CS241 Computer Organization Spring Buffer Overflow
|
|
- Brendan Nash
- 5 years ago
- Views:
Transcription
1 CS241 Computer Organization Spring 2015 Buffer Overflow
2 Outline! Linking & Loading, continued! Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R: Chapter 5, section 5.11 C Traps & Pitfalls (course website, on-line references) Quiz today on IA32 (HW4) Quiz Tuesday, April 7th on run-time stack (HW5) Lab#3 BufferLab goes live tomorrow HW#7 due today HW#6 due: Tuesday, April 7th
3 Linker Symbols Global symbols Symbols defined by module m that can be referenced by other modules. E.g.: non-static C functions and non-static global variables. External symbols Global symbols that are referenced by module m but defined by some other module. Local symbols Symbols that are defined and referenced exclusively by module m. E.g.: C functions and variables defined with the static attribute. Local linker symbols are not local program variables
4 Resolving Symbols Global External Local int buf[2] = {1, 2}; extern int buf[]; int main() { swap(); return 0; } External main.c Linker knows nothing of temp static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp; Global swap.c
5 Relocating Code and Data Relocatable Object Files Executable Object File System code System data.text.data 0 Headers System code main.o main().text main() swap().text int buf[2]={1,2}.data More system code swap.o swap() int *bufp0=&buf[0] int *bufp1.text.data.bss System data int buf[2]={1,2} int *bufp0=&buf[0] Uninitialized data.symtab.debug.data.bss
6 Relocation Info (main) main.c int buf[2] = {1,2}; int main() { swap(); return 0; } main.o <main>: 0: 55 push %ebp 1: 89 e5 mov %esp,%ebp 3: 83 ec 08 sub $0x8,%esp 6: e8 fc ff ff ff call 7 <main+0x7> 7: R_386_PC32 swap b: 31 c0 xor %eax,%eax d: 89 ec mov %ebp,%esp f: 5d pop %ebp 10: c3 ret Disassembly of section.data: <buf>: 0: Source: objdump
7 Relocation Info (swap,.text) swap.c extern int buf[]; static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp; swap.o Disassembly of section.text: <swap>: 0: 55 push %ebp 1: 8b mov 0x0,%edx 3: R_386_32 bufp0 7: a mov 0x4,%eax 8: R_386_32 buf c: 89 e5 mov %esp,%ebp e: c movl $0x4,0x0 15: : R_386_32 bufp1 14: R_386_32 buf 18: 89 ec mov %ebp,%esp 1a: 8b 0a mov (%edx),%ecx 1c: mov %eax,(%edx) 1e: a mov 0x0,%eax 1f: R_386_32 bufp1 23: mov %ecx,(%eax) 25: 5d pop %ebp 26: c3 ret
8 Relocation Info (swap,.data) swap.c extern int buf[]; static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; Disassembly of section.data: <bufp0>: 0: : R_386_32 buf } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp;
9 Executable After Relocation (.text) b4 <main>: 80483b4: 55 push %ebp 80483b5: 89 e5 mov %esp,%ebp 80483b7: 83 ec 08 sub $0x8,%esp 80483ba: e call 80483c8 <swap> 80483bf: 31 c0 xor %eax,%eax 80483c1: 89 ec mov %ebp,%esp 80483c3: 5d pop %ebp 80483c4: c3 ret c8 <swap>: 80483c8: 55 push %ebp 80483c9: 8b 15 5c mov 0x804945c,%edx 80483cf: a mov 0x ,%eax 80483d4: 89 e5 mov %esp,%ebp 80483d6: c movl $0x ,0x dd: e0: 89 ec mov %ebp,%esp 80483e2: 8b 0a mov (%edx),%ecx 80483e4: mov %eax,(%edx) 80483e6: a mov 0x ,%eax 80483eb: mov %ecx,(%eax) 80483ed: 5d pop %ebp 80483ee: c3 ret
10 Executable After Relocation (.data) Disassembly of section.data: <buf>: : c <bufp0>: c:
11 Strong and Weak Symbols Program symbols are either strong or weak Strong: procedures and initialized globals Weak: uninitialized globals p1.c p2.c strong int foo=5; int foo; weak strong p1() { } p2() { } strong
12 Linker s Symbol Rules Rule 1: Multiple strong symbols are not allowed Each item can be defined only once Otherwise: Linker error Rule 2: Given a strong symbol and multiple weak symbol, choose the strong symbol References to the weak symbol resolve to the strong symbol Rule 3: If there are multiple weak symbols, pick an arbitrary one Can override this with gcc fno-common
13 Linker Puzzles int x; p1() {} p1() {} Link time error: two strong symbols (p1) int x; p1() {} int x; p2() {} References to x will refer to the same uninitialized int. Is this what you really want? int x; int y; p1() {} double x; p2() {} Writes to x in p2 might overwrite y! Evil! int x=7; int y=5; p1() {} double x; p2() {} Writes to x in p2 will overwrite y! Nasty! int x=7; p1() {} int x; p2() {} References to x will refer to the same initialized variable. Nightmare scenario: two identical weak structs, compiled by different compilers with different alignment rules.
14 Global Variables Avoid if you can Otherwise Use static if you can Initialize if you define a global variable Use extern if you use external global variable
15 Packaging Commonly Used Functions How to package functions commonly used by programmers? Math, I/O, memory management, string manipulation, etc. Awkward, given the linker framework so far: Option 1: Put all functions into a single source file Programmers link big object file into their programs Space and time inefficient Option 2: Put each function in a separate source file Programmers explicitly link appropriate binaries into their programs More efficient, but burdensome on the programmer
16 Solution: Static Libraries Static libraries (.a archive files) Concatenate related relocatable object files into a single file with an index (called an archive). Enhance linker so that it tries to resolve unresolved external references by looking for the symbols in one or more archives. If an archive member file resolves reference, link into executable.
17 Creating Static Libraries atoi.c printf.c random.c Translator Translator... Translator atoi.o printf.o random.o Archiver (ar) unix> ar rs libc.a \ atoi.o printf.o random.o libc.a C standard library Archiver allows incremental updates Recompile function that changes and replace.o file in archive.
18 Commonly Used Libraries libc.a (the C standard library) 8 MB archive of 900 object files. I/O, memory allocation, signal handling, string handling, data and time, random numbers, integer math libm.a (the C math library) 1 MB archive of 226 object files. floating point math (sin, cos, tan, log, exp, sqrt, ) % ar -t /usr/lib/libc.a sort fork.o fprintf.o fpu_control.o fputc.o freopen.o fscanf.o fseek.o fstab.o % ar -t /usr/lib/libm.a sort e_acos.o e_acosf.o e_acosh.o e_acoshf.o e_acoshl.o e_acosl.o e_asin.o e_asinf.o e_asinl.o
19 Linking with Static Libraries addvec.o multvec.o main2.c vector.h Archiver (ar) Translators (cpp, cc1, as) libvector.a libc.a Static libraries Relocatable object files main2.o addvec.o printf.o and any other modules called by printf.o Linker (ld) p2 Fully linked executable object file
20 Using Static Libraries Linker s algorithm for resolving external references: Scan.o files and.a files in the command line order. During the scan, keep a list of the current unresolved references. As each new.o or.a file, obj, is encountered, try to resolve each unresolved reference in the list against the symbols defined in obj. If any entries in the unresolved list at end of scan, then error. Problem: Command line order matters! Moral: put libraries at the end of the command line. unix> gcc -L. libtest.o -lmine unix> gcc -L. -lmine libtest.o libtest.o: In function `main': libtest.o(.text+0x4): undefined reference to `libfun'
21 Loading Executable Object Files Executable Object File ELF header Program header table (required for executables).init section.text section.rodata section.data section 0 0xc x Kernel virtual memory User stack (created at runtime) Memory-mapped region for shared libraries Memory invisible to user code %esp (stack pointer).bss section.symtab.debug.line.strtab Section header table (required for relocatables) 0x Run-time heap (created by malloc) Read/write segment (.data,.bss) Read-only segment (.init,.text,.rodata) Unused brk Loaded from the executable file
22
23 Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?
24 Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers AIM MSN MSN AIM AIM
25 Internet Worm and IM War (cont.) August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! many Unix functions do not check argument sizes. allows target buffers to overflow.
26 String Library Code Implementation of Unix function gets() /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c!= EOF && c!= '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } No way to specify limit on number of characters to read Similar problems with other Unix functions strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification
27 Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } int main() { printf("type a string:"); echo(); return 0; } unix>./bufdemo Type a string: unix>./bufdemo Type a string: Segmentation Fault unix>./bufdemo Type a string: abc Segmentation Fault
28 Buffer Overflow Disassembly f0 <echo>: 80484f0: 55 push %ebp 80484f1: 89 e5 mov %esp,%ebp 80484f3: 53 push %ebx 80484f4: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx 80484f7: 83 ec 14 sub $0x14,%esp 80484fa: 89 1c 24 mov %ebx,(%esp) 80484fd: e8 ae ff ff ff call 80484b0 <gets> : 89 1c 24 mov %ebx,(%esp) : e8 8a fe ff ff call a: 83 c4 14 add $0x14,%esp d: 5b pop %ebx e: c9 leave f: c3 ret 80485f2: e8 f9 fe ff ff call 80484f0 <echo> 80485f7: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 80485fa: c9 leave 80485fb: 31 c0 xor %eax,%eax 80485fd: c3 ret
29 Buffer Overflow Stack Before call to gets Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf %ebp /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Stack Frame for echo echo: pushl %ebp movl %esp, %ebp pushl %ebx leal -8(%ebp),%ebx subl $20, %esp movl %ebx, (%esp) call gets... # Save %ebp on stack # Save %ebx # Compute buf as %ebp-8 # Allocate stack space # Push buf on stack # Call gets
30 Buffer Overflow Stack Example Before call to gets Stack Frame for main Carnegie Mellon unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x (gdb) run Breakpoint 1, 0x in echo () (gdb) print /x $ebp $1 = 0xffffc638 (gdb) print /x *(unsigned *)$ebp $2 = 0xffffc658 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x80485f7 Before call to gets Stack Frame 0xffffc658 for main Return Address Saved %ebp f7 ff ff c6 58 0xffffc638 [3] [2] [1] [0] Stack Frame for echo buf xx xx xx xx buf Stack Frame for echo 80485f2: call 80484f0 <echo> 80485f7: mov 0xfffffffc(%ebp),%ebx # Return Point
31 Buffer Overflow Example #1 Before call to gets Input Stack Frame for main 0xffffc658 Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc f7 ff ff c6 58 0xffffc buf Stack Frame for echo Overflow buf, but no problem
32 Buffer Overflow Example #2 Before call to gets Input Stack Frame for main 0xffffc658 Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc f7 ff ff c6 00 0xffffc buf Stack Frame for echo Base pointer corrupted a: 83 c4 14 add $0x14,%esp # deallocate space d: 5b pop %ebx # restore %ebx e: c9 leave # movl %ebp, %esp; popl %ebp f: c3 ret # Return
33 Buffer Overflow Example #3 Before call to gets Stack Frame for main 0xffffc658 Input ABC Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc xffffc buf Stack Frame for echo Return address corrupted 80485f2: call 80484f0 <echo> 80485f7: mov 0xfffffffc(%ebp),%ebx # Return Point
34 Malicious Use of Buffer Overflow Stack after call to gets() void foo(){ bar();... } return address A B foo stack frame int bar() { char buf[64]; gets(buf);... return...; } data written by gets() B pad exploit code bar stack frame Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit code
35 Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines Internet worm Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger Worm attacked fingerd server by sending phony argument: finger exploit-code padding new-returnaddress exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker.
36 Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines IM War AOL exploited existing buffer overflow bug in AIM clients exploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location.
37 Date: Wed, 11 Aug :30: (PDT) From: Phil Bucking Subject: AOL exploiting buffer overrun bug in their own software! To: Mr. Smith, I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response. I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year.... It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now *exploiting their own buffer overrun bug* to help in its efforts to block MS Instant Messenger.... Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security. Sincerely, Phil Bucking Founder, Bucking Consulting philbucking@yahoo.com It was later determined that this originated from within Microsoft!
38 Code Red Worm History June 18, Microsoft announces buffer overflow vulnerability in IIS Internet server July 19, over 250,000 machines infected by new virus in 9 hours White house must change its IP address. Pentagon shut down public WWW servers for day When We Set Up CS:APP Web Site Received strings of form GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...NNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" "-" "-"
39 Code Red Exploit Code Starts 100 threads running Spread self Generate random IP addresses & send attack string Between 1st & 19th of month Attack Send 98,304 packets; sleep for 4-1/2 hours; repeat Denial of service attack Between 21st & 27th of month Deface server s home page After waiting 2 hours
40 Code Red Effects Later Version Even More Malicious Code Red II As of April, 2002, over 18,000 machines infected Still spreading Paved Way for NIMDA Variety of propagation methods One was to exploit vulnerabilities left behind by Code Red II ASIDE (security flaws start at home).rhosts used by Internet Worm Attachments used by MyDoom (1 in 6 s Monday morning!)
41 Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } Use library routines that limit string lengths fgets instead of gets strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string Or use %ns where n is a suitable integer
42 System-Level Protections Randomized stack offsets At start of program, allocate random amount of space on stack Makes it difficult for hacker to predict beginning of inserted code Nonexecutable code segments In traditional x86, can mark region of memory as either read-only or writeable Can execute anything readable Add explicit execute permission unix> gdb bufdemo (gdb) break echo (gdb) run (gdb) print /x $ebp $1 = 0xffffc638 (gdb) run (gdb) print /x $ebp $2 = 0xffffbb08 (gdb) run (gdb) print /x $ebp $3 = 0xffffc6a8
43 Worms and Viruses Worm: A program that Can run by itself Can propagate a fully working version of itself to other computers Virus: Code that Add itself to other programs Cannot run independently Both are (usually) designed to spread among computers and to wreak havoc
Sungkyunkwan University
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationLecture 16: Linking Computer Architecture and Systems Programming ( )
Systems Group Department of Computer Science ETH Zürich Lecture 16: Linking Computer Architecture and Systems Programming (252-0061-00) Timothy Roscoe Herbstsemester 2012 Last time: memory hierarchy L1/L2
More informationSystems I. Linking II
Systems I Linking II Topics Relocation Static libraries Loading Dynamic linking of shared libraries Relocating Symbols and Resolving External References Symbols are lexical entities that name functions
More informationExample C program. 11: Linking. Why linkers? Modularity! Static linking. Why linkers? Efficiency! What do linkers do? 10/28/2013
Example C program 11: Linking Computer Architecture and Systems Programming 252 61, Herbstsemester 213 Timothy Roscoe main.c int buf[2] = 1, 2; swap(); return ; swap.c static int *bufp = &buf[]; void swap()
More informationExample C Program The course that gives CMU its Zip! Linking March 2, Static Linking. Why Linkers? Page # Topics
15-213 The course that gives CMU its Zip! Topics Linking March 2, 24 Static linking Dynamic linking Case study: Library interpositioning Example C Program main.c int buf[2] = 1, 2; int main() swap(); return
More informationLinking February 24, 2005
15-213 The course that gives CMU its Zip! Linking February 24, 2005 Topics Static linking Dynamic linking Case study: Library interpositioning 13-linking.ppt Example C Program main.c int buf[2] = {1, 2};
More informationSystems Programming and Computer Architecture ( ) Timothy Roscoe
Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 AS 2016 Linking 1 12: Linking Computer Architecture
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationMachine-Level Programming V: Miscellaneous Topics Sept. 24, 2002
15-213 The course that gives CMU its Zip! Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code class09.ppt
More informationExample C Program. Linking CS Instructor: Sanjeev Se(a. int buf[2] = {1, 2}; extern int buf[]; int main() { swap(); return 0; }
Linking Instructor: Sanjeev Se(a 1 Example C Program main.c int buf[2] = {1, 2; int main() { swap(); return 0; swap.c extern int buf[]; static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationLinking Oct. 26, 2009"
Linking Oct. 26, 2009" Linker Puzzles" int x; p1() {} p1() {} int x; p1() {} int x; p2() {} int x; int y; p1() {} int x=7; int y=5; p1() {} double x; p2() {} double x; p2() {} int x=7; p1() {} int x; p2()
More informationGiving credit where credit is due
JDEP 284H Foundations of Computer Systems Machine-Level Programming V: Wrap-up Dr. Steve Goddard goddard@cse.unl.edu Giving credit where credit is due Most of slides for this lecture are based on slides
More informationCSE 2421: Systems I Low-Level Programming and Computer Organization. Linking. Presentation N. Introduction to Linkers
CSE 2421: Systems I Low-Level Programming and Computer Organization Linking Read/Study: Bryant 7.1 7.10 Gojko Babić 11-15-2017 Introduction to Linkers Linking is the process of collecting and combining
More informationLinux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example
Machine-Level Programming IV: Miscellaneous Topics Sept. 24, 22 class09.ppt 15-213 The course that gives CMU its Zip! Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code
More informationA Simplistic Program Translation Scheme
A Simplistic Program Translation Scheme m.c ASCII source file Translator p Binary executable object file (memory image on disk) Problems: Efficiency: small change requires complete recompilation Modularity:
More informationLinking Oct. 15, 2002
15-213 The course that gives CMU its Zip! Topics Linking Oct. 15, 2002 Static linking Object files Static libraries Loading Dynamic linking of shared libraries class15.ppt Linker Puzzles int x; p1() {}
More informationE = 2 e lines per set. S = 2 s sets tag. valid bit B = 2 b bytes per cache block (the data) CSE351 Inaugural EdiNon Spring
Last Time Caches E = 2 e lines per set Address of word: t bits s bits b bits S = 2 s sets tag set index block offset data begins at this offset v tag 0 1 2 B 1 valid bit B = 2 b bytes per cache block (the
More informationComputer Organization: A Programmer's Perspective
A Programmer's Perspective Linking Gal A. Kaminka galk@cs.biu.ac.il A Simplistic Program Translation Scheme m.c ASCII source file Translator p Binary executable object file (memory image on disk) Problems:
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated
More informationBuffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
More informationLINKING. Jo, Heeseung
LINKING Jo, Heeseung PROGRAM TRANSLATION (1) A simplistic program translation scheme m.c ASCII source file Translator p Binary executable object file (memory image on disk) Problems: - Efficiency: small
More informationCS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: January 13, 2017 at 08:55 CS429 Slideset 25: 1 Relocating Symbols
More informationRelocating Symbols and Resolving External References. CS429: Computer Organization and Architecture. m.o Relocation Info
Relocating Symbols and Resolving External References CS429: Computer Organization and Architecture Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: January 13,
More informationExercise Session 7 Computer Architecture and Systems Programming
Systems Group Department of Computer Science ETH Zürich Exercise Session 7 Computer Architecture and Systems Programming Herbstsemester 2014 Review of last week s excersice structs / arrays in Assembler
More informationMachine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics Slides courtesy of: Randy Bryant & Dave O Hallaron 1 Today Structures Alignment Unions Memory Layout Buffer Overflow Vulnerability Protection 2 R.A. Rutenbar,
More informationLinking. Computer Systems Organization (Spring 2017) CSCI-UA 201, Section 3. Instructor: Joanna Klukowska
Linking Computer Systems Organization (Spring 2017) CSCI-UA 201, Section 3 Instructor: Joanna Klukowska Slides adapted from Randal E. Bryant and David R. O Hallaron (CMU) Mohamed Zahran (NYU) Example C
More informationComputer Systems. Linking. Han, Hwansoo
Computer Systems Linking Han, Hwansoo Example C Program int sum(int *a, int n); int array[2] = {1, 2}; int sum(int *a, int n) { int i, s = 0; int main() { int val = sum(array, 2); return val; } main.c
More informationCOMPILING OBJECTS AND OTHER LANGUAGE IMPLEMENTATION ISSUES. Credit: Mostly Bryant & O Hallaron
COMPILING OBJECTS AND OTHER LANGUAGE IMPLEMENTATION ISSUES Credit: Mostly Bryant & O Hallaron Word-Oriented Memory Organization Addresses Specify Byte Locations Address of first byte in word Addresses
More informationBuffer Overflows. Buffer Overflow. Many of the following slides are based on those from
s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html
More informationMachine- Level Programming V: Advanced Topics
Machine- Level Programming V: Advanced Topics Andrew Case Slides adapted from Jinyang Li, Randy Bryant & Dave O Hallaron 1 Today Structures and Unions Memory Layout Buffer Overflow Vulnerability ProtecEon
More informationMachine-Level Prog. V Miscellaneous Topics
Machine-Level Prog. V Miscellaneous Topics Today Buffer overflow Extending IA32 to 64 bits Next time Memory Fabián E. Bustamante, Spring 2010 Internet worm and IM war November, 1988 Internet Worm attacks
More informationMachine-Level Programming IV: Structured Data
Machine-Level Programming IV: Structured Data Topics Arrays Structs Basic Data Types Integral 2 Stored & operated on in general registers Signed vs. unsigned depends on instructions used Intel GAS Bytes
More informationOutline. 1 Background. 2 ELF Linking. 3 Static Linking. 4 Dynamic Linking. 5 Summary. Linker. Various Stages. 1 Linking can be done at compile.
Outline CS 6V81-05: System Security and Malicious Code Analysis Revealing Internals of Linkers Zhiqiang Lin Department of Computer Science University of Texas at Dallas March 26 th, 2012 1 Background 2
More informationCS 201 Linking Gerson Robboy Portland State University
CS 201 Linking Gerson Robboy Portland State University 1 15-213, F 02 A Simplistic Program Translation Scheme m.c ASCII source file Translator p Binary executable object file (memory image on disk) Problems:
More informationLinking and Loading. CS61, Lecture 16. Prof. Stephen Chong October 25, 2011
Linking and Loading CS61, Lecture 16 Prof. Stephen Chong October 25, 2011 Announcements Midterm exam in class on Thursday 80 minute exam Open book, closed note. No electronic devices allowed Please be
More informationBuffer overflows. Specific topics:
Buffer overflows Buffer overflows are possible because C does not check array boundaries Buffer overflows are dangerous because buffers for user input are often stored on the stack Specific topics: Address
More informationRevealing Internals of Linkers. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Revealing Internals of Linkers Zhiqiang Lin Department of Computer Science University of Texas at Dallas March 26 th, 2012 Outline 1 Background 2
More informationBuffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller
More informationMachine-Level Prog. V Miscellaneous Topics
Machine-Level Prog. V Miscellaneous Topics Today Buffer overflow Extending IA32 to 64 bits Next time Memory Fabián E. Bustamante, 2007 Internet worm and IM war November, 1988 Internet Worm attacks thousands
More informationLinker Puzzles The course that gives CMU its Zip! Linking Mar 4, A Simplistic Program Translation Scheme. A Better Scheme Using a Linker
15-213 The course that gives CMU its Zi! Toics Static linking Object files Linking Mar 4, 2003 Static libraries Loading Dynamic linking of shared libraries Linker Puzzles 1() { 1() { 1() { 1() { int x=7;
More informationMachine-level Programs Adv. Topics
Computer Systems Machine-level Programs Adv. Topics Han, Hwansoo x86-64 Linux Memory Layout 0x00007FFFFFFFFFFF Stack Runtime stack (8MB limit) E. g., local variables Heap Dynamically allocated as needed
More informationMachine Programming 5: Buffer Overruns and Stack Exploits
Machine Programming 5: Buffer Overruns and Stack Exploits CS61, Lecture 6 Prof. Stephen Chong September 22, 2011 Thinking about grad school in Computer Science? Panel discussion Tuesday September 27th,
More informationSungkyunkwan University
Linking Case study: Library interpositioning main.c int buf[2] = {1, 2}; int main() { swap(); return 0; } swap.c extern int buf[]; int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; } bufp1
More informationMachine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics CENG331 - Computer Organization Instructor: Murat Manguoglu Adapted from slides of the textbook: http://csapp.cs.cmu.edu/ Today Memory Layout Buffer Overflow
More informationLecture 12-13: Linking
CSCI-UA.0201-003 Computer Systems Organization Lecture 12-13: Linking Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Source Code to Execution C source Assembly Assembly Compiler Assembly
More informationComputer Systems CEN591(502) Fall 2011
Computer Systems CEN591(502) Fall 2011 Sandeep K. S. Gupta Arizona State University 9 th lecture Machine-Level Programming (4) (Slides adapted from CSAPP) Announcements Potentially Makeup Classes on Sat
More informationSystemprogrammering och operativsystem Laborationer. Linker Puzzles. Systemprogrammering 2007 Föreläsning 1 Compilation and Linking
Systemprogrammering och operativsystem 2007 Denna kurs behandlar programmering nära operativsystemet. Det operativsystem vi använder är Unix (Solaris på Sun-maskiner och Linux på PC), men principerna gäller
More information(Extract from the slides by Terrance E. Boult
What software engineers need to know about linking and a few things about execution (Extract from the slides by Terrance E. Boult http://vast.uccs.edu/~tboult/) A Simplistic Program Translation Scheme
More informationMachine- Level Programming V: Advanced Topics
Machine- Level Programming V: Advanced Topics CS 485: Systems Programming Fall 2015 Instructor: James Griffioen Adapted from slides by R. Bryant and D. O Hallaron (hjp://csapp.cs.cmu.edu/public/instructors.html)
More informationLinking. Today. Next time. Static linking Object files Static & dynamically linked libraries. Exceptional control flows
Linking Today Static linking Object files Static & dynamically linked libraries Next time Exceptional control flows Fabián E. Bustamante, 2007 Example C program main.c void swap(); int buf[2] = {1, 2;
More informationMachine-Level Programming V: Buffer overflow
Carnegie Mellon Machine-Level Programming V: Buffer overflow Slides adapted from Bryant and O Hallaron Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition 1 Recall: Memory
More informationCSC 252: Computer Organization Spring 2018: Lecture 9
CSC 252: Computer Organization Spring 2018: Lecture 9 Instructor: Yuhao Zhu Department of Computer Science University of Rochester Action Items: Assignment 2 is due tomorrow, midnight Assignment 3 is out
More informationMachine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics CS140 - Assembly Language and Computer Organization March 29, 2016 Slides courtesy of: Randal E. Bryant and David R. O Hallaron 1 Today Memory Layout Buffer
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-20 Wed Young W. Lim Link 2. Object Files 2017-09-20 Wed 1 / 33 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More informationMachine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGİN Slides adapted from Bryant & O Hallaron s slides 1 Today Memory Layout Buffer Overflow
More informationCarnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition
1 Machine-Level Programming V: Advanced Topics 15-213/18-213/14-513/15-513: Introduction to Computer Systems 9 th Lecture, September 25, 2018 2 Today Memory Layout Buffer Overflow Vulnerability Protection
More informationMachine-Level Programming V: Advanced Topics
Machine-Level Programming V: Advanced Topics 15-213: Introduction to Computer Systems 9 th Lecture, June 7 Instructor: Brian Railing 1 Today Memory Layout Buffer Overflow Vulnerability Protection Unions
More informationLink 7. Static Linking
Link 7. Static Linking Young W. Lim 2018-12-21 Fri Young W. Lim Link 7. Static Linking 2018-12-21 Fri 1 / 41 Outline 1 Linking - 7. Static Linking Based on Static Library Examples Linking with Static Libraries
More informationLink 2. Object Files
Link 2. Object Files Young W. Lim 2017-09-23 Sat Young W. Lim Link 2. Object Files 2017-09-23 Sat 1 / 40 Outline 1 Linking - 2. Object Files Based on Oject Files ELF Sections Example Program Source Codes
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationX86 Assembly Buffer Overflow III:1
X86 Assembly Buffer Overflow III:1 Admin Link to buffer overflow demo http://nsfsecurity.pr.erau.edu/bom/ ASM quick-reference from Larry Zhang (thanks!) http://www.cs.uaf.edu/2010/fall/cs301/support/x86/gcc.html
More informationCSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization
Spring 2013 CSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization Kitty Reeves TWRF 8:00-8:55am 1 Compiler Drivers = GCC When you invoke GCC, it normally does preprocessing,
More informationu Linking u Case study: Library interpositioning
u Linking u Case study: Library interpositioning int sum(int *a, int n); int array[2] = {1, 2}; int sum(int *a, int n) { int i, s = 0; int main() { int val = sum(array, 2); return val; } main.c } for (i
More informationWhy do we need Pointers? Call by Value vs. Call by Reference in detail Implementing Arrays Buffer Overflow / The Stack Hack
Chapter 16 Why do we need Pointers? Call by Value vs. Call by Reference in detail Implementing Arrays Buffer Overflow / The Stack Hack A problem with parameter passing via stack Consider the following
More informationToday. Linking. Example C Program. Sta7c Linking. Linking Case study: Library interposi7oning
Today Linking Linking Case study: Library interposi7oning 15-213 / 18-213: Introduc2on to Computer Systems 12 th Lecture, Feb. 23, 2012 Instructors: Todd C. Mowry & Anthony Rowe 1 2 Example C Program Sta7c
More informationLinking. Explain what ELF format is. Explain what an executable is and how it got that way. With huge thanks to Steve Chong for his notes from CS61.
Linking Topics How do you transform a collection of object files into an executable? How is an executable structured? Why is an executable structured as it is? Learning Objectives: Explain what ELF format
More informationA SimplisHc Program TranslaHon Scheme. TranslaHng the Example Program. Example C Program. Why Linkers? - Modularity. Linking
A SimplisHc Program TranslaHon Scheme Linking ASCII (Text) source file The American Standard Code for InformaHon Interchange (ASCII) CSCI 221: Machine Architecture and OrganizaHon Pen- Chung Yew Department
More informationMachine Programming 1: Introduction
Machine Programming 1: Introduction CS61, Lecture 3 Prof. Stephen Chong September 8, 2011 Announcements (1/2) Assignment 1 due Tuesday Please fill in survey by 5pm today! Assignment 2 will be released
More informationBuffer Overflow Attacks
CS- Spring Buffer Overflow Attacks Computer Systems..-, CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance:
More informationBuffer Overflows. CSE 351 Autumn Instructor: Justin Hsia
Buffer Overflows CSE 351 Autumn 2017 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan http://xkcd.com/804/
More informationLink 4. Relocation. Young W. Lim Wed. Young W. Lim Link 4. Relocation Wed 1 / 22
Link 4. Relocation Young W. Lim 2017-09-13 Wed Young W. Lim Link 4. Relocation 2017-09-13 Wed 1 / 22 Outline 1 Linking - 4. Relocation Based on Relocation Relocation Entries Relocating Symbol Reference
More informationLink 7.A Static Linking
Link 7.A Static Linking Young W. Lim 2019-01-04 Fri Young W. Lim Link 7.A Static Linking 2019-01-04 Fri 1 / 27 Outline 1 Linking - 7.A Static Linking Based on Static Library Examples Linking with Static
More informationBuffer Overflows. CSE 351 Autumn 2018
Buffer Overflows CSE 351 Autumn 2018 Instructor: Teaching Assistants: Justin Hsia Akshat Aggarwal An Wang Andrew Hu Brian Dai Britt Henderson James Shin Kevin Bi Kory Watson Riley Germundson Sophie Tian
More informationBuffer Overflows. CSE 410 Winter Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui
Buffer Overflows CSE 410 Winter 2017 Instructor: Justin Hsia Teaching Assistants: Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui Administrivia Lab 2 & mid quarter survey due tonight Lab 3 released
More informationAssembly I: Basic Operations. Jo, Heeseung
Assembly I: Basic Operations Jo, Heeseung Moving Data (1) Moving data: movl source, dest Move 4-byte ("long") word Lots of these in typical code Operand types Immediate: constant integer data - Like C
More informationASSEMBLY I: BASIC OPERATIONS. Jo, Heeseung
ASSEMBLY I: BASIC OPERATIONS Jo, Heeseung MOVING DATA (1) Moving data: movl source, dest Move 4-byte ("long") word Lots of these in typical code Operand types Immediate: constant integer data - Like C
More informationCS241 Computer Organization Spring 2015 IA
CS241 Computer Organization Spring 2015 IA-32 2-10 2015 Outline! Review HW#3 and Quiz#1! More on Assembly (IA32) move instruction (mov) memory address computation arithmetic & logic instructions (add,
More informationLinking. CS 485 Systems Programming Fall Instructor: James Griffioen
Linking CS 485 Systems Programming Fall 2015 Instructor: James Griffioen Adapted from slides by R. Bryant and D. O Hallaron (hip://csapp.cs.cmu.edu/public/instructors.html) 1 Today Linking Case study:
More informationTurning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p
Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p text C program (p1.c p2.c) Compiler (gcc -S) text Asm
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationToday. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses
Today Machine-Level Programming V: Advanced Topics CSci 2021: Machine Architecture and Organization Lectures #14-15, February 19th-22nd,2016 Your instructor: Stephen McCamant Memory Layout Buffer Overflow
More informationLink 4. Relocation. Young W. Lim Thr. Young W. Lim Link 4. Relocation Thr 1 / 26
Link 4. Relocation Young W. Lim 2017-09-14 Thr Young W. Lim Link 4. Relocation 2017-09-14 Thr 1 / 26 Outline 1 Linking - 4. Relocation Based on Relocation Relocation Entries Relocating Symbol Reference
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationToday. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses
Today Machine-Level Programming V: Advanced Topics CSci 2021: Machine Architecture and Organization October 17th, 2018 Your instructor: Stephen McCamant Memory Layout Buffer Overflow Vulnerability Protection
More informationIntroduction Presentation A
CSE 2421/5042: Systems I Low-Level Programming and Computer Organization Introduction Presentation A Read carefully: Bryant Chapter 1 Study: Reek Chapter 2 Skim: Reek Chapter 1 08/22/2018 Gojko Babić Some
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationCS , Fall 2002 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2002 Exam 1 October 8, 2002 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front. Write
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationSummary. Alexandre David
3.8-3.12 Summary Alexandre David 3.8.4 & 3.8.5 n Array accesses 12-04-2011 Aalborg University, CART 2 Carnegie Mellon N X N Matrix Code Fixed dimensions Know value of N at compile 2me #define N 16 typedef
More informationCS , Fall 2001 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2001 Exam 1 October 9, 2001 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front. Write
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationAssembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction
Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction E I P CPU isters Condition Codes Addresses Data Instructions Memory Object Code Program Data OS Data Topics Assembly Programmer
More informationBuffer Overflows Many of the following slides are based on those from Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron
More informationCarnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition
1 Linking 15-213: Introduction to Computer Systems 13 th Lecture, October 10th, 2017 Instructor: Randy Bryant 2 Today Linking Motivation What it does How it works Dynamic linking Case study: Library interpositioning
More informationGenerating Programs and Linking. Professor Rick Han Department of Computer Science University of Colorado at Boulder
Generating Programs and Linking Professor Rick Han Department of Computer Science University of Colorado at Boulder CSCI 3753 Announcements Moodle - posted last Thursday s lecture Programming shell assignment
More information