Xbox Security. Daniel Butnaru. 28th June 2006
2. Overview
- Intro
- Benefits
- Security System
- Attacks
- Conclusion

3. Hardware Introduction
XBOX is a game console introduced by Microsoft in
Consists of:
- Pentium III Celeron Mobile 733 MHz CPU
- 64 MB of RAM
- GeForce 3 MX with TV out
- 10 GB IDE HD
- DVD drive, Ethernet, USB

4. Software Introduction
Software:
- simplified Windows 2000 kernel
- adapted versions of Win32, libc and DirectX statically linked

5. Benefits
From a hardware point of view the XBOX is a PC:
- it has LPC, PCI and AGP busses
- it has IDE drives
- it has a Northbridge and a Southbridge
- and it includes all the legacy PC features
If it is a PC, why not also use it like a (cheap) PC?

6. Usage scenarios Benefits
So we could use it for:
- playing copied games
- running unofficial applications
- alternative operating systems ( )
Microsoft designed and implemented a security system to prevent this.

7. Security System
Idea: Lock out all software that is either not on the intended (original) medium or not by Microsoft.
- Bad: this makes the security system easier and reduces the number of attack points.
- Good: 3 times more attackers have a single security system to hack

8. Idea Security System
- In order to allow only licensed and authentic code to run, a TCPA/Palladium-like chain of trust is required
- this chain reaches from system boot to the actual execution of the game.
- the first link is from the CPU to the code in ROM (256Kb), which includes the Windows kernel
- the second link is from the kernel to the game.
- one link less the harddisk

9. Architecture System Security

10. Startup Security System
Security on startup
- x86-compatible CPUs start at the address 0xFFFFFFF0, which usually is flash memory.
- but flash memory can be replaced/overridden/reprogrammed
- ROM is much better but expensive, so it must boot from flash

11. The Hidden ROM Security System
Workaround
- use a tiny non-replaceable startup ROM
- put the bulk of the firmware (Windows kernel) in the flash memory
- the internal ROM checks if the data on the flash memory is authentic and passes execution to it

12. Architecture System Security

13. The Verification Algorithm
Verify the kernel through:
- hash (SHA-1, MD5), but kernel updates become expensive
- digital signature (RSA), but it should fit on the small ROM (512 bytes)

14. 2bl Security System
- Introduce another link in the chain of trust
- hashes a small loader ("2bl", "second bootloader") in flash memory, which can never be changed
- It is then the job of this loader to verify the rest of flash, and as the second loader can be any size, there are no restrictions.

15. Trust Chain Security System
- CPU boots secret ROM
- secret ROM verifies the 2bl in flash memory
- 2bl checks the kernel and boots it

16. Encrypt the Flash Memory
- having the kernel and the 2bl in plain text in flash is not a good idea
- then encrypt it.
- But RAM initialization, data decryption and hashing in 512 bytes?

17. Virtual Machine Interpreter
Microsoft designed an interpreter for a virtual machine that can read and write memory, access the PCI config space, do "AND" and "OR" calculations, jump conditionally etc. The interpreter for the virtual machine is stored in the secret ROM, and its code ("xcodes") is stored in flash memory.

18. Interpreter

    struct { char opcode; int op1; int op2; } *p;
    int acc;

    p = 0xFFF00080;                 /* start of the xcodes in flash */
    while(1) {
        switch(p->opcode) {
        case 2: acc = *((int*)p->op1); break;        /* PEEK */
        case 3: *((int*)p->op1) = p->op2; break;     /* POKE */
        case 4: outl(p->op1, 0x0CF8);                /* POKEPCI: address port */
                outl(p->op2, 0x0CFC); break;         /*          data port */
        case 5: ...
        case 0xEE: goto end;
        }
        p++;
    }
    end:

19. xcodes

    0x02  PEEK     ACC := MEM[OP1]
    0x03  POKE     MEM[OP1] := OP2
    0x04  POKEPCI  PCICONF[OP1] := OP2

- must not read the secret ROM (upper 512 Mb)
- sets bit #1 in the PCI config space, device 0:1:0, register offset 0x80 (0x )
- may also not turn off the secret ROM, or else the CPU, while executing the xcode interpreter, would "fall down" from the secret ROM into the underlying flash ROM

20. Decryption of the 2bl
- RC4 is used as algorithm (fits in 150 bytes)
- 16-byte key stored in secret ROM
- The xcode interpreter is about 175 bytes
- CPU init about 145 bytes
- This leaves only about 40 bytes for checking decryption success
- only checked for one 32 bit constant (0x A)
- TOTAL 512 bytes

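Why a single 32 bit check constant says nothing about the rest of the decrypted image, as an added example that is not code from the original slides: RC4 is a stream cipher, so a change to one flash byte changes only the matching decrypted byte, and the check word still matches. The key, image contents, check offset and check value are constructed, and SHA-1 stands in for the whole-image hash option named on the verification slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_LEN   256
#define CHECK_OFF 64              /* constructed position of the check word */
#define CHECK_VAL 0xC0FFEE01u     /* constructed check constant */
static const uint8_t KEY[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* RC4: key schedule, then XOR the keystream into data (same call both ways). */
static void rc4(const uint8_t *key, size_t klen, uint8_t *data, size_t len) {
    uint8_t s[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % klen]) & 255;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    i = j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (i + 1) & 255;
        j = (j + s[i]) & 255;
        t = s[i]; s[i] = s[j]; s[j] = t;
        data[n] ^= s[(s[i] + s[j]) & 255];
    }
}

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* SHA-1 over buf[0..len); the padding is generated on the fly. */
static void sha1(const uint8_t *buf, size_t len, uint8_t out[20]) {
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    size_t total = ((len + 8) / 64 + 1) * 64;        /* length after padding */
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (size_t i = 0; i < 64; i++) {            /* message, 0x80, zeros, bit length */
            size_t pos = off + i;
            uint8_t byte = 0;
            if (pos < len) byte = buf[pos];
            else if (pos == len) byte = 0x80;
            else if (pos >= total - 8) byte = (uint8_t)(((uint64_t)len * 8) >> (8 * (total - 1 - pos)));
            w[i / 4] = (i % 4 ? w[i / 4] << 8 : 0) | byte;
        }
        for (int i = 16; i < 80; i++)
            w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (int i = 0; i < 20; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (3 - i % 4)));
}

/* Build a constructed plaintext image, record its digest, encrypt it as "flash". */
static void build_flash(uint8_t *flash, uint8_t good[20]) {
    for (int i = 0; i < IMG_LEN; i++) flash[i] = (uint8_t)(i * 7 + 3);
    for (int i = 0; i < 4; i++) flash[CHECK_OFF + i] = (uint8_t)(CHECK_VAL >> (8 * i));
    sha1(flash, IMG_LEN, good);   /* a real design keeps this reference in ROM */
    rc4(KEY, sizeof KEY, flash, IMG_LEN);
}

/* Decrypt to "RAM", then apply both checks. Bit 0: the one 32 bit word matches
   (the check on the slide). Bit 1: the digest of the whole image matches. */
static int verify(const uint8_t *flash, const uint8_t good[20]) {
    uint8_t ram[IMG_LEN], d[20];
    uint32_t word = 0;
    memcpy(ram, flash, IMG_LEN);
    rc4(KEY, sizeof KEY, ram, IMG_LEN);
    for (int i = 3; i >= 0; i--) word = (word << 8) | ram[CHECK_OFF + i];
    sha1(ram, IMG_LEN, d);
    return (word == CHECK_VAL) | ((memcmp(d, good, 20) == 0) << 1);
}

/* Verdict bits for flash with one bit changed in byte `off` (off < 0: unchanged). */
static int verdicts(int off) {
    uint8_t flash[IMG_LEN], good[20];
    build_flash(flash, good);
    if (off >= 0) flash[off] ^= 0x01;
    return verify(flash, good);
}

int main(void) {
    printf("unchanged: %d, byte 200 changed: %d, check word changed: %d\n",
           verdicts(-1), verdicts(200), verdicts(CHECK_OFF));
    return 0;
}
```

A verdict of 1 means the check word accepted an image that the whole-image digest rejects.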
21. So far Security System
- secret ROM interprets the xcodes
- decrypt and check in RAM 2bl and kernel
- jump to the decrypted 2bl in RAM

22. Problem Security System
- a hacker could deliberately make the hash fail - panic
- after panicking the CPU shuts down and a device attached to the bus can dump the secret ROM

23. Possible Solutions Security System
- shut down the secret ROM, but then the CPU can't be stopped
- the CPU will then fall into flash memory where malicious code lies
- or shut down the CPU, but then the secret ROM can't be stopped
[Figure labels: device, CPU, sniff, hyperbus, Secret ROM]

24. MS Solution Security System
- jump to the very end of the address space (FFFFFFF1) and turn off the secret ROM in the very last instruction inside the address space.
- After the last instruction, the program counter (EIP) will overflow to
- this causes an exception
- as there is no exception handler set up, it causes a double fault, which will effectively halt the machine.

25. MS Solution Security System

        mov eax, ds:95fe4h
        cmp eax, Ah
        jnz short bad_checkcode
        mov eax, ds:90000h
        jmp eax                   ; jump to decrypted second bootloader in RAM
    bad_checkcode:
        mov eax, h                ; prepare MCPX ROM disable
        mov dx, 0CF8h
        out dx, eax
        jmp far ptr 8:0FFFFFFFAh  ; jump to end of ROM, wraparound
    [...]
    FFFA:                         ; this is address FFFFFFFA
        add dl, 4
        mov al, 2
        out dx, al
                                  ; this is address

26. Memory Security System

27. Attacks
People got curious:
- the hard disk was checked and found (almost) empty
- Andrew "bunnie" Huang, PhD student at MIT, disassembled his Xbox, saw the flash memory, de-soldered it, extracted the contents, put it on his website and got a phone call from one of Microsoft's lawyers.
- he sniffed the busses, and eventually dumped the complete secret ROM, including the RC4 key, from HyperTransport.

28. Tools

29. Overview
- the secret key is available but illegal to use
- a legal solution is needed
- Get rid of the secret ROM altogether.

30. The Visor trick
- rolling over of the instruction pointer from 0xFFFFFFFF to 0x is supposed to generate an exception.
- but it doesn't
- it continues running code at 0x
- so...

31. Exploit

    POKE 0x , 0x001000B8   ; store "mov eax, 0xFF001000; jmp eax"
    POKE 0x , 0x90E0FFFF   ; at 0x in memory
    END
    ; now we can place our code at 0x1000 in Flash

32. The MIST trick
- the check for 0x , the address of the configuration register to turn off the hidden ROM, is incorrect.
- the Southbridge decodes the 32 bit value into "bus", "device", "function" and "register"
- not all 32 bits are used.
- so 0x or 0xF behave exactly the same as 0x but are not caught by the interpreter

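The address check described on this slide, placed inside a small model of the xcode interpreter from slides 18 and 19, as an added example that is not code from the original slides: it runs constructed xcode programs against a compare on the raw 32 bit operand and against a compare on only the bits the hardware decodes. The register address is computed from the slide's device 0:1:0, offset 0x80 with the standard PCI configuration address layout; the machine model, all names, the choice to refuse (rather than rewrite) a filtered write, and the assumption that the bridge ignores reserved bits 30:24 belong to the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes from the slide's xcode table; 0xEE ends the program. */
enum { XC_PEEK = 0x02, XC_POKE = 0x03, XC_POKEPCI = 0x04, XC_END = 0xEE };
struct xcode { uint8_t opcode; uint32_t op1, op2; };

/* PCI configuration mechanism #1 address: bit 31 enable, 23:16 bus,
   15:11 device, 10:8 function, 7:2 register. */
#define PCI_CFG_ADDR(bus, dev, fn, reg) \
    (0x80000000u | ((uint32_t)(bus) << 16) | ((uint32_t)(dev) << 11) | \
     ((uint32_t)(fn) << 8) | ((uint32_t)(reg) & 0xFCu))
/* Register the slides name: device 0:1:0, offset 0x80; bit #1 turns the ROM off. */
#define ROM_CTRL_REG    PCI_CFG_ADDR(0, 1, 0, 0x80)
#define ROM_DISABLE_BIT 0x2u
/* ASSUMPTION: the bridge ignores reserved bits 30:24 and the low two bits. */
#define PCI_DECODED_MASK 0x80FFFFFCu

struct machine {
    uint32_t ram[64];     /* small simulated RAM for PEEK/POKE */
    uint32_t acc;
    int rom_enabled;      /* 1 while the secret ROM is still mapped */
    unsigned blocked;     /* POKEPCI writes refused by the filter */
};

/* Simulated bridge: decodes only the used bits, so aliases reach one register. */
static void pci_write(struct machine *m, uint32_t addr, uint32_t val) {
    if ((addr & PCI_DECODED_MASK) == ROM_CTRL_REG && (val & ROM_DISABLE_BIT))
        m->rom_enabled = 0;
}

/* Filters return 1 when the write may go through. */
typedef int (*pci_filter)(uint32_t addr);
/* Compares the raw 32 bit operand, the kind of check the slide calls incorrect. */
static int filter_raw(uint32_t addr) { return addr != ROM_CTRL_REG; }
/* Hardened: reduce the operand to what the hardware decodes, then compare. */
static int filter_canonical(uint32_t addr) {
    return (addr & PCI_DECODED_MASK) != ROM_CTRL_REG;
}

/* Bounded interpreter: returns 0 on END, -1 if the program has no END. */
static int run_xcodes(const struct xcode *p, size_t n, pci_filter allow,
                      struct machine *m) {
    for (size_t i = 0; i < n; i++, p++) {
        uint32_t slot = (p->op1 / 4) % 64;   /* map the address into simulated RAM */
        switch (p->opcode) {
        case XC_PEEK: m->acc = m->ram[slot]; break;
        case XC_POKE: m->ram[slot] = p->op2; break;
        case XC_POKEPCI:
            if (allow(p->op1)) pci_write(m, p->op1, p->op2);
            else m->blocked++;
            break;
        case XC_END: return 0;
        default: break;                      /* other opcodes are not modelled */
        }
    }
    return -1;
}

/* Constructed programs: one names the register directly, one through an alias
   that differs only in a reserved bit. */
static const struct xcode PROG_DIRECT[] = {
    {XC_POKE, 0x10, 0x12345678u}, {XC_PEEK, 0x10, 0},
    {XC_POKEPCI, ROM_CTRL_REG, ROM_DISABLE_BIT}, {XC_END, 0, 0},
};
static const struct xcode PROG_ALIAS[] = {
    {XC_POKEPCI, ROM_CTRL_REG | 0x08000000u, ROM_DISABLE_BIT}, {XC_END, 0, 0},
};

/* Runs a program on a fresh machine; returns 1 if the secret ROM is still mapped. */
static int rom_survives(const struct xcode *prog, size_t n, pci_filter f) {
    struct machine m = {{0}, 0, 1, 0};
    run_xcodes(prog, n, f, &m);
    return m.rom_enabled;
}

int main(void) {
    size_t nd = sizeof PROG_DIRECT / sizeof PROG_DIRECT[0];
    size_t na = sizeof PROG_ALIAS / sizeof PROG_ALIAS[0];
    printf("raw compare, direct write:      ROM mapped = %d\n", rom_survives(PROG_DIRECT, nd, filter_raw));
    printf("raw compare, alias write:       ROM mapped = %d\n", rom_survives(PROG_ALIAS, na, filter_raw));
    printf("canonical compare, alias write: ROM mapped = %d\n", rom_survives(PROG_ALIAS, na, filter_canonical));
    return 0;
}
```

The general rule the example illustrates: a filter in front of a hardware register has to compare addresses in the form the hardware decodes them, not in the form the program supplies them.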
33. MS Reaction
- With XBOX 1.1 they squeezed a TEA hash into the 512 bytes, replacing the old 32 bit test.
- changed the RC4 secret key.
- they left both the MIST backdoor and the Visor backdoor wide open.
- the TEA hash has been a bad choice.

34. Conclusion
- 512 bytes is a very small amount of code (it fits on a single sheet of paper!), compared to the megabytes of code contained in software like Windows, Internet Explorer or Internet Information Server.
- Three bugs within these 512 bytes compromised the security completely
- a bunch of hackers found them within days after first looking at the code.

35. Questions?