack Forms

ACSAC '11 Testbed

Dimensions: target, technique, function, location, attack code

850 attack forms, extending the 20 attack forms of the NDSS '03 testbed

Target: RET, old base ptr, func ptr, longjmp buffer, struct with buffer & func ptr

Technique: direct, indirect

Function: memcpy, str(n)cpy, s(n)printf, str(n)cat, {s|f}scanf, loop equivalent of memcpy

Location: stack (local var & param), heap, BSS, data

Attack code: shellcode, shellcode + NOP, shellcode + polymorphic NOP, return-into-libc, ROP

7

Attack Forms

Example attack forms: direct overflow, indirect overflow, overflow within struct, injected stackframe

8

Countermeasures Evaluated

ProPolice (canary-based, variable reorder)

CRED (boundary checking, referent object)

StackShield, Libverify (copy & check)

Libsafe, LibsafePlus, LibsafePlus + TIED (library wrappers)

PAE & XD (non-executable memory)
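The first countermeasure on the slide, ProPolice, combines a canary with variable reordering. The following is an added illustration written for this page, not RIPE's code or ProPolice itself: each "stack frame" is modelled as a struct so that the oversized copy stays inside one object and the program is portable, the canary is a constructed constant rather than the random per-process value a real build uses, and the out-of-bounds copy is a plain memcpy standing in for an unchecked strcpy. It shows that in the naive layout a direct overflow of the buffer clobbers the neighbouring code pointer, while in the ProPolice layout the pointer has been moved below the buffer and the overflow trips the canary instead.

```c
/* Added example, not RIPE code: models the two ProPolice mechanisms in
 * plain C, a guard value (canary) placed between the buffer and the saved
 * frame state, and variable reordering so local pointers sit below buffers.
 * Frames are structs so the oversized copy stays inside one object; the
 * canary is a constructed constant (a real build uses a random value). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SZ 16
#define MAX_INPUT 64
#define ORIGINAL_PTR ((uintptr_t)0x1234)
#define GUARD        ((uintptr_t)0xC0FFEE42u)   /* constructed canary value */

/* Layout an unprotected build may use: buffer below a local code pointer,
 * so a direct overflow of buf runs straight into func_ptr. */
struct naive_frame {
    char buf[BUF_SZ];
    uintptr_t func_ptr;     /* stand-in for a local function pointer */
};

/* ProPolice layout: pointers reordered below the buffer, canary above it,
 * so an overflow reaches the canary before any saved state. */
struct propolice_frame {
    uintptr_t func_ptr;
    char buf[BUF_SZ];
    uintptr_t canary;
    uintptr_t saved_fp;     /* stand-in for saved frame pointer / return address */
};

/* Unchecked copy of n bytes of constructed input ('A's) into the buffer at
 * byte offset buf_off of a frame object of size frame_sz. The copy is
 * clamped to the frame so the model never writes outside its own object. */
static void overflow_into(void *frame, size_t frame_sz, size_t buf_off, size_t n) {
    char input[MAX_INPUT];
    memset(input, 'A', sizeof input);
    if (n > MAX_INPUT) n = MAX_INPUT;
    if (n > frame_sz - buf_off) n = frame_sz - buf_off;
    memcpy((char *)frame + buf_off, input, n);   /* no bounds check, like strcpy */
}

/* Unprotected frame: returns 1 if func_ptr survived an n-byte copy, else 0. */
int naive_pointer_intact(size_t n) {
    struct naive_frame f;
    f.func_ptr = ORIGINAL_PTR;
    overflow_into(&f, sizeof f, offsetof(struct naive_frame, buf), n);
    return f.func_ptr == ORIGINAL_PTR;
}

static struct propolice_frame run_propolice(size_t n) {
    struct propolice_frame f;
    f.func_ptr = ORIGINAL_PTR;
    f.canary = GUARD;
    f.saved_fp = 0x5678;
    overflow_into(&f, sizeof f, offsetof(struct propolice_frame, buf), n);
    return f;
}

/* ProPolice frame: 1 if the canary check at function exit would fire. */
int propolice_canary_tripped(size_t n) {
    struct propolice_frame f = run_propolice(n);
    return f.canary != GUARD;
}

/* ProPolice frame: 1 if the reordered func_ptr is untouched by the copy. */
int propolice_pointer_intact(size_t n) {
    struct propolice_frame f = run_propolice(n);
    return f.func_ptr == ORIGINAL_PTR;
}
```

With an 8-byte input both layouts are fine; with a 24-byte input the naive layout loses its code pointer silently, whereas the ProPolice layout keeps the pointer intact and the canary mismatch is what a real build would abort on. This is also why RIPE's "struct with buffer & func ptr" target matters: reordering cannot move a pointer that lives inside the same struct as the buffer.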

9

Result


10

Future Work

Save/load offsets to allow testing of ASLR and probabilistic memory safety

Other attack forms: heap spraying, non-control data attacks

11

Direct Overflow


12

Indirect Overflow


13

Overflow Within Struct


14

Injected Stackframe


15

ProPolice


16

CRED (C Range Error Detector)

17

StackShield


18

StackShield


19

Libverify


All Functions

20

Libsafe


21

LibsafePlus & TIED

Source code -> compile with -g -> binary + debug info

Debug info: offset from frame pointer and size for all buffers

Instruments all functions to check bounds
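The slide's pipeline ends with library wrappers that know each buffer's size. The following is an added example written for this page, not the LibsafePlus or TIED code: the per-buffer size records that TIED extracts from the debug info are modelled as a small table filled by hand with constructed entries, and a strcpy wrapper consults that table before copying, treating the registered object containing the destination pointer as its referent. A violation is reported by return value where the real library would terminate the process, and a destination with no record is reported as unknown (LibsafePlus would fall back to Libsafe's frame-pointer bound there).

```c
/* Added example, not LibsafePlus/TIED code: a strcpy wrapper that checks the
 * copy against the destination buffer's recorded size. The size table stands
 * in for the records TIED derives from -g debug info; entries here are
 * constructed by hand. Violations are signalled by return value. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { COPY_OK = 0, COPY_REJECTED = -1, COPY_UNKNOWN_DST = -2 };

struct buf_info { uintptr_t base; size_t size; };

#define MAX_BUFS 16
static struct buf_info table[MAX_BUFS];
static size_t table_len;

/* Stand-in for TIED's per-buffer records (address and size). */
int register_buffer(const void *base, size_t size) {
    if (table_len == MAX_BUFS) return -1;
    table[table_len].base = (uintptr_t)base;
    table[table_len].size = size;
    table_len++;
    return 0;
}

void clear_buffers(void) { table_len = 0; }

/* Finds the registered object containing p (its referent object) and stores
 * the bytes remaining from p to the end of that object. Returns 0 if p is
 * not inside any registered buffer. */
static int find_room(const void *p, size_t *room) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < table_len; i++) {
        uintptr_t end = table[i].base + table[i].size;
        if (a >= table[i].base && a < end) { *room = end - a; return 1; }
    }
    return 0;
}

/* strcpy wrapper: copies only if the whole string, including its NUL, fits
 * in the remaining space of the destination's referent object. On rejection
 * dst is left untouched. */
int checked_strcpy(char *dst, const char *src) {
    size_t room;
    if (!find_room(dst, &room)) return COPY_UNKNOWN_DST;   /* no size record */
    size_t need = strlen(src) + 1;
    if (need > room) return COPY_REJECTED;
    memcpy(dst, src, need);
    return COPY_OK;
}

/* Scenarios over a constructed 16-byte registered local; each returns the
 * wrapper's result code so it can be checked without inspecting memory. */
int scenario_fits(void) {
    char buf[16];
    clear_buffers();
    register_buffer(buf, sizeof buf);
    return checked_strcpy(buf, "fifteen chars!!");   /* 15 + NUL = 16, fits */
}

int scenario_overflows(void) {
    char buf[16];
    clear_buffers();
    register_buffer(buf, sizeof buf);
    return checked_strcpy(buf, "this string is longer than sixteen bytes");
}

/* Destination in the middle of the buffer: only 11 bytes remain, so a
 * 12-byte copy must be refused even though it is shorter than the buffer. */
int scenario_interior_pointer(void) {
    char buf[16];
    clear_buffers();
    register_buffer(buf, sizeof buf);
    return checked_strcpy(buf + 5, "0123456789A");   /* 11 + NUL = 12 > 11 */
}

/* Destination with no record at all. */
int scenario_unknown(void) {
    char other[8];
    clear_buffers();
    return checked_strcpy(other, "hi");
}

/* Returns 1 if a rejected copy left the destination's old contents intact. */
int rejected_leaves_dst_intact(void) {
    char buf[16] = "original";
    clear_buffers();
    register_buffer(buf, sizeof buf);
    int r = checked_strcpy(buf, "this string is longer than sixteen bytes");
    return r == COPY_REJECTED && strcmp(buf, "original") == 0;
}
```

The interior-pointer scenario is the reason the check works from the referent object rather than from a simple (pointer, size) pair: the space available depends on where inside the buffer the destination pointer sits, which is exactly what the frame-pointer offset and size recorded by TIED let the wrapper compute.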

22

XD (eXecute-Disable) + PAE (Physical Address Extension)