The elf in ELF: use 0-day(s) to cheat all disassemblers
1 The elf in ELF use 0-day(s) to cheat all disassemblers HITCON CMT
2 david942j Who Am I Linux
3 This talk: 3 tricks to cheat disassemblers (objdump, IDA Pro, etc.)
4 IDA Pro's bug; Linux kernel 0-day bug; Cheating ELF interpreter (ld.so)
5 What you see is NOT how it runs / scanner anti-reverse-engineering
6 Introduction to ELF
7 ELF: Executable and Linkable Format, Linux
8 Header: ELF header, Program header, Section header
9
10 ELF header: ELF class: 32/64-bit; arch: x86/arm/mips..; program/section header
11 Program header: Needed Libraries, Segment Permissions, etc.
12 Section header: Compile ELF; .text, .rodata, etc. (static linker)
13 In brief: ELF header: mandatory; Program header: Runtime; Section header: Compile time
14
15 Idea: Section header can be removed, can be forged
16 Forge section header: Cheating objdump, Cheating IDA Pro
17 IDA Pro considers sections
18 .text
19 .text user IDA Pro code .text
20 .text
21 Shrink .text
22 ) )
23 But
24 code code
25 : binary
26 .init_array/.fini_array
27 INIT / FINI_ARRAY: Array of function pointers, before / after main
28
    #include <stdio.h>

    /* Runs before main. */
    __attribute__((constructor)) void before() { puts("before main"); }
    /* Runs after main returns. */
    __attribute__((destructor)) void after() { puts("after main"); }

    int main() {
        puts("hi");
        return 0;
    }
29 In program header dynamic_tag
30 In section header
31 .text
32 Shrink .fini_array's size
33 1. code .text 2. FINI_ARRAY entry code 3. .text & .fini_array 4. main
34 Demo?
35 IDA Pro
36 Try newer version of IDA Pro
37 (T T)
38 IDA Pro
39 IDA Pro 7.0 uses LOAD instead of .text. Bug fixed QQ
40 is dead IDA Pro 6.x IDA Pro
41 2
42 IDA Pro relocation .init_array/.fini_array
43 Relocation?
44 Relocation phdr DYNAMIC
45 FINI_ARRAY PIE (position-independent executable) FINI_ARRAY ld.so relocation table function FINI_ARRAY
46 Relocation of FINI_ARRAY (diagram). ELF file: RELA: put base+0xab0 at base+0x200db0...; FINI_ARRAY: 0xab0. Memory: base, base+0xab0, base+0x200db0
47 Relocation of FINI_ARRAY (diagram). ELF file: RELA: put base+0xab0 at base+0x200db0...; FINI_ARRAY: 0xab0. Memory: base, base+0xab0, base+0x200db0
48 Value of FINI_ARRAY means nothing; relocation is the boss
49 2 IDA Pro only uses value on FINI_ARRAY!
50 IDA Pro (!)
51 But
52 IDA Pro 7.0 LOAD
53 We have arbitrary function call
54 Where to put malicious code?
55 (?) section code .eh_frame: Error Handling; who cares about error handling; 0x100 byte #func; nice to hide code
56 Normal .eh_frame looks like
57 2 1. .eh_frame 2. relocation table FINI_ARRAY 3. main
58 HITCON CTF Quals 2017 void
59 The Linux 0-day bug
60 PT_LOAD
61 PT_LOAD ELF memory PT_LOAD entry
62 PT_LOAD
63 Memory mapping (diagram). ELF file from 0x0: ELF header, program header, many tables.., executable code, .rodata, .eh_frame, .init_array/.fini_array, .dynamic, .data/.bss...; in memory: executable and data regions (address labels: 0xe08, 0x400e08, 0x600e08)
64 execve
65 linux/fs/binfmt_elf.c#load_elf_binary
66 #load_elf_binary: Read and check ELF header; Parse program header: PT_INTERP, PT_LOAD, PT_GNU_STACK; Setup AUXV
67 AUXV: AUXiliary Vector; interpreter (ld.so); AT_PHDR, AT_ENTRY, AT_UID
68 Flow of execve: execve("a.out",...) -> load_elf_binary (kernel space): mmap(pt_loads), load_elf_interp (ld.so), create_elf_tables (AUXV) -> ld.so#dl_main (*phdr, phnum, *entry, *auxv): load_libraries, elf_dynamic_do_rela (relocation)
69 Bug Kernel AT_PHDR
70 binfmt_elf.c#create_elf_tables
71 Normally load_addr exec->e_phoff 0x x40 0x
72 load_addr is the first LOADed address
73 Memory mapping (diagram). ELF file from 0x0: ELF header, program header, many tables.., executable code, .rodata, .eh_frame, .init_array/.fini_array, .dynamic, .data/.bss...; in memory: executable and data regions (address labels: 0xe08, 0x400e08, 0x600e08)
74 Nobody promises PHDR is located in the first PT_LOAD
75 Put PHDR in the second PT_LOAD
76 (diagram) ELF file and in-memory layout; labels: 0x0, ELF header, many tables.., load_addr, executable code, .eh_frame, 0x4000, .init_array/.fini_array, fake program header, e_phoff, .data, fake prog. hdr, program header
77 Effect: Kernel loads binary correctly, while kernel cheats ld.so on the address of PHDR
78 ld.so
79 ld.so? Load shared libraries; Process dynamic relocation
80 Dynamic
81 Forge relocation on INIT_ARRAY/FINI_ARRAY
82
83 Relocation library printf/scanf
84 relocation table scanf
85
    lea  rdi,[rip+0xba]
    mov  eax,0x0
    call 5f0
    lea  rdx,[rbp-0xe0]
    lea  rax,[rbp-0x70]

    int ret = scanf(args);
    if(trigger(args)) backdoor();
    return ret;
86 Demo
87 Let's play ld.so
88 PT_PHDR in PHDR
89 PT_PHDR points to itself. ELF file: ELF header; program header: PT_PHDR, PT_LOAD, PT_LOAD
90 glibc/elf/rtld.c#1147
    for (ph = phdr; ph < &phdr[phnum]; ++ph)
      switch (ph->p_type)
        {
        case PT_PHDR:
          /* Find out the load address. */
          main_map->l_addr = phdr - ph->p_vaddr;
          break;
        case PT_DYNAMIC:
          /* This tells us where to find the dynamic section,
             which tells us everything we need to do. */
          main_map->l_ld = main_map->l_addr + ph->p_vaddr;
          break;
        /* ... */
        }
91 Forge PT_PHDR: ld.so will completely misunderstand base of binary!
92 Program header: for kernel, for ld.so
93 ? ld.so binary
94 program header: PT_PHDR, PT_LOAD, PT_LOAD, PT_DYNAMIC...; main_map->l_addr = phdr - ph->p_vaddr; main_map->l_ld = main_map->l_addr + ph->p_vaddr
95 Use two PT_PHDR
96 glibc/elf/rtld.c#1147
    for (ph = phdr; ph < &phdr[phnum]; ++ph)
      switch (ph->p_type)
        {
        case PT_PHDR:
          /* Find out the load address. */
          main_map->l_addr = phdr - ph->p_vaddr;
          break;
        case PT_DYNAMIC:
          /* This tells us where to find the dynamic section,
             which tells us everything we need to do. */
          main_map->l_ld = main_map->l_addr + ph->p_vaddr;
          break;
        /* ... */
        }
97 PT_PHDR, PT_DYNAMIC, PT_PHDR, PT_LOAD, PT_LOAD...; main_map->l_addr = phdr - ph->p_vaddr; main_map->l_ld = main_map->l_addr + ph->p_vaddr; main_map->l_addr = phdr - ph->p_vaddr
98 dynamic INIT_ARRAY/FINI_ARRAY/Relocation
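An added example, not code from the talk or from any project it names: a Python check that reads an x86-64 ELF64 through the program headers and reports FINI_ARRAY slots whose RELATIVE relocation differs from the stored value (slides 45-49), and a program header table whose mapped address disagrees with load_addr + e_phoff or with PT_PHDR (slides 69-77 and 88-97). The function names, finding codes and both sample images are constructed here; it assumes little-endian ELF64, DT_RELA relocations only, and offsets that lie inside the file.

```python
import struct

# Constants from the ELF gABI and the x86-64 psABI.
PT_LOAD, PT_DYNAMIC, PT_PHDR = 1, 2, 6
DT_NULL, DT_RELA, DT_RELASZ, DT_FINI_ARRAY, DT_FINI_ARRAYSZ = 0, 7, 8, 26, 28
R_X86_64_RELATIVE = 8

def program_headers(elf):
    """Return (e_phoff, [(p_type, p_offset, p_vaddr, p_filesz)]) of a little-endian ELF64."""
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    entsize, num = struct.unpack_from("<HH", elf, 0x36)
    raw = [struct.unpack_from("<IIQQQQ", elf, e_phoff + i * entsize) for i in range(num)]
    return e_phoff, [(t, off, va, sz) for t, _flags, off, va, _pa, sz in raw]

def to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, off, va, filesz in phdrs:
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return vaddr - va + off
    return None

def fini_array_overrides(elf):
    """Return [(slot, stored, relocated)] where a RELATIVE relocation replaces the stored value."""
    _, phdrs = program_headers(elf)
    dyn = {}
    for _, off, _, filesz in (p for p in phdrs if p[0] == PT_DYNAMIC):
        for pos in range(off, off + filesz - 15, 16):
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            dyn.setdefault(tag, val)
    # ld.so stores base + r_addend at base + r_offset for every R_X86_64_RELATIVE entry.
    relative = {}
    rela = to_offset(phdrs, dyn[DT_RELA]) if DT_RELA in dyn else None
    if rela is not None:
        for pos in range(rela, rela + dyn.get(DT_RELASZ, 0) - 23, 24):
            r_offset, r_info, r_addend = struct.unpack_from("<QQq", elf, pos)
            if r_info & 0xFFFFFFFF == R_X86_64_RELATIVE:
                relative[r_offset] = r_addend
    overrides = []
    start = dyn.get(DT_FINI_ARRAY, 0)
    for slot in range(start, start + dyn.get(DT_FINI_ARRAYSZ, 0), 8):
        pos = to_offset(phdrs, slot)
        stored = struct.unpack_from("<Q", elf, pos)[0] if pos is not None else None
        if slot in relative and relative[slot] != stored:
            overrides.append((slot, stored, relative[slot]))
    return overrides

def phdr_findings(elf):
    """Compare where the program header table is mapped with what the loader is told."""
    e_phoff, phdrs = program_headers(elf)
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    found = []
    # Where the table is really mapped: whichever PT_LOAD covers file offset e_phoff.
    mapped = next((va - off + e_phoff for _, off, va, sz in loads
                   if off <= e_phoff < off + sz), None)
    # Formula on the slides: load_addr + e_phoff. Assumption: load_addr is
    # p_vaddr - p_offset of the first PT_LOAD, before any PIE load bias.
    if loads and loads[0][2] - loads[0][1] + e_phoff != mapped:
        found.append("AT_PHDR_MISMATCH")
    pt_phdr = [p for p in phdrs if p[0] == PT_PHDR]
    if len(pt_phdr) > 1:
        found.append("MULTIPLE_PT_PHDR")
    if any(off != e_phoff or va != mapped for _, off, va, _ in pt_phdr):
        found.append("PT_PHDR_INCONSISTENT")
    return found

def build_sample(e_phoff, segs, blobs=()):
    """Constructed, header-only ELF64 image (not runnable); segs are phdr 4-tuples."""
    img = bytearray(max([e_phoff + 56 * len(segs)] + [off + len(b) for off, b in blobs]))
    img[:16] = b"\x7fELF\x02\x01\x01" + bytes(9)
    struct.pack_into("<HHIQQQIHHH", img, 16, 3, 62, 1, 0, e_phoff, 0, 0, 64, 56, len(segs))
    for i, (t, off, va, sz) in enumerate(segs):
        struct.pack_into("<IIQQQQQQ", img, e_phoff + 56 * i, t, 4, off, va, va, sz, sz, 0x1000)
    for off, blob in blobs:
        img[off:off + len(blob)] = blob
    return bytes(img)

# Constructed sample 1: the FINI_ARRAY slot stores 0xab0, its RELA entry says 0x9f0.
_DYN = [(DT_RELA, 0x180), (DT_RELASZ, 24), (DT_FINI_ARRAY, 0x200db0),
        (DT_FINI_ARRAYSZ, 8), (DT_NULL, 0)]
SAMPLE_FINI = build_sample(
    0x40,
    [(PT_PHDR, 0x40, 0x40, 0xe0), (PT_LOAD, 0, 0, 0x200),
     (PT_LOAD, 0xdb0, 0x200db0, 0x58), (PT_DYNAMIC, 0xdb8, 0x200db8, 0x50)],
    [(0x180, struct.pack("<QQq", 0x200db0, R_X86_64_RELATIVE, 0x9f0)),
     (0xdb0, struct.pack("<Q", 0xab0)),
     (0xdb8, b"".join(struct.pack("<qQ", t, v) for t, v in _DYN))])
# Constructed sample 2: the table sits in the second PT_LOAD; two PT_PHDR entries disagree.
SAMPLE_PHDR = build_sample(
    0x1000,
    [(PT_PHDR, 0x1000, 0x601000, 0xe0), (PT_LOAD, 0, 0x400000, 0x200),
     (PT_LOAD, 0x1000, 0x601000, 0x200), (PT_PHDR, 0x1000, 0x5ff000, 0xe0)])

if __name__ == "__main__":
    for name, img in (("sample 1", SAMPLE_FINI), ("sample 2", SAMPLE_PHDR)):
        print(name, fini_array_overrides(img), phdr_findings(img))
```

A reported FINI_ARRAY override means the relocated value is the one that runs; it is not proof of tampering on its own, since nothing requires the stored value to match.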
99 Conclusion
100 1. IDA Pro trusts section header 2. Not using relocation for INIT/FINI_ARRAY
101 Kernel calculates PHDR incorrectly; ld.so gets wrong address
102 ld.so uses PT_PHDR for calculating base address; nobody checks correctness of PT_PHDR
103
104 Demo: Give me two ELFs. Looks like A in IDA Pro but actually B