Skip to content

cooparo/runtime-attacks

Repository files navigation

Runtime Attack Research

AAU project on runtime software attacks — PoC exploits, a C-FLAT-style control-flow integrity detector, and an evaluation harness. Targets AArch64 / Raspberry Pi 4.

Whitelist .gitignore: everything is ignored by default. To track new files, add an explicit ! rule.

What the detector does

demo-runtime-attacks.mp4

A C-FLAT-style CFI monitor running entirely in userspace over ptrace. Two halves:

  • Offline (tools/build_cfg.py) — disassembles the victim ELF, recovers basic blocks, CFG edges, and legal indirect-call targets; writes <victim>.cfg.
  • Online (detector/tracer) — single-steps the victim, validates every control-flow transfer against the CFG and a shadow call stack, and folds each transfer into an FNV-1a 64-bit attestation hash printed at exit.

Detects: hijacked ret (stack-BOF, ROP), illegal blr targets (JOP), and wild br jumps. Does not observe data-only manipulations (see roadmap).

Attack matrix & results

Latest eval — N=50, Raspberry Pi 4 / Cortex-A72, ondemand governor:

Attack Dir Detection FPR Overhead
Stack buffer overflow attacks/01-stack-bof/ 100% 0% 2.41×
Return-Oriented Programming attacks/02-rop/ 100% 0% 2.65×
Jump-Oriented Programming attacks/03-jop/ 100% 0% 2.23×
Non-control-data (L1 gap) attacks/04-data-only/ 0% ✓ 0% 3.13×

The 04-data-only 0% detection is expected — the L1 model has no visibility into data provenance. The attestation hash does differ between benign and attack runs; a verifier with a known-good baseline would catch the divergence.

Roadmap

  • L1 — control-flow integrity (shadow stack + CFG edges + path attestation)
  • L2 — data-provenance tracking (taint analysis)
  • L3 — object-bounds checking (spatial memory safety)

Quick start

nix develop --command $SHELL   # enter dev shell (or: direnv allow)
make build
python3 tools/build_cfg.py attacks/01-stack-bof/victim
echo "hello" | ./detector/tracer attacks/01-stack-bof/victim   # benign
python3 attacks/01-stack-bof/exploit.py | ./detector/tracer attacks/01-stack-bof/victim  # attack

Exit codes: 0 clean, 1 tracer error, 2 attack detected.

Testing

make test        # build + run full matrix
make clean
python3 tools/run_tests.py -v               # verbose tracer output
python3 tools/run_tests.py -k 01-stack-bof  # filter by name

Evaluation

make build
python3 tools/run_eval.py                          # N=30, writes eval/raw/ + eval/summary-<date>.md
python3 tools/run_eval.py --n 50 --measure-pwn-startup
python3 tools/run_eval.py --attacks 01-stack-bof,02-rop

Adding a new attack

  1. Create attacks/NN-name/ with victim.c, exploit.py, Makefile (mirror attacks/01-stack-bof/).
  2. Append two entries (benign + attack) to the TESTS list in tools/run_tests.py.
  3. make test builds and runs it automatically.

Dev environment

Managed via Nix flake — all GCC/linker hardening is disabled inside the shell so binaries are vulnerable by design.

nix develop --command $SHELL
gcc vuln.c -o vuln && checksec vuln   # all protections off

With direnv: direnv allow activates the shell automatically on cd.

About

We break AArch64 programs in every way imaginable (BOF, ROP, JOP, data-only), then catch ourselves doing it. Batteries included

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Contributors