RIPE: Runtime Intrusion Prevention Evaluator

Despite the plethora of research done in code injection countermeasures, buffer overflows still plague modern software. In 2003, Wilander and Kamkar published a comparative evaluation on runtime buffer overflow prevention technologies using a testbed of 20
attack forms and demonstrated that the best prevention tool missed 50% of the attack forms. Since then, many new prevention tools have been presented using that testbed to show that they performed better, not missing any of the attack forms. At the same time though, there have
been major developments in the ways of buffer overflow exploitation.

In this paper we present RIPE, an extension of Wilander's and Kamkar's testbed which covers 850 attack forms. The main purpose of RIPE is to provide a standard way of testing the coverage of a defense mechanism against buffer overflows. In order to test RIPE we use it to empirically evaluate some of the newer prevention techniques. Our results show that the most popular, publicly available countermeasures cannot prevent all of RIPE's buffer overflow attack forms. ProPolice misses 60%, LibsafePlus+TIED misses 23%, CRED misses 21%, and Ubuntu 9.10 with non-executable memory and stack protection misses 11%.

Author(s):

John Wilander    
Dept. of Computer Science, Linköpings Universitet
Sweden

Nick Nikiforakis    
Katholieke Universiteit Leuven
Belgium

Yves Younan    
Katholieke Universiteit Leuven
Belgium

Wouter Joosen    
Katholieke Universiteit Leuven
Belgium

Miriam Kamkar    
Linköpings Universitet
Sweden