Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Size: px

Start display at page:

Download "Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics."

Dulcie Robertson
5 years ago
Views:

1 Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used by Operating System Linux Memory Layout Runtime stack (8MB limit) Dynamically allocated storage When call malloc, calloc, new Dynamically Linked Libraries Library routines (e.g., printf, malloc) Linked into object code when first executed Statically allocated data E.g., arrays & strings declared in code Executable machine instructions Read-only F6B 2 Datorarkitektur 20 Linux Memory Allocation Initially Linked Some More & Example (gdb) break main (gdb) run Breakpoint 1, 0x4856f in main () (gdb) print $esp $3 = (void *) 0xbffffc78 Initially Main Address 0x4856f should be read 0x04856f Address 0xbffffc78 F6B 3 Datorarkitektur 20 F6B 4 Datorarkitektur 20

2 Dynamic Linking Example (gdb) print malloc $1 = <text variable, no debug info> 0x48454 <malloc> (gdb) run Program exited normally. (gdb) print malloc $2 = void *(unsigned int) 0x62 <malloc> Initially Final Code in text segment that invokes dynamic linker Address 0x48454 should be read 0x62 Code in DLL region Linked Memory Allocation Example char big_array[1<<24]; /* 16 MB */ char huge_array[1<<28]; /* 256 MB */ int beyond; char *p1, *p2, *p3, *p4; int useless() return 0; int main() p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements... */ F6B 5 Datorarkitektur 20 F6B 6 Datorarkitektur 20 Example Addresses $esp 0xbffffc78 p3 0x5b50 p1 0x0b Final malloc 0x62 p4 0x1904a6 p2 0x1904a538 beyond 0x1904a524 big_array 0x14a520 huge_array 0x04a510 main() 0x04856f useless() 0x Initial malloc 0x C operators Operators Associativity () [] ->. left to right! ~ * & (type) sizeof right to left * / % left to right + - left to right << >> left to right < <= > >= left to right ==!= left to right & left to right ^ left to right left to right && left to right left to right?: right to left = += -= *= /= %= &= ^=!= <<= >>= right to left, left to right Note: Unary +, -, and * have higher precedence than binary forms F6B 7 Datorarkitektur 20 F6B 8 Datorarkitektur 20

3 C pointer declarations int *p int *p[13] int *(p[13]) int **p int (*p)[13] int *f() int (*f)() int (*(*f())[13])() p is a pointer to int p is an array[13] of pointer to int p is an array[13] of pointer to int p is a pointer to a pointer to an int p is a pointer to an array[13] of int f is a function returning a pointer to int f is a pointer to a function returning int f is a function returning ptr to an array[13] of pointers to functions returning int int (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints F6B 9 Datorarkitektur 20 Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers MSN server MSN client AIM client AIM server AIM client F6B 10 Datorarkitektur 20 Internet Worm and IM War (cont.) August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! many Unix functions do not check argument sizes. allows target buffers to overflow. F6B 11 Datorarkitektur 20 String Library Code Implementation of Unix function gets No way to specify limit on number of characters to read /* Get string from stdin */ char *gets(char *dest) int c = getc(); char *p = dest; while (c!= EOF && c!= '\n') *p++ = c; c = getc(); *p = '\0'; return dest; Similar problems with other Unix functions strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification F6B 12 Datorarkitektur 20

4 Vulnerable Buffer Code /* Echo Line */ void echo() char buf[4]; /* Way too small! */ gets(buf); puts(buf); int main() printf("type a string:"); echo(); return 0; Buffer Overflow Executions unix>./bufdemo Type a string: unix>./bufdemo Type a string:12345 Segmentation Fault unix>./bufdemo Type a string: Segmentation Fault F6B 13 Datorarkitektur 20 F6B 14 Datorarkitektur 20 Buffer Overflow Saved /* Echo Line */ void echo() char buf[4]; /* Way too small! */ gets(buf); puts(buf); echo: pushl # Save on stack movl %esp, subl $20,%esp # Allocate space on stack pushl %ebx # Save %ebx addl $-12,%esp # Allocate space on stack leal -4(),%ebx # Compute buf as -4 pushl %ebx # Push buf on stack call gets # Call gets... F6B 15 Datorarkitektur 20 Buffer Overflow Example Saved unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x48583 (gdb) run Breakpoint 1, 0x48583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x4864d 48648: call 4857c <echo> 4864d: mov 0xffffffe8(),%ebx # Return Point Before call to gets Return 04 Address 86 4d bfsaved ff f8 f8 0xbffff8f8 [3][2][1][0] xx xx xx xx buf F6B 16 Datorarkitektur 20

5 Buffer Overflow Example #1 Buffer Overflow Example #2 Before Call to gets Input = 123 Input = Saved Return 04 Address 86 4d bfsaved ff f8 f8 0xbffff8f8 [3][2][1][0] buf No Problem Saved echo code: Return 04 Address 86 4d bfsaved ff 35 0xbfff35 [3][2][1][0] buf Saved value of set to 0xbfff35 Bad news when later attempt to restore 48592: push %ebx 48593: call 483e4 <_init+0x50> # gets 48598: mov 0xffffffe8(),%ebx 4859b: mov,%esp 4859d: pop # gets set to invalid value 4859e: ret F6B 17 Datorarkitektur 20 F6B 18 Datorarkitektur 20 Buffer Overflow Example #3 Saved Return 04 Address 86 38Saved [3][2][1][0] buf Invalid address No longer pointing to desired return point Input = : call 4857c <echo> 4864d: mov 0xffffffe8(),%ebx # Return Point and return address corrupted F6B 19 Datorarkitektur 20 return address A Malicious Use of Buffer Overflow void foo() bar();... void bar() char buf[64]; gets(buf);... data written by gets() after call to gets() Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit code F6B 20 Datorarkitektur 20 B B pad exploit code foo stack frame bar stack frame

6 Exploits Based on Buffer Overflows Avoiding Overflow Vulnerability Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. Internet worm Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger Worm attacked fingerd server by sending phony argument: finger exploit-code padding new-return-address exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker. /* Echo Line */ void echo() char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); Use Library Routines that Limit String Lengths fgets instead of gets strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string F6B 21 Datorarkitektur 20 F6B 22 Datorarkitektur 20 Final Observations Memory Layout OS/machine dependent (including kernel version) Basic partitioning: stack/data/text/heap/dll found in most machines Type Declarations in C Notation obscure, but very systematic Working with Strange Code Important to analyze nonstandard cases E.g., what happens when stack corrupted due to buffer overflow Helps to step through with GDB F6B 23 Datorarkitektur 20

Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example

Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example Machine-Level Programming IV: Miscellaneous Topics Sept. 24, 22 class09.ppt 15-213 The course that gives CMU its Zip! Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code