TIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley
|
|
- Kerry Gray
- 6 years ago
- Views:
Transcription
1 TIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley
2 Reverse engineering on binary programs! 1.Code structure 2.Data abstractions TIE 2
3 Goal: Reconstruct data abstractions conservatively and accurately 3
4 Goal: Reconstruct data abstractions conservatively and accurately 4
5 All types are lost. 5
6 Compilation Source code unsigned int foo(!!char *buf,!!unsigned int *out)! {! unsigned int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree types Assign variables to memory slots Translate into machine code Binary code push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)!? c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! 6
7 Source code unsigned int foo(!!char *buf,!!unsigned int *out)! {! unsigned int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree types Assign variables to memory slots Translate into machine code unsigned 32-bit! int foo(! 32-bit!!char *buf,!!unsigned 32-bit! int *out)! {! unsigned 32-bit! int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Binary code 7
8 Source code unsigned 32-bit! int foo(! 32-bit!!char *buf,!!unsigned 32-bit! int *out)! {! unsigned 32-bit! int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree out [+12] types buf [+8] Assign variables c to memory [- 12] slots Translate into machine code unsigned 32-bit! int foo(! 32-bit!!char *[+8],!!unsigned 32-bit! int *[+12])! {! unsigned 32-bit! int [-12];! [-12] = 0;!! if ([+8]) {! *[+12] = strlen([+8]);! [-12] = *[+12] - 1;! }! return [-12];! }! Binary code 8
9 Source code unsigned 32-bit! int foo(! 32-bit!!char *[+8],!!unsigned 32-bit! int *[+12])! {! unsigned 32-bit! int [-12];! [-12] = 0;!! if ([+8]) {! *[+12] = strlen([+8]);! [-12] = *[+12] - 1;! }! return [-12];! }! Type checking Ree types Assign variables to memory slots Translate into machine code Binary code push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! 9
10 Make a stackframe c = 0 if (buf) FuncPon call strlen subtracpon return push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! No types, no variables 10
11 TIE! 1 Variable recovery Ree types 2 Type inference Assign variables to memory slots 11
12 1. Variable Recovery! Binary Program read %eax = - 0x4(%ebp) write - 0x8(%ebp) = 0x1 read %edx = - 0x8(%ebp) memory Analyze the value of addresses A variant of VSA (Value Set Analysis) [Balakrishnan, 2007] 12
13 push %ebp %esp,%ebp sub $0x28,%esp l $0x0,- 0xc(%ebp) cmpl $0x0,0x8(%ebp) je d <foo+0x2e> 0x8(%ebp),%eax %eax,(%esp) call c <strlen@plt> 0xc(%ebp),%edx %eax,(%edx) 0xc(%ebp),%eax (%eax),%eax sub $0x1,%eax %eax,- 0xc(%ebp) - 0xc(%ebp),%eax leave ret 1. Variable Recovery! A B 13
14 2. Type Inference! Source Binary Program code signed division add a + 3, %eax dereferencing addipon idiv a /%eax - 3 a : int32_t bit signed idiv, b /%edx - 3 division *b 4, = (%edx) 3 Behavior has not changed! b 32 : char bit * 14
15 ANALYZE the behavior on variables COLLECT the clues INFER the type of variables 15
16 Goal: Reconstruct data abstractions conservatively and accurately 16
17 No single answer (vs. general types) 17
18 Multiple types are possible! int sum(int a, int b)! {! int c;! c = a + b;! return c;! }! char * advance(char * str,!!unsigned int m)! {! char * tmp;! tmp = str + m;! return tmp;! }! Make a stackframe 1 st arg + 2 nd arg Return the result push %ebp! %esp,%ebp! sub $0x10,%esp! 0xc(%ebp),%eax! 0x8(%ebp),%edx! add %edx,%eax! %eax,-0x4(%ebp)! -0x4(%ebp),%eax! leave! ret! int, uint, pointer of 18
19 GUESS! int uint pointer 19
20 Tell the type as it is TIE uint int pointer Expressive type system Type interval 20
21 TIE type system! allows us to express the type of variables as they are used reg32 num32 C-types int32 uint32 pointer 21
22 Type lattice! Basic types reg32_t reg16_t reg8_t reg1_t num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t uint8_t 22
23 Type specificity! A <: B A is a subtype of B A is more specific than B Ex) int32 <: num32 23
24 Type interval! How much does a binary program tell us about a variable? reg32 reg32 num32 uint32 uint32 24
25 Type interval! T reg32 reg32 num32 num32 uint32 uint32 [, T] [,reg32] [uint32,num32] [uint32,uint32] refined as we know more about the variable 25
26 Conservativeness of result! Is the real type within the inferred type interval? Conservative Inferred type: [uint32_t, reg32_t] reg32_t reg16_t reg8_t num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t Real type: uint32_t 26
27 Goal: Reconstruct data abstractions conservatively and accurately 27
28 ANALYZE the behavior on variables COLLECT every clue INFER the type of variables 28
29 ANALYZE the behavior on variables COLLECT Type constraints every clue generation rules GENERATE type constraints SOLVE type constraints 29
30 Type Constraints from Usage Clues! l (e 1 ), e 2 Usage clue value = load(index,s) Memory load Type Constraint index is a pointer of value and the size of value is s. type variable for e 1 e 2 = load( e 1,32) [e 1 ] = ptr([e 2 ]) [e 2 ] <: reg32 t Equality Subtype relaponship conjuncpve 30
31 Type Constraints from Usage Clues! Usage clue c = a + 32 b 32- bit addipon Type constraint ( a : number, b : number, c :number) or ( a : pointer, b : number, c :pointer) or ( a : number, b : pointer, c :pointer) disjuncpve e 3 = e e 2 ([e 1 ] <: ptr(α) [e 2 ] <: num32 t ptr(β) <: [e 3 ]) ([e 1 ] <: num32 t [e 2 ] <: ptr(α) ptr(β) <: [e 3 ]) conjuncpve 31
32 Inter-procedural Type Inference! Type of passing arguments = Type of passed arguments FuncPon f1 () var2 = var3 call f2 (var1, var2) FuncPon f2 (arg1, arg2) var4 = arg2 [var1] = [arg1] [var2] = [arg2] 32
33 Type Constraints from Well-known Functions! a = strlen(b) uint32_t char * [a] = uint32_t [b] = char * strcpy(d, s) char * [d] = char * [s] = char * 33
34 ANALYZE the behavior on variables COLLECT every clue GENERATE type constraints SOLVE type constraints 34
35 Solving type constraints! Equality, A = B Unification Subtype relationship, A <: B Closure algorithm Conjunctive, A B Solve all Disjunctive, A B Merge compatible terms 35
36 Equality constraints! (unification)! [a] = ptr( uint32 [c] [b] ) uint32 [b] [c] = uint32 [c] uint32 [c] = uint32 36
37 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] <: num32_t T T reg32 num32 [a] [b] int32 37
38 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] <: num32_t [a] <: [b] <: num32_t reg32 num32 num32 num32 int32 [a] [b] 38
39 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] [a] <: [b] int32_t <: [a] <: [b] <: num32_t <: num32_t reg32 num32 int32 num32 [a] int32 num32 [b] int32 39
40 Rest of the talk! Limitations Related work Evaluation 40
41 Limitations! Works on regular programs compiled from C code Not very informative for irregular programs Infers types as what is in the TIE type system only Extendable 41
42 Related work! Hex- Rays? TIE Principled reverse engineering - Well defined process - Type theory - - REWARDS Dynamic analysis only Type propagapon from type sinks (unificapon) - - TIE StaPc + dynamic Type inference with more expressive type system (unificapon + closure alg.) Boomerang [RE2005] Laika[OSDI2008] Tupni[CCS2008] 42
43 Evaluation 43
44 Hex-Rays! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! return? Source types Hex- Rays buf char * char * out c unsigned int * unsigned int int int 44
45 REWARDS! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! buf = 0 return Source types buf char * out c unsigned int * unsigned int REWARDS (buf=0) unsigned int unsigned int unsigned int 45
46 TIE! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! return Source types TIE buf char * char * out c unsigned int * unsigned int unsigned int * unsigned int 46
47 % of variables conservatively typed! Static Rate of conservatively inferred types Hex-Rays on 87 programs in coreutil % 100% 90% TIE 90% 80% 80% 70% 40%+ 70% 60% 60% 50% 50% Hex-Rays 40% 40% 30% 30% 20% 20% 10% 10% 0% Hex-Rays TIE 0% (Higher is better) Dynamic REWARDS TIE REWARDS on single execute trace chroot df groups hostid users 47
48 Accuracy! Distance to real types Difference of level between a real type and an inferred type (selected form type interval) Inferred type reg32_t reg16_t reg8_t reg distance = 2 num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t uint8_t Real type 48
49 Distance to real types! Static Difference in levels to real types Hex-Rays on 87 programs in coreutil Hex-Rays % TIE Hex-Rays TIE 0.25 (Lower is better) Dynamic REWARDS TIE REWARDS on single execute trace chroot df groups hostid users 49
50 REWARDS-c! (Special thanks to Zhiqiang Lin, Dongyan Xu) 100% 90% 80% 70% REWARDS-c TIE % % % 30% 20% REWARDS-c TIE 10% % chroot df groups hostid users 0.25 chroot df groups hostid users Conservativeness Distance 50
51 Structural types! {l i : T i } Record types Conservativeness 100% 90% 80% 70% 60% 50% 40% 30% 20% Hex-Rays TIE struct {!!int a;!!int* b;!!short c;!!short d;! }! 0 4 int32 int32 * 8 int16 int16 10% 0% Hex-Rays {0 : int32, 4 : int32 *,! 8 : int16, 10 : int16}! Distance TIE 0 51
52 Conclusion! Type inference with a rich type system Well-defined process, Theoretical foundation Static and dynamic binary analysis TIE: Principled! Reverse Engineering of Types! in Binary Programs 52
53 Thank you! Questions?! 53
Overview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationHelping Johnny To Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study
Helping Johnny To Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study Khaled Yakdan University of Bonn Fraunhofer FKIE Sergej Dechand University of Bonn Elmar Gerhards-Padilla
More informationCS , Spring 2004 Exam 1
Andrew login ID: Full Name: CS 15-213, Spring 2004 Exam 1 February 26, 2004 Instructions: Make sure that your exam is not missing any sheets (there should be 15), then write your full name and Andrew login
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls
CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the
More informationCS/ECE 354 Practice Midterm Exam Solutions Spring 2016
CS/ECE 354 Practice Midterm Exam Solutions Spring 2016 C Programming 1. The reason for using pointers in a C program is a. Pointers allow different functions to share and modify their local variables.
More informationEECS 213 Introduction to Computer Systems Dinda, Spring Homework 3. Memory and Cache
Homework 3 Memory and Cache 1. Reorder the fields in this structure so that the structure will (a) consume the most space and (b) consume the least space on an IA32 machine on Linux. struct foo { double
More informationComputer Systems Organization V Fall 2009
Computer Systems Organization V22.0201 Fall 2009 Sample Midterm Exam ANSWERS 1. True/False. Circle the appropriate choice. (a) T (b) F At most one operand of an x86 assembly instruction can be an memory
More informationadministrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?
administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? exam on Wednesday today s material not on the exam 1 Assembly Assembly is programming
More informationCS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill
CS 3214 # Problem Points Min Max Average Median SD Grader 1 Memory Layout and Locality 25 2 25 14.2 14 5.7 Bill 2 Stack 25 3 22 12.6 13 4.2 Peter 3 Compilation and Linking 25 0 19 7.6 6 4.7 Maggie 4 Execution
More informationCS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed
Instructions: Print your name in the space provided below. This examination is closed book and closed notes, aside from the permitted one-page formula sheet. No calculators or other electronic devices
More informationCS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed
Instructions: Print your name in the space provided below. This examination is closed book and closed notes, aside from the permitted one-page formula sheet. No calculators or other electronic devices
More informationint32_t Buffer[BUFFSZ] = {-1, -1, -1, 1, -1, 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, -1, -1, -1, -1, -1}; int32_t* A = &Buffer[5];
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-23 Sat Young W. Lim Link 2. Object Files 2017-09-23 Sat 1 / 40 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More informationCS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed
Instructions: Print your name in the space provided below. This examination is closed book and closed notes, aside from the permitted one-page formula sheet. No calculators or other electronic devices
More informationA short session with gdb verifies a few facts; the student has made notes of some observations:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationBuffer Overflow Attacks
CS- Spring Buffer Overflow Attacks Computer Systems..-, CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance:
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More information15-213/18-243, Fall 2010 Exam 1 - Version A
Andrew login ID: Full Name: Section: 15-213/18-243, Fall 2010 Exam 1 - Version A Tuesday, September 28, 2010 Instructions: Make sure that your exam is not missing any sheets, then write your Andrew login
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More informationCMSC 313 Fall2009 Midterm Exam 2 Section 01 Nov 11, 2009
CMSC 313 Fall2009 Midterm Exam 2 Section 01 Nov 11, 2009 Name Score out of 70 UMBC Username Notes: a. Please write clearly. Unreadable answers receive no credit. b. For TRUE/FALSE questions, write the
More informationCS , Fall 2001 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2001 Exam 1 October 9, 2001 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front. Write
More informationCS , Fall 2004 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2004 Exam 1 Tuesday October 12, 2004 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front.
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationBinghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11
X86 Debug Computer Systems Section 3.11 GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it
More informationSystems I. Machine-Level Programming I: Introduction
Systems I Machine-Level Programming I: Introduction Topics Assembly Programmerʼs Execution Model Accessing Information Registers IA32 Processors Totally Dominate General Purpose CPU Market Evolutionary
More informationWar Industries Presents: An Introduction to Programming for Hackers Part V - Functions. By Lovepump, Visit:
War Industries Presents: An Introduction to Programming for Hackers Part V - Functions By Lovepump, 2004 Visit: www.warindustries.com Goals: At the end of Part IV, you should be able to competently code
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More information1 /* file cpuid2.s */ 4.asciz "The processor Vendor ID is %s \n" 5.section.bss. 6.lcomm buffer, section.text. 8.globl _start.
1 /* file cpuid2.s */ 2.section.data 3 output: 4.asciz "The processor Vendor ID is %s \n" 5.section.bss 6.lcomm buffer, 12 7.section.text 8.globl _start 9 _start: 10 movl $0, %eax 11 cpuid 12 movl $buffer,
More informationUW CSE 351, Winter 2013 Midterm Exam
Full Name: Student ID: UW CSE 351, Winter 2013 Midterm Exam February 15, 2013 Instructions: Make sure that your exam is not missing any of the 9 pages, then write your full name and UW student ID on the
More informationCS , Fall 2002 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2002 Exam 1 October 8, 2002 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front. Write
More informationLecture Notes on Decompilation
Lecture Notes on Decompilation 15411: Compiler Design Maxime Serrano Lecture 20 October 31, 2013 1 Introduction In this lecture, we consider the problem of doing compilation backwards - that is, transforming
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More information15-213/18-213, Fall 2011 Exam 1
Andrew ID (print clearly!): Full Name: 15-213/18-213, Fall 2011 Exam 1 Tuesday, October 18, 2011 Instructions: Make sure that your exam is not missing any sheets, then write your Andrew ID and full name
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-20 Wed Young W. Lim Link 2. Object Files 2017-09-20 Wed 1 / 33 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationMachine-Level Programming I: Introduction Jan. 30, 2001
15-213 Machine-Level Programming I: Introduction Jan. 30, 2001 Topics Assembly Programmer s Execution Model Accessing Information Registers Memory Arithmetic operations IA32 Processors Totally Dominate
More informationMachine Programming 4: Structured Data
Machine Programming 4: Structured Data CS61, Lecture 6 Prof. Stephen Chong September 20, 2011 Announcements Assignment 2 (Binary bomb) due Thursday We are trying out Piazza to allow class-wide questions
More informationCSC 8400: Computer Systems. Using the Stack for Function Calls
CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationLink 4. Relocation. Young W. Lim Wed. Young W. Lim Link 4. Relocation Wed 1 / 22
Link 4. Relocation Young W. Lim 2017-09-13 Wed Young W. Lim Link 4. Relocation 2017-09-13 Wed 1 / 22 Outline 1 Linking - 4. Relocation Based on Relocation Relocation Entries Relocating Symbol Reference
More informationSample Exam I PAC II ANSWERS
Sample Exam I PAC II ANSWERS Please answer questions 1 and 2 on this paper and put all other answers in the blue book. 1. True/False. Please circle the correct response. a. T In the C and assembly calling
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls"
CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing
More information15-213/18-213, Fall 2011 Final Exam
Andrew ID (print clearly!): Full Name: 15-213/18-213, Fall 2011 Final Exam Friday, December 16, 2011 Instructions: Make sure that your exam is not missing any sheets, then write your Andrew ID and full
More informationInstructor: Alvin R. Lebeck
X86 Assembly Programming with GNU assembler Lecture 7 Instructor: Alvin R. Lebeck Some Slides based on those from Randy Bryant and Dave O Hallaron Admin Reading: Chapter 3 Note about pointers: You must
More informationCredits and Disclaimers
Credits and Disclaimers 1 The examples and discussion in the following slides have been adapted from a variety of sources, including: Chapter 3 of Computer Systems 2 nd Edition by Bryant and O'Hallaron
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationCSE351 Autumn 2012 Midterm Exam (5 Nov 2012)
CSE351 Autumn 2012 Midterm Exam (5 Nov 2012) Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove to
More informationANITA S SUPER AWESOME RECITATION SLIDES
ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late
More informationFull Name: CISC 360, Fall 2008 Example of Exam
Full Name: CISC 360, Fall 2008 Example of Exam Page 1 of 0 Problem 1. (12 points): Consider the following 8-bit floating point representation based on the IEEE floating point format: There is a sign bit
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2016 Lecture 12 CS24 MIDTERM Midterm format: 6 hour overall time limit, multiple sittings (If you are focused on midterm, clock should be running.) Open book
More informationTurning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p
Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p text C program (p1.c p2.c) Compiler (gcc -S) text Asm
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationCS 201 Winter 2014 (Karavanic) Final Exam
CS 201 Winter 2014 (Karavanic) Final Exam Your Name: (1 point) Instructions: - Be sure to write your name on the first sheet. - All answers, and all work submitted in support of answers, should be written
More informationPage 1. Condition Codes CISC 360. Machine-Level Programming II: Control Flow Sep 17, Setting Condition Codes (cont.)
CISC 360 Condition Codes Machine-Level Programming II: Control Flow Sep 17, 2009 class06 2 Setting Condition Codes (cont.) Setting Condition Codes (cont.) 3 4 Page 1 Reading Condition Codes Reading Condition
More informationChronomorphic Programs: Using Runtime Diversity to Prevent Code Reuse Attacks
Chronomorphic Programs: Using Runtime Diversity to Prevent Code Reuse Attacks Scott E. Friedman, David J. Musliner, and Peter K. Keller Smart Information Flow Technologies (SIFT) Minneapolis, USA email:
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More information15-213/18-243, Spring 2011 Exam 1
Andrew login ID: Full Name: Section: 15-213/18-243, Spring 2011 Exam 1 Thursday, March 3, 2011 (v1) Instructions: Make sure that your exam is not missing any sheets, then write your Andrew login ID, full
More informationMachine- Level Programming III: Switch Statements and IA32 Procedures
Machine- Level Programming III: Switch Statements and IA32 Procedures 15-213: Introduc;on to Computer Systems 6 th Lecture, Sep. 9, 2010 Instructors: Randy Bryant and Dave O Hallaron Today Switch statements
More informationCISC 360. Machine-Level Programming II: Control Flow Sep 17, class06
CISC 360 Machine-Level Programming II: Control Flow Sep 17, 2009 class06 Condition Codes 2 Setting Condition Codes (cont.) 3 Setting Condition Codes (cont.) 4 Reading Condition Codes SetX Condition Description
More information1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationRecovering Types from Binaries
Recovering Types from Binaries Teodora Baluta Shiqi Shen Alexandros Dimos Advised by prof. Prateek Saxena School of Computing, NUS {teobaluta, shensq04, alexandros.dimos95}@gmail.com Decompilation Load
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013 CONST POINTERS CONST POINTERS 4 ways to declare pointers in combination with const:!! int *ptr! const int *ptr!
More informationCMSC 313 Lecture 12 [draft] How C functions pass parameters
CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an
More informationTHEORY OF COMPILATION
Lecture 10 Activation Records THEORY OF COMPILATION EranYahav www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec10.pptx Reference: Dragon 7.1,7.2. MCD 6.3,6.4.2 1 You are here Compiler txt Source Lexical
More informationLink 4. Relocation. Young W. Lim Thr. Young W. Lim Link 4. Relocation Thr 1 / 26
Link 4. Relocation Young W. Lim 2017-09-14 Thr Young W. Lim Link 4. Relocation 2017-09-14 Thr 1 / 26 Outline 1 Linking - 4. Relocation Based on Relocation Relocation Entries Relocating Symbol Reference
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationMeet & Greet! Come hang out with your TAs and Fellow Students (& eat free insomnia cookies) When : TODAY!! 5-6 pm Where : 3rd Floor Atrium, CIT
Meet & Greet! Come hang out with your TAs and Fellow Students (& eat free insomnia cookies) When : TODAY!! 5-6 pm Where : 3rd Floor Atrium, CIT CS33 Intro to Computer Systems XI 1 Copyright 2017 Thomas
More informationCIT Week13 Lecture
CIT 3136 - Week13 Lecture Runtime Environments During execution, allocation must be maintained by the generated code that is compatible with the scope and lifetime rules of the language. Typically there
More informationHomework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1
Homework In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, 361-367 Practice Exam 1 1 In-line Assembly Code The gcc compiler allows you to put assembly instructions in-line
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationCSCI 2021: x86-64 Control Flow
CSCI 2021: x86-64 Control Flow Chris Kauffman Last Updated: Mon Mar 11 11:54:06 CDT 2019 1 Logistics Reading Bryant/O Hallaron Ch 3.6: Control Flow Ch 3.7: Procedure calls Goals Jumps and Control flow
More informationControl flow. Condition codes Conditional and unconditional jumps Loops Switch statements
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Familiar C constructs l l l l l l if else while do while for break continue Two
More informationCS / ECE , Spring 2010 Exam 1
Andrew login ID: Full Name: Recitation Section: CS 15-213 / ECE 18-243, Spring 2010 Exam 1 Version 1100101 Tuesday, March 2nd, 2010 Instructions: Make sure that your exam is not missing any sheets, then
More informationCS , Fall 2009 Exam 1
Andrew login ID: Full Name: Recitation Section: CS 15-213, Fall 2009 Exam 1 Thurs, September 24, 2009 Instructions: Make sure that your exam is not missing any sheets, then write your full name, Andrew
More informationCISC 360. Machine-Level Programming I: Introduction Sept. 18, 2008
CISC 360 Machine-Level Programming I: Introduction Sept. 18, 2008 Topics Assembly Programmerʼs Execution Model Accessing Information Registers Memory Arithmetic operations IA32 Processors Totally Dominate
More informationIntel assembly language using gcc
QOTD Intel assembly language using gcc Assembly language programming is difficult. Make no mistake about that. It is not for wimps and weaklings. - Tanenbaum s 6th, page 519 These notes are a supplement
More informationLabeling Library Functions in Stripped Binaries
Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller Computer Sciences Department University of Wisconsin - Madison PASTE 2011 Szeged, Hungary September
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationRakan El-Khalil xvr α xvr net
Information Hiding in Program Binaries Rakan El-Khalil xvr α xvr net Warning: Steganography vs. Stenography. Intro Information hiding overview Theoretical aspects of Software marking In practice Applications
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationMachine-Level Programming Introduction
Machine-Level Programming Introduction Today Assembly programmer s exec model Accessing information Arithmetic operations Next time More of the same Fabián E. Bustamante, Spring 2007 IA32 Processors Totally
More informationThe course that gives CMU its Zip! Machine-Level Programming I: Introduction Sept. 10, 2002
15-213 The course that gives CMU its Zip! Machine-Level Programming I: Introduction Sept. 10, 2002 Topics Assembly Programmer s Execution Model Accessing Information Registers Memory Arithmetic operations
More informationUnderstanding C/C++ Strict Aliasing
Understanding C/C++ Strict Aliasing or - Why won't the #$@##@^% compiler let me do what I need to do! by Patrick Horgan There's a lot of confusion about strict aliasing rules. The main source of people's
More informationCS , Fall 2009 Exam 1
Andrew login ID: Full Name: Recitation Section: CS 15-213, Fall 2009 Exam 1 Thursday, September 24, 2009 Instructions: Make sure that your exam is not missing any sheets, then write your full name, Andrew
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationAssembly I: Basic Operations. Jo, Heeseung
Assembly I: Basic Operations Jo, Heeseung Moving Data (1) Moving data: movl source, dest Move 4-byte ("long") word Lots of these in typical code Operand types Immediate: constant integer data - Like C
More informationOverview of Compiler. A. Introduction
CMPSC 470 Lecture 01 Topics: Overview of compiler Compiling process Structure of compiler Programming language basics Overview of Compiler A. Introduction What is compiler? What is interpreter? A very
More informationASSEMBLY I: BASIC OPERATIONS. Jo, Heeseung
ASSEMBLY I: BASIC OPERATIONS Jo, Heeseung MOVING DATA (1) Moving data: movl source, dest Move 4-byte ("long") word Lots of these in typical code Operand types Immediate: constant integer data - Like C
More informationMachine Level Programming II: Arithmetic &Control
Machine Level Programming II: Arithmetic &Control Arithmetic operations Control: Condition codes Conditional branches Loops Switch Kai Shen 1 2 Some Arithmetic Operations Two Operand Instructions: Format
More informationY86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View
Computer Architecture I Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, movl, andl, How instructions are encoded as bytes Layer of Abstraction
More informationIA32 Processors The course that gives CMU its Zip! Machine-Level Programming I: Introduction Sept. 10, X86 Evolution: Programmer s View
Machine-Level Programming I: Introduction Sept. 10, 2002 class05.ppt 15-213 The course that gives CMU its Zip! Topics Assembly Programmer s Execution Model Accessing Information Registers Memory Arithmetic
More informationX86 Stack Calling Function POV
X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003
More informationMachine-Level Programming II: Control Flow
Machine-Level Programming II: Control Flow Today Condition codes Control flow structures Next time Procedures Fabián E. Bustamante, Spring 2010 Processor state (ia32, partial) Information about currently
More informationMachine Programming 1: Introduction
Machine Programming 1: Introduction CS61, Lecture 3 Prof. Stephen Chong September 8, 2011 Announcements (1/2) Assignment 1 due Tuesday Please fill in survey by 5pm today! Assignment 2 will be released
More information