RIPE: Runtime Intrusion Prevention Evaluator
John Wilander, Nick Nikiforakis, Yves Younan, Mariam Kamkar, and Wouter Joosen
@johnwilander @nicknikiforakis ACSAC’11
RIPE is ...
... a deliberately vulnerable C program
... that attacks itself,
... to allow evaluation of countermeasures.
RIPE contributions:
850 working buffer overflow attack forms
Evaluation of 8 countermeasures
7% to 89% of attack forms prohibited
RIPE download (MIT license):
https://github.com/johnwilander/RIPE
A Quick Look at How RIPE Works
RIPE backend
Backend (C)
Performs one attack per execution
Can be run stand-alone, command-line
./ripe_attack_generator -t direct -i simplenop -c ret -l stack -f strcpy
RIPE frontend
Frontend (Python) drives the Backend (C)
Report
python ripe_tester.py {direct|indirect|both} <number of times to repeat tests>
python ripe_tester.py both 5
Which Attack Forms are Possible?
NDSS ’03 Testbed: 20 attack forms
Dimensions: Technique, Location, Target
ACSAC ’11 Testbed: 850 attack forms
Dimensions: Technique, Location, Target, Function, Attack code
Target:
• RET
• Old base ptr
• Func ptr
• Longjmp buffer
• Struct with buffer & func ptr
Technique:
• Direct
• Indirect
Function:
• memcpy
• str(n)cpy
• s(n)printf
• str(n)cat
• {s|f}scanf
• loop equiv of memcpy
Location:
• Stack (local var & param)
• Heap
• BSS
• Data
Attack code:
• Shellcode
• Shellcode + NOP
• Shellcode + Polym. NOP
• Create file
• Return-into-libc
• ROP
Examples of Attack Forms
Direct Overflow with Injected Code
Attack input (diagram): Optional NOP sled (simple or polymorph) | Attack code (shell code or create file) | Padded bytes | Address back to NOP sled or attack code | NULL
Memory (diagram): Vulnerable buffer | Other variables | Target code pointer
./ripe_attack_generator -t direct -i simplenop -c ret -l stack -f strcpy
Indirect Overflow
Attack input (diagram): Optional NOP sled (simple or polymorph) | Attack code (shell code or create file) | Padded bytes | Address back to NOP sled or attack code | NULL
Memory (diagram): Vulnerable buffer | Other variables | General pointer → Target code pointer
./ripe_attack_generator -t indirect -i nonop -c ret -l stack -f strcpy
Overflow Within Struct
Attack input (diagram): Optional NOP sled (simple or polymorph) | Attack code (shell code or create file) | Address back to NOP sled or attack code
Memory (diagram), all inside one Struct: Vulnerable buffer | Other variables | Function pointer
./ripe_attack_generator -t direct -i nonop -c structfuncptrstack -l stack -f strcpy
Injected Stackframe
Attack input (diagram): Optional NOP sled (simple or polymorph) | Attack code (shell code or create file) | Fake stack frame | Address to fake stack frame | NULL
Memory (diagram): Vulnerable buffer | Other variables | Old base pointer
./ripe_attack_generator -t indirect -i polynop -c baseptr -l heap -f fscanf
All in all, 850 working attack forms
Countermeasures Evaluated
• ProPolice (canary-based, variable reorder)
• CRED (boundary checking, referent object)
• StackShield, Libverify (copy & check)
• Libsafe, LibsafePlus, LibsafePlus+TIED (library wrappers)
• PAE & XD (non-executable memory)
ProPolice
Stack frame layout (diagram): Local variables and Local buffers (sorted), Guard, Old Base Ptr, RET
CRED
Referent objects (diagram): each object has a Base and an Extent; ptr refers to one of them
Any pointer dereferencing has to stay within bounds
Out-of-bounds object (diagram): Value, Obj
Pointers allowed to be out of bounds during arithmetic
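A minimal model of the referent-object check on the CRED slides, added here as an illustration; it is not CRED's code and not part of the original deck. The names `referent`, `checked_ptr`, `ptr_add`, `checked_write` and the `victim` struct are hypothetical, and the model assumes bounds are tracked per whole object, so a struct counts as one referent object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model only. Assumption: bounds are tracked per whole object, so a
   referent object is the byte range [base, base + extent); a checked
   pointer keeps its referent object and a signed offset. */
struct referent { unsigned char *base; size_t extent; };
struct checked_ptr { const struct referent *obj; ptrdiff_t off; };

static struct checked_ptr ptr_add(struct checked_ptr p, ptrdiff_t n) {
    p.off += n;                      /* arithmetic is never rejected */
    return p;
}

/* Dereference check: the whole access must lie inside the referent object.
   Returns 0 and copies if in bounds, -1 without writing otherwise. */
static int checked_write(struct checked_ptr p, const void *src, size_t len) {
    if (p.off < 0 || (size_t)p.off > p.obj->extent ||
        len > p.obj->extent - (size_t)p.off)
        return -1;
    memcpy(p.obj->base + p.off, src, len);
    return 0;
}

/* Shape of the "struct with buffer & func ptr" target; never called here. */
struct victim { char buf[16]; void (*handler)(void); };
static char lone[16];                /* a buffer that is its own object */
static struct victim v;              /* buffer and pointer share one object */

/* 17 bytes into the stand-alone 16-byte buffer: rejected (-1). */
int overflow_lone_buffer(void) {
    struct referent r = { (unsigned char *)lone, sizeof lone };
    struct checked_ptr p = { &r, 0 };
    char src[17];
    memset(src, 'A', sizeof src);
    return checked_write(p, src, sizeof src);
}

/* Out of bounds during arithmetic is tolerated; use while out is not. */
int out_of_bounds_arithmetic(void) {
    struct referent r = { (unsigned char *)lone, sizeof lone };
    struct checked_ptr out = ptr_add((struct checked_ptr){ &r, 0 }, 20);
    int used_while_out = checked_write(out, "x", 1);
    int used_after_return = checked_write(ptr_add(out, -8), "x", 1);
    return used_while_out == -1 && used_after_return == 0;
}

/* A write that runs past buf but stays inside the struct passes the
   object-level check, and the bytes of handler change. */
int overflow_inside_struct(void) {
    struct referent r = { (unsigned char *)&v, sizeof v };
    struct checked_ptr p = { &r, (ptrdiff_t)offsetof(struct victim, buf) };
    unsigned char src[sizeof v];
    memset(src, 'A', sizeof src);
    int rc = checked_write(p, src, sizeof src);
    return rc == 0 && memcmp(&v.handler, src, sizeof v.handler) == 0;
}

int main(void) {
    printf("%d %d %d\n", overflow_lone_buffer(), out_of_bounds_arithmetic(),
           overflow_inside_struct());
    return 0;
}
```

In this model the third case never leaves its referent object, which is why a buffer and a function pointer inside the same struct are a hard target for object-granularity bounds checks.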
Stack Shield
Diagram: Stack frame A, Stack frame B; Global RET stack holding RET A, RET B
Memory layout (diagram): Text segment, Data segment, BSS, Heap, Stack
Boundary: function pointers have to point here
Libverify
Memory layout (diagram): Text segment, Data segment, BSS, Heap, Stack
All functions: copy all functions to the heap
Instrument all functions to copy their RET to a canary stack and check it before return (canary stack: RET A, RET B)
Libsafe
Stack frame (diagram): Parameters, RET, Old base pointer (Boundary)
Library functions may never overwrite a buffer past the old base pointer
LibsafePlus & TIED
Source code, compiled with -g: Binary plus Debug info
Diagram: Binary, Debug info, LibsafePlus, TIED
Offset from frame pointer and size for all buffers
Instruments all functions to check bounds
Non-Executable Memory (XD + PAE)
W⊻X: writable XOR executable
Memory layout (diagram): Text segment (X); Data segment, BSS, Heap, Stack (W)
Empirical Evaluation Results
Results

| Setup | Effectiveness | Successful attacks | Partly successful | Failed attacks |
| --- | --- | --- | --- | --- |
| Ubuntu 6.06 (no protection) | 0% | 99% | 1% | 0% |
| Libsafe | 7% | 91% | 2% | 7% |
| LibsafePlus | 19% | 79% | 2% | 19% |
| StackShield | 36% | 63% | 1% | 36% |
| ProPolice | 40% | 59% | 1% | 40% |
| LibsafePlus + TIED | 77% | 20% | 3% | 77% |
| CRED | 79% | 20% | 0.5% | 79% |
| Ubuntu 9.10 (W⊻X + CRED) | 89% | 9% | 1% | 89% |

Results, top 4

| Setup | Effectiveness | Successful attacks | Partly successful | Failed attacks |
| --- | --- | --- | --- | --- |
| ProPolice | 40% | 59% | 1% | 40% |
| LibsafePlus + TIED | 77% | 20% | 3% | 77% |
| CRED | 79% | 20% | 0.5% | 79% |
| Ubuntu 9.10 (W⊻X + CRED) | 89% | 9% | 1% | 89% |

ProPolice: Totally focused on protecting the stack. Indirect, heap/BSS/data-based attacks against longjmp buffers as stack variables or function parameters are not fully stable and thus categorized as partly successful.
LibsafePlus + TIED: Doesn’t wrap memcpy or loop equivalent of memcpy. Spurious successful attacks abusing wrapped functions explain the fairly high "Partly successful" figure.
CRED: Fails to protect against direct and indirect, stack/BSS/data-based overflows toward function pointers, longjmp buffers, and structs for sprintf(), snprintf(), sscanf(), and fscanf(). Attacks against structs are also successful for memcpy() and loop equivalent and are the only attacks successful from buffers on the heap.
Ubuntu 9.10 (W⊻X + CRED): All code injection countermeasured. Apart from that:
• All struct attack forms were successful.
• All direct attacks against function pointers on the heap and the data segment were successful.
• Indirect attacks against the old base pointer work in general on the heap, BSS, and data segment for memcpy(), strcpy(), strncpy(), sprintf(), snprintf(), strcat(), strncat(), sscanf(), fscanf(), and loop equivalent.
Related Work
Dynamic Overflow Detection by Zhivich, Leek, and Lippmann
Two Testbeds
1. "Variable-overflow": various small overflows, synthesized, not attacks
2. "Real exploits": modeled from real world, detection performance
Seven Countermeasures Evaluated
1. Chaperon: commercial, works with binaries, monitors execution
2. Valgrind: free sw, simulated execution, up to 500% performance hit
3. CCured: free sw, static analysis of pointers, may require annotations (SAFE = no arithmetic, no cast; SEQ = arithmetic; WILD = arithmetic and cast)
4. CRED: free sw, bounds checking with referent object
5. Insure++: commercial, instruments source code, up to 2500% performance hit
6. ProPolice: free sw, canary-based, reorders stack variables
7. TinyCC: free sw, basic referent object bounds checking
Results (Zhivich, Leek, and Lippmann)
Future Work
• Save/load offsets to allow testing of ASLR, probabilistic memory safety
• Other attack forms: memory mgmt data (free & double free), heap spraying, non-control data attacks
• Configurable memory layout model
Slides http://www.slideshare.net/johnwilander/ripe-runtime-intrusion-prevention-evaluator