Binary Analysis and Reverse Engineering
|
|
- Ira Wilfrid Sullivan
- 5 years ago
- Views:
Transcription
1 Pattern Recognition and Applications Lab Binary Analysis and Reverse Engineering Ing. Davide Maiorca, Ph.D. Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Contents Introduction ELF Structure Introduction to readelf From ELF to Memory Static Analysis Assembly X86 Basics and introduction to objdump Memory analysis during function calls Dynamic Analysis Introduction to gdb Dynamic Analysis of Memory 2
2 Introduction 3 About Me February 2012 Master of Science Electronic Engineering cum laude November 2013 April 2014 Visiting Student Ruhr Universität Bochum (Prof. Dr. Thorsten Holz) March 2016 Ph.D. Doctor Europaeus University of Cagliari CLUSIT (Italian Association For Computer Security) Thesis Prize winner Currently PostDoctoral Fellow University of Cagliari Resarch Topics Malware Analysis and Detection in Documents (PDF, Word, Flash ) Android Malware Analysis and Detection Adversarial Machine Learning Other Activities Mobile Forensics Program Committees for Conferences 4
3 Virtual Machine Runs Ubuntu You can find the files of this lecturer directly on the VM User: sicurezza1718 Password: security Introduction Binary Analysis In Computer Security, we are often interested in finding anomalies in a executable (binary) program: Hidden actions Possible attacks or attempts to steal information Bugs However, we often do not have the source code of the program To analyze a binary, we must therefore resort to reverse engineering techniques This is often the only way to understand something of a program! A very complex art! 6
4 Introduction - Reverse Engineering When you program, you usually switch from source codes to binary files Problem: are you really sure that the binary exactly behaves as you wanted? You already know it is not that simple... We often refer to «bug» when defining a wrong/unexpected behavior of a program Reverse Engineering: analyzing the code of an already compiled program to understand its behavior This means that you are going to see how a program works in a very detailed way Get ready to make your hands dirty! J 7 Challenge! Our lectures will be challenge-driven The idea is acquiring the concepts that will allow you, in practice, to solve the challenge In the virtual machine, you should find a file called sum_number Try to run it... You do not have the source code, so answering the question is at the moment not possible However, thanks to what you learn in these lectures, you will be able to unveil many mysteries 8
5 ELF Structure 9 Creazione di un Eseguibile (Linux) Compiler Linker Source (.c) Object File (.o) ELF Executable 10
6 ELF Executable and Linkable Format Executable for Linux (32 and 64 bit) 32 and 64 bit executables are NOT the same Memory management and specific instructions are different The executable is composed of four parts ELF Header Basic information about the file (e.g., architecture type, addresses, and section sizes) Section Header Describes the position of all sections of the executable (compulsory in.o files) Program Header Describes the executable sections that are loaded in memory during the program execution (segments compulsory in the executable file) Data The real file data 11 ELF (2) Compiler Linker Source (.c) Object File (.o) ELF Executable The Linker changes the addresses of the file sections depending on specific needs (relocation) 12
7 ELF Header ELF files can be analyzed in practice with different tools We start with readelf Can be found in any Linux distribution Provides information on the file structure Let s start... readelf h sum_number Yes, that s the headerexecutable! Magic number Four bytes that define the file type Entry point VIRTUAL memory address that identifies the start of the program Does the program really begin with main? You faith is going to be changed soon...j Provides information about offsets and sizes of the ELF sections 13 Section Header Let s dig deeper in the file readelf S sum_number 35 sections (not all of them are important)! We are considering already relocated sections (complete executable).text Instructions of the process and read-only data Changes to these values-> Segmentation Fault! Read-only data are generally marked.data Initialized static data.bss Non initialized static data 14
8 Section Types and Parameters Types PROGBITS: sections that contain data that are actually used by the program NOTE: extra data that are not useful for the execution of the program SYMTAB/DYNSYM: sections that contain information about symbols. Symbols are names that represent data that are used by machine code STRTAB: section that contains strings that are used by the executable REL: relocation table Other parameters Address: virtual memory address of the section Size: size of the section Offset: starting point inside the file Flag: execution flags You can overlook the other parameters 15 Program Header To access the program header, just type: readelf l sum_number Program Header is composed of segments Each segment is composed of a group of sections LOAD type segments are loaded in memory when the program is run In our example, segment 02 contains the.text section Contains the machine code (flags: Read/Execute) -> This segment is often named.text Segment 03 contains.data e.bss sections.data and.bss represent,respectively,initialized and uninitialized data (flags: Read/Write) When representing memory, sections.data and.bss are considered as separate segments Careful with offsets! PHDR is the program header table (in our example, it starts from offset 52) LOAD starts from offset 0 (from the file start), but only uses the first 0x6a4 bytes, although 0x1000 are loaded (i.e., 4096 aligment value due to memory paging) 16
9 From ELF to Memory Executable Addresses that increment towards the bottom Memory (note how the address of.text is lower than.data) 17 Linux X86 Process in Memory - Structure Note that, in the picture on the left,.text section is on the lower part of the memory, but addresses are growing towards up! Stackframe Base Stack always accumulates towards lower addresses (the opposite of the process)! 18
10 Linux X86 Process in Memory - Stack (2) Heap Dynamically allocated memory Stack Composed of frames Contains information about functions (paramters, return addresses, local variables ) Everytime a function is called, a frame is allocated in memory Function arguments Arguments that the function receives Return address The address to which the function returns at its end Frame pointer It is considered as the «base» of the frame Local variables Variable that are defined in the function 19 Static Analysis 20
11 Disassembling an Executable Until now, we have inspected the structure of the executable Now it s time to understand what the executable does We want to understand which instructions the processor really executes by not executing the file itself (static analysis) This is called disassembling To this end, we can use the tool objdump objdump d sum_number Static Analysis has a lot of advantages: It s usually very fast (especially if made automatically) It immediately provides a lot of information Avoids executing the file! 21 Assembly X86 Basics Intel CISC Complex Instruction Set Computer A lot of instructions! (but we will only use a small subset) AT&T Convention for instructions (opcode, source, destination) Used by Linux (Windows uses the Intel convention, where source and destination are reversed) 32 bit Addressing Little endian! LESS significant bytes go to LOWER addresses Example for word 0x90AB12CD Memory Address Saved Byte AB CD 22
12 Memory Addressing Be VERY careful to little endianess It can be confusing at times! Whenever a pointer refers to a memory block this will ALWAYS point to the LOWEST part of the block Consider two addresses: 0xbfff0000 and 0xbfff0004. On the block pointed by the first address, you save an End of Second Block ARRAY 123 (which is represented, in hex, by 0x31 0x32 0x33), whilst on the second block you save the NUMBER 123 Start of Second Block (represented by 0x7b) End of First Block EACH WORD IS ALWAYS READ BY CONSIDERING 4 BYTES FROM THE BLOCK START 0xbfff0000: 0x Start of First Block 0xbfff0004: 0x B Memory Address Saved Byte 0xbfff xbfff xbfff xbfff0004 0xbfff0003 0xbfff0002 0xbfff0001 0xbfff0000 7B 0x00 0x33 0x32 0x31 23 Assembly X86 Registers and Instructions 8 «General purpose» registers + 1 that points to the next instruction (we are only going to consider the ones used by our example!) EAX, EDX: «Accumulator» registers ESP: Stack Pointer : Pointer to the stackframe base (when a function is called) EIP: Pointer to the next instruction Basic Instructions PUSH: Push a word to the stack POP: Removes a word from the stack MOV: Moves a value from register to register or from register to memory MOVL: Moves a 4 byte word from a register to memory (and viceversa) AND: Logical AND operation ADD/SUB: adds/removes a value from a register LEAVE: Complete some operations on the stack (see next slides) RET: Same as return CALL: Calls a function NOP: Doesnotexecute anything The operation xcgh %ax %ax can be considered similar to a NOP (but we will not add details) 24
13 DISCLAIMER REGISTER VALUES (ebp, esp, eax ) CAN VARY DEPENDING ON THE ARCHITECTURE AND ON THE OPERATING SYSTEMS, AND IN THESE SLIDES YOU WILL ONLY FIND AN EXAMPLE TAKEN FROM AN EXECUTION OF THE FILE IN A VIRTUAL ENVIRONMENT 25 First Look Let s have a look at the section.text retrieved with objdump There are a lot of functions and instructions A C program starts (in its source code) from the function main Let s look for it! What can we intuitively grasp from this function? The first thing we can look for is retrieving other function calls Let s look then for «call» instructions We see that three functions are actively called: sum, printf, puts Puts is like printf without formatting. It is often used to print newlines Therefore, our program calls a function called sum and prints something, along with a newline! 26
14 Static Analysis of Code - main Stackframe (main function) ESP _start Return ADDRESS esp = 0xbffff078 Starting situation Each «block» is composed of 4 bytes Main is always called by a routine called _start (a compiled Assembly program does not start from main ) Before calling a new function, the caller pushes to the stack the return address from which the program resumes its flow 27 Static Analysis of Code - main Stackframe (main function) _start Return ADDRESS ESP push %ebp esp = 0xbffff078 The old stackframe base pointer is saved PUSH FIRST MOVES THE POINTER BY 4 BYTES, THEN IT WRITES THE ELEMENT! 28
15 Static Analysis of Code - Main Stackframe (main function) _start Return ADDRESS ESP esp = 0xbffff078 ebp = 0xbffff078 push %ebp mov %esp %ebp Now the current stackframe base pointer points to the base of the main stackframe (the pointer was located in the _start function) 29 ESP Static Analysis of Code Memory Allocation Stackframe (main function) _start Return ADDRESS push %ebp mov %esp %ebp and 0xffffff0 %esp esp = 0xbffff070 ebp = 0xbffff078 We are preparing the program to free some space to store local variables and parameters This instruction moves ESP to a location whose address is a multiple of 16. Intel Processors feature special instructions which always require that ESP stays in a memory address that is multiple of 16 after the space for variables has been prepared. This preliminary instruction ensures that, when the space is completely ready, ESP always points to an address that is multiple of 16 (see next slide) 30
16 Static Analysis of Code Memory Allocation Stackframe (main function) _start Return ADDRESS push %ebp mov %esp %ebp and 0xffffff0 %esp sub 0x20, %esp esp = 0xbffff050 ebp = 0xbffff078 ESP moves 32 bytes down through the stack (0x20) in order to free some space for local variables, as well as for parameters of another function We are decreasing by a multiple of 16 (see previous slide) ESP PUSH+MOV+(AND)+SUB -> This is typically done when a function wants to call another one! 31 Static Analysis of Code Function Call Stackframe (main function) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff078 push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(esp) 5 After some space has been freed, when a new function is called the caller starts pushing the new function parameters (they ALWAYS go at the end of the stackframe in a reverse order-> The first parameter ALWAYS goes to the bottom). ESP 32
17 Static Analysis of Code Function Call Stackframe (main function) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff078 push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(esp) movl $0x4, (esp) 5 4 ESP The second parameter (the first one in the C code) is pushed. The function takes two parameters whose values are 4 and 5 -> func(4, 5) 33 Static Analysis of Code Function Call Stackframe (main and sum functions) 5 esp = 0xbffff04c 4 main stackframe ebp = 0xbffff048 ESP RETURN ADDRESS Sum stackframe (NOTE: Even if conceptually the passed parameters are part of the new function, it is common to consider the return address as the start of the new stackframe) push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(esp) movl $0x4, (esp) call d <sum> Calling a new function means saving in the stack the return address (which means, the address of the next instruction of the main function) and going to the beginning of the new function 34
18 Static Analysis of Code Sum Function Stackframe (main and sum functions) 5 esp = 0xbffff048 4 main stackframe ebp = 0xbffff048 ESP RETURN ADDRESS main()... movl $0x5, 0x4(esp) movl $0x4, (esp) call d <sum> sum stackframe push ebp mov %esp, %ebp... The new function always loads in its stackframe the of the caller (in this case, the of main is saved) 35 Static Analysis of Code Sum Function Stackframe (main and sum functions) 5 main stackframe esp = 0xbffff04c ebp = 0xbffff078 4 RETURN ADDRESS ESP... movl $0x5, 0x4(esp) movl $0x4, (esp) call d <sum> sum stackframe push ebp mov %esp, %ebp... leave leave completely cleans the stackframe of the leaving function and restores the ebp 36
19 ESP Static Analysis of Code Sum Function Stackframe (main and sum functions) 5 main stackframe esp = 0xbffff030 ebp = 0xbffff movl $0x5, 0x4(esp) movl $0x4, (esp) call d <sum> sum stackframe push ebp mov %esp, %ebp ret loads, by using a POP... instruction (the opposite of leave PUSH, it removes the element ret from the stack and goes 4 bytes back) the return address on eip (next instruction register) 37 Analisi statica del codice Funzione Sum Stack Frame (Per la funzione main) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff ESP push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(esp) movl $0x4, (esp) call d <sum> mov %eax, 0x1c(esp) %eax contains the result of the sum function, which is stored under the location pointed by. The location should be -4, but the alignment instruction (in blue) further moves everything by 8 bytes 38
20 Static Analysis of Code Calling printf Stackframe (main function) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff ESP push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(%esp) movl $0x4, (%esp) call d <sum> mov %eax, 0x1c(%esp) mov %eax, 0x4(%esp) Load parameters for the next call 39 Static Analysis of the Code Calling printf Stackframe (main function) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff078 9 push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(%esp) movl $0x4, (%esp) call d <sum> mov %eax, 0x1c(%esp) mov %eax, 0x4(%esp) movl $0x , (%esp) 9 0x ESP This address refers to a string (which are stored in dedicated sections of the file) 40
21 Static Analysis of the Code Calling printf Stackframe (main function) _start Return ADDRESS esp = 0xbffff050 ebp = 0xbffff078 ESP 9 9 0x push %ebp mov %esp %ebp and $0xffffff0 %esp sub $0x20, %esp movl $0x5, 0x4(%esp) movl $0x4, (%esp) call d <sum> mov %eax, 0x1c(%esp) mov %eax, 0x4(%esp) movl $0x , (%esp) call <printf@plt>... Calls printf (which takes as parameters a string and a value to print) 41 Further notes To fully understand the solution of the challenge, you also have to analyze the sum function The principle is the same as the one of the main function (even simpler!) Can you find the solution to the challenge by using static analysis? Additional question: can you guess the solution of the challenge by only inspecting the mainfunction? 42
22 Dynamic Analysis 43 Dynamic Analysis Static analysis provides valuable information on the executable However, this is often not enough! Some information is only available at runtime Understanding the register values by only using static analysis might be too complex! The executable is obfuscated to complicate Static Analysis To cope with these problems, dynamic analysis can be really helpful Dynamic Analysis monitors the execution of the program, allowing to analyze memory, instructions and the program flow at runtime 44
23 Introduction to GDB GDB = Gnu DeBugger It s the most popular open source program to analyze x86/x64 executables Works on Linux, Windows, OSX A lot of functionality! Allows to stop the execution of the program at a specific instruction (breakpoints) You can analyze memory and registers It also allows to set up conditional breakpoints, which are subjected to the occurrence of certain events GDB allows to spot bugs in a program (or to exploit them to our advantage) 45 Using GDB Let s go back to sum_number gdb sum-number Type run to execute the program From objdump, we see that the function starts from 0x804844d With the x/i command potete vedere l istruzione ad un certo indirizzo If you type x/i 0x804844d you can see the next instruction to execute Let s see what happens inside the function «sum» The address of the first instruction is 0x d break *0x d DO NOT FORGET THE ASTERISK run The execution is stopped BEFORE RUNNING THE INSTRUCTION (Warning: the following slides will continue the execution, so do not stop the execution) 46
24 X Command Very powerfulcommand! X show the content of the memory basing on a certain type of representation (for instance, you can represent a sequence of bytes as istructions or keep them as bytes) If you type x/ni you can see n instructions from a specific address... If you type x/nb you can visualize n bytes starting from the lowest part of the block... Example: x/4b $(ebp+4) shows the address of the return function (the caller of «sum»), given by: 0x This is how it appears: 0x80 0x84 0x04 0x08 (THE LEAST SIGNIFICANT BYTE IS ON THE LEFT) It is more effective to visualize data with words x/w $(ebp+4) shows the same result as word, starting from the most significant byte DO NOT ONLY USE x (without slash), as it will use the viewing style of its last call 47 Memory Analysis with GDB We can obtain information on the loaded stackframes Type frame There is only one available frame (the one of «sum») Select the frame with f 0 info f Shows all the information on the needed registers Shows the current ebp, the previous ebp and the return address (saved eip) Let ssee the register contents! info registers ebp Shows the value of (THE NEW HAS NOT BEEN UPDATED YET, SO YOU ONLY SEE THE LATEST ONE) info registers esp Current pointer to the stack 48
25 Memory Analsysis with GDB GDB can show the memory content Let s see what we can find in the location pointed by esp info registers espreturns «0xbffff04c» So type x/w 0xbffff04c The result is «0x », which is the address of the instruction after the call to sum Esp is therefore pointing to the location that contains the return address This is correct, as we still have to push the new ebp to the stack Let sgo on, instruction by instruction Use the command ni Use it now for three times Sometimes, it is possible to see instructions with some references to the original variables used by the programmer This is because the program contains «debugging» information 49 Memory Analysis with GDB (2) The sum function sums two parameters and store the results in a new variable Sum parameters are stored in the eax and edx registers «mov 0xc(%ebp), %eax», «mov 0x8(%ebp), %edx» How to retrieve the values stored in eax ed edx? First way: info registers ebp -> 0xbffff048 x/b 0xbffff048+(0xc) -> YOU CAN READ MEMORY ALSO AT SPECIFIC OFFSETS! J -> You get 5 (the SECOND parameter) x/b 0xbffff048+(0x8) -> You get 4 (the FIRST parameter) Second way: Type ni two times info registers eax, info registers edx Third way: print a and print b, as the function takes as input a and b Works ONLY if there are debugging information available...j 50
26 Summing up You learnt many things from this lecture Linux executables structure Loading Linux executables to memory Analyzing a Linux executable, by using the fundamentals of assembly x86 and two analysis techniques: Static analysis Dynamic analysis Next question is: what if an attacker is able to exploit such information to his advantage? Stay tuned for the next lesson! 51
Advanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls
CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the
More informationANITA S SUPER AWESOME RECITATION SLIDES
ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-23 Sat Young W. Lim Link 2. Object Files 2017-09-23 Sat 1 / 40 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls"
CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationCSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM
CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM February 7, 2008 1 Overview The purpose of this assignment is to introduce you to the assembly language
More informationX86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More informationIntro x86 Part 3: Linux Tools & Analysis
Intro x86 Part 3: Linux Tools & Analysis Xeno Kovah 2009/2010 xkovah at gmail Approved for Public Release: 10-3348. Distribution Unlimited All materials is licensed under a Creative Commons Share Alike
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationStack Discipline Jan. 19, 2018
15-410 An Experience Like No Other Discipline Jan. 19, 2018 Dave Eckhardt Brian Railing Slides originally stolen from 15-213 1 15-410, S 18 Synchronization Registration The wait list will probably be done
More informationLow-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
More informationOffensive Security My First Buffer Overflow: Tutorial
Offensive Security My First Buffer Overflow: Tutorial César Bernardini University of Trento cesar.bernardini@unitn.it October 12, 2015 2 Cesar Bernardini Postdoctoral Fellow at UNITN PhD Student at INRIA-LORIA
More informationInstruction Set Architectures
Instruction Set Architectures ISAs Brief history of processors and architectures C, assembly, machine code Assembly basics: registers, operands, move instructions 1 What should the HW/SW interface contain?
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationMitchell Adair January, 2014
Mitchell Adair January, 2014 Know Owen from our time at Sandia National Labs Currently work for Raytheon Founded UTDallas s Computer Security Group (CSG) in Spring 2010 Reversing, binary auditing, fuzzing,
More informationInstruction Set Architectures
Instruction Set Architectures! ISAs! Brief history of processors and architectures! C, assembly, machine code! Assembly basics: registers, operands, move instructions 1 What should the HW/SW interface
More informationAn Experience Like No Other. Stack Discipline Aug. 30, 2006
15-410 An Experience Like No Other Discipline Aug. 30, 2006 Bruce Maggs Dave Eckhardt Slides originally stolen from 15-213 15-410, F 06 Synchronization Registration If you're here but not registered, please
More informationint32_t Buffer[BUFFSZ] = {-1, -1, -1, 1, -1, 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, -1, -1, -1, -1, -1}; int32_t* A = &Buffer[5];
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-20 Wed Young W. Lim Link 2. Object Files 2017-09-20 Wed 1 / 33 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More informationWhat the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.
C Flow Control David Chisnall February 1, 2011 Outline What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope Disclaimer! These slides contain a lot of
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 7 Procedures and the Stack April, 2014 1 Assembly Language LAB Runtime Stack and Stack
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationA short session with gdb verifies a few facts; the student has made notes of some observations:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationBinghamton University. CS-220 Spring Loading Code. Computer Systems Chapter 7.5, 7.8, 7.9
Loading Code Computer Systems Chapter 7.5, 7.8, 7.9 gcc g o ttt ttt.c ttt.c ttt gcc gcc g o ttt ttt.c ttt.c gcc ttt Pre-Processor Linker Compiler Assembler ttt.s ttt.o What is in a binary executable file?
More informationCS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Warren Hunt, Jr. and Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 1, 2014 at 12:03 CS429 Slideset 6: 1 Topics
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More informationCS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities
CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread
More informationGDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32
GDB Tutorial Young W. Lim 2017-02-14 Tue Young W. Lim GDB Tutorial 2017-02-14 Tue 1 / 32 Outline 1 Introduction Young W. Lim GDB Tutorial 2017-02-14 Tue 2 / 32 Based on "Self-service Linux: Mastering the
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationBinghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 Local Variables
More informationThe IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Important Registers used with the Stack EIP: ESP: EBP: 3 Important Registers used with the Stack EIP:
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationSimple C Program. Assembly Ouput. Using GCC to produce Assembly. Assembly produced by GCC is easy to recognize:
Simple C Program Helloworld.c Programming and Debugging Assembly under Linux slides by Alexandre Denault int main(int argc, char *argv[]) { } printf("hello World"); Programming and Debugging Assembly under
More informationProfilers and Debuggers. Introductory Material. One-Slide Summary
Profilers and Debuggers #1 Introductory Material First, who doesn t know assembly language? You ll get to answer all the assembly questions. Yes, really. Lecture Style: Sit on the table and pose questions.
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationCompiler Construction D7011E
Compiler Construction D7011E Lecture 8: Introduction to code generation Viktor Leijon Slides largely by Johan Nordlander with material generously provided by Mark P. Jones. 1 What is a Compiler? Compilers
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationx86 architecture et similia
x86 architecture et similia 1 FREELY INSPIRED FROM CLASS 6.828, MIT A full PC has: PC architecture 2 an x86 CPU with registers, execution unit, and memory management CPU chip pins include address and data
More informationx86 assembly CS449 Spring 2016
x86 assembly CS449 Spring 2016 CISC vs. RISC CISC [Complex instruction set Computing] - larger, more feature-rich instruction set (more operations, addressing modes, etc.). slower clock speeds. fewer general
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationDr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language
More informationIA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More information1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 2 Local Variables
More informationCSC 8400: Computer Systems. Using the Stack for Function Calls
CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationA Unix process s address space appears to be three regions of memory: a read-only text region (containing executable code); a read-write region
A Unix process s address space appears to be three regions of memory: a read-only text region (containing executable code); a read-write region consisting of initialized data (simply called data), uninitialized
More informationMachine Programming 1: Introduction
Machine Programming 1: Introduction CS61, Lecture 3 Prof. Stephen Chong September 8, 2011 Announcements (1/2) Assignment 1 due Tuesday Please fill in survey by 5pm today! Assignment 2 will be released
More informationSistemi Operativi. Lez. 16 Elementi del linguaggio Assembler AT&T
Sistemi Operativi Lez. 16 Elementi del linguaggio Assembler AT&T Data Sizes Three main data sizes Byte (b): 1 byte Word (w): 2 bytes Long (l): 4 bytes Separate assembly-language instructions E.g., addb,
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationMACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
More informationBuffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts
This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationSystems I. Machine-Level Programming V: Procedures
Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp
More informationSee P&H 2.8 and 2.12, and A.5-6. Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University
See P&H 2.8 and 2.12, and A.5-6 Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University Upcoming agenda PA1 due yesterday PA2 available and discussed during lab section this week
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationCS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri
CS356: Discussion #6 Assembly Procedures and Arrays Marco Paolieri (paolieri@usc.edu) Procedures Functions are a key abstraction in software They break down a problem into subproblems. Reusable functionality:
More informationCS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017
CS 31: Intro to Systems ISAs and Assembly Martin Gagné Swarthmore College February 7, 2017 ANNOUNCEMENT All labs will meet in SCI 252 (the robot lab) tomorrow. Overview How to directly interact with hardware
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationTHEORY OF COMPILATION
Lecture 10 Activation Records THEORY OF COMPILATION EranYahav www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec10.pptx Reference: Dragon 7.1,7.2. MCD 6.3,6.4.2 1 You are here Compiler txt Source Lexical
More informationCSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here
CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here x86-64 Assembly Language Assembly language is a human-readable representation of machine code instructions
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationSystems Programming. Fatih Kesgin &Yusuf Yaslan Istanbul Technical University Computer Engineering Department 18/10/2005
Systems Programming Fatih Kesgin &Yusuf Yaslan Istanbul Technical University Computer Engineering Department 18/10/2005 Outline How to assemble and link nasm ld gcc Debugging Using gdb; breakpoints,registers,
More informationGDB Tutorial. Young W. Lim Thr. Young W. Lim GDB Tutorial Thr 1 / 24
GDB Tutorial Young W. Lim 2016-09-29 Thr Young W. Lim GDB Tutorial 2016-09-29 Thr 1 / 24 Outline 1 Introduction Young W. Lim GDB Tutorial 2016-09-29 Thr 2 / 24 Based on "Self-service Linux: Mastering the
More informationLecture 2 Assembly Language
Lecture 2 Assembly Language Computer and Network Security 9th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 2, Assembly Language 1/37 Recap: Explorations Tools assembly
More informationMachine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
More informationCS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:
CS-220 Spring 2018 Test 2 Version Practice Apr. 23, 2018 Name: 1. (10 points) For the following, Check T if the statement is true, the F if the statement is false. (a) T F : The main difference between
More informationBuffer Overflow Attacks
CS- Spring Buffer Overflow Attacks Computer Systems..-, CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance:
More informationC Compilation Model. Comp-206 : Introduction to Software Systems Lecture 9. Alexandre Denault Computer Science McGill University Fall 2006
C Compilation Model Comp-206 : Introduction to Software Systems Lecture 9 Alexandre Denault Computer Science McGill University Fall 2006 Midterm Date: Thursday, October 19th, 2006 Time: from 16h00 to 17h30
More informationROP It Like It s Hot!
Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationECE 498 Linux Assembly Language Lecture 1
ECE 498 Linux Assembly Language Lecture 1 Vince Weaver http://www.eece.maine.edu/ vweaver vincent.weaver@maine.edu 13 November 2012 Assembly Language: What s it good for? Understanding at a low-level what
More informationSubprograms, Subroutines, and Functions
Subprograms, Subroutines, and Functions Subprograms are also called subroutines, functions, procedures and methods. A function is just a subprogram that returns a value; say Y = SIN(X). In general, the
More informationBuffer Overflows Complete
Buffer Overflows Complete 2004/Oct/8 Buffer Overflows Complete By detach at hackaholic.org (Rob klein Gunnewiek) http://hackaholic.org/ This paper is released under the Creative Commons Attribution-NonCommercial-
More informationUsing the GNU Debugger
Using the GNU Debugger 6.828 Fall 2014 September 10, 2014 6.828 Fall 2014 Using the GNU Debugger September 10, 2014 1 / 14 Homework solution From bootasm.s: # Set up the stack pointer and call into C.
More information