2012/02/07 ylj@adlab 1 john wilander, mariam kamkar linkopings universitet nick nikiforakis, yves...

12012/02/07 YLJ@adlab

RIPE:RUNTIME INTRUSION PREVENTION EVALUATORJohn Wilander, Mariam KamkarLinkopings Universitet

Nick Nikiforakis, Yves Younan, Wouter JoosenKatholieke Universiteit Leuven Belgium

ACSAC 2011

2

Agenda

Introduction How RIPE Works Attack Forms Countermeasures Evaluated Result Future Work

2012/02/07 YLJ@adlab

3

Introduction

RIPE A deliberately vulnerable C program that

attacks itself to allow evaluation of countermeasures.

Contributions 850 working buffer overflow attack

forms Evaluation of 8 countermeasures 7% to 89% of attack forms prohibited


https://github.com/johnwilander/RIPE

4

How RIPE Works


Backend

(C)

Can be runstand-alone,command-line

Performsone attackper execution

Frontend

(Python)

Report

Drives

5

Attack Forms

NDSS ’03 Testbed


Targ

et

Technique

loca

tio

n

20 attack forms

6

Attack Forms

ACSAC ’11 Testbed


Targ

et

Technique

loca

tio

n

850 attack forms

FunctionAttack

code

20 attack forms

RET Old base ptr Func ptr Longjmp buffer Struct with buffer & func

ptr

Direct Indirect

memcpy str(n)cpy s(n)printf str(n)cat {s|f}scanf loop equiv of memcpy

Stack (local var & param)

Heap

BSS

Data

Shellcode

Shellcode + NOP

Shellcode + Polym. NOP

Return-into-libc

ROP

7

Attack Forms

Example Direct Overflow Indirect Overflow Overflow Within Struct Injected Stackframe


8

Countermeasures Evaluated

ProPolice (canary-based, variable reorder)

CRED (boundary checking, referent object)

StackShield, Libverify (copy & check)

Libsafe, LibsafePlus, LibsafePlus+TIED(library wrappers)

PAE & XD (non-executable memory)2012/02/07 YLJ@adlab

9

Result


10

Future Work

Save/load offsets to allow testing of ASLR,probabilistic memory safety

Other attack forms: Heap spraying Non-control data attacks


11

Direct Overflow


12

Indirect Overflow


13

Overflow Within Struct


14

Injected Stackframe


15

ProPolice


16

CRED(C Range Error Detector)


17

StackShield


18

StackShield


19

Libverify


All Functions

20

Libsafe


21

LibsafePlus&TIED


Source code

Compile

with -g

Binary

Debug info

Offset from frame pointer and size for all buffers

Instruments all functionsto check bounds

22

XD(eXecute-Disable) + PAE(Physical Address Extension)


2012/02/07 ylj@adlab 1 john wilander, mariam kamkar linkopings universitet nick nikiforakis, yves...

Documents

testbed20120207 ylj

executable memory20120207

adlab22 22result20120207

attack formsndss

attacks successful

indirect attacks

evaluation of countermeasures

function pointers