CS642: Computer Security

Similar documents
X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Assembly Language: Function Calls" Goals of this Lecture"

x86 assembly CS449 Fall 2017

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS241 Computer Organization Spring 2015 IA

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CPEG421/621 Tutorial

Program Exploitation Intro

Process Layout and Function Calls

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

x86 Assembly Tutorial COS 318: Fall 2017

Credits and Disclaimers

Access. Young W. Lim Sat. Young W. Lim Access Sat 1 / 19

Instruction Set Architectures

Machine Programming 3: Procedures

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Access. Young W. Lim Fri. Young W. Lim Access Fri 1 / 18

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

x86 architecture et similia

The x86 Architecture

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Instruction Set Architectures

Compiler Construction D7011E

Assembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

W4118: PC Hardware and x86. Junfeng Yang

CSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

X86 Stack Calling Function POV

Assembly Language: IA-32 Instructions

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Instruction Set Architecture

Homework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Intel assembly language using gcc

Machine Programming 2: Control flow

x86 assembly CS449 Spring 2016

Intro to GNU Assembly Language on Intel Processors

Reverse Engineering II: The Basics

CS241 Computer Organization Spring Introduction to Assembly

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only

CSE 351: Week 4. Tom Bergan, TA

Credits and Disclaimers

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

How Software Executes

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

CSC 8400: Computer Systems. Machine-Level Representation of Programs

Module 3 Instruction Set Architecture (ISA)

System calls and assembler

U23 - Binary Exploitation

Introduction to IA-32. Jo, Heeseung

Lab 10: Introduction to x86 Assembly

INTRODUCTION TO IA-32. Jo, Heeseung

Machine-level Programming (3)

Instruction Set Architecture

Instruction Set Architecture

MACHINE-LEVEL PROGRAMMING I: BASICS

The Hardware/Software Interface CSE351 Spring 2013

This is a medical robot, guided by a skilled surgeon and designed to get to places doctors are unable to reach without opening a pacent up.

CPS104 Recitation: Assembly Programming

Software. Hardware. x86 basics. ISA View. a brief history of x86 10/6/15. Program, Application. Programming Language. Compiler/Interpreter

Function Call Convention

Machine Program: Procedure. Zhaoguo Wang

The von Neumann Machine

Practical Malware Analysis

CS61 Section Solutions 3

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

ASSEMBLY III: PROCEDURES. Jo, Heeseung

CPSC W Term 2 Problem Set #3 - Solution

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer Overflow Attack

Assembly III: Procedures. Jo, Heeseung

MODE (mod) FIELD CODES. mod MEMORY MODE: 8-BIT DISPLACEMENT MEMORY MODE: 16- OR 32- BIT DISPLACEMENT REGISTER MODE

CS429: Computer Organization and Architecture

CS213. Machine-Level Programming III: Procedures

Implementing Threads. Operating Systems In Depth II 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

CMSC 313 Lecture 12 [draft] How C functions pass parameters

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Instruction Set Architecture

CISC 360 Instruction Set Architecture

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

ANITA S SUPER AWESOME RECITATION SLIDES

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Today: Machine Programming I: Basics

x86 Assembly Crash Course Don Porter

Transcription:

X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu

From Last Week ACL- based permissions (UNIX style) Read, Write, execute can be restricted on users and groups Processes (usually) run with the permissions of the invoking user Example: passwd write /etc/shadow RUID: rist EUID: root

Processes are the front line of system security Control a process and you get the privileges of its UID So how do you control a process? Send specially formed input to process input passwd write /etc/shadow RUID: rist EUID: root

Roadmap Today Enough x86 to understand (some) process vulnerabiliues Next Time Live demo of an avack How such avacks occur

Why do we need to look at assembly? WYSINWYX: What you see is not what you execute [Balakrishnan and Reps TOPLAS 2010] VulnerabiliUes exploited in this form We understand code in this form int foo(){ int a = 0; return a + 7; } Compiler pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -4(%ebp) movl -4(%ebp), %eax addl $7, %eax leave ret

x86: Popular but crazy CISC (complex instrucuon set compuung) Over 100 disunct opcodes in the set Register poor Only 8 registers of 32- bits, only 6 are general- purpose Variable- length instrucuons Built of many backwards- compauble revisions Many security problems preventable in hindsight

A LiVle History Intel avempts to trademark the number 486, gets denied 1978 1982 1985 1989 1993 1995 2003 5 Science- y?

Process memory layout.text.data.bss heap unused stack Env Low memory addresses Grows upward Grows downward High memory addresses.text Machine code of executable.data Global iniualized variables.bss Below Stack SecUon global uniniualized heap Dynamic variables stack Local variables FuncUon call data Env Environment variables Program arguments

Registers 32 bits EAX AX AH AL EBX BX BH BL ECX CX CH CL EDX DX DH DL ESI EDI ESP (stack pointer) EBP (base pointer)

InstrucUon Syntax Examples: subl $16, %ebx movl (%eax), %ebx InstrucUon ends with data length opcode, src, dst Constants preceded by $ Registers preceded by % IndirecUon uses ( )

Register InstrucUons: sub registers memory %eax 7 subl %eax, %ebx %ebx 9 7 Subtract from a register value

The Stack Local storage Good place to keep data that doesn t fit into registers Grows from high addresses towards low addreses

Frame InstrucUons: push registers %eax 7 %ebp M %esp N Put a value on the stack memory pushl %eax Frame Pull from register Value goes to %esp Subtract from %esp registers %eax 7 %ebp M %esp N- 4 Example: pushl %eax memory 7 Frame

Frame InstrucUons: pop registers %eax 9 %ebp M %esp N Take a value from the stack memory popl %eax 7 Frame Pull from stack pointer Value goes from %esp Add to %esp registers %eax 7 %ebp M %esp N+4 memory Frame

Control flow instrucuons: jmp registers memory %eip jmp - 20 K %ebp M %esp Frame N %eip points to the currently execuung instrucuon (in the text secuon) Has uncondiuonal and condiuonal forms registers %eip K- 20 %ebp M %esp N Uses relauve addressing memory Frame

Control flow instrucuons: call registers memory %eip K A: call FOO %ebp M %esp Frame N Saves the current instrucuon pointer to the stack Jumps to the argument value registers %eip FOO %ebp M %esp N- 4 memory FOO: (1 st of foo) A Frame

Control flow instrucuons: ret registers memory %eip K: ret K %ebp M %esp N A Frame Pops the stack into the instrucuon pointer registers %eip A %ebp M %esp N+4 memory A: (caller instr) Frame

Stack instrucuons: leave registers memory %ebp M %esp N leave A Stack Equivalent to movl %ebp, %esp popl %ebp registers %ebp A %esp M memory Stack

ImplemenUng a funcuon call %eax 10 1 esp esp esp esp esp (main) (foo) 3 main ebp main eip+2 1 2 Stack data ebp ebp main: eip subl eip movl eip movl eip call eip addl $8, %esp $2, 4(%esp) $l, (%esp) foo $8, %esp foo: eip pushl eip movl eip subl eip movl eip movl eip addl eip leave eip ret %ebp %esp, %ebp $16, %esp $3, - 4(%ebp) 8(%ebp), %eax $9, %eax

FuncUon Calls: High level points Locals are organized into stack frames Callees exist at lower address than the caller On call: Save %eip so you can restore control Save %ebp so you can restore data ImplementaUon details are largely by convenuon Somewhat codified by hardware

Data types / Endianness x86 is a livle- endian architecture pushl %eax esp esp %eax 0xdeadbeef 0xef 0xbe 0xad 0xde 4 bytes 1 1 1 1

esp Arrays (bar).text HEAP.data D 0x44 r 0x72 e 0x65 w 0x77 \0 0x00 caller ebp caller eip+2 &in ebp void bar(char * in){ char name[5]; strcpy(name, in); } bar: pushl %ebp movl %esp, %ebp subl $5, %esp movl 8(%ebp), %eax movl %eax, 4(%esp) leal - 5(%ebp), %eax movl %eax, (%esp) call strcpy leave ret

Next Time ExploiUng buffer overflows

Tools: GCC gcc O0 S program.c o program.s m32 gcc O0 g program.c o program m32

Tools: GDB gdb program (gdb) run (gdb) decompile foo (gdb) quit

Tools: objdump objdump Dwrt program

od x program Tools: od

Summary Basics of x86 Process layout ISA details Most of the instrucuons that you ll need Introduced the concept of a buffer overflow Some tools to play around with x86 assembly

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback