Fuzzgrind: an automatic fuzzing tool
|
|
- Naomi Watson
- 5 years ago
- Views:
Transcription
1 Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com
2 Fuzzgrind: an automatic fuzzing tool 2/55 Plan
3 Fuzzgrind: an automatic fuzzing tool 3/55 Roadmap
4 Fuzzgrind: an automatic fuzzing tool 4/55 Roadmap
5 Fuzzgrind: an automatic fuzzing tool 5/55 Fuzzing Technique to search for software implementation errors by injecting invalid data. Test generation: random, input mutation, model-based. Several fuzzing software programs. Endless process: study of specifications, reverse engineering of protocols, new development for each target, etc. Innovative theories: Autodafe, Flayer, Sage, etc.
6 Fuzzgrind: an automatic fuzzing tool 6/55 Roadmap
7 Fuzzgrind: an automatic fuzzing tool 7/55 Let fuzzing be completely automatic. Give a target program and an input file, New inputs generated automatically, Wait for crashes.
8 Fuzzgrind: an automatic fuzzing tool 8/55 Roadmap
9 Fuzzgrind: an automatic fuzzing tool 9/55 Symbolic execution Use of algebraic expressions to represent the variable values throughout the execution of the program. 1 Symbolically execute the target program on a given input, 2 Analyze execution path and extract path conditions depending on the input, 3 Negate each path condition, 4 Solve constraints and generate new test inputs. 5 This algorithm is repeated until all executions path are (ideally) covered. = Increase code coverage to discover new bugs.
10 Fuzzgrind: an automatic fuzzing tool 10/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
11 Fuzzgrind: an automatic fuzzing tool 11/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
12 Fuzzgrind: an automatic fuzzing tool 12/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
13 Fuzzgrind: an automatic fuzzing tool 13/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
14 Fuzzgrind: an automatic fuzzing tool 14/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
15 Fuzzgrind: an automatic fuzzing tool 15/55 Symbolic execution: example input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
16 Fuzzgrind: an automatic fuzzing tool 16/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
17 Fuzzgrind: an automatic fuzzing tool 17/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
18 Fuzzgrind: an automatic fuzzing tool 18/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
19 Fuzzgrind: an automatic fuzzing tool 19/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
20 Fuzzgrind: an automatic fuzzing tool 20/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
21 Fuzzgrind: an automatic fuzzing tool 21/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
22 Fuzzgrind: an automatic fuzzing tool 22/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
23 Fuzzgrind: an automatic fuzzing tool 23/55 Symbolic execution: example input = "\x28\x00\x00\x00\x0f\x00\x00\x00"
24 Fuzzgrind: an automatic fuzzing tool 24/55 Symbolic execution: example input = "\x28\x00\x00\x00\x21\x00\x00\x00"
25 Fuzzgrind: an automatic fuzzing tool 25/55 Symbolic execution: example input = "\x28\x00\x00\x00\x21\x00\x00\x00"
26 Fuzzgrind: an automatic fuzzing tool 26/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4
27 Fuzzgrind: an automatic fuzzing tool 27/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4
28 Fuzzgrind: an automatic fuzzing tool 28/55 Valgrind Valgrind STP Framework for Dynamic Binary Instrumentation. Multiple architectures supported. Generic framework for creating program analysis tools (e.g.: Memcheck). Machine-code interpreter: just-in-time instruction recompilation. Nothing from the original program ever gets run directly.
29 Fuzzgrind: an automatic fuzzing tool 29/55 Overall view Valgrind STP 1 Disassembly and translation from machine code (x86) into Intermediate Representation (VEX), 2 IR optimization, 3 IR instrumentation by the plugin, 4 Conversion of the instrumented IR into machine code (x86) and register allocation, 5 Instrumented code execution.
30 Fuzzgrind: an automatic fuzzing tool 30/55 IR and instrumentation Valgrind STP 0x4000A99 : movl %eax,% ecx #----- IMark(0x4000A99, 2) PUT(4) = GET: I32 (0) # copy of EAX into ECX 0x4000A9B : l e a l 0x2C(%ebx ), %esi #----- IMark(0x4000A9B, 6) PUT(60) = 0x4000A9B : I32 t0 = Add32(GET: I32 (12),0x2C : I32 ) PUT(24) = t0 # EIP update # addition of EBX content with 0x2C # result copy into ESI
31 Fuzzgrind: an automatic fuzzing tool 31/55 System calls Valgrind STP 1 copy virtual registers into real registers (apart EIP), 2 do the system call, 3 copy real registers into virtual registers (apart EIP), 4 restore stack pointer.
32 Fuzzgrind: an automatic fuzzing tool 32/55 Roadmap Valgrind STP 1 2 Valgrind STP 3 4
33 Fuzzgrind: an automatic fuzzing tool 33/55 STP A Fast Prover Valgrind STP Constraint solver, generated by static and dynamic analysis programs. Especially fast. Used in Automatic Patch-Based Exploit Generation paper. Take in input a request set of one or multiples constraints. Constraints composed of a set of functions and predicates. Output tells if request is satisfiable or not. Counter-example display.
34 Fuzzgrind: an automatic fuzzing tool 34/55 Example Valgrind STP # cat file.c... char x, y ; i f (x y == 16)... # cat file.stp x : BITVECTOR( 8 ) ; y : BITVECTOR( 8 ) ; QUERY(NOT(BVMULT(8, x, y ) = 0h10 ) ) ; # stp -p file.stp I n v a l i d. ASSERT( y = 0hex05 ) ; ASSERT( x = 0hexD0 ) ;
35 Fuzzgrind: an automatic fuzzing tool 35/55 Softwares used Valgrind STP Valgrind: path conditions search. STP: constraints solving. Python scripts to link all of this.
36 Fuzzgrind: an automatic fuzzing tool 36/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
37 Fuzzgrind: an automatic fuzzing tool 37/55 Overall view Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring
38 Fuzzgrind: an automatic fuzzing tool 38/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
39 Fuzzgrind: an automatic fuzzing tool 39/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 2) Valgrind plugin: search for path conditions 1 Initial tainting of data from the tainted source, 2 Propagation and display of constraints associated with tainted data. 3 Untaint data.
40 Fuzzgrind: an automatic fuzzing tool 40/55 2) Valgrind plugin: initial tainting Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Based on Flayer s implementation. Supported inputs: files and standard input. System calls monitoring. open: file descriptor monitoring, close: ends file descriptor monitoring, read, mmap: tainted data addresses. Tainted data Constraint depending on the number i from the byte read/mmaped.
41 Fuzzgrind: an automatic fuzzing tool 41/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 2) Valgrind plugin: propagation and display Function of the tool in charge of the instrumentation of the IR. Tainted data: memory address and registers. Instruction doesn t depend on tainted data = ignored/result untainted, Operation on tainted data = Tainting of temporary that saves the result, Temporary associated to the constraint that is associated to the operation. t0 = Add32(GET:I32(12), 0x2C:I32) Condition depends on tainted data = associated constraint is displayed. 0x08048e0d: CmpEQ32(8Uto32(LDle:I8(input(0))),0x0:I32) => 0
42 Fuzzgrind: an automatic fuzzing tool 42/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
43 Fuzzgrind: an automatic fuzzing tool 43/55 3) Constraint analysis Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Translation of Valgrind s IR into STP language. Constraints optimization and negation. 0x08048e0d: CmpEQ32(8Uto32(LDle:I8(input(0))),0x0:I32) => 0 x0 : BITVECTOR(8); QUERY( NOT(( IF (((0h000000@x0) = 0h )) THEN (0b1) ELSE (0b0) ENDIF) = 0b1));
44 Fuzzgrind: an automatic fuzzing tool 44/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
45 Fuzzgrind: an automatic fuzzing tool 45/55 Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4) Constraints solving, 5) New inputs Resolution of constraints using STP../stp/stp -p /tmp/example.stp Invalid. ASSERT( x0 = 0hex00 ); If query is invalid, assign this new values, Generation of new test files.
46 Fuzzgrind: an automatic fuzzing tool 46/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
47 Fuzzgrind: an automatic fuzzing tool 47/55 6) Detecting faults Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Ptrace, Signals: SIGSEGV, SIGKILL, SIGABRT. Crackmes, tests: search of patterns in output.
48 Fuzzgrind: an automatic fuzzing tool 48/55 Roadmap Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring 4
49 Fuzzgrind: an automatic fuzzing tool 49/55 7) Scoring Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring Valgrind s Lackey plugin, Number of executed basic blocks.
50 Fuzzgrind: an automatic fuzzing tool 50/55 Demo Valgrind plugin Constraint analysis Constraints solving Fault detection Scoring
51 Fuzzgrind: an automatic fuzzing tool 51/55 Roadmap
52 Fuzzgrind: an automatic fuzzing tool 52/55 Results Fuzzing completely automatic. New vulnerabilites in readelf and swfextract. Vulnerabilities found in libtiff in a few minutes (discovered by Tavis Ormandy, led to the execution of unsigned code on the PSP and the iphone). Resolution of simple crackmes.
53 Fuzzgrind: an automatic fuzzing tool 53/55 Caveats Path explosion, Loop iterations, Cryptographic functions, Data tainting can be losed: char *digits = " abcdefghijklmnopqrstuvwxyz"; if (digits[x] == 1 ) CmpEQ32(LDle(Add32(x, digits)), 0x31)
54 Fuzzgrind: an automatic fuzzing tool 54/55 Improvement Monitoring of network inputs. Scoring tool. Parallelization. Constraints caching. Fuzzgrind is licenced under GPL: contribute!
55 Fuzzgrind: an automatic fuzzing tool 55/55 Thank your for your time. Q&A?
Outline. 1 Background. 2 Symbolic Execution. 3 Whitebox Fuzzing. 4 Summary. 1 Cost of each Microsoft Security Bulletin: $Millions
CS 6V81-05: System Security and Malicious Code Analysis and Zhiqiang Lin 1 Background 2 Department of Computer Science University of Texas at Dallas 3 April 9 th, 2012 4 Software security bugs can be very
More informationProgram Vulnerability Analysis Using DBI
Program Vulnerability Analysis Using DBI CodeEngn Co-Administrator DDeok9@gmail.com 2011.7.2 www.codeengn.com CodeEngn ReverseEngineering Conference Outline What is DBI? Before that How? A simple example
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationCONSTRAINT SOLVING. Lecture at NYU Poly
CONSTRAINT SOLVING Lecture at NYU Poly WHO AM I John Villamil Senior Research Scientist at Accuvant Previously at Matasano Started at Mandiant jvillamil@accuvant.com @day6reak ONCE UPON A TIME I asked
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationShuntaint: Emulation-based Security Testing for Formal Verification
Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz ramosblc@gmail.com Abstract. This paper describes an emulated approach to collect traces of program states, in order to verify
More informationAnalysis of MS Multiple Excel Vulnerabilities
Analysis of MS-07-036 Multiple Excel Vulnerabilities I. Introduction This research was conducted using the Office 2003 Excel Viewer application and the corresponding security patch for MS-07-036 - Vulnerabilities
More informationRegister Allocation, iii. Bringing in functions & using spilling & coalescing
Register Allocation, iii Bringing in functions & using spilling & coalescing 1 Function Calls ;; f(x) = let y = g(x) ;; in h(y+x) + y*5 (:f (x
More informationIntroduction to software exploitation ISSISP 2017
Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2
More informationTaint Nobody Got Time for Crash Analysis
Taint Nobody Got Time for Crash Analysis Crash Analysis Triage Goals Execution Path What code paths were executed What parts of the execution interacted with external data Input Determination Which input
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationU23 - Binary Exploitation
U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:
More informationCS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018
CS 31: Intro to Systems Pointers and Memory Kevin Webb Swarthmore College October 2, 2018 Overview How to reference the location of a variable in memory Where variables are placed in memory How to make
More informationCS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017
CS 31: Intro to Systems ISAs and Assembly Martin Gagné Swarthmore College February 7, 2017 ANNOUNCEMENT All labs will meet in SCI 252 (the robot lab) tomorrow. Overview How to directly interact with hardware
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationTriton: Concolic Execution Framework
Triton: Concolic Execution Framework Florent Saudel Jonathan Salwan SSTIC Rennes France Slides: detailed version June 3 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic execution,
More informationSimuVEX. Using VEX in Symbolic Analysis
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationFUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM
FUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM LEE@SSG SINGI@THEORI HITBAMS2018 - FUZZING JAVASCRIPT ENGINES FOR FUN AND PROFIT AREUM LEE Areum Lee Member @ SSG Undergrad student @ Sejong Univ Former
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationOptiCode: Machine Code Deobfuscation for Malware Analysis
OptiCode: Machine Code Deobfuscation for Malware Analysis NGUYEN Anh Quynh, COSEINC CONFidence, Krakow - Poland 2013, May 28th 1 / 47 Agenda 1 Obfuscation problem in malware analysis
More informationAn Introduction to IDA and crackmes - Cruehead[MiB] crackme 2 writeup Mitchell Adair 08/14/2011 utdcsg.org
An Introduction to IDA and crackmes - Cruehead[MiB] crackme 2 writeup Mitchell Adair 08/14/2011 utdcsg.org This is a writeup over Cruehead's crackme 2, hopefully providing an intro to IDA and some general
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationThe Instruction Set. Chapter 5
The Instruction Set Architecture Level(ISA) Chapter 5 1 ISA Level The ISA level l is the interface between the compilers and the hardware. (ISA level code is what a compiler outputs) 2 Memory Models An
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationMachine-level Programming (3)
Machine-level Programming (3) Procedures A: call A call A return Two issues How to return to the correct position? How to pass arguments and return values between callee to caller? 2 Procedure Control
More informationRev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs
More informationThe System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities
The System of Automatic Searching for Vulnerabilities or how to use Taint Analysis to find vulnerabilities Alex Bazhanyuk (@ABazhanyuk) Nikita Tarakanov (@NTarakanov) Who is Alex Bazhanyuk Security Researcher
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationPOMP: Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts
POMP: Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts Jun Xu 1, Dongliang Mu 12, Xinyu Xing 1, Peng Liu 1, Ping Chen 1, Bing Mao 2 1. Pennsylvania State University 2. Nanjing University
More informationFinding media bugs in Android using file format fuzzing. Costel Maxim Intel OTC Security
Finding media bugs in Android using file format fuzzing Costel Maxim Intel OTC Security 1 Agenda File format fuzzing Generate high-quality corpus of files Fuzzing the Stagefright Framework Logging & Triage
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College February 9, 2016 Reading Quiz Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between
More informationAutomatic Binary Exploitation and Patching using Mechanical [Shell]Phish University of California, Santa Barbara (UCSB)
Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara (UCSB) HITCON Pacific December 2nd, 2016 Shellphish
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College September 25, 2018 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer
More informationRepresentation of Information
Representation of Information CS61, Lecture 2 Prof. Stephen Chong September 6, 2011 Announcements Assignment 1 released Posted on http://cs61.seas.harvard.edu/ Due one week from today, Tuesday 13 Sept
More informationROP It Like It s Hot!
Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development
More informationLow Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź
Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary
More informationCS61, Fall 2012 Midterm Review Section
CS61, Fall 2012 Midterm Review Section (10/16/2012) Q1: Hexadecimal and Binary Notation - Solve the following equations and put your answers in hex, decimal and binary. Hexadecimal Decimal Binary 15 +
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 7 Procedures and the Stack April, 2014 1 Assembly Language LAB Runtime Stack and Stack
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationCSE 351: Week 4. Tom Bergan, TA
CSE 35 Week 4 Tom Bergan, TA Does this code look okay? int binarysearch(int a[], int length, int key) { int low = 0; int high = length - ; while (low
More informationANITA S SUPER AWESOME RECITATION SLIDES
ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late
More informationCS213. Machine-Level Programming III: Procedures
CS213 Machine-Level Programming III: Procedures Topics IA32 stack discipline Register saving conventions Creating pointers to local variables IA32 Region of memory managed with stack discipline Grows toward
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationThe course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002
15-213 The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables class07.ppt
More informationAutomated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar
Automated Whitebox Fuzz Testing by - Patrice Godefroid, - Michael Y. Levin and - David Molnar OUTLINE Introduction Methods Experiments Results Conclusion Introduction Fuzz testing is an effective Software
More informationComputer Organization & Assembly Language Programming
Computer Organization & Assembly Language Programming CSE 2312-002 (Fall 2011) Lecture 8 ISA & Data Types & Instruction Formats Junzhou Huang, Ph.D. Department of Computer Science and Engineering Fall
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationASSEMBLY III: PROCEDURES. Jo, Heeseung
ASSEMBLY III: PROCEDURES Jo, Heeseung IA-32 STACK (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationAll files and detailed submission instructions for this lab are at the course site in Bspace, under Assignments Lab 2.
Dawn Song Fall 2012 CS 161 Computer Security Lab 2 Program Verification & Vulnerability Discovery Due Date: Monday October 1, 2012 by 11:59pm Introduction In this exercise, we will reason about the correctness
More informationAssembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam
Assembly Language Lecture 2 - x86 Processor Architecture Ahmed Sallam Introduction to the course Outcomes of Lecture 1 Always check the course website Don t forget the deadline rule!! Motivations for studying
More informationAssembly III: Procedures. Jo, Heeseung
Assembly III: Procedures Jo, Heeseung IA-32 Stack (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationA Survey of Obfuscations in Prevalent Packer Tools
A Survey of Obfuscations in Prevalent Packer Tools Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin March 26, 2012 1 Types of program analysis Source code Friendly binary Uncooperative
More informationSymbolic Execution for Bug Detection and Automated Exploit Generation
Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, 2016 1 / 29 Daniele Cono D Elia Symbolic Execution
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationCIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final
Spring 2012 Name: Page Points Score 1 14 2 7 3 6 4 5 5 5 6 5 7 10 8 11 9 10 10 9 11 8 12 10 Total: 100 Instructions The exam is closed book, closed notes. You may not use a calculator, cell phone, etc.
More informationDetecting and exploiting integer overflows
Detecting and exploiting integer overflows Guillaume TOURON Laboratoire Verimag, Ensimag - Grenoble INP Marie-Laure Potet, Laurent Mounier 20/05/11 1 / 18 Context Binary representation Integers misinterpretation
More informationDynamic Binary Instrumentation: Introduction to Pin
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects
More informationHITB Amsterdam
Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware Guillaume Delugré Sogeti / ESEC R&D guillaume(at)security-labs.org HITB 2011 - Amsterdam Purpose of this presentation G. Delugré
More informationProcesses (Intro) Yannis Smaragdakis, U. Athens
Processes (Intro) Yannis Smaragdakis, U. Athens Process: CPU Virtualization Process = Program, instantiated has memory, code, current state What kind of memory do we have? registers + address space Let's
More informationA Dozen Years of Shellphish. Journey to the Cyber Grand Challenge
A Dozen Years of Shellphish Journey to the Cyber Grand Challenge 1 Zardus rhelmot 2 HEX on the beach 3 4 5 19 17 4 1 1 :-( 6 # of Shellphish players (cumulative) 40 30 20 10 0 23 29 2015 7 # of Defcons
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationAssembly Language. Lecture 2 x86 Processor Architecture
Assembly Language Lecture 2 x86 Processor Architecture Ahmed Sallam Slides based on original lecture slides by Dr. Mahmoud Elgayyar Introduction to the course Outcomes of Lecture 1 Always check the course
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationConfigurations. Make menuconfig : Kernel hacking/
Kernel Debugging Configurations Make menuconfig : Kernel hacking/ Timing info on printks depreciated logic Detection of hung tasks SLUB debugging Kernel memory leak detector Mutext/lock debugging Kmemcheck
More informationBinary Translation 2
Binary Translation 2 G. Lettieri 22 Oct. 2014 1 Introduction Fig. 1 shows the main data structures used in binary translation. The guest system is represented by the usual data structures implementing
More informationCAN STRACE MAKE YOU FAIL?
CAN STRACE MAKE YOU FAIL? Nahim El Atmani @brokenpi_pe July 15, 2016 1 DEFINITION 1.0 strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions
More informationBinary Code Analysis: Concepts and Perspectives
Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury LaBRI, Université de Bordeaux, France May 12, 2016 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts
More informationIntroduction to Symbolic Execution
Introduction to Symbolic Execution Classic Symbolic Execution 1 Problem 1: Infinite execution path Problem 2: Unsolvable formulas 2 Problem 3: symbolic modeling External function calls and system calls
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account
More informationICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017
ICS143A: Principles of Operating Systems Midterm recap, sample questions Anton Burtsev February, 2017 Describe the x86 address translation pipeline (draw figure), explain stages. Address translation What
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationlogistics: ROP assignment
bug-finding 1 logistics: ROP assignment 2 2013 memory safety landscape 3 2013 memory safety landscape 4 different design points memory safety most extreme disallow out of bounds usually even making out-of-bounds
More informationRegion of memory managed with stack discipline Grows toward lower addresses. Register %esp contains lowest stack address = address of top element
Machine Representa/on of Programs: Procedures Instructors: Sanjeev Se(a 1 IA32 Stack Region of memory managed with stack discipline Grows toward lower addresses Stack BoGom Increasing Addresses Register
More informationAaron Evans 2004 Nov 15
Aaron Evans 2004 Nov 15 Citation Nicholas Nethercote and Julian Seward, Valgrind: A Program Supervision Framework, Electronic Notes in Theoretical Computer Science, Volume 89, Issue 2, October 2003, Pages
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationWar Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.
War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control By Lovepump, 2004 Visit: www.warindustries.com Part II Programs 101 Goals: At the end of
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More informationAssembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly III: Procedures Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32 (1) Characteristics Region of memory managed with stack discipline
More informationprintf("this program adds the value 10 to a given integer number.\n\n");
PA1 Sample Solution Program 1 void add10(int *n); //Prototype int n; printf("this program adds the value 10 to a given integer number.\n\n"); printf("please enter an integer number: "); scanf("%d", &n);
More informationJonathan Afek, 1/8/07, BlackHat USA
Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer?
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationProtection and System Calls. Otto J. Anshus
Protection and System Calls Otto J. Anshus Protection Issues CPU protection Prevent a user from using the CPU for too long Throughput of jobs, and response time to events (incl. user interactive response
More informationBinary Static Analysis. Chris Wysopal, CTO and Co-founder March 7, 2012 Introduction to Computer Security - COMP 116
Binary Static Analysis Chris Wysopal, CTO and Co-founder March 7, 2012 Introduction to Computer Security - COMP 116 Bio Chris Wysopal, Veracode s CTO and Co- Founder, is responsible for the company s software
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationProfilers and Debuggers. Introductory Material. One-Slide Summary
Profilers and Debuggers #1 Introductory Material First, who doesn t know assembly language? You ll get to answer all the assembly questions. Yes, really. Lecture Style: Sit on the table and pose questions.
More informationReverse Engineering Malware Dynamic Analysis of Binary Malware II
Reverse Engineering Malware Dynamic Analysis of Binary Malware II Jarkko Turkulainen F-Secure Corporation Protecting the irreplaceable f-secure.com Advanced dynamic analysis Debugger scripting Hooking
More informationLecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationMitchell Adair January, 2014
Mitchell Adair January, 2014 Know Owen from our time at Sandia National Labs Currently work for Raytheon Founded UTDallas s Computer Security Group (CSG) in Spring 2010 Reversing, binary auditing, fuzzing,
More information16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More information