Post on 15-Jan-2016
Meet Twiggy
http://goatload.com/mt/
Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.
Meet Robbie
http://www.mumi.org/metissages/fr/artificiel/artificiel.html
http://www.dachshundalley.com/
Evil Is Afoot
http://www.austinpowers.com/
http://www.rit.edu/~sli4356/
If only I could modify the action for doAction…
More on Robbie
petAnimal(name)
doAction(action, name)
Buffers: name, action (action holds P E T)
Disclaimer: This is simplified
Sparky Senses Danger
petAnimal(name)
doAction(action, name)
Buffers: name holds S P A R K Y, action holds P E T
http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg
Twiggy to the Rescue
http://kevintdriver.hopto.org/images/squirrel.ski.jpg
Buffers: name, action (action holds P E T)
Modify Robbie’s code to maintain hashes of all buffers:
addr    len  hash
action  3    hash(PET)
Also stores data for name:
name    -    Hash(…)
Secret key = 32589
Robbie needs to store this somewhere inaccessible to Dr. Evil…
Without Spoiling Your Day
But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.
http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml
Stop That Modification!
petAnimal(name)
doAction(action, name)
Buffers (name, action): S P A R K Y E A T
Table entry: action 3 hash(PET)
Check it before use:
if(hash(_) != _) exit
Dr. Evil Is Foiled
http://www.cotbn.com/2002_12_01_archive.html
Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key.
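The table-and-check scheme from the preceding slides, as an added C example (not code from the presentation). The FNV-1a-based keyed hash, the protect/verify helper names, the fixed table size and the demo function are assumptions; the slides name no hash algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECRET_KEY 32589u  /* value from the slide; keep it out of the attacker's reach */
#define MAX_ENTRIES 8      /* assumed table size */
struct entry { const void *addr; size_t len; uint32_t hash; };
static struct entry table[MAX_ENTRIES];
static size_t n_entries;

/* Assumption: stand-in keyed hash (FNV-1a seeded with the key); the slides name
   no algorithm, and real use calls for a MAC such as SipHash or HMAC. */
static uint32_t keyed_hash(const void *p, size_t len) {
    const unsigned char *b = p;
    uint32_t h = 2166136261u ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}
/* Record or refresh (addr, len, hash); call after every legitimate write. */
int protect(const void *addr, size_t len) {
    size_t i = 0;
    while (i < n_entries && table[i].addr != addr) i++;
    if (i == MAX_ENTRIES) return -1;           /* table full */
    if (i == n_entries) n_entries++;           /* new buffer */
    table[i] = (struct entry){ addr, len, keyed_hash(addr, len) };
    return 0;
}
/* 1 if the buffer still matches its entry, 0 if modified or never registered. */
int verify(const void *addr) {
    for (size_t i = 0; i < n_entries; i++)
        if (table[i].addr == addr)
            return keyed_hash(addr, table[i].len) == table[i].hash;
    return 0;
}
/* Dangerous method: check inputs before use. Returns -1 where the slide exits. */
int doAction(const char *action, const char *name) {
    if (!verify(action) || !verify(name)) return -1;
    return 0;  /* the action would run here */
}
/* Constructed scenario: tamper != 0 changes action without updating the table. */
int demo(int tamper) {
    static char name[8], action[4];
    n_entries = 0;
    memcpy(name, "SPARKY", 7);  protect(name, 6);
    memcpy(action, "PET", 4);   protect(action, 3);
    if (tamper) memcpy(action, "EAT", 3);
    return doAction(action, name);
}

int main(void) { printf("intact=%d tampered=%d\n", demo(0), demo(1)); return 0; }
```

The check only holds if every legitimate write is followed by protect(); a write that skips it is indistinguishable from tampering.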
But At What Cost?
Hashes and checks can be computationally expensive
Can Robbie feed Twiggy and Sparky on time?
http://www.pets.info.vic.gov.au/02/sdd_dlang.htm
http://www.nd.edu/~tdavidso/Mexico.htm
The Statistics
Robbie Runtime (bar chart)
Y-axis: Cycle count (Time to Feed Twiggy and Sparky)
X-axis: Program (Robbie's Control System)
Unmodified: 148000
Modified: 172000
Reduce the Cost
Do we need to check all buffers?
What about only checking buffers used as inputs to dangerous methods?
(That’s all the buffers in our example, but likely far fewer than in the program)
Can Twiggy use call-graph analysis to find those buffers?
Did It Work?
• Basic defense method protects buffers from modification.
• Aliasing ignored.
• Can we track down critical buffer values?
• We’re still working on that.
• But, for Twiggy, yes (this is supposed to be a happy story)