AAU project on runtime software attacks — PoC exploits, a C-FLAT-style control-flow integrity detector, and an evaluation harness. Targets AArch64 / Raspberry Pi 4.
Whitelist
.gitignore: everything is ignored by default. To track new files, add an explicit!rule.
demo-runtime-attacks.mp4
A C-FLAT-style CFI monitor running entirely in userspace over ptrace. Two halves:
- Offline (
tools/build_cfg.py) — disassembles the victim ELF, recovers basic blocks, CFG edges, and legal indirect-call targets; writes<victim>.cfg. - Online (
detector/tracer) — single-steps the victim, validates every control-flow transfer against the CFG and a shadow call stack, and folds each transfer into an FNV-1a 64-bit attestation hash printed at exit.
Detects: hijacked ret (stack-BOF, ROP), illegal blr targets (JOP), and wild br jumps. Does not observe data-only manipulations (see roadmap).
Latest eval — N=50, Raspberry Pi 4 / Cortex-A72, ondemand governor:
| Attack | Dir | Detection | FPR | Overhead |
|---|---|---|---|---|
| Stack buffer overflow | attacks/01-stack-bof/ |
100% | 0% | 2.41× |
| Return-Oriented Programming | attacks/02-rop/ |
100% | 0% | 2.65× |
| Jump-Oriented Programming | attacks/03-jop/ |
100% | 0% | 2.23× |
| Non-control-data (L1 gap) | attacks/04-data-only/ |
0% ✓ | 0% | 3.13× |
The 04-data-only 0% detection is expected — the L1 model has no visibility into data provenance. The attestation hash does differ between benign and attack runs; a verifier with a known-good baseline would catch the divergence.
- L1 — control-flow integrity (shadow stack + CFG edges + path attestation)
- L2 — data-provenance tracking (taint analysis)
- L3 — object-bounds checking (spatial memory safety)
nix develop --command $SHELL # enter dev shell (or: direnv allow)
make build
python3 tools/build_cfg.py attacks/01-stack-bof/victim
echo "hello" | ./detector/tracer attacks/01-stack-bof/victim # benign
python3 attacks/01-stack-bof/exploit.py | ./detector/tracer attacks/01-stack-bof/victim # attackExit codes: 0 clean, 1 tracer error, 2 attack detected.
make test # build + run full matrix
make clean
python3 tools/run_tests.py -v # verbose tracer output
python3 tools/run_tests.py -k 01-stack-bof # filter by namemake build
python3 tools/run_eval.py # N=30, writes eval/raw/ + eval/summary-<date>.md
python3 tools/run_eval.py --n 50 --measure-pwn-startup
python3 tools/run_eval.py --attacks 01-stack-bof,02-rop- Create
attacks/NN-name/withvictim.c,exploit.py,Makefile(mirrorattacks/01-stack-bof/). - Append two entries (
benign+attack) to theTESTSlist intools/run_tests.py. make testbuilds and runs it automatically.
Managed via Nix flake — all GCC/linker hardening is disabled inside the shell so binaries are vulnerable by design.
nix develop --command $SHELL
gcc vuln.c -o vuln && checksec vuln # all protections offWith direnv: direnv allow activates the shell automatically on cd.