RIPE: Runtime Intrusion Prevention Evaluator
![Page 1: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/1.jpg)
2012/02/07 YLJ@adlab
RIPE: Runtime Intrusion Prevention Evaluator
John Wilander, Mariam Kamkar (Linköpings universitet)
Nick Nikiforakis, Yves Younan, Wouter Joosen (Katholieke Universiteit Leuven, Belgium)
ACSAC 2011
![Page 2: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/2.jpg)
Agenda
- Introduction
- How RIPE Works
- Attack Forms
- Countermeasures Evaluated
- Result
- Future Work
![Page 3: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/3.jpg)
Introduction
RIPE: a deliberately vulnerable C program that attacks itself, so that runtime countermeasures can be evaluated against it.
Contributions:
- 850 working buffer overflow attack forms
- Evaluation of 8 countermeasures
- Depending on the countermeasure, between 7% and 89% of the attack forms are prevented
![Page 4: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/4.jpg)
How RIPE Works
Backend (C)
- Can be run stand-alone from the command line
- Performs one attack per execution
Frontend (Python)
- Drives the backend, one attack form per run
- Collects the outcomes into a report
![Page 5: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/5.jpg)
Attack Forms
NDSS '03 Testbed
Dimensions: Target, Technique, Location
20 attack forms
![Page 6: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/6.jpg)
Attack Forms
ACSAC '11 Testbed: 850 attack forms
The dimensions Function and Attack code are new; the NDSS '03 testbed's 20 attack forms covered only Target, Technique and Location.
- Target: RET (return address), old base pointer, function pointer, longjmp buffer, struct with buffer & function pointer
- Technique: direct, indirect
- Location (of the overflowed buffer): stack (local variable & parameter), heap, BSS, data
- Function (the one doing the overflowing copy): memcpy, str(n)cpy, s(n)printf, str(n)cat, {s|f}scanf, loop equivalent of memcpy
- Attack code: shellcode, shellcode + NOP sled, shellcode + polymorphic NOP sled, return-into-libc, ROP
![Page 7: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/7.jpg)
Attack Forms
Examples:
- Direct Overflow
- Indirect Overflow
- Overflow Within Struct
- Injected Stackframe
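To make the direct and indirect techniques on this slide, and the "one attack per execution" backend of slide 4, concrete, here is an added example that is not RIPE's own code. It is a miniature backend with a fixed target (struct with buffer & function pointer), location (stack local) and overflowing function (memcpy), and a selectable technique. Injected shellcode is replaced by an ordinary C function (`attack_code`) so no executable stack is needed; the command-line flag in `main`, the struct and function names, and the result strings are all made up for the example.

```c
/* Added example, not RIPE code: a minimal RIPE-style backend that runs one
 * attack form per call. attack_code() stands in for shellcode. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Target "struct with buffer & func ptr": overflowing buf reaches fp. */
struct target_direct {
    char buf[BUF_SIZE];
    void (*fp)(void);
};

/* For the indirect technique the buffer is followed by a general pointer.
 * The overflow redirects the pointer; a later legitimate store through it
 * then lands on the real target, a function pointer stored elsewhere. */
struct target_indirect {
    char buf[BUF_SIZE];
    void (**ptr)(void);
};

static int attack_succeeded;                       /* -1 = no call, 0 = benign, 1 = hijacked */
static void benign_code(void) { attack_succeeded = 0; }
static void attack_code(void) { attack_succeeded = 1; }

/* Direct overflow: filler up to fp's offset, then the new code pointer.
 * overflow=0 performs the same copy but stays within buf. */
int run_direct(int overflow)
{
    struct target_direct t;
    unsigned char payload[sizeof t];
    size_t len = BUF_SIZE;                         /* in-bounds length */

    t.fp = benign_code;
    attack_succeeded = -1;
    memset(payload, 'A', sizeof payload);          /* constructed filler */
    if (overflow) {
        void (*new_fp)(void) = attack_code;
        memcpy(payload + offsetof(struct target_direct, fp), &new_fp, sizeof new_fp);
        len = offsetof(struct target_direct, fp) + sizeof new_fp;   /* > BUF_SIZE */
    }
    memcpy(t.buf, payload, len);                   /* the vulnerable copy (memcpy attack form) */
    t.fp();                                        /* control transfer through the target */
    return attack_succeeded;
}

/* Indirect overflow: the overflow only corrupts a pointer; the program's own
 * later write through that pointer does the damage. */
int run_indirect(int overflow)
{
    void (*real_target)(void) = benign_code;       /* the code pointer the attacker wants */
    void (*scratch)(void) = benign_code;           /* where the program meant to write */
    struct target_indirect t;
    unsigned char payload[sizeof t];
    size_t len = BUF_SIZE;

    t.ptr = &scratch;
    attack_succeeded = -1;
    memset(payload, 'A', sizeof payload);
    if (overflow) {
        void (**new_ptr)(void) = &real_target;
        memcpy(payload + offsetof(struct target_indirect, ptr), &new_ptr, sizeof new_ptr);
        len = offsetof(struct target_indirect, ptr) + sizeof new_ptr;
    }
    memcpy(t.buf, payload, len);                   /* step 1: overflow redirects t.ptr */
    *t.ptr = attack_code;                          /* step 2: attacker-supplied value stored through it */
    real_target();                                 /* step 3: control transfer */
    return attack_succeeded;
}

int main(int argc, char **argv)
{
    /* Hypothetical command line: ./backend -t direct|indirect (flag name made up). */
    const char *technique = (argc == 3 && strcmp(argv[1], "-t") == 0) ? argv[2] : "direct";
    int result = strcmp(technique, "indirect") == 0 ? run_indirect(1) : run_direct(1);
    printf("technique=%s target=struct(buf,funcptr) location=stack function=memcpy: %s\n",
           technique, result == 1 ? "ATTACK SUCCEEDED" : "ATTACK FAILED");
    return result == 1 ? 0 : 1;
}
```

A frontend in the style of slide 4 would invoke this binary once per combination of the dimension values and tally the exit codes. The layout of the overflow is fixed by the C struct rules (members in declaration order), so the payload offsets come from `offsetof` and the example runs on 32- and 64-bit targets alike; a countermeasure that reorders variables or checks bounds (later slides) would change the outcome, which is exactly what RIPE measures.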
![Page 8: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/8.jpg)
Countermeasures Evaluated
- ProPolice (canary-based, variable reordering)
- CRED (bounds checking, referent object)
- StackShield, Libverify (copy & check of return addresses)
- Libsafe, LibsafePlus, LibsafePlus+TIED (library wrappers)
- PAE & XD (non-executable memory)
![Page 9: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/9.jpg)
Result
![Page 10: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/10.jpg)
Future Work
- Save/load offsets, to allow testing of ASLR and probabilistic memory safety
- Other attack forms: heap spraying, non-control-data attacks
![Page 11: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/11.jpg)
Direct Overflow
![Page 12: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/12.jpg)
Indirect Overflow
![Page 13: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/13.jpg)
Overflow Within Struct
![Page 14: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/14.jpg)
Injected Stackframe
![Page 15: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/15.jpg)
ProPolice
![Page 16: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/16.jpg)
CRED (C Range Error Detector)
![Page 17: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/17.jpg)
StackShield
![Page 18: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/18.jpg)
StackShield
![Page 19: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/19.jpg)
Libverify (copy & check applied to all functions)
![Page 20: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/20.jpg)
Libsafe
![Page 21: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/21.jpg)
LibsafePlus & TIED
Source code → compile with -g → binary with debug info
From the debug info, TIED extracts the offset from the frame pointer and the size of every buffer
All functions are instrumented so that the library wrappers can check bounds against those sizes
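The check that this pipeline enables, as an added example rather than LibsafePlus or TIED code: a wrapper for strcpy that refuses any copy which would run past the end of the destination buffer, using a table of buffer start addresses and sizes. TIED derives that table from the DWARF information of a binary built with -g; here the table is filled by a hand-written macro (`DECLARE_BOUND`), which is the assumption that keeps the example self-contained. The victim struct, the `demo` function and the `checked_strcpy` name are likewise made up for the example.

```c
/* Added example, not LibsafePlus/TIED code: a size-table-driven strcpy wrapper. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct buffer_bound {
    uintptr_t start;   /* address of the buffer */
    size_t    size;    /* its size in bytes, as TIED would read from debug info */
};

#define MAX_BOUNDS 8
static struct buffer_bound bounds[MAX_BOUNDS];
static int nbounds;

static void register_bound(void *p, size_t n)
{
    if (nbounds < MAX_BOUNDS) {
        bounds[nbounds].start = (uintptr_t)p;
        bounds[nbounds].size = n;
        nbounds++;
    }
}
static void clear_bounds(void) { nbounds = 0; }

/* Hand-filled stand-in for TIED's table: records address and sizeof of an array. */
#define DECLARE_BOUND(arr) register_bound((arr), sizeof (arr))

/* Bytes from dst to the end of the buffer containing it, or SIZE_MAX when the
 * buffer is unknown (LibsafePlus then falls back to Libsafe's frame-pointer check;
 * this example simply allows the copy). */
static size_t bytes_to_end(const void *dst)
{
    uintptr_t a = (uintptr_t)dst;
    for (int i = 0; i < nbounds; i++) {
        if (a >= bounds[i].start && a < bounds[i].start + bounds[i].size)
            return (size_t)(bounds[i].start + bounds[i].size - a);
    }
    return SIZE_MAX;
}

/* Wrapper around strcpy: copies only if src plus its terminator fits.
 * Returns 1 when the copy was performed, 0 when it was refused. */
int checked_strcpy(char *dst, const char *src)
{
    size_t need = strlen(src) + 1;
    size_t room = bytes_to_end(dst);
    if (need > room) {
        fprintf(stderr, "checked_strcpy: %zu bytes would overflow a %zu-byte region\n",
                need, room);
        return 0;
    }
    memcpy(dst, src, need);
    return 1;
}

/* RIPE's "struct with buffer & func ptr" target, to show what the check protects. */
struct victim {
    char buf[16];
    void (*fp)(void);
};
static void benign(void) {}

/* Copies input into the victim's buffer through the wrapper.
 * Returns 1 if the copy went through, 0 if it was refused, -1 if fp was damaged. */
int demo(const char *input)
{
    struct victim v;
    int ok;

    v.fp = benign;
    clear_bounds();
    DECLARE_BOUND(v.buf);                 /* what TIED would have recorded for v.buf */
    ok = checked_strcpy(v.buf, input);
    if (v.fp != benign)
        return -1;
    return ok;
}

int main(void)
{
    printf("short input accepted: %d\n", demo("hello"));
    printf("overlong input refused: %d\n", demo("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The wrapper only knows what the table tells it, which is why the slide stresses building with -g: a buffer absent from the table (stripped binary, hand-written assembly) gets no size information and the copy is waved through. Note also that the size recorded for `v.buf` is 16, not the size of the enclosing struct, so an overflow that stays inside the struct and only reaches `fp` is still refused.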
![Page 22: RIPE:Runtime Intrusion Prevention Evaluator](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816180550346895dd110a6/html5/thumbnails/22.jpg)
XD (eXecute-Disable) + PAE (Physical Address Extension)