From 11c88694c702264aec402cd5b9551b4455c92b43 Mon Sep 17 00:00:00 2001
From: mc2zk <mc2zk@git.zephyr-software.com>
Date: Thu, 4 Aug 2011 18:50:40 +0000
Subject: [PATCH] Adding backup ILR  (???) and heaprand demonstrations.

---
 .gitattributes                         |  3 ++
 demos/demo.aug_9_2011/Makefile         | 12 ++++-
 demos/demo.aug_9_2011/demo_heaprand.sh | 40 +++++++++++++++++
 demos/demo.aug_9_2011/demo_ilr.sh      | 29 ++++++++++++
 demos/demo.aug_9_2011/malloc.c         | 61 ++++++++++++++++++++++++++
 demos/demo.aug_9_2011/ps_demo.sh       | 24 +++++-----
 6 files changed, 156 insertions(+), 13 deletions(-)
 create mode 100755 demos/demo.aug_9_2011/demo_heaprand.sh
 create mode 100755 demos/demo.aug_9_2011/demo_ilr.sh
 create mode 100644 demos/demo.aug_9_2011/malloc.c

diff --git a/.gitattributes b/.gitattributes
index 59c90e850..f1592c001 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -4,6 +4,8 @@ chopzero_src/Makefile -text
 chopzero_src/chopzero.c -text
 demos/Makefile -text
 demos/demo.aug_9_2011/Makefile -text
+demos/demo.aug_9_2011/demo_heaprand.sh -text
+demos/demo.aug_9_2011/demo_ilr.sh -text
 demos/demo.aug_9_2011/dumbledore.c -text
 demos/demo.aug_9_2011/dumbledore.exploits/Makefile -text
 demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeA.dynamic.no_strata.c -text
@@ -21,6 +23,7 @@ demos/demo.aug_9_2011/dumbledore.exploits/badB.txt -text
 demos/demo.aug_9_2011/dumbledore.good_inputs/good.txt -text
 demos/demo.aug_9_2011/heap_overflow.c -text
 demos/demo.aug_9_2011/help.txt -text
+demos/demo.aug_9_2011/malloc.c -text
 demos/demo.aug_9_2011/ps_demo.sh -text
 demos/demo.aug_9_2011/sample.txt -text
 demos/demo.jan_21_2011/Makefile -text
diff --git a/demos/demo.aug_9_2011/Makefile b/demos/demo.aug_9_2011/Makefile
index 65a811a92..e2c988d74 100644
--- a/demos/demo.aug_9_2011/Makefile
+++ b/demos/demo.aug_9_2011/Makefile
@@ -1,6 +1,14 @@
 TOOLBASE=${PEASOUP_HOME}/tools
 
-all: dumbledore.original dumbledore.protected heap_overflow.original heap_overflow.protected
+all: dumbledore.original dumbledore.protected heap_overflow.original heap_overflow.protected malloc.protected
+
+malloc.original: malloc.c
+	gcc -w malloc.c -O -o malloc.original
+
+malloc.protected: malloc.original
+	TVHEADLESS=1 sh ${SMPSA_HOME}/SMP-analyze.sh malloc.original
+	# stratafy
+	sh ${STRATA}/tools/pc_confinement/stratafy_with_pc_confine.sh malloc.original malloc.protected
 
 heap_overflow.original: heap_overflow.o
 	gcc -g heap_overflow.o -o heap_overflow.original
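Review bot: The new malloc.protected recipe expands `${SMPSA_HOME}` and `${STRATA}` with no check that they are set, so with either unset it runs `sh /SMP-analyze.sh` or `sh /tools/pc_confinement/stratafy_with_pc_confine.sh` and fails with a path error instead of naming the missing variable; a parse-time guard next to TOOLBASE, e.g. `$(if $(strip $(SMPSA_HOME)),,$(error SMPSA_HOME is not set))` (and the same for STRATA), fails early and clearly. The malloc.original rule hard-codes `gcc` and repeats the file names; `$(CC) -w -O $< -o $@` follows Make convention and lets the compiler be overridden, although the existing heap_overflow rules use the same hard-coded style so this is a suggestion rather than a regression. Note also that `-w` silences every compiler warning for malloc.c, which hides the `%d`-with-`long` format mismatch in its printf calls elsewhere in this patch.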
@@ -22,5 +30,7 @@ dumbledore.protected: dumbledore.original
 clean:
 	rm -f *.o heap_overflow.original heap_overflow.protected dumbledore.original dumbledore_cmd.original dumbledore.protected dumbledore_cmd.protected tmp
 	rm -Rf peasoup_executable_directory.*
+	# clean up heaprand demo intermediate files
+	rm -f  malloc.original* malloc.protected *.asm *.idb stratafier.o.exe output
 	# clean up IRDB and reset tables
 	if [ ! "X" = "X"${PGUSER} ]; then sh ${TOOLBASE}/db/drop_my_tables.sh; sh ${TOOLBASE}/db/pdb_setup.sh; fi
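Review bot: The added rm line deletes `*.asm`, `*.idb` and a file literally named `output`, which is broader than the files this Makefile's rules name as targets: `output` is written by demo_heaprand.sh rather than by any rule here, and the `.asm`/`.idb` files are presumably produced by the SMP-analyze step, so a wildcard sweep can also remove files the user placed in the directory. Keeping the preceding line's explicit-name style, or giving the demo log a specific name such as `malloc.protected.log` in both the script and this rm line, keeps clean limited to build products. The double space in `rm -f  malloc.original*` is harmless but reads like a leftover.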
diff --git a/demos/demo.aug_9_2011/demo_heaprand.sh b/demos/demo.aug_9_2011/demo_heaprand.sh
new file mode 100755
index 000000000..20e726227
--- /dev/null
+++ b/demos/demo.aug_9_2011/demo_heaprand.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Demonstration of HeapRand
+
+# A pause function
+Pause()
+{
+    key=""
+    echo -n "\nPress any key to continue...\n"
+    echo
+    stty -icanon
+    key=`dd count=1 2>/dev/null`
+    stty icanon
+}
+
+clear
+echo "HEAP RANDOMIZATION demonstration"
+echo "Sample program: Towers of Hanoi"
+Pause
+clear
+
+# First, display the program
+cat malloc.c |less
+
+Pause
+clear
+echo "Running malloc.original"
+./malloc.original 3
+
+Pause
+clear
+echo "Running malloc.protected with randomizing log messages on."
+Pause
+# run program
+STRATA_PC_CONFINE=1 STRATA_ANNOT_FILE=malloc.original.annot STRATA_LOG=heaprand STRATA_HEAPRAND=1 ./malloc.protected 3  > output 2>&1
+
+# Show output in pretty form?
+cat output |less
+
+
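Review bot: Pause switches the terminal with `stty -icanon` and only restores it after `dd` returns, so a Ctrl-C while waiting leaves the terminal in non-canonical mode; `trap 'stty icanon' EXIT INT TERM` near the top of the script restores it on any exit. The prompt `echo -n "\nPress any key to continue...\n"` is not portable under `#!/bin/sh` because whether `-n` and `\n` are honoured depends on which shell provides `echo`; `printf '\nPress any key to continue...\n'` behaves the same everywhere. The script also assumes it is run from the demo directory after `make` has produced the binaries, and fails with a bare "not found" otherwise; a guard such as `[ -x ./malloc.protected ] || { echo "run make first" >&2; exit 1; }` makes the precondition explicit. The same Pause function and the same assumptions are duplicated in demo_ilr.sh in this patch, so both scripts need the same treatment.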
diff --git a/demos/demo.aug_9_2011/demo_ilr.sh b/demos/demo.aug_9_2011/demo_ilr.sh
new file mode 100755
index 000000000..61d6327b4
--- /dev/null
+++ b/demos/demo.aug_9_2011/demo_ilr.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Author: Michele Co, mc2zk@virginia.edu
+#
+# Demonstrate operation of Instruction Layout Randomization
+# by turning on some Strata log messages
+
+# A pause function
+Pause()
+{
+    key=""
+    echo -n "\nPress any key to continue...\n"
+    echo
+    stty -icanon
+    key=`dd count=1 2>/dev/null`
+    stty icanon
+}
+
+echo "PEASOUP-protected dumbledore on good input"
+STRATA_LOG=spri ./dumbledore.protected < dumbledore.good_inputs/good.txt
+
+echo
+echo
+Pause
+clear
+
+echo "PEASOUP-protected dumbledore on malicious input"
+STRATA_LOG=spri ./dumbledore.protected < dumbledore.exploits/badB.dynamic.txt
+
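Review bot: The header comment says the demo works by turning on log messages, but neither it nor the script's output tells the audience what to look for in the `STRATA_LOG=spri` output of the two runs, whereas ps_demo.sh in this same patch prints the expected effect before each run. Extending the header with a sentence naming the log lines that distinguish the good-input run from the malicious-input run, and echoing a one-line expectation before the second run, would make the demo self-explanatory. The expected outcome of the malicious run is not recorded anywhere in the script, so that wording has to come from the author.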
diff --git a/demos/demo.aug_9_2011/malloc.c b/demos/demo.aug_9_2011/malloc.c
new file mode 100644
index 000000000..d5c1e3de8
--- /dev/null
+++ b/demos/demo.aug_9_2011/malloc.c
@@ -0,0 +1,61 @@
+/** The Towers Of Hanoi * C * Copyright (C) 1998 Amit Singh. All Rights Reserved. **/ 
+#include <stdio.h> 
+#include <stdlib.h> 
+#include <limits.h> 
+#include <assert.h>
+
+
+#define FROM 1 
+#define TO 3 
+#define USING 2 
+
+void dohanoi(int N, int from, int to, int using) 
+{ 
+	static int count=0;
+	static int *malloc_ptr=NULL;
+
+	if(malloc_ptr){
+		free(malloc_ptr);
+		malloc_ptr=0;
+	}
+	else {
+		malloc_ptr=malloc(((1+N)*(from+1)*(1+to)*(1+using)) << 4);
+	}
+
+	if (N > 0) { 
+		dohanoi(N-1, from, using, to); 
+		dohanoi(N-1, using, to, from); 
+	} 
+	else {
+		int j;
+	}
+} 
+
+int main (int argc, char **argv) { 
+	long int N;
+	long int i;
+	int j;
+
+	if (argc != 2) { 
+		fprintf(stderr, "usage: %s N\n", argv[0]); exit(1); 
+	} 
+	N = strtol(argv[1], (char **)NULL, 10); /* a bit of error checking, LONG_XXX should be there in limits.h */ 
+
+	if (N == LONG_MIN || N == LONG_MAX || N <= 0) {
+	 	fprintf(stderr, "illegal value for number of disks\n"); 
+		exit(2); 
+	}
+
+	for(i=0;i<N;i++) {
+
+		printf("Hanoi %d ... \n", i);
+		fflush(stdout);
+		dohanoi(N, FROM, TO, USING); 
+
+		printf("Hanoi %d\n", i);
+		fflush(stdout);
+	}
+
+	exit(0); 
+}
+
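Review bot: Both `printf("Hanoi %d ... \n", i)` and `printf("Hanoi %d\n", i)` in main pass `long int i` to a `%d` conversion, which is undefined behaviour; the format should be `%ld`, and this is exactly the kind of warning the Makefile's `-w` suppresses. In dohanoi the `malloc` result is never checked, so on failure the allocation that the HeapRand demo is meant to exercise silently disappears; `assert(malloc_ptr);` after the call fits, since assert.h is already included. main also narrows `long N` to the `int N` parameter of dohanoi, and the `int j` locals in both functions are dead and could be dropped.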
diff --git a/demos/demo.aug_9_2011/ps_demo.sh b/demos/demo.aug_9_2011/ps_demo.sh
index 7b96623c0..7a238c5b3 100755
--- a/demos/demo.aug_9_2011/ps_demo.sh
+++ b/demos/demo.aug_9_2011/ps_demo.sh
@@ -54,13 +54,13 @@ clear
 
 echo "Running dumbledore.original with CODE INJECTION input.\nReported grade will be changed from D to A.\n"
 
-bad_input=`cat dumbledore.exploits/badA.txt`
+bad_input=`cat dumbledore.exploits/badA.dynamic.txt`
 echo "Input: ${bad_input}\n\n"
-echo "./dumbledore.original < dumbledore.exploits/badA.txt\n"
+echo "./dumbledore.original < dumbledore.exploits/badA.dynamic.txt\n"
 
 Pause
 
-./dumbledore.original < dumbledore.exploits/badA.txt
+./dumbledore.original < dumbledore.exploits/badA.dynamic.txt
 
 Pause
 clear
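Review bot: Each section repeats the new path `dumbledore.exploits/badA.dynamic.txt` three times, in the `cat`, in the echoed command and in the actual redirect, so the three can drift apart exactly as this commit had to correct; a variable near the top such as `badA_input=dumbledore.exploits/badA.dynamic.txt`, referenced in all three places, keeps them in step. The same applies to the other three hunks in this file, which repeat the badA and badB paths the same way.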
@@ -70,13 +70,13 @@ echo "At 6-month review: Instruction Set Randomization"
 echo "Running PEASOUP-protected dumbledore on CODE INJECTION input.\n"
 echo "PEASOUP detects the code injection.\n" 
 
-bad_input=`cat dumbledore.exploits/badA.txt`
+bad_input=`cat dumbledore.exploits/badA.dynamic.txt`
 echo "Input: ${bad_input}\n\n"
-echo "./dumbledore.protected < dumbledore.exploits/badA.txt\n"
+echo "./dumbledore.protected < dumbledore.exploits/badA.dynamic.txt\n"
 
 Pause
 
-./dumbledore.protected < dumbledore.exploits/badA.txt
+./dumbledore.protected < dumbledore.exploits/badA.dynamic.txt
 
 Pause
 # clear the screen
@@ -86,13 +86,13 @@ clear
 echo "Running dumbledore.original with ARC INJECTION input\n"
 echo "Input will cause username check to be bypassed."
 echo "Reported grade will be B, instead of the expected D.\n"
-bad_input=`cat dumbledore.exploits/badB.txt`
+bad_input=`cat dumbledore.exploits/badB.dynamic.txt`
 echo  "Input: ${bad_input}\n\n"
-echo "./dumbledore.original < dumbledore.exploits/badB.txt\n"
+echo "./dumbledore.original < dumbledore.exploits/badB.dynamic.txt\n"
 
 Pause
 
-./dumbledore.original < dumbledore.exploits/badB.txt
+./dumbledore.original < dumbledore.exploits/badB.dynamic.txt
 
 Pause 
 clear
@@ -100,13 +100,13 @@ clear
 # 5) Run dumbledore.protected on bad input #2, show that we did not defeat the exploit
 echo "NEW since 6-month review: Instruction Layout Randomization"
 echo "Running PEASOUP-protected dumbledore with arc injection attack input\n\n"
-badBinput=`cat dumbledore.exploits/badB.txt`
+badBinput=`cat dumbledore.exploits/badB.dynamic.txt`
 echo "Input: ${badBinput}\n\n"
-echo "./dumbledore.protected < dumbledore.exploits/badB.txt\n"
+echo "./dumbledore.protected < dumbledore.exploits/badB.dynamic.txt\n"
 
 Pause
 
-./dumbledore.protected < dumbledore.exploits/badB.txt
+./dumbledore.protected < dumbledore.exploits/badB.dynamic.txt
 
 
 Pause
-- 
GitLab