5 - RUNTIME COUNTERMEASURES


31 Terms

1

What are runtime countermeasures?

Defensive mechanisms active during program execution that prevent, detect, or limit code injection attacks in C/C++ programs.

2

Why are C/C++ programs vulnerable?

Because they lack built-in memory safety, allowing attackers to exploit implementation errors like buffer overflows and dangling pointers.

3

What are the main goals of runtime countermeasures?

To prevent attackers from injecting or executing malicious code by enforcing memory safety, control-flow integrity, or execution constraints.

4

What are the four main types of countermeasure actions?

Detection (D), Prevention (P), Mitigation (M), and Containment (C).

5

What does Detection (D) mean?

Identifies exploitation attempts and reacts at runtime without preventing vulnerabilities.

6

What does Prevention (P) mean?

Eliminates vulnerabilities before execution, making exploitation impossible.

7

What does Mitigation (M) mean?

Makes exploitation more difficult but doesn’t detect or stop attacks outright.

8

What does Containment (C) mean?

Limits the damage after a successful attack.

9

What are the main categories of runtime countermeasures?

Safe languages, bounds checkers, probabilistic countermeasures, separators/replicators, VMM-based defenses, execution monitors, hardened libraries, and taint tracking.

10

What are safe languages?

Modified versions of C that enforce memory safety and prevent vulnerabilities like buffer overflows or dangling pointers.

11

What are bounds checkers?

Mechanisms that ensure pointers and arrays do not access memory outside their allocated bounds.

12

What are probabilistic countermeasures?

Defenses using randomness (e.g., stack canaries, ASLR, instruction randomization) to make attacks unreliable.

13

What are separators and replicators?

Countermeasures that separate or duplicate critical control data to prevent overwriting or verify integrity.

14

What are VMM-based countermeasures?

Defenses leveraging virtual memory mechanisms like non-executable memory or guard pages.

15

What are execution monitors?

Systems that observe runtime events (like system calls) to detect or prevent malicious behavior.

16

What are hardened libraries?

Modified standard libraries that perform extra validation checks on parameters to prevent unsafe behavior.

17

What is runtime taint tracking?

A technique that marks external input as “tainted” and detects unsafe use of that data in control flow or memory operations.

18

What is a stack-based buffer overflow?

An overflow on the call stack that overwrites control data such as return addresses, redirecting program execution.

19

What is a heap-based buffer overflow?

An overflow in dynamically allocated memory that overwrites heap metadata or function pointers.

20

What is a dangling pointer?

A pointer referencing memory that has already been freed, which can be exploited to corrupt new data in that location.

21

What is a format string vulnerability?

A vulnerability that occurs when user input is unsafely used as a format string (e.g., printf(user_input)), allowing reads from and writes to the stack.

22

What is a return-to-libc or ROP attack?

An advanced exploitation technique that reuses existing code fragments instead of injecting new code.

23

What is Address Space Layout Randomization (ASLR)?

A probabilistic defense that randomizes memory addresses to make code injection less predictable.

24

What is a stack canary?

A random value placed on the stack between local buffers and the saved return address; if it is found modified before the function returns, this signals a buffer overflow attack.

25

What is instruction set randomization (ISR)?

A defense that encrypts program instructions with a secret key so that injected code, which is not encrypted with that key, cannot execute correctly.

26

What is non-executable (NX) memory?

A defense that prevents code execution in data regions like the stack or heap, blocking injected payloads.

27

What are guard pages?

Inaccessible memory pages placed after buffers so that an out-of-bounds write into them triggers a fault and crashes the program instead of corrupting data.

28

What is policy enforcement?

An execution monitoring technique that limits programs to predefined safe actions (principle of least privilege).

29

What is anomaly detection?

An execution monitoring approach that detects deviations from a program’s normal behavior.

30

What is fault isolation?

A technique that ensures one program’s or module’s failure cannot corrupt others, typically by using memory separation.

31

What are the trade-offs among countermeasures?

They differ in effectiveness, runtime cost, compatibility, implementation effort, and susceptibility to false positives.