syscall_intercept A user space library for intercepting system calls Author Name, Company Krzysztof Czuryło, Intel
|
|
- Samuel Hines
- 6 years ago
- Views:
Transcription
1 Talk syscall_intercept Title Here A user space library for intercepting system calls Author Name, Company Krzysztof Czuryło, Intel
2 What it is? Provides a low-level interface for hooking Linux system calls in user space Very simple API Open source: BSD license
3 Why we need it?
4 Motivation libpmemfile fully user-space filesystem not FUSE builds on libpmemobj ( persistent memory as a media
5 pmemfile design User Applications pmemfile_write write pmemfile components libpmemfile-posix libpmemobj libpmemfile syscall_intercept glibc User Space load/store System Call Interface Kernel SYS_write Kernel Space Architecture-Dependent Kernel Code NVDIMM Hardware Platform
6 How does it work?
7 How does it work? Disassemble the code Identify all the syscall instructions...and their context Hotpatch the code Replace syscalls with jumps to a custom syscall hook All the syscalls by libc are intercepted assume libc is already loaded One hook function to rule them all
8 How does it work? Patch libc libpthread Do not patch libsyscall_intercept libcapstone Optional target program other libraries INTERCEPT_ALL_OBJS=1
9 Capstone The Ultimate Disassembler
10 Capstone "Capstone is a lightweight multi-platform, multiarchitecture disassembly framework. Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community."
11 Capstone Multi-arch: Arm, Arm64 (Armv8), M68K, Mips, PowerPC, Sparc, SystemZ, TMS320C64X, XCore& X86/X86_64 Multi-platform: Native support for Windows & *nix (with Mac OSX, ios, Android, Linux, *BSD & Solaris confirmed) Bindings for Clojure, F#, Common Lisp, Visual Basic, PHP, PowerShell, Haskell, Perl, Python, Ruby, C#, NodeJS, Java, GO, C++, OCaml, Lua, Rust, Delphi, Free Pascal & Vala available Provide details on disassembled instruction (called "decomposer" by some others) Provide some semantics of the disassembled instruction, such as list of implicit registers read & written Thread-safe by design Distributed under the open source BSD license Over 300 products already using Capstone Source code: source:
12 Disassembly Iterate thru all instructions in TEXT section cs_disasm_iter() Examine each instruction and its operands is syscall? is call/jump/relative jump/indirect jump? is ret? is nop? has IP relative operands? (cannot be patched!) can be relocated?
13 Everything here is x86_64 and Linux-specific!!!
14 Hotpatching Can't replace syscall with a call to C function return addr ret (stack) Can't replace syscall with a jump to C function arguments Need a wrapper routine Call the actual syscall hook function Eventually must jump back to the origin
15 Hotpatching Syscalls replaced with a jmp to a wrapper routine Each patched syscall has its own one Generated on-the-fly Wrapper routine template intercept_template.s Save registers Call the syscall hook Jump back to origin
16 Hotpatching Overriding syscall instruction syscall - 2 bytes long jmp - 5 bytes If surrounding instructions can be relocated Move them to the wrapper Look for some place nearby that can be overwritten Put a trampoline code there (the actual long jump) syscall => short jump (2 bytes)
17 Hotpatching Before calling C syscall hook function Save all the registers on stack recent GCC/clang versions may help with attribute no_caller_saved_registers calee-saved registers Align the stack 32-byte boundary (because of AVX regs) force_align_arg_pointer attribute does not help
18 Hotpatching Syscall in a leaf function red zone adjust stack pointer
19 Wrapper routine template intercept_template.s... mov %rsp, %r11 sub $0x80, $rsp and $-32, %rsp sub $0x38, %rsp mov %r11, (%rsp) mov $0x , %r11 call *r11 mov (%rsp), %rsp jmp absolute address... # remember the original value of $rsp # respect the red zone # align the stack # allocate space for some locals # save the original value of #rsp # the address of a syscall hook function to call # call into code common to all syscalls # restore original %rsp, as it was in the intercepted code # appended to the template
20 Patched code patched code example... 0x0010 mov $2, %eax 0x0019 jmp $0x1100 # an overwritten syscall 0x0020 cmp $-4095, %rax 0x0026 jle $0x0100 0x0032 ret 0x0040 mov $3, %eax 0x0049 jmp $0x1200 # another syscall 0x0040 cmp $-4095, %rax 0x0049 jle $0x0100 0x0052 ret x1100 cmp $-4095, %rax 0x1100 mov %rsp, %r11 0x1105 sub $0x80, $rsp 0x110a and $-32, %rsp 0x1110 sub $0x38, %rsp 0x1116 mov %r11, (%rsp) 0x111b mov $0x , %r11 0x113a call *%r11 0x1140 mov (%rsp), %rsp 0x1144 jmp $0x0026 # jmp back... 0x1200 mov %rsp, %r11 # same as above...
21 Special cases SYS_clone Different stack pointer Restoring registers may result in undefined behavior Cannot be handled in C function Execute syscall in its original context
22 Special cases Syscall execution signal-safe MT-safe Cannot guarantee the user hook is signal-safe I.e. calling libc printf from a hooked write syscall, which was originally called by libc printf
23 My first interceptor
24 Example #include <libsyscall_intercept_hook_point.h> /* * The syscall_number, and the six args describe the syscall currently being intercepted. * A non-zero return value means libsyscall_intercept should execute the original syscall, * use its result. * A zero return value means libsyscall_intercept should not execute the syscall, and use * the integer stored to *result as the result of the syscall to be returned in RAX to libc. */ extern int (*intercept_hook_point)(long syscall_number, long arg0, long arg1, long arg2, long arg3, long arg4, long arg5, long *result); /* * Call syscall_no_intercept to make syscalls from the interceptor library, once glibc is * already patched. * Don't use the syscall function from glibc, that would just result in an infinite recursion. */ long syscall_no_intercept(long syscall_number,...);
25 Example #include <libsyscall_intercept_hook_point.h> #include <syscall.h> #include <errno.h> static int hook(long syscall_number, long arg0, long arg1, long arg2, long arg3, long arg4, long arg5, long *result) { if (syscall_number == SYS_xxx) { /* do something */ return 0; /* syscall handled */ } else { /* ignore other syscalls */ return 1; /* pass it to the kernel */ } } static attribute ((constructor)) void init(void) { /* set up the callback function */ intercept_hook_point = hook; }
26 Example ================= hello.c =================== int main(int argc, char **argv) { printf("hello world!\n"); return 0; } ================= mysi.c =================== char translate(char c) { switch (c) { case 'l': return '1'; case 'o': return '0'; case 'e': return '3'; default: return c; } } if (syscall_number == SYS_write) { char buf_copy[0x1000]; size_t size = (size_t)arg2; char *buf = (char *)arg1; size_t i; } return 1;... if (size > sizeof(buf_copy)) size = sizeof(buf_copy); for (i = 0; i < size; ++i) buf_copy[i] = translate(buf[i]); buf_copy[i] = '\0'; *result = syscall_no_intercept( SYS_write, arg0, buf_copy, size); return 0;
27 Example $ cc -lsyscall_intercept -fpic -shared mysi.c -o mysilib.so $ cc hello.c -o hello $./hello Hello world! $ LD_PRELOAD=mysilib.so./hello H3110 w0r1d!
28 Other features
29 Usage - intercept log Intercept log Log each intercepted system call to a file could be many per-process log files if process forks INTERCEPT_LOG=1 enable logging INTERCEPT_LOG_TRUNC=0 do not truncate log file
30 Usage - intercept log $ INTERCEPT_LOG=./log LD_PRELOAD=mysilib.so./hello H3110 w0r1d! $ cat./log tempfile=... # will be explained in a minute... /lib64/libc.so.6 0xf fstat(1, 0x7ffce0f984c0) =? /lib64/libc.so.6 0xf fstat(1, 0x7ffce0f984c0) = 0 /lib64/libc.so.6 0xf7ade -- write(1, "Hello world!\n", 13) =? /lib64/libc.so.6 0xf7ade -- write(1, "Hello world!\n", 13) = 13 /lib64/libc.so.6 0xccb56 -- exit_group(0)
31 Usage - intercept log Log is a script (very slow!!!) tempfile=$(mktemp) ; tempfile2=$(mktemp) ; grep "^/" $0 cut -d " " -f 1,2 sed "s/^/addr2line -p -f -e /" > $tempfile ; { echo ;. $tempfile ; echo ; } > $tempfile2 ; paste $tempfile2 $0 ; exit 0 $./log GI fxstat at /usr/src/debug/glibc g605e6f9/io/../sysdeps/unix/sysv/linux/wordsize- 64/fxstat.c:35 /lib64/libc.so.6 0xf fstat(1, 0x7ffce0f984c0) =? GI fxstat at /usr/src/debug/glibc g605e6f9/io/../sysdeps/unix/sysv/linux/wordsize- 64/fxstat.c:35 /lib64/libc.so.6 0xf fstat(1, 0x7ffce0f984c0) = 0 write_nocancel at /usr/src/debug////////glibc g605e6f9/io/../sysdeps/unix/syscall-template.s:84 /lib64/libc.so.6 0xf7ade -- write(1, "Hello world!\n", 13) =? write_nocancel at /usr/src/debug////////glibc g605e6f9/io/../sysdeps/unix/syscall-template.s:84 /lib64/libc.so.6 0xf7ade -- write(1, "Hello world!\n", 13) = 13 GI exit at /usr/src/debug/glibc g605e6f9/posix/../sysdeps/unix/sysv/linux/_exit.c:31 /lib64/libc.so.6 0xccb56 -- exit_group(0)
32 Examples - syscall logger examples/syscall_logger.c strace-like $ export SYSCALL_LOG_PATH=./syscall.log $ LD_PRELOAD=libsyscall_logger.so./hello $ cat./syscall.log fstat(1, 0x00007ffc88c26490) = 0 write(1, 0x bd9010, 0x d) = 13 exit_group(0x )
33 Debugging Run the program under GDB Don't want the syscalls made by GDB to be intercepted cmdline filter Only patch the selected binaries (by name) INTERCEPT_HOOK_CMDLINE_FILTER=... name/path Can be queried syscall_hook_in_process_allowed()
34 Summary
35 Limitations Only Linux x86_64 is supported Tested with glibc only There are known issues with some syscalls: clone, rt_sigreturn, ptrace Code is patched once Dynamically generated/loaded code can't be hooked May be fooled by any handwritten assembly Undocumented ISA Mixing code and data Overlapping instructions
36 Potential use cases Error injection / testing Fast syscall tracing Device emulation lib_***_intercept? not only syscalls specific instructions, etc. Other
37 Future plans Release version 1.0 Packages for popular Linux distros
38 Q&A
39
40 Backup
41 Build and install git clone ccmake syscall_intercept make sudo make install
Practical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationUsing persistent memory to
Using persistent memory to Talk build Title a high-performant, Here fully Author Name, Company user space filesystem Krzysztof Czuryło, Intel What it is? pmemfile Low-overhead userspace implementation
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationProcesses. Johan Montelius KTH
Processes Johan Montelius KTH 2017 1 / 47 A process What is a process?... a computation a program i.e. a sequence of operations a set of data structures a set of registers means to interact with other
More informationSystem calls and assembler
System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationA process. the stack
A process Processes Johan Montelius What is a process?... a computation KTH 2017 a program i.e. a sequence of operations a set of data structures a set of registers means to interact with other processes
More informationFunctions. Ray Seyfarth. August 4, Bit Intel Assembly Language c 2011 Ray Seyfarth
Functions Ray Seyfarth August 4, 2011 Functions We will write C compatible function C++ can also call C functions using extern "C" {...} It is generally not sensible to write complete assembly programs
More informationUnicorn: Next Generation CPU Emulator Framework
Unicorn: Next Generation CPU Emulator Framework www.unicorn-engine.org NGUYEN Anh Quynh Syscan360 Beijing - October 21st, 2015 1 / 38 NGUYEN Anh Quynh Unicorn: Next Generation CPU
More informationArm cross development tools
Arm cross development tools slide 1 the GNU C compiler, binutils and glibc can be configured to target the arm series of microprocessors Raspberry Pi uses an arm11 processor processor runs at 700Mhz cross
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationReturn Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
More informationKEYSTONE: the last missing framework for Reverse Engineering
KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh Quynh RECON - June 19th, 2016 1 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing
More informationCommand Line Interface / Application Programming Interface (cliapi) Kevin Sheldrake rtfc.org.uk
Command Line Interface / Application Programming Interface (cliapi) Kevin Sheldrake rtfc.org.uk WTF? cliapi is a tool that runs individual functions in an executable or library on linux. Sometimes a function
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationWhat the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.
C Flow Control David Chisnall February 1, 2011 Outline What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope Disclaimer! These slides contain a lot of
More informationCS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: February 28, 2018 at 06:32 CS429 Slideset 9: 1 Mechanisms in Procedures
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More informationDynamic Binary Instrumentation: Introduction to Pin
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationMachine Language Instructions Introduction. Instructions Words of a language understood by machine. Instruction set Vocabulary of the machine
Machine Language Instructions Introduction Instructions Words of a language understood by machine Instruction set Vocabulary of the machine Current goal: to relate a high level language to instruction
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationBuilding Advanced Coverage-guided Fuzzer for Program Binaries
Building Advanced Coverage-guided Fuzzer for Program Binaries NGUYEN Anh Quynh WEI Lei 17/11/2017 Zero Nights, Moscow 2017 Self-introduction NGUYEN Anh Quynh, PhD
More informationCS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:
CS-220 Spring 2018 Test 2 Version Practice Apr. 23, 2018 Name: 1. (10 points) For the following, Check T if the statement is true, the F if the statement is false. (a) T F : The main difference between
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More informationan infinite loop Processes and Exceptions doing nothing on a busy system timing nothing
an infinite loop Processes and Exceptions int main(void) { while (1) { /* waste CPU time */ If I run this on a lab machine, can you still use it? even if the machine only has one core? 1 2 timing nothing
More information6.035 Project 3: Unoptimized Code Generation. Jason Ansel MIT - CSAIL
6.035 Project 3: Unoptimized Code Generation Jason Ansel MIT - CSAIL Quiz Monday 50 minute quiz Monday Covers everything up to yesterdays lecture Lexical Analysis (REs, DFAs, NFAs) Syntax Analysis (CFGs,
More informationCSE 351 Midterm - Winter 2015 Solutions
CSE 351 Midterm - Winter 2015 Solutions February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate
More informationStack overflow exploitation
Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void
More informationSource level debugging. October 18, 2016
Source level debugging October 18, 2016 Source level debugging Source debugging is a nice tool for debugging execution problems; it can be particularly useful when working with crashed programs that leave
More informationCS 5460/6460 Operating Systems
CS 5460/6460 Operating Systems Fall 2009 Instructor: Matthew Flatt Lecturer: Kevin Tew TAs: Bigyan Mukherjee, Amrish Kapoor 1 Join the Mailing List! Reminders Make sure you can log into the CADE machines
More informationCS 3305 Intro to Threads. Lecture 6
CS 3305 Intro to Threads Lecture 6 Introduction Multiple applications run concurrently! This means that there are multiple processes running on a computer Introduction Applications often need to perform
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationControl-flow Enforcement Technology H.J. Lu. Intel November, 2018
Control-flow Enforcement Technology H.J. Lu Intel November, 2018 Introduction Control-flow Enforcement Technology (CET) An upcoming Intel processor family feature that blocks return/jumporiented programming
More informationCSC 405 Computer Security Shellcode
CSC 405 Computer Security Shellcode Alexandros Kapravelos akaprav@ncsu.edu Attack plan Attack code Vulnerable code xor ebx, ebx xor eax, eax mov ebx,edi mov eax,edx sub eax,0x388 Vulnerable code xor ebx,
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationCS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri
CS356: Discussion #6 Assembly Procedures and Arrays Marco Paolieri (paolieri@usc.edu) Procedures Functions are a key abstraction in software They break down a problem into subproblems. Reusable functionality:
More informationMemory management. Johan Montelius KTH
Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationSoftware Protection: How to Crack Programs, and Defend Against Cracking Lecture 3: Program Analysis Moscow State University, Spring 2014
Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 3: Program Analysis Moscow State University, Spring 2014 Christian Collberg University of Arizona www.cs.arizona.edu/ collberg
More informationCS 290 Host-based Security and Malware. Christopher Kruegel
CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Reverse Engineering Introduction Reverse engineering process of analyzing a system understand its structure and functionality
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationCSC369 Lecture 2. Larry Zhang
CSC369 Lecture 2 Larry Zhang 1 Announcements Lecture slides Midterm timing issue Assignment 1 will be out soon! Start early, and ask questions. We will have bonus for groups that finish early. 2 Assignment
More informationCSC 405 Computer Security Reverse Engineering Part 1
CSC 405 Computer Security Reverse Engineering Part 1 Alexandros Kapravelos akaprav@ncsu.edu Introduction Reverse engineering process of analyzing a system understand its structure and functionality used
More informationLecture 2 Assembly Language
Lecture 2 Assembly Language Computer and Network Security 9th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 2, Assembly Language 1/37 Recap: Explorations Tools assembly
More informationCSC369 Lecture 2. Larry Zhang, September 21, 2015
CSC369 Lecture 2 Larry Zhang, September 21, 2015 1 Volunteer note-taker needed by accessibility service see announcement on Piazza for details 2 Change to office hour to resolve conflict with CSC373 lecture
More informationCSE 333 SECTION 3. POSIX I/O Functions
CSE 333 SECTION 3 POSIX I/O Functions Administrivia Questions (?) HW1 Due Tonight Exercise 7 due Monday (out later today) POSIX Portable Operating System Interface Family of standards specified by the
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More informationDownload the tarball for this session. It will include the following files:
Getting Started 1 Download the tarball for this session. It will include the following files: driver driver.c bomb.h bomb.o 64-bit executable C driver source declaration for "bomb" 64-bit object code for
More informationMechanisms in Procedures. CS429: Computer Organization and Architecture. x86-64 Stack. x86-64 Stack Pushing
CS429: Computer Organization and Architecture Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: February 28, 2018 at 06:32 Mechanisms in Procedures Passing Control
More informationCapstone Disassembly Engine
www.capstone-engine.org NGUYEN Anh Quynh, Coseinc Syscan360 Beijing, July 16th 2014 1 / 53 Agenda 1 Disassembly engines & their issues 2 Capstone: general ideas & design Capstone
More informationReverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationKernel hacking su Android. Better Embedded Andrea Righi
Kernel hacking su Android Agenda Overview Android Programming Android Power Management Q/A Overview What is Android OS? Linux kernel Android patches Bionic libc Dalvik VM (Java Virtual Machine) Application
More informationCS 550 Operating Systems Spring System Call
CS 550 Operating Systems Spring 2018 System Call 1 Recap: The need for protection When running user processes, the OS needs to protect itself and other system components For reliability: buggy programs
More informationGDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32
GDB Tutorial Young W. Lim 2017-02-14 Tue Young W. Lim GDB Tutorial 2017-02-14 Tue 1 / 32 Outline 1 Introduction Young W. Lim GDB Tutorial 2017-02-14 Tue 2 / 32 Based on "Self-service Linux: Mastering the
More informationShell Code For Beginners
Shell Code For Beginners Beenu Arora Site: www.beenuarora.com Email: beenudel1986@gmail.com ################################################################ #.. # # _/ \ _ \ _/ # # / \ \\ \ / // \/ /_\
More informationAn Experience Like No Other. Stack Discipline Aug. 30, 2006
15-410 An Experience Like No Other Discipline Aug. 30, 2006 Bruce Maggs Dave Eckhardt Slides originally stolen from 15-213 15-410, F 06 Synchronization Registration If you're here but not registered, please
More informationPlaying with process tracing to instrument static function at runtime in EZTrace. Damien Martin-Guillerez SED
Playing with process tracing to instrument static function at runtime in EZTrace Damien Martin-Guillerez SED CENTRE Inria BORDEAUX SUD-OUEST INTRODUCTION EZTrace is a performance trace generator for parallel
More informationPRINCIPLES OF OPERATING SYSTEMS
PRINCIPLES OF OPERATING SYSTEMS Tutorial-1&2: C Review CPSC 457, Spring 2015 May 20-21, 2015 Department of Computer Science, University of Calgary Connecting to your VM Open a terminal (in your linux machine)
More informationDo You Trust a Mutated Binary? Drew Bernat Correct Relocation
Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat bernat@cs.wisc.edu April 30, 2007 Correct Relocation Binary Manipulation We want to: Insert new code Modify or delete code These operations
More informationCS 220: Introduction to Parallel Computing. Beginning C. Lecture 2
CS 220: Introduction to Parallel Computing Beginning C Lecture 2 Today s Schedule More C Background Differences: C vs Java/Python The C Compiler HW0 8/25/17 CS 220: Parallel Computing 2 Today s Schedule
More informationComputer Architecture and Assembly Language. Practical Session 5
Computer Architecture and Assembly Language Practical Session 5 Addressing Mode - "memory address calculation mode" An addressing mode specifies how to calculate the effective memory address of an operand.
More informationDigging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing
Digging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing NGUYEN Anh Quynh Kai Jern LAU HackInTheBox - Beijing, November 2nd, 2018
More informationCS527 Software Security
Reverse Engineering Purdue University, Spring 2018 Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2)) Remember common ASCII characters
More informationLecture XXIV: Review Xuan Guo CSC 3210 Computer Organization and Programming Georgia State University April 23, 2015 Xuan Guo Lecture XXIV: Review
CSC 3210 Computer Organization and Programming Georgia State University April 23, 2015 This lecture Review: set instruction register saving subroutine linkage arguments passing printf function instruction
More informationCSE 351 Midterm - Winter 2015
CSE 351 Midterm - Winter 2015 February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove
More informationJava and C II. CSE 351 Spring Instructor: Ruth Anderson
Java and C II CSE 351 Spring 2017 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis Administrivia Lab 5 Due TONIGHT! Fri 6/2
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More information518 Lecture Notes Week 3
518 Lecture Notes Week 3 (Sept. 15, 2014) 1/8 518 Lecture Notes Week 3 1 Topics Process management Process creation with fork() Overlaying an existing process with exec Notes on Lab 3 2 Process management
More informationProcesses (Intro) Yannis Smaragdakis, U. Athens
Processes (Intro) Yannis Smaragdakis, U. Athens Process: CPU Virtualization Process = Program, instantiated has memory, code, current state What kind of memory do we have? registers + address space Let's
More informationCAN STRACE MAKE YOU FAIL?
CAN STRACE MAKE YOU FAIL? Nahim El Atmani @brokenpi_pe July 15, 2016 1 DEFINITION 1.0 strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions
More informationBryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition. Carnegie Mellon
Carnegie Mellon Machine-Level Programming III: Procedures 15-213/18-213/14-513/15-513: Introduction to Computer Systems 7 th Lecture, September 18, 2018 Today Procedures Mechanisms Stack Structure Calling
More informationFixing/Making Holes in Binaries
Fixing/Making Holes in Binaries The Easy, The Hard, The Time Consuming Shaun Clowes Ð shaun@securereality.com.au What are we doing? Changing the behaviour of programs Directly modifying the program in
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationLibSysCTr(3) System Call Tracing Library LibSysCTr(3)
NAME systr_init_library, systr_cleanup_library, systr_run, systr_stop, systr_trace_syscall, systr_untrace_syscall, systr_get_pid, systr_get_param, systr_set_params, systr_is_entry, systr_pmem_read, systr_pmem_write,
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationHandling of Interrupts & Exceptions
CSE 2421: Systems I Low-Level Programming and Computer Organization Handling of Interrupts & Exceptions Read/Study: Bryant 8.1 11-30-2018 Presentation O Gojko Babić Computer Architecture (repeat) A modern
More informationMcSema: Static Translation of X86 Instructions to LLVM
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM About Us Artem Security Researcher blog.dinaburg.org Andrew PhD Student,
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationRunning a C program Compilation Python and C Variables and types Data and addresses Functions Performance. John Edgar 2
CMPT 125 Running a C program Compilation Python and C Variables and types Data and addresses Functions Performance John Edgar 2 Edit or write your program Using a text editor like gedit Save program with
More informationLecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.
Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationThe X86 Assembly Language Instruction Nop Means
The X86 Assembly Language Instruction Nop Means As little as 1 CPU cycle is "wasted" to execute a NOP instruction (the exact and other "assembly tricks", as explained also in this thread on Programmers.
More informationDownload the tarball for this session. It will include the following files:
Getting Started 1 Download the tarball for this session. It will include the following files: driver driver.c bomb.h bomb.o 64-bit executable C driver source declaration for "bomb" 64-bit object code for
More informationTHEORY OF COMPILATION
Lecture 10 Activation Records THEORY OF COMPILATION EranYahav www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec10.pptx Reference: Dragon 7.1,7.2. MCD 6.3,6.4.2 1 You are here Compiler txt Source Lexical
More informationIRIX is moving in the n32 direction, and n32 is now the default, but the toolchain still supports o32. When we started supporting native mode o32 was
Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.035, Fall 2002 Handout 23 Running Under IRIX Thursday, October 3 IRIX sucks. This handout describes what
More informationMachine-Level Programming III: Procedures
Machine-Level Programming III: Procedures CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGİN Slides adapted from Bryant & O Hallaron s slides Mechanisms in Procedures Passing control
More informationHardware: Logical View
Hardware: Logical View CPU Memory Bus Disks Net USB Etc. 1 Hardware: Physical View USB I/O controller Storage connections CPU Memory 2 Hardware: 351 View (version 0) instructions? Memory CPU data CPU executes
More informationseccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment
Nicolas Bareil 1/25 seccomp-nurse Nicolas Bareil EADS CSC Innovation Works France ekoparty 2010 Nicolas Bareil 2/25 Sandbox landscape Executive summary New sandboxing environment on Linux Focusing on headless
More informationStack Discipline Jan. 19, 2018
15-410 An Experience Like No Other Discipline Jan. 19, 2018 Dave Eckhardt Brian Railing Slides originally stolen from 15-213 1 15-410, S 18 Synchronization Registration The wait list will probably be done
More informationCSCI341. Lecture 22, MIPS Programming: Directives, Linkers, Loaders, Memory
CSCI341 Lecture 22, MIPS Programming: Directives, Linkers, Loaders, Memory REVIEW Assemblers understand special commands called directives Assemblers understand macro commands Assembly programs become
More informationReverse Engineering Microsoft Binaries
Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com Recon 2006 Overview In the next one hour, we will cover: Setting up a scalable reverse engineering environment getting binaries
More informationComputer Systems Lecture 9
Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions
More informationECE 471 Embedded Systems Lecture 8
ECE 471 Embedded Systems Lecture 8 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 21 September 2018 Announcements HW#2 was due HW#3 will be posted today. Work in groups? Note
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationRomain Thomas - Static instrumentation based on executable file formats
Romain Thomas - rthomas@quarkslab.com Static instrumentation based on executable file formats About Romain Thomas - Security engineer at Quarkslab Working on various topics: Android, (de)obfuscation, software
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More information