Format string vulnerabilities
|
|
- Toby Casey
- 6 years ago
- Views:
Transcription
1 Format string vulnerabilities
2 Goal Take control of the program (as usual) How? Write4 (write 4 bytes to an arbitrary location) Inject shellcode (or other exploits) into the process
3 What should we overwrite? Saved instruction pointer () Other pointers to code (we ll come back to this)
4 printf family printf fprintf sprintf snprintf asprintf dprintf vprintf vfprintf vsprintf vsnprintf vasprintf vdprintf
5 Conversion specifiers %c Character %s String %d, %i Integer %p Pointer %u Unsigned integer %% Literal % %x, %X Hex %n Stores number of characters written %e, %f, %g Double
6 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ending 5 s
7 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 H ending 5 s
8 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 He ending 5 s
9 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 Hel_ ending 5 s
10 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 Hell ending 5 s
11 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o Hell ending 5 s
12 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o Hell ending 5 s
13 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o 5_ Hell ending 5 s
14 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o 5 Hell ending 5 s
15 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 w o 5 Hell ending 5 s
16 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 wo o 5 Hell ending 5 s
17 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 wor_ o 5 Hell ending 5 s
18 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 worl o 5 Hell ending 5 s
19 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 d worl o 5 Hell ending 5 s
20 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ds worl o 5 Hell ending 5 s
21 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ds _ worl o 5 Hell ending 5 s
22 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 x: _ 5
23 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 o Hell x: _ 5
24 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 o 5_ Hell x: _ 5
25 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: _ 5
26 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: 13 5
27 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: 13 5
28 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
29 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
30 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 2b ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
31 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); f 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
32 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); fa 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
33 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
34 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
35 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); Z = 0x5a 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
36 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
37 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
38 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
39 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
40 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 12 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
41 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 12 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string
42 Picking the bytes to write Use % len x to control the length of the output Use %hhn to write just the least-significant byte of the length
43 Almost putting it all together = address ZZZZ address+1 ZZZZ address+2 ZZZZ address+3 %8x%8x%8x % len x%hhn % len x%hhn % len x%hhn % len x%hhn ;
44 Misaligned If is not 4-byte aligned, prepend 1, 2, or 3 characters to
45 Advantages of format string exploits No need to smash the stack (targeted write) Avoids defenses such as stack canaries! Stack canary is a random word pushed onto the stack that is checked before the function returns
46 Stack Canaries int bar(char *); char foo(void) { char [100]; bar(); return [0]; foo: push {r4, lr sub sp, sp, #104 movw r4, #:lower16: stack_chk_guard movt r4, #:upper16: stack_chk_guard ldr r3, [r4] str r3, [sp, #100] mov r0, sp bl bar ldrb r0, zero_extendqisi2 ldr r2, [sp, #100] ldr r3, [r4] cmp r2, r3 beq.l2 bl stack_chk_fail.l2: add sp, sp, #104 pop {r4, pc saved lr saved r4 canary
47 Disadvantages of exploits Easy to catch so rarer: $ gcc -Wformat=2 f.c f.c: In function main : f.c:5: warning: format not a string literal and no format arguments Tricky to exploit compared to fer overflows
48 What else can we overwrite? Function pointers C++ vtables Global offset table (GOT)
49 Function pointers #include <stdlib.h> #include <stdio.h> int compare(const void *a, const void *b) { const int *x = a; const int *y = b; return *x - *y; int main() { int i; int arr[6] = {2, 1, 5, 13, 8, 4; qsort(arr, 6, 4, compare); for (i = 0; i < 6; ++i) printf("%d ", arr[i]); putchar('\n'); return 0; main: pushl movl leal movl movl movl movl call %ebp %esp, %ebp qsort: call *0x14(%ebp) 24(%esp), %esi // arr $compare, 12(%esp) $4, 8(%esp) $6, 4(%esp) %esi, (%esp) qsort
50 C++ Virtual function tables (vtable) struct Foo { Foo() { virtual ~Foo() { virtual void fun1() { virtual void fun2() { ; void bar(foo &f) { f.fun1(); f.fun2(); int main() { Foo f; foo(f); _Z3barR3Foo: // bar(foo&) pushl %ebp movl %esp, %ebp pushl %ebx subl $20, %esp movl 8(%ebp), %ebx // ebx <- f movl (%ebx), %eax // eax <- vtable movl %ebx, (%esp) // (esp) <- this call *8(%eax) // call virtual function movl (%ebx), %eax // eax <- vtable movl %ebx, (%esp) // (esp) <- this call *12(%eax) // call virtual function addl $20, %esp popl %ebx popl %ebp ret
51 vtable for Foo // Real code _ZN3FooC1Ev: pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax movl $_ZTV3Foo+8, (%eax) popl %ebp ret _ZTV3Foo:.long 0.long _ZTI3Foo.long _ZN3FooD1Ev.long _ZN3FooD0Ev.long _ZN3Foo4fun1Ev.long _ZN3Foo4fun2Ev address of vtable+8 stored in first word of object // Demangled Foo::Foo(): pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax movl vtable for Foo+8, (%eax) popl %ebp ret vtable for Foo:.long 0.long typeinfo for Foo.long Foo::~Foo().long Foo::~Foo().long Foo::fun1().long Foo::fun2()
52 Global Offset Table (GOT) Contains pointers to code and data in shared libraries Library functions aren t called directly; stub in the Procedure Linkage Table (PLT) called E.g., call exit -> call exit@plt exit@plt looks up the address of exit in the GOT and jumps to it (not the whole story) Overwrite function pointer in GOT
Software Vulnerabilities. Jeff Foster University of Maryland, College Park
Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationProcedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29
Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure
More informationBuffer Overflows. Buffer Overflow. Many of the following slides are based on those from
s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationQuestion 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110
Questions 1 Question 4.1 1: (Solution, p 5) Define the fetch-execute cycle as it relates to a computer processing a program. Your definition should describe the primary purpose of each phase. Question
More informationIntel assembly language using gcc
QOTD Intel assembly language using gcc Assembly language programming is difficult. Make no mistake about that. It is not for wimps and weaklings. - Tanenbaum s 6th, page 519 These notes are a supplement
More informationProcedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27
Procedure Calls Young W. Lim 2016-11-05 Sat Young W. Lim Procedure Calls 2016-11-05 Sat 1 / 27 Outline 1 Introduction References Stack Background Transferring Control Register Usage Conventions Procedure
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls"
CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationX86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationadministrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?
administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? exam on Wednesday today s material not on the exam 1 Assembly Assembly is programming
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationMidterm 1 Review. Memory Safety & Web Attacks
Midterm 1 Review Memory Safety & Web Attacks What s on the midterm? Lecture material through Feb 9 Lecture notes ("Notes on..." on the course site) Section material, per "Handout w/ solutions" Concepts
More informationFormat String Dangers. Shachar Shemesh Security Consultant
Format String Dangers Shachar Shemesh Security Consultant http://www.shemesh.biz Schedule Reintroduction to printf (as if you don t already know ). Some reflection about common uses of printf. Dangers
More informationFinal exam. Scores. Fall term 2012 KAIST EE209 Programming Structures for EE. Thursday Dec 20, Student's name: Student ID:
Fall term 2012 KAIST EE209 Programming Structures for EE Final exam Thursday Dec 20, 2012 Student's name: Student ID: The exam is closed book and notes. Read the questions carefully and focus your answers
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationLecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More information4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only
Instructions: The following questions use the AT&T (GNU) syntax for x86-32 assembly code, as in the course notes. Submit your answers to these questions to the Curator as OQ05 by the posted due date and
More informationCMSC 313 Lecture 12 [draft] How C functions pass parameters
CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationComputer Systems CEN591(502) Fall 2011
Computer Systems CEN591(502) Fall 2011 Sandeep K. S. Gupta Arizona State University 9 th lecture Machine-Level Programming (4) (Slides adapted from CSAPP) Announcements Potentially Makeup Classes on Sat
More informationCS241 Computer Organization Spring 2015 IA
CS241 Computer Organization Spring 2015 IA-32 2-10 2015 Outline! Review HW#3 and Quiz#1! More on Assembly (IA32) move instruction (mov) memory address computation arithmetic & logic instructions (add,
More informationCYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output
CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 Secure Coding String management Pointer Subterfuge
More information2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge
CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 String management Pointer Subterfuge Secure
More informationSungkyunkwan University
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationMachine-level Programming (3)
Machine-level Programming (3) Procedures A: call A call A return Two issues How to return to the correct position? How to pass arguments and return values between callee to caller? 2 Procedure Control
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013 CONST POINTERS CONST POINTERS 4 ways to declare pointers in combination with const:!! int *ptr! const int *ptr!
More informationCS642: Computer Security
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Week ACL- based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationCPSC W Term 2 Problem Set #3 - Solution
1. (a) int gcd(int a, int b) { if (a == b) urn a; else if (a > b) urn gcd(a - b, b); else urn gcd(a, b - a); CPSC 313 06W Term 2 Problem Set #3 - Solution.file "gcdrec.c".globl gcd.type gcd, @function
More informationAS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions
CS220 Logic Design Outline Calling Conventions Multi-module Programs 1 Calling and Returning We have already seen how the call instruction is used to execute a subprogram. call pushes the address of the
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationLecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422
Lecture 04 Control Flow II Stehen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422 Function calls on 32-bit x86 Stack grows down (from high to low addresses)
More informationMachine Programming 1: Introduction
Machine Programming 1: Introduction CS61, Lecture 3 Prof. Stephen Chong September 8, 2011 Announcements (1/2) Assignment 1 due Tuesday Please fill in survey by 5pm today! Assignment 2 will be released
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls
CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationProject 1 Buffer Overflow
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Project 1 Buffer Overflow
More informationAssembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012
19:211 Computer Architecture Lecture 10 Fall 20 Topics:Chapter 3 Assembly Language 3.2 Register Transfer 3. ALU 3.5 Assembly level Programming We are now familiar with high level programming languages
More informationLecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2016 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) HW3 submitted Course Admin Being graded Solution
More informationCS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013
CS 645: Lecture 3 Software Vulnerabilities Rachel Greenstadt July 3, 2013 Project 1: Software exploits Individual project - done in virtual machine environment This assignment is hard. Don t leave it until
More informationCS61, Fall 2012 Midterm Review Section
CS61, Fall 2012 Midterm Review Section (10/16/2012) Q1: Hexadecimal and Binary Notation - Solve the following equations and put your answers in hex, decimal and binary. Hexadecimal Decimal Binary 15 +
More informationsymbolic name data type (perhaps with qualifier) allocated in data area, stack, or heap duration (lifetime or extent)
variables have multiple attributes variable symbolic name data type (perhaps with qualifier) allocated in data area, stack, or heap duration (lifetime or extent) storage class scope (visibility of the
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationAssembly Language Programming - III
Assembly Language Programming - III GDB Debugger Please refer to the handout New GDB commands (power.s) info registers (prints all register values) print/d $eax (prints individual register value. Note
More informationCS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G
CS 33: Week 3 Discussion x86 Assembly (v1.0) Section 1G Announcements - HW2 due Sunday - MT1 this Thursday! - Lab2 out Info Name: Eric Kim (Section 1G, 2-4 PM, BH 5419) Office Hours (Boelter 2432) - Wed
More informationCSCI 192 Engineering Programming 2. Assembly Language
CSCI 192 Engineering Programming 2 Week 5 Assembly Language Lecturer: Dr. Markus Hagenbuchner Slides by: Igor Kharitonenko and Markus Hagenbuchner Room 3.220 markus@uow.edu.au UOW 2010 24/08/2010 1 C Compilation
More informationWhat the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.
C Flow Control David Chisnall February 1, 2011 Outline What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope Disclaimer! These slides contain a lot of
More informationProcess Layout, Function Calls, and the Heap
Process Layout, Function Calls, and the Heap CS 6 Spring 20 Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin January 9, 20 / 5 2 / 5 Outline Process Layout Function Calls The Heap
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationAccess. Young W. Lim Sat. Young W. Lim Access Sat 1 / 19
Access Young W. Lim 2017-06-10 Sat Young W. Lim Access 2017-06-10 Sat 1 / 19 Outline 1 Introduction References IA32 Operand Forms Data Movement Instructions Data Movement Examples Young W. Lim Access 2017-06-10
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationCMSC 313 Fall2009 Midterm Exam 2 Section 01 Nov 11, 2009
CMSC 313 Fall2009 Midterm Exam 2 Section 01 Nov 11, 2009 Name Score out of 70 UMBC Username Notes: a. Please write clearly. Unreadable answers receive no credit. b. For TRUE/FALSE questions, write the
More informationTurning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p
Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p text C program (p1.c p2.c) Compiler (gcc -S) text Asm
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationCAS CS Computer Systems Spring 2015 Solutions to Problem Set #2 (Intel Instructions) Due: Friday, March 20, 1:00 pm
CAS CS 210 - Computer Systems Spring 2015 Solutions to Problem Set #2 (Intel Instructions) Due: Friday, March 20, 1:00 pm This problem set is to be completed individually. Explain how you got to your answers
More informationMachine/Assembler Language Putting It All Together
COMP 40: Machine Structure and Assembly Language Programming Fall 2015 Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah
More informationCIT Week13 Lecture
CIT 3136 - Week13 Lecture Runtime Environments During execution, allocation must be maintained by the generated code that is compatible with the scope and lifetime rules of the language. Typically there
More informationCOMP 210 Example Question Exam 2 (Solutions at the bottom)
_ Problem 1. COMP 210 Example Question Exam 2 (Solutions at the bottom) This question will test your ability to reconstruct C code from the assembled output. On the opposing page, there is asm code for
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationAccess. Young W. Lim Fri. Young W. Lim Access Fri 1 / 18
Access Young W. Lim 2017-01-27 Fri Young W. Lim Access 2017-01-27 Fri 1 / 18 Outline 1 Introduction References IA32 Operand Forms Data Movement Instructions Young W. Lim Access 2017-01-27 Fri 2 / 18 Based
More informationSection 4: Threads and Context Switching
CS162 September 19-20, 2017 Contents 1 Warmup 2 1.1 Hello World............................................ 2 2 Vocabulary 2 3 Problems 3 3.1 Join................................................ 3 3.2
More informationData in Memory. variables have multiple attributes. variable
Data in Memory variables have multiple attributes variable symbolic name data type (perhaps with qualifier) allocated in data area, stack, or heap duration (lifetime or extent) storage class scope (visibility
More informationCS , Fall 2004 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2004 Exam 1 Tuesday October 12, 2004 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front.
More informationSection 4: Threads CS162. September 15, Warmup Hello World Vocabulary 2
CS162 September 15, 2016 Contents 1 Warmup 2 1.1 Hello World............................................ 2 2 Vocabulary 2 3 Problems 3 3.1 Join................................................ 3 3.2 Stack
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationCSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks Professor Lisa Luo Spring 2018 Previous Class Buffer overflows can be devastating It occurs when the access
More informationComputer Systems Lecture 9
Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions
More informationHomework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1
Homework In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, 361-367 Practice Exam 1 1 In-line Assembly Code The gcc compiler allows you to put assembly instructions in-line
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More information1 /* file cpuid2.s */ 4.asciz "The processor Vendor ID is %s \n" 5.section.bss. 6.lcomm buffer, section.text. 8.globl _start.
1 /* file cpuid2.s */ 2.section.data 3 output: 4.asciz "The processor Vendor ID is %s \n" 5.section.bss 6.lcomm buffer, 12 7.section.text 8.globl _start 9 _start: 10 movl $0, %eax 11 cpuid 12 movl $buffer,
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More information