What Cannot be Read, Cannot be Leveraged?
|
|
- Maude O’Connor’
- 5 years ago
- Views:
Transcription
1 What Cannot be Read, Cannot be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, Christian Rossow CISPA, Saarland University, Germany
2 Overview Code Reuse Attacks/Defenses JavaScript JavaScript JIT Compilation Existing JIT Attacks/Defenses New JIT Gadget Creation New JIT Defense Native Code 2
3 Revisiting Code Reuse 3
4 Code Reuse Find useful code fragments Chain gadgets and functions together Trigger execution of the gadget chain saved RBP array[].text 4881C C7C0 595AC EC5DC3 pop rcx pop rdx ret libraries int execv(..) 4
5 Code Reuse Defenses Fine-grained ASLR Find useful code fragments Chain gadgets and functions together Trigger execution of the gadget chain Defenses: Randomize memory segments saved RBP array[] ASLR libraries int?????????????? execv(..).text 4881C791121?????????? C7C0????????????? 595AC3 c60001?????? EC5DC3?????? pop rcx pop movb rdx [rax],1 ret Fine-grained code randomization 5
6 JIT-ROP [S&P 13] Leak and collect code pointers JS Memory Map G1 GN Stack Read code pages to find gadgets and function pointers GN: execv(..) Libraries Chain gadgets and functions together & Heap Trigger execution of the gadget chain G1: pop rdi; ret Executable 6
7 Execute-no-Read (XnR) Schemes Memory Map Mark code pages non-readable [CCS 14, S&P 15, CCS 15, CODASPY 15, NDSS 16] JS G1 GN Stack Randomize code GN: execv(..) Libraries Hide code pointers & Heap G1: pop rdi; ret Executable 7
8 JIT code reuse without reading code?! 8
9 JIT Spraying [WOOT 10] Create JS functions containing operations on immediate values Trigger JIT-compilation of created functions JavaScript function f(){ x=0x3c909090& 0x3C909090& 0x3C909090; } JIT Compile unaligned x86 mov eax,0x3c and eax,0x3c and eax,0x3c and eax,0x3c Divert the CF in the middle of one of the constants nop, nop, nop cmp al, 0x25 nop, nop, nop cmp al, 0x25 Unaligned Jump 9
10 Defenses in Browsers Constant Blinding (IE + Chrome) Store constant XORed with a random key to a register XOR the register again with the key mov eax,0x3c mov eax,0x f xor eax,0x1981f6af 0x3C NOP Insertion (IE) Randomly add random number of NOP instructions mov eax,0x3c and eax,0x3c mov eax,0x3c lea esp,[esp] and eax,0x3c Only large constants (>2B) are blinded 10
11 2B Gadgets The Devil is in the Constants [NDSS 15] JavaScript x86 Encode OPs in 2B unblinded constants function r8(a){ return a+0x5841; } JIT Compile add eax, 0x5841 <epilogue> ret Use intended return instruction from JIT-compiled code x86 Find and use emitted gadgets Limitations: pop r8 <epilogue> ret Requires readable code to find gadgets Aligned return instruction 11
12 Gadgets via Control Flow Instructions 12
13 Emitting Gadgets via Control Flow Instructions Displacement: Encodes the offset from a base address, e.g., from rax or rip Used in: Instructions accessing the memory: mov rax, [rbx+0x ] ; read memory at rbx+0x Control flow instructions (implicit base address is rip) : jz 0x ; jump at address rip+0x if zero flag is set call 0x ; call the function at address rip+0x DITC, JIT-Spraying Prefixes Opcode ModR/M SIB Displacement Immediate 1B 1-3B 1B 1B 1,2,4,8 B 1,2,4,8 B Constant Blinding We will use JavaScript statements that are compiled to conditional jumps and direct calls to emit gadgets 13
14 Conditional Jumps in JS JavaScript if statement: Emits conditional jumps after compilation Displacement field denotes the size of the compiled if body Change the size of if body changes the value in the displacement field JavaScript function f(c){ if(c) { //Statements //Compiled //Size=Gadget } return; } JIT Compile x86 test eax, eax jz 0x ; Compiled ; If Body ; Size=gadget <epilogue> ret Size=Gadget Alternatives to if statement: while/for/switch/break The size of the compiled if statement's body determines emitted Gadget 14
15 Direct Calls in JS Direct calls in JS: Displacement: the distance between the caller and the callee Create a large JS function: Use i=i+j (16B) 0x100`000 times Emitted values [0x000005, 0xFFFFF5] Prepend the function with i=1 (8B) to change 5 into 13 (0xD) JS function f(){ var i, j; i=i+j; i=1; // 8B i=i+j; /* i=i+j 0x100`000 /* i=i+j Times 0x100`000 */ Times */ i=i+j; return; i=i+j; } return; } JIT Compile x86 call ;8B 0x from i=1 call 0x D call 0x54C3fff5 call 0x54C3FFFD call 0x54C380C5 call 0x54C380CD call 0x54C30005 call 0x54C3000D call 0x call 0x D 0x1`000`000 Find callee/caller address: Compiler s heap Return address from stack JS objects (e.g., from Math.random) Goal: Created Calls: call 0x54C380CD call 0x54XXXXX5 0x54XXXXXD 15
16 Applying Concepts to Modern Browsers 16
17 Gadgets in Chrome 51 (64-bit) Direct calls (syscall, pop rcx, pop rdx): Align LSHB of displacements to 0xd Emit direct calls (j++ 0x80`000 times) pop r8; ret pop r9; ret pop rcx; ret pop rdx; ret int 0x80; ret Conditional jumps (pop r8, pop r9): Stack two if statements (for pop r8 and pop r9) Fill the inner (pop r8) with 0xc35841 bytes Add additional 0xed bytes to the outer if body +0x13 bytes from if statement=0x100 Goal: Gadget generation time 1.3 seconds 4158c3 4159c3 59c3 5ac3 cd80c3 JS function syscall(){ var j=0; // align displacements // LSHB to 0xd j++;j++;j++;j++; // j++ 0x80`000 times } function popr8r9(r8,r9){ var i=0, j=0; if(r9){ // j=0x times // => 0xbd j++;j=i;j=i; // => 0xed if(r8){ // => 0x100 // j=0x times // => 0x1641 // j++ 399`888 times // => 0xC35841 } // => 0xC35941 } } 17
18 Limitations in Internet Explorer Challenges in IE: 1. Limited JIT-compiled function size Maximum function size 1MB No 3B displacements in conditional jumps No huge functions with direct calls 2. NOP insertion Non-predictable offsets inside the function Steps to make direct calls work: 1. Get code page at the correct distance from the callee 2. Fill the page with gadget emitting functions 3. Emit the direct call at the correct address, or recompile 18
19 Allocating Code Page at a Correct Distance IE code-page size is 0x20`000 bytes Memory Map Fn3 Fn4 Compile 200 JavaScript functions of size 0x10`000 bytes each to allocate 100 code pages 0x9BC3BC00 Fn199 Fn200 0x1234BC00 Choose the code page at the correct distance 0x5678BC00 Math.random Fn7 Fn8 0x0ABCBC00 Fn1 Fn2 19
20 Gadgets in IE Emitting Gadgets (1) Deallocate the function (2) Fill the code page up to the correct distance from the callee 0x9BC3BC00 Fn3 Fn4 Math.random (1) Math.random (2) f1 f2 f3 Math.random 0x9BC38C00 (3) Compile gadget-emitting JS function (4) Check if the direct call was emitted at the correct place (5) If yes, then gadget is found, else deallocate the function and goto (3) f1 f2 f3 Math.random (5:N) Check Math.random address Found (5:Y) (4) (3) f1 f2 f3 call 0x9BC380CX Math.random 0x9BC380CX 20
21 Gadgets in IE 11 (32-bit) popa; ret Goal: int 0x80; ret Direct calls (syscall, popa): Use i=math.random() 250 times ( 0x1`000 bytes ) Check the address of emitted direct call 61c3 cd80c3 JS function syscall(){ var j=0; i=math.random(); //i=math.random(); 240x check(math.random()); //i=math.random(); 10x } Emitting gadgets: (1) Find and fill up the correct code page ( 4 seconds) (2) Compile syscall and popa at correct places ( 4 seconds) (3) Recompile syscall until the gadget is emitted ( 2 seconds) function popa(){ var j=0; i=math.random(); //i=math.random(); 232x check(math.random()); //i=math.random(); 18x } Average gadget generation time 32 seconds 21
22 Gadgets in Browsers Conditional jumps + Work in Chrome and Firefox - Only upto 2B gadgets possible in IE Conditional Jumps Direct Calls Direct calls + Work in Chrome and IE - Do not work in Firefox 22
23 Removing the Gadgets 23
24 Defense Direct Calls For each direct call: 0x00: call ADDRESS (1) 0x00: mov r10,absolute_address 0x0a: call r10 (1) If the address of the callee is known, replace the call with the indirect call (2) If the address is not known: (a) (b) convert the direct call into the indirect one blind the emitted relative address (2.a) 0x00: lea r10,[rip+address] 0x07: call r10 (2.b) 0x00: lea r10,[rip+(address& KEY)] 0x07: lea r10,[r10+(address&~key)] 0x0e: call r10 24
25 Defense Conditional Jumps For each conditional jump: (1) Convert a direct (relative) jump into an indirect one 0x00: jz ADDRESS 0x06: <if_body> XXXX: <else> (1) 0x00: NOP ; 2-byte NOP 0x02: lea r10,[rip+(address& KEY)] 0x09: lea r10,[r10+(address&~key)] 0x10: jmp r10 0x13: <if_body> YYYY: <else> (2) Add the inverted conditional jump to jump into <if_body> (2) 0x00: jnz 0x11 0x02: lea r10,[rip+(address& KEY)] 0x09: lea r10,[r10+(address&~key)] 0x10: jmp r10 0x13: <if_body> YYYY: <else> 25
26 Defense Overhead Cost of the defense in V8: V8 s JS Benchmark Suite: 2% performance overhead on average Microbenchmarks: 14% and 10% overhead on average V8 s JS Benchmark Suite (Code-size): 26% overhead (1,123 kb 1,411 kb) Original Modified Overhead Richards 36,263 35, % DeltaBlue 63,641 62, % Crypto 33,366 32, % RayTrace 77,198 75, % EarleyBoyer 44,900 43, % RegExp 6,525 6, % Splay 21,095 20, % NavierStokes 31,924 31, % Total 32,255 31, % 26
27 Summary Displacement fields of x86 instructions can be used to inject arbitrary 3 byte values in JIT-compiled code Predictable code output from JIT compilers allows adversaries to generate and reuse gadgets without reading the code Gadgets in displacements fields can be removed by converting direct jumps/calls into indirect ones Thank you! 27
Dachshund. Digging for and Securing Against (Non-)Blinded Constants in JIT Code
Dachshund Digging for and Securing Against (Non-)Blinded Constants in JIT Code Giorgi Maisuradze, Michael Backes, Chris;an Rossow CISPA, Saarland University, Germany NDSS Symposium 2017 Overview Code reuse
More informationWhat Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses Giorgi Maisuradze, Michael Backes, and Christian Rossow, Saarland University https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/maisuradze
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationRemix: On-demand Live Randomization
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University* Background Buffer Overflow -> Code Injection Attack Background Buffer Overflow
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationVirtual Machine Tutorial
Virtual Machine Tutorial CSA2201 Compiler Techniques Gordon Mangion Virtual Machine A software implementation of a computing environment in which an operating system or program can be installed and run.
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values
More informationDachshund: Digging for and Securing Against (Non-)Blinded Constants in JIT Code
Dachshund: Digging for and Securing Against (Non-)Blinded Constants in JIT Code Giorgi Maisuradze CISPA, Saarland University Saarland Informatics Campus giorgi.maisuradze@cispa.saarland Michael Backes
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationAssembly Language Programming 64-bit environments
Assembly Language Programming 64-bit environments October 17, 2017 Some recent history Intel together with HP start to work on 64-bit processor using VLIW technology. Itanium processor is born with the
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86
More informationCSE 351 Midterm - Winter 2015 Solutions
CSE 351 Midterm - Winter 2015 Solutions February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 12
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 12 CS24 MIDTERM Midterm format: 6 hour overall time limit, multiple sittings (If you are focused on midterm, clock should be running.) Open book
More informationLab 3. The Art of Assembly Language (II)
Lab. The Art of Assembly Language (II) Dan Bruce, David Clark and Héctor D. Menéndez Department of Computer Science University College London October 2, 2017 License Creative Commons Share Alike Modified
More information143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017
143A: Principles of Operating Systems Lecture 5: Calling conventions Anton Burtsev January, 2017 Stack and procedure calls Stack Main purpose: Store the return address for the current procedure Caller
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationCSE 351 Midterm - Winter 2015
CSE 351 Midterm - Winter 2015 February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove
More informationRISC I from Berkeley. 44k Transistors 1Mhz 77mm^2
The Case for RISC RISC I from Berkeley 44k Transistors 1Mhz 77mm^2 2 MIPS: A Classic RISC ISA Instructions 4 bytes (32 bits) 4-byte aligned Instructions operate on memory and registers Memory Data types
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationControl-flow Enforcement Technology H.J. Lu. Intel November, 2018
Control-flow Enforcement Technology H.J. Lu Intel November, 2018 Introduction Control-flow Enforcement Technology (CET) An upcoming Intel processor family feature that blocks return/jumporiented programming
More informationCSCI 2021: x86-64 Control Flow
CSCI 2021: x86-64 Control Flow Chris Kauffman Last Updated: Mon Mar 11 11:54:06 CDT 2019 1 Logistics Reading Bryant/O Hallaron Ch 3.6: Control Flow Ch 3.7: Procedure calls Goals Jumps and Control flow
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationProcedures and the Call Stack
Procedures and the Call Stack Topics Procedures Call stack Procedure/stack instructions Calling conventions Register-saving conventions Why Procedures? Why functions? Why methods? int contains_char(char*
More informationLecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
More informationBasics. Crash Dump Analysis 2015/2016. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics.
Basics http://d3s.mff.cuni.cz Crash Dump Analysis 2015/2016 CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Processors Basic functionality of processors Execute machine code Sequence of
More informationHideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities
HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities Jason Gionta, William Enck, Peng Ning 1 JIT-ROP 2 Two Attack Categories Injection Attacks Code Integrity Data
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationKasper Lund, Software engineer at Google. Crankshaft. Turbocharging the next generation of web applications
Kasper Lund, Software engineer at Google Crankshaft Turbocharging the next generation of web applications Overview Why did we introduce Crankshaft? Deciding when and what to optimize Type feedback and
More informationCS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor
CS 261 Fall 2018 0000000100000f50 55 48 89 e5 48 83 ec 10 48 8d 3d 3b 00 00 00 c7 0000000100000f60 45 fc 00 00 00 00 b0 00 e8 0d 00 00 00 31 c9 89 0000000100000f70 45 f8 89 c8 48 83 c4 10 5d c3 Mike Lam,
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationMachine-Level Programming (2)
Machine-Level Programming (2) Yanqiao ZHU Introduction to Computer Systems Project Future (Fall 2017) Google Camp, Tongji University Outline Control Condition Codes Conditional Branches and Conditional
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More information143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017
143A: Principles of Operating Systems Lecture 4: Calling conventions Anton Burtsev October, 2017 Recap from last time Stack and procedure calls What is stack? Stack It's just a region of memory Pointed
More informationAssembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly III: Procedures Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Mechanisms in Procedures Passing control To beginning of procedure code
More informationMidterm 1 topics (in one slide) Bits and bitwise operations. Outline. Unsigned and signed integers. Floating point numbers. Number representation
Midterm 1 topics (in one slide) CSci 2021: Review Lecture 1 Stephen McCamant University of Minnesota, Computer Science & Engineering Number representation Bits and bitwise operators Unsigned and signed
More informationIntel x86-64 and Y86-64 Instruction Set Architecture
CSE 2421: Systems I Low-Level Programming and Computer Organization Intel x86-64 and Y86-64 Instruction Set Architecture Presentation J Read/Study: Bryant 3.1 3.5, 4.1 Gojko Babić 03-07-2018 Intel x86
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationPrinceton University Computer Science 217: Introduction to Programming Systems. Assembly Language: Function Calls
Princeton University Computer Science 217: Introduction to Programming Systems Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems x86-64 solutions Pertinent
More informationComputer Systems C S Cynthia Lee
Computer Systems C S 1 0 7 Cynthia Lee 2 Today s Topics LECTURE: More assembly code! NEXT TIME: More control flow Some misc. instructions you might see in your assign5 binary bomb Details of function call
More informationReview addressing modes
Review addressing modes Op Src Dst Comments movl $0, %rax Register movl $0, 0x605428 Direct address movl $0, (%rcx) Indirect address movl $0, 20(%rsp) Indirect with displacement movl $0, -8(%rdi, %rax,
More informationFunctions. Ray Seyfarth. August 4, Bit Intel Assembly Language c 2011 Ray Seyfarth
Functions Ray Seyfarth August 4, 2011 Functions We will write C compatible function C++ can also call C functions using extern "C" {...} It is generally not sensible to write complete assembly programs
More informationUndermining Information Hiding (And What to do About it)
Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating
More informationMachine Program: Procedure. Zhaoguo Wang
Machine Program: Procedure Zhaoguo Wang Requirements of procedure calls? P() { y = Q(x); y++; 1. Passing control int Q(int i) { int t, z; return z; Requirements of procedure calls? P() { y = Q(x); y++;
More information6.035 Project 3: Unoptimized Code Generation. Jason Ansel MIT - CSAIL
6.035 Project 3: Unoptimized Code Generation Jason Ansel MIT - CSAIL Quiz Monday 50 minute quiz Monday Covers everything up to yesterdays lecture Lexical Analysis (REs, DFAs, NFAs) Syntax Analysis (CFGs,
More informationComputer Architecture I: Outline and Instruction Set Architecture. CENG331 - Computer Organization. Murat Manguoglu
Computer Architecture I: Outline and Instruction Set Architecture CENG331 - Computer Organization Murat Manguoglu Adapted from slides of the textbook: http://csapp.cs.cmu.edu/ Outline Background Instruction
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 5
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2017 Lecture 5 LAST TIME Began exploring x86-64 instruction set architecture 16 general-purpose registers Also: All registers are 64 bits wide rax-rdx are
More informationComputer Systems C S Cynthia Lee
Computer Systems C S 1 0 7 Cynthia Lee 2 Today s Topics Function call and return in x86-64 Registers Call stack NEXT TIME: NEW topic: the build process Taking a look at each step of the process Preprocessor,
More informationCSE 401/M501 Compilers
CSE 401/M501 Compilers x86-64 Lite for Compiler Writers A quick (a) introduction or (b) review [pick one] Hal Perkins Autumn 2018 UW CSE 401/M501 Autumn 2018 J-1 Administrivia HW3 due tonight At most 1
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationx86-64 Programming II
x86-64 Programming II CSE 351 Winter 2018 Instructor: Mark Wyse Teaching Assistants: Kevin Bi Parker DeWilde Emily Furst Sarah House Waylon Huang Vinny Palaniappan http://xkcd.com/409/ Administrative Homework
More informationMachine Programming 3: Procedures
Machine Programming 3: Procedures CS61, Lecture 5 Prof. Stephen Chong September 15, 2011 Announcements Assignment 2 (Binary bomb) due next week If you haven t yet please create a VM to make sure the infrastructure
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems x86-64 solutions Pertinent instructions and conventions 2 Function Call Problems (1) Calling and returning
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More informationFrom Assembly to JavaScript and Back
From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore About me IT Security since 2010 PostDoc Systems Security Group @ Horst Görtz Institute / Ruhr-University
More informationCSE 351 Midterm - Winter 2017
CSE 351 Midterm - Winter 2017 February 08, 2017 Please read through the entire examination first, and make sure you write your name and NetID on all pages! We designed this exam so that it can be completed
More informationCS 261 Fall Mike Lam, Professor. x86-64 Control Flow
CS 261 Fall 2016 Mike Lam, Professor x86-64 Control Flow Topics Condition codes Jumps Conditional moves Jump tables Motivation Can we translate the following C function to assembly, using only data movement
More informationCS429: Computer Organization and Architecture
CS429: Computer Organization and Architecture Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: February 28, 2018 at 06:32 CS429 Slideset 9: 1 Mechanisms in Procedures
More informationThe Stack & Procedures
The Stack & Procedures CSE 351 Spring 2017 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis Administrivia Homework 2 due
More informationUniversity of Washington
Roadmap C: car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Assembly language: Machine code: Computer system: get_mpg: pushq %rbp movq %rsp, %rbp... popq %rbp
More information238P: Operating Systems. Lecture 3: Calling conventions. Anton Burtsev October, 2018
238P: Operating Systems Lecture 3: Calling conventions Anton Burtsev October, 2018 What does CPU do internally? (Remember Lecture 01 - Introduction?) CPU execution loop CPU repeatedly reads instructions
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationRuntime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include
2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationLecture 3 CIS 341: COMPILERS
Lecture 3 CIS 341: COMPILERS HW01: Hellocaml! Announcements is due tomorrow tonight at 11:59:59pm. HW02: X86lite Will be available soon look for an announcement on Piazza Pair-programming project Simulator
More informationWhere We Are. Optimizations. Assembly code. generation. Lexical, Syntax, and Semantic Analysis IR Generation. Low-level IR code.
Where We Are Source code if (b == 0) a = b; Low-level IR code Optimized Low-level IR code Assembly code cmp $0,%rcx cmovz %rax,%rdx Lexical, Syntax, and Semantic Analysis IR Generation Optimizations Assembly
More informationShuffler: Fast and Deployable Continuous Code Re-Randomization
Shuffler: Fast and Deployable Continuous Code Re-Randomization David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis,
More informationx86 Programming II CSE 351 Winter
x86 Programming II CSE 351 Winter 2017 http://xkcd.com/1652/ Administrivia 2 Address Computation Instruction v leaq src, dst lea stands for load effective address src is address expression (any of the
More informationAssembly Programming IV
Assembly Programming IV CSE 351 Spring 2017 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis 1 Administrivia Homework 2 due
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationAreas for growth: I love feedback
Assembly part 2 1 Areas for growth: I love feedback Speed, I will go slower. Clarity. I will take time to explain everything on the slides. Feedback. I give more Kahoot questions and explain each answer.
More informationMIPS Procedure Calls. Lecture 6 CS301
MIPS Procedure Calls Lecture 6 CS301 Function Call Steps Place parameters in accessible location Transfer control to function Acquire storage for procedure variables Perform calculations in function Place
More informationBack To The Epilogue
Back To The Epilogue How to Evade Windows' Control Flow Guard with Less than 16 Bytes Andrea Biondo * Prof. Mauro Conti Daniele Lain * SPRITZ Group University of Padua, IT GOALS - Return to function epilogue
More informationProcessor state. Information about currently executing program. %rax, %rdi, ... %r14 %r15. %rsp. %rip CF ZF SF OF. Temporary data
Processor state Information about currently executing program Temporary data %rax, %rdi, current parameters, local variables Location of runtime stack %rsp Location of current instruction %rip Status of
More informationIA-32 & AMD64. Crash Dump Analysis 2015/2016. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics.
IA-32 & AMD64 http://d3s.mff.cuni.cz Crash Dump Analysis 2015/2016 CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics IA-32 Overview 32bit CISC architecture Starts with 80386 Also known as
More informationCS Bootcamp x86-64 Autumn 2015
The x86-64 instruction set architecture (ISA) is used by most laptop and desktop processors. We will be embedding assembly into some of our C++ code to explore programming in assembly language. Depending
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationSystem Software Assignment 1 Runtime Support for Procedures
System Software Assignment 1 Runtime Support for Procedures Exercise 1: Nested procedures Some programming languages like Oberon and Pascal support nested procedures. 1. Find a run-time structure for such
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationComputer Organization: A Programmer's Perspective
A Programmer's Perspective Instruction Set Architecture Gal A. Kaminka galk@cs.biu.ac.il Outline: CPU Design Background Instruction sets Logic design Sequential Implementation A simple, but not very fast
More informationThe Stack & Procedures
The Stack & Procedures CSE 351 Autumn 2017 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan http://xkcd.com/648/
More informationLecture V Toy Hardware and Operating System
2. THE Machine Lecture V Page 1 Lecture V Toy Hardware and Operating System 1. Introduction For use in our OS projects, we introduce THE Machine where THE is an acronym 1 for Toy HardwarE. We also introduce
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationAssembly II: Control Flow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly II: Control Flow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Processor State (x86-64) RAX 63 31 EAX 0 RBX EBX RCX RDX ECX EDX General-purpose
More informationSigned/Unsigned Integer Arithmetic in C. Vineel Kovvuri
Signed/Unsigned Integer Arithmetic in C Vineel Kovvuri http://vineelkovvuri.com Contents 1 Introduction 2 2 How signed-ness is represented in the hardware? 2 3 How signed-ness is interpreted in assembly?
More informationCS356: Discussion #15 Review for Final Exam. Marco Paolieri Illustrations from CS:APP3e textbook
CS356: Discussion #15 Review for Final Exam Marco Paolieri (paolieri@usc.edu) Illustrations from CS:APP3e textbook Processor Organization Pipeline: Computing Throughput and Delay n 1 2 3 4 5 6 clock (ps)
More informationCS 480 Fall Runtime Environments. Mike Lam, Professor. (a.k.a. procedure calls and heap management)
CS 480 Fall 2015 Mike Lam, Professor Runtime Environments (a.k.a. procedure calls and heap management) Subprograms General characteristics Single entry point Caller is suspended while subprogram is executing
More informationAssembly Programming III
Assembly Programming III CSE 410 Winter 2017 Instructor: Justin Hsia Teaching Assistants: Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui Facebook Stories puts a Snapchat clone above the News
More informationMetacircular Virtual Machine Layering for Run-Time Instrumentation. Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.
Metacircular Virtual Machine Layering for Run-Time Instrumentation Erick Lavoie, Bruno Dufour, Marc Feeley Université de Montréal ericklavoie.com 1 Motivation 2 2 Context Program comprehension Benchmark
More information