This repository holds example implementations of binary transformations built on top of GTIRB. See the accompanying GTIRB Tutorial for more information.
Specifically, this example repository implements a transform to apply 'stack stamping' protections to a binary.
Stack stamping is a technique that helps mitigate ROP-style attacks. At function entry the saved return address on the stack is 'stamped' (scrambled in place with a per-function value), and just before it is popped off the stack and used by the return, it is 'un-stamped' with the same operation to restore the original address. This can be an efficient protection: no registers are needed, and while the flags are affected, they are only affected at function entry and exit, where they do not need to be preserved. Because the return address is encoded while it sits on the stack, an attacker has a harder task: any replacement data would need to be correctly encoded so that, once it is un-stamped, it yields the desired address.
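The following is an added illustration of the idea, written for this page and not taken from the project's own transform. It models a function body as a list of x86-64 assembly lines, inserts the stamp at entry and the matching un-stamp before every ret, and simulates what the return sees when an attacker overwrites the stamped slot. The choice of a 64-bit per-function stamp applied as two 32-bit XORs against [rsp], and the instruction text used, are assumptions made for the example.

```python
"""Simplified model of stack stamping (added example, not the project's code).

Assumptions (not from the page): a function is a list of x86-64 assembly
lines; one random 64-bit stamp is drawn per function; the stamp is applied
as two 32-bit XORs against the saved return address at [rsp].
"""
import random
import re

_RET = re.compile(r"\s*ret[nq]?\b")  # ret, retn, retq, with or without an operand


def fresh_stamp(rng=random.SystemRandom()) -> int:
    """Draw a non-zero 64-bit stamp (a zero stamp would be a no-op)."""
    while True:
        stamp = rng.getrandbits(64)
        if stamp:
            return stamp


def stamp_instructions(stamp: int) -> list:
    """The XOR pair that toggles the saved return address at [rsp].

    XOR is its own inverse, so the same pair both stamps and un-stamps,
    and it needs no scratch register; only the flags are clobbered.
    """
    lo = stamp & 0xFFFFFFFF
    hi = (stamp >> 32) & 0xFFFFFFFF
    return [f"xor dword ptr [rsp], {lo:#x}", f"xor dword ptr [rsp+4], {hi:#x}"]


def stamp_function(body: list, stamp: int) -> list:
    """Rewrite one function: stamp at entry, un-stamp right before every ret."""
    out = list(stamp_instructions(stamp))  # entry: return address now encoded
    for insn in body:
        if _RET.match(insn):
            out.extend(stamp_instructions(stamp))  # exit: restore before the pop
        out.append(insn)
    return out


def simulate_return(saved_ret: int, stamp: int, overwrite: int = None) -> int:
    """Value the ret instruction pops after entry stamp and exit un-stamp.

    `overwrite` models an attacker replacing the (stamped) slot mid-function,
    e.g. via a stack buffer overflow.
    """
    slot = saved_ret ^ stamp          # function entry
    if overwrite is not None:
        slot = overwrite              # attacker writes over the stamped slot
    return slot ^ stamp               # function exit; this is what ret uses


if __name__ == "__main__":
    # Constructed sample function body, not real disassembly.
    body = ["push rbp", "mov rbp, rsp", "mov eax, 1", "pop rbp", "ret"]
    stamp = fresh_stamp()
    for line in stamp_function(body, stamp):
        print(line)
    gadget = 0x402000
    print(hex(simulate_return(0x401000, stamp)))              # benign: 0x401000
    print(hex(simulate_return(0x401000, stamp, gadget)))      # attacker: not the gadget
```

The last two simulated returns show the protection and its limit: a raw gadget address written over the slot is un-stamped into garbage, but an attacker who knows the stamp can pre-encode the gadget (`gadget ^ stamp`) and land exactly where intended. Since the stamp is a constant in the rewritten code, the protection is only as strong as the attacker's ignorance of that constant, which is why the transform draws a fresh stamp per function at rewrite time.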
This repository contains three implementations of stack stamping in three different languages:
- Python
- C++
- Common Lisp
The Python transform requires some dependencies to be installed:
pip3 install gtirb-capstone gtirb-functions capstone keystone-engine
To start using it, run:
python3 setup.py develop
To invoke the command line utility thus generated:
python3 -m gtirb_stack_stamp
This transform depends on the following libraries:
Ensure they are installed before compiling the C++ version of the transform. Building from source also depends on CMake being installed.
The following CMake options are available when building:
- GTIRB_STACK_STAMP_ENABLE_TESTS: Set to OFF to disable the downloading of Google Test and the building of the test executable. ON by default.
- GTIRB_STACK_STAMP_BUILD_SHARED_LIBS: Set to OFF to build static libraries instead of dynamic ones. ON by default.
cmake -Bbuild ./
cd build
make
The generated command-line utility will then be available in build/bin.
Currently, some issues are preventing Keystone from being built on Windows, so the C++ version of gtirb-stack-stamp is buildable on Linux only for the time being.
Our CMake automatically downloads a local copy of Google Test and produces a test executable. To run it:
build/bin/test-gtirb-stack-stamp
To run the tests you will also need gtirb-pprinter and ddisasm on your PATH.
The Common Lisp transform requires the following external libraries:
and the following Common Lisp packages (gtirb, gtirb-functions, gtirb-capstone), which may be installed via QuickLisp:
- Clone this repository into your ~/quicklisp/local-projects directory: git clone https://github.com/grammatech/gtirb-stack-stamp
- Load gtirb-stack-stamp and all of its dependencies: (ql:quickload :gtirb-stack-stamp)
To run the transform at the REPL:
(write-gtirb (stack-stamp (drop-cfi (read-gtirb "in.gtirb"))) "out.gtirb")
To build the command line executable:
sbcl --eval '(ql:quickload :gtirb-stack-stamp)' \
--eval '(asdf:make :gtirb-stack-stamp :type :program :monolithic t)'
To invoke the command line utility thus generated:
./stack-stamp --help
Copyright (C) 2020 GrammaTech, Inc.
This code is licensed under the MIT license. See the LICENSE file in the project root for license terms.
This project is sponsored by the Office of Naval Research, One Liberty Center, 875 N. Randolph Street, Arlington, VA 22203 under contract # N68335-17-C-0700. The content of the information does not necessarily reflect the position or policy of the Government and no official endorsement should be inferred.