Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
|
|
- Cassandra Russell
- 6 years ago
- Views:
Transcription
1 Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
2 ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability + gadgets + some unrandomized code History: No code randomized: Code injection DEP enabled by default: ROP attacks using libc gadgets published 2007 ROP assemblers, compilers, shellcode generators ASLR library load points: ROP attacks use.text segment gadgets Today: all major OSes/compilers support position-independent executables 2
3 Image by Dino Dai Zovi 3
4 ROP Programming 1. Disassemble code (library or program) 2. Identify useful code sequences (usually ending in ) 3. Assemble the useful sequences into reusable gadgets* 4. Assemble gadgets into desired shellcode * Forming gadgets is mostly useful when constructing complicated urn-oriented shellcode by hand 4
5 A note on terminology When ROP was invented in 2007 Sequences of code ending in were the basic building blocks Multiple sequences and data are assembled into reusable gadgets Subsequently A gadget came to refer to any sequence of code ending in a In 2010 ROP without urns (e.g., code sequences ending in call or jmp)
6 There are many semantically equivalent ways to achieve the same net shellcode effect 6
7 Equivalence Mem[v2] = v1 Desired Logic v 2 v 1 Stack a 1 : mov eax, [] a 2 : mov ebx, [+8] a 3 : mov [ebx], eax Implementation 1 7
8 Constant store gadget Mem[v2] = v1 Desired Logic Suppose a 5 and a 3 on stack a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 a 1 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 8
9 Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 a 13 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 9
10 Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 3 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 10
11 Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 45 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 11
12 Constant store gadget Mem[v2] = v1 Desired Logic a 5 v 2 a 3 v 1 Stack eax ebx eip v 1 v 2 a 5 a 1 : pop eax; a 2 : a 3 : pop ebx; a 4 : a 5 : mov [ebx], eax Implementation 2 12
13 Equivalence Mem[v2] = v1 Desired Logic semantically equivalent a 3 v 2 a 2 v 1 Stack a 1 : mov eax, [] a 2 : mov ebx, [+8] a 3 : mov [ebx], eax Implementation 1 a 1 : pop eax; a 2 : pop ebx; a 3 : mov [ebx], eax Implementation 2 13
14 Return-Oriented Programming Mem[v2] = v1 Desired Shellcode Find needed instruction gadgets at esses a 1, a 2, and a 3 in existing code Overwrite stack to execute a 1, a 2, and then a 3 argv argc urn caller s ebp buf (64 bytes) argv[1] buf %ebp % 14
15 Return-Oriented Programming a 3 v 2 Mem[v2] = v1 Desired Shellcode argv a 2 argc v 1 urn a 1 caller s ebp %ebp a 1 : pop eax; a 2 : pop ebx; a 3 : mov [ebx], eax Desired store executed! buf (64 bytes) argv[1] buf % 15
16 What else can we do? Depends on the code we have access to Usually: Arbitrary Turing-complete behavior Arithmetic Logic Conditionals and loops Subroutines Calling existing functions System calls Sometimes: More limited behavior Often enough for straight-line code and system calls
17 Comparing ROP to normal programming Normal programming Instruction pointer eip No-op nop Unconditional jump jmp ess set to ess of gadget Conditional jump jnz ess set to ess of gadget if some condition is met Variables memory and registers mostly memory Inter-instruction (inter-gadget) register and memory interaction minimal, mostly explicit; e.g., adding two registers only affects the destination register ROP can be complex; e.g., adding two registers may involve modifying many registers which impacts other gadgets
18 Return-oriented conditionals Processors support instructions that conditionally change the PC On x86 Jcc family: jz, jnz, jl, jle, etc. 33 in total loop, loope, loopne Based on condition codes mostly; and on ecx for some On MIPS beq, bne, blez, etc. Based on comparison of registers Processors generally don t support for conditionally changing the stack pointer (with some exceptions)
19 We want conditional jumps Unconditional jump movl %eax, %
20 We want conditional jumps Unconditional jump movl %eax, %
21 We want conditional jump Unconditional jump movl %eax, %
22 We want conditional jump Unconditional jump movl %eax, % eax
23 We want conditional jumps Unconditional jump movl %eax, % eax
24 We want conditional jumps Unconditional jump movl %eax, % eax,
25 We want conditional jumps Unconditional jump movl %eax, % eax
26 We want conditional jumps Unconditional jump movl %eax, % Conditional jump, one way Conditionally set a register to 0 or 0xffffffff Perform a logical AND with the register and an Add the result to
27 Conditionally set a register to 0 or 0xffffffff Compare registers eax and ebx and set ecx to 0xffffffff if eax < ebx 0 if eax >= ebx Ideally we would find a sequence like set carry flag cf according to eax - ebx ecx ecx - ecx - cf; or ecx -cf Unlikely to find this; instead look for cmp; and sbb; sequences
28 Performing a logical AND with a constant Pop the constant into a register using pop; Use an and; sequence
29 Updating the stack pointer Use an add ; sequence
30 Putting it together Useful instruction sequences movl %eax, % Conditional jump gadget Load constant in edx gadget Unconditional jump gadget addl %eax, %
31 Putting it together eax 10 ecx 108 edx 17 movl %eax, % addl %eax, %
32 Putting it together eax 10 ecx 108 edx 17 movl %eax, % addl %eax, %
33 Putting it together movl %eax, % eax 10 ecx 108 edx 17 cf = 1 addl %eax, %
34 Putting it together movl %eax, % eax 10 ecx 108 edx 17 cf = 1 addl %eax, %
35 Putting it together movl %eax, % eax 10 ecx 0xffffffff edx 17 cf = 1 addl %eax, %
36 Putting it together movl %eax, % eax 10 ecx 0xffffffff edx 17 addl %eax, %
37 Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %
38 Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %
39 Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %
40 Putting it together movl %eax, % eax 20 = ecx 0xffffffff edx 17 addl %eax, %
41 Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %
42 Putting it together eax 20 = ecx 0xffffffff edx 17 movl %eax, % addl %eax, %
43 Putting it together eax 20 = ecx 0xffffffff edx movl %eax, % addl %eax, %
44 Putting it together eax 20 = ecx 0xffffffff edx movl %eax, % addl %eax, %
45 And again! eax 500 ecx 108 edx 17 movl %eax, % addl %eax, %
46 And again! eax 500 ecx 108 edx 17 movl %eax, % addl %eax, %
47 And again! eax 500 ecx 108 edx 17 cf = 0 movl %eax, % addl %eax, %
48 And again! eax 500 ecx 108 edx 17 cf = 0 movl %eax, % addl %eax, %
49 And again! eax 500 ecx 0 edx 17 movl %eax, % addl %eax, %
50 And again! movl %eax, % eax 500 ecx 0 edx 17 addl %eax, %
51 And again! eax 20 = ecx 0 edx 17 movl %eax, % addl %eax, %
52 And again! movl %eax, % eax 20 = ecx 0 edx 17 addl %eax, %
53 And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %
54 And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %
55 And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %
56 And again! movl %eax, % eax 0 ecx 0 edx 17 addl %eax, %
57 And again! movl %eax, % eax 0 ecx 0 edx addl %eax, %
58 And again! movl %eax, % eax 0 ecx 0 edx addl %eax, %
59 And again! eax ecx 0 edx movl %eax, % addl %eax, %
60 And again! eax ecx 0 edx movl %eax, % addl %eax, %
61 And again! movl %eax, % eax ecx 0 edx addl %eax, %
62 And again! movl %eax, % eax ecx 0 edx addl %eax, %
63 Compare eax 10 ecx 108 edx 17 eax 20 ecx 0xffffffff edx if (eax < ebx) edx = ; else edx = ; eax 500 ecx 108 edx 17 eax ecx 0 edx
Return-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More informationEECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution
1. (40 points) Write the following subroutine in x86 assembly: Recall that: int f(int v1, int v2, int v3) { int x = v1 + v2; urn (x + v3) * (x v3); Subroutine arguments are passed on the stack, and can
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationLab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationAn Introduction to x86 ASM
An Introduction to x86 ASM Malware Analysis Seminar Meeting 1 Cody Cutler, Anton Burtsev Registers General purpose EAX, EBX, ECX, EDX ESI, EDI (index registers, but used as general in 32-bit protected
More information16.317: Microprocessor Systems Design I Fall 2014
16.317: Microprocessor Systems Design I Fall 2014 Exam 2 Solution 1. (16 points, 4 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationFunction Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)
Function Calls COS 217 Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site) 1 Goals of Today s Lecture Finishing introduction to assembly language o EFLAGS register
More informationmith College Computer Science CSC231 Assembly Week #10 Fall 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #10 Fall 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Start With https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College February 9, 2016 Reading Quiz Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College September 25, 2018 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer
More informationCS61 Section Solutions 3
CS61 Section Solutions 3 (Week of 10/1-10/5) 1. Assembly Operand Specifiers 2. Condition Codes 3. Jumps 4. Control Flow Loops 5. Procedure Calls 1. Assembly Operand Specifiers Q1 Operand Value %eax 0x104
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationSecond Part of the Course
CSC 2400: Computer Systems Towards the Hardware 1 Second Part of the Course Toward the hardware High-level language (C) assembly language machine language (IA-32) 2 High-Level Language g Make programming
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationLow-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View! Processor
More informationCS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View Processor
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationCS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Warren Hunt, Jr. and Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 1, 2014 at 12:03 CS429 Slideset 6: 1 Topics
More informationTopic 6: Code Generation
Compilers 2008 Topic 6: 6.4 Conditional Instructions Status Flags Conditionals A special register exists called the FLAGS register Consists of a sequence of bits, which are set (1) or unset (0). These
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationmith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Watch at a Later Time https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationStephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy. ACM CCS 2010, Chicago, USA
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy ACM CCS 2010, Chicago, USA Ad hoc defense against code injection: W X DEP Code injection unnecessary
More informationX86 Addressing Modes Chapter 3" Review: Instructions to Recognize"
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize" 1 Arithmetic Instructions (1)! Two Operand Instructions" ADD Dest, Src Dest = Dest + Src SUB Dest, Src Dest = Dest - Src MUL Dest, Src
More informationAssembly Language: IA-32 Instructions
Assembly Language: IA-32 Instructions 1 Goals of this Lecture Help you learn how to: Manipulate data of various sizes Leverage more sophisticated addressing modes Use condition codes and jumps to change
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationCS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017
CS 31: Intro to Systems ISAs and Assembly Martin Gagné Swarthmore College February 7, 2017 ANNOUNCEMENT All labs will meet in SCI 252 (the robot lab) tomorrow. Overview How to directly interact with hardware
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationComputer Systems C S Cynthia Lee
Computer Systems C S 1 0 7 Cynthia Lee 2 Today s Topics LECTURE: More assembly code! NEXT TIME: More control flow Some misc. instructions you might see in your assign5 binary bomb Details of function call
More informationLecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422
Lecture 04 Control Flow II Stehen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422 Function calls on 32-bit x86 Stack grows down (from high to low addresses)
More informationInstruction Set Architecture
CISC 360 Instruction Set Architecture Michela Taufer October 9, 2008 Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective, R. Bryant and D. O'Hallaron, Prentice Hall, 2003 Chapter
More informationCISC 360 Instruction Set Architecture
CISC 360 Instruction Set Architecture Michela Taufer October 9, 2008 Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective, R. Bryant and D. O'Hallaron, Prentice Hall, 2003 Chapter
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationY86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View
Computer Architecture I Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, movl, andl, How instructions are encoded as bytes Layer of Abstraction
More informationReverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 Reverse Engineering Low Level Software CS5375 Software Reverse Engineering Dr. Jaime C. Acosta Machine code 2 3 Machine code Assembly compile Machine Code disassemble 4 Machine code Assembly compile
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationAssembly Language: Overview!
Assembly Language: Overview! 1 Goals of this Lecture! Help you learn:" The basics of computer architecture" The relationship between C and assembly language" IA-32 assembly language, through an example"
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationcomplement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]
The following pages contain references for use during the exam: tables containing the x86 instruction set (covered so far) and condition codes. You do not need to submit these pages when you finish your
More informationx86 architecture et similia
x86 architecture et similia 1 FREELY INSPIRED FROM CLASS 6.828, MIT A full PC has: PC architecture 2 an x86 CPU with registers, execution unit, and memory management CPU chip pins include address and data
More informationadministrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?
administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions? exam on Wednesday today s material not on the exam 1 Assembly Assembly is programming
More informationChapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary
Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary 1 Outline Introduction to assembly programing Introduction to Y86 Y86 instructions,
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
More informationBranching and Looping
Branching and Looping Ray Seyfarth August 10, 2011 Branching and looping So far we have only written straight line code Conditional moves helped spice things up In addition conditional moves kept the pipeline
More informationMachine Programming 2: Control flow
Machine Programming 2: Control flow CS61, Lecture 4 Prof. Stephen Chong September 13, 2011 Announcements Assignment 1 due today, 11:59pm Hand in at front during break or email it to cs61- staff@seas.harvard.edu
More informationQuestion 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110
Questions 1 Question 4.1 1: (Solution, p 5) Define the fetch-execute cycle as it relates to a computer processing a program. Your definition should describe the primary purpose of each phase. Question
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationModule: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Advanced Program Vulnerabilities and Defenses Professor Trent Jaeger 29 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant adapted by Jason Fritts http://csapp.cs.cmu.edu CS:APP2e Hardware Architecture - using Y86 ISA For learning aspects
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationCS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G
CS 33: Week 3 Discussion x86 Assembly (v1.0) Section 1G Announcements - HW2 due Sunday - MT1 this Thursday! - Lab2 out Info Name: Eric Kim (Section 1G, 2-4 PM, BH 5419) Office Hours (Boelter 2432) - Wed
More informationCompiler Construction D7011E
Compiler Construction D7011E Lecture 8: Introduction to code generation Viktor Leijon Slides largely by Johan Nordlander with material generously provided by Mark P. Jones. 1 What is a Compiler? Compilers
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationSOEN228, Winter Revision 1.2 Date: October 25,
SOEN228, Winter 2003 Revision 1.2 Date: October 25, 2003 1 Contents Flags Mnemonics Basic I/O Exercises Overview of sample programs 2 Flag Register The flag register stores the condition flags that retain
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationCSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1
CSE P 501 Compilers x86 Lite for Compiler Writers Hal Perkins Autumn 2011 10/25/2011 2002-11 Hal Perkins & UW CSE J-1 Agenda Learn/review x86 architecture Core 32-bit part only for now Ignore crufty, backward-compatible
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationWhat is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation
Compiler Construction SMD163 Lecture 8: Introduction to code generation Viktor Leijon & Peter Jonsson with slides by Johan Nordlander Contains material generously provided by Mark P. Jones What is a Compiler?
More informationSystem calls and assembler
System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationControl flow. Condition codes Conditional and unconditional jumps Loops Switch statements
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Familiar C constructs l l l l l l if else while do while for break continue Two
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationModule 3 Instruction Set Architecture (ISA)
Module 3 Instruction Set Architecture (ISA) I S A L E V E L E L E M E N T S O F I N S T R U C T I O N S I N S T R U C T I O N S T Y P E S N U M B E R O F A D D R E S S E S R E G I S T E R S T Y P E S O
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationCSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II
1 byte{ 1 byte{ CSCI 334: Principles of Programming Languages Lecture 11: Control Structures II Computer Architecture (a really really fast introduction) Instructor: Dan Barowy Memory Instructions main
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls"
CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationmith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #11 Fall 2017 Dominique Thiébaut dthiebaut@smith.edu Back to Conditional Jumps Review sub eax, 10 jz there xxx xxx there:yyy yyy Review cmp eax, 10 jz
More informationx86 Assembly Crash Course Don Porter
x86 Assembly Crash Course Don Porter Registers ò Only variables available in assembly ò General Purpose Registers: ò EAX, EBX, ECX, EDX (32 bit) ò Can be addressed by 8 and 16 bit subsets AL AH AX EAX
More informationMachine-Level Programming II: Control and Arithmetic
Machine-Level Programming II: Control and Arithmetic CSCI 2400: Computer Architecture Instructor: David Ferry Slides adapted from Bryant & O Hallaron s slides 1 Today Complete addressing mode, address
More information