Lecture 4 Processes. Dynamic Analysis. GDB

Similar documents
Lecture 2 Assembly Language

Outline. Outline. Common Linux tools to explore object/executable files. Revealing Internals of Loader. Zhiqiang Lin

Systems Programming. Fatih Kesgin &Yusuf Yaslan Istanbul Technical University Computer Engineering Department 18/10/2005

Making things work as expected

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Lecture 10 Code Reuse

Debug for GDB Users. Action Description Debug GDB $debug <program> <args> >create <program> <args>

CS5460/6460: Operating Systems. Lecture 21: Shared libraries. Anton Burtsev March, 2014

CS 270 Systems Programming. Debugging Tools. CS 270: Systems Programming. Instructor: Raphael Finkel

Reviewing gcc, make, gdb, and Linux Editors 1

Reverse Engineering Malware Dynamic Analysis of Binary Malware II

ECE 471 Embedded Systems Lecture 4

CSE 351. GDB Introduction

Infecting the Embedded Supply Chain

Fixing/Making Holes in Binaries

Profilers and Debuggers. Introductory Material. One-Slide Summary

U Reverse Engineering

Runtime Process Insemination

A tale of ELFs and DWARFs

Outline. Unresolved references

(Extract from the slides by Terrance E. Boult

ECE 498 Linux Assembly Language Lecture 1

18-600: Recitation #3

July 14, EPITA Systems/Security Laboratory (LSE) Code sandboxing. Alpha Abdoulaye - Pierre Marsais. Introduction. Solutions.

W4118: interrupt and system call. Junfeng Yang

ECE 471 Embedded Systems Lecture 5

21. This is a screenshot of the Android Studio Debugger. It shows the current thread and the object tree for a certain variable.

Embedded Systems Programming

Exercise Session 6 Computer Architecture and Systems Programming

Offensive Security My First Buffer Overflow: Tutorial

Source level debugging. October 18, 2016

Protecting Against Unexpected System Calls

Introducing LLDB for Linux on Arm and AArch64. Omair Javaid

Language Translation. Compilation vs. interpretation. Compilation diagram. Step 1: compile. Step 2: run. compiler. Compiled program. program.

Lab6 GDB debugging. Conventions. Department of Computer Science and Information Engineering National Taiwan University

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Systems software design. Software build configurations; Debugging, profiling & Quality Assurance tools

COS 318: Operating Systems. Overview. Andy Bavier Computer Science Department Princeton University

Section 1: Tools. Contents CS162. January 19, Make More details about Make Git Commands to know... 3

Assembly Language Programming Linkers

ECE 598 Advanced Operating Systems Lecture 10

CSE 374 Programming Concepts & Tools. Brandon Myers Winter 2015 Lecture 11 gdb and Debugging (Thanks to Hal Perkins)

Università Ca Foscari Venezia

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

COS 318: Operating Systems

Process Environment. Pradipta De

Interrupts & System Calls

System Debug. This material exempt per Department of Commerce license exception TSU Xilinx, Inc. All Rights Reserved

Using the Debugger. Michael Jantz Dr. Prasad Kulkarni

Data and File Structures Laboratory

CS2141 Software Development using C/C++ Debugging

Programs. Function main. C Refresher. CSCI 4061 Introduction to Operating Systems

Using a debugger. Segmentation fault? GDB to the rescue!

Project 4: Application Security

Scalable Post-Mortem Debugging Abel Mathew. CEO -

Malware

A recompilation and instrumentation-free monitoring architecture for detecting heap memory errors and exploits

Assembly Language Programming Debugging programs

Vulnerability Analysis I:

Today s Big Adventure

CS3210: Tutorial Session 2. Kyuhong Park-- edited by Kyle Harrigan

CptS 360 (System Programming) Unit 4: Debugging

Today s Big Adventure

Debugging and Profiling

Advances in Linux process forensics with ECFS

In-Memory Fuzzing in JAVA

Secure Systems Engineering

Mitchell Adair January, 2014

COS 318: Operating Systems. Overview. Prof. Margaret Martonosi Computer Science Department Princeton University

Know your Unknowns. Techniques for analyzing unknown software. (and dynamic reversing in general)

Binary Analysis and Reverse Engineering

What's New in CDT 7.0? dominique dot toupin at ericsson dot com

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Debugging with GDB and DDT

CSE 374 Programming Concepts & Tools

Application Note: AN00193 Getting Started with Debugging in xtimecomposer

Operating Systems CMPSC 473. Process Management January 29, Lecture 4 Instructor: Trent Jaeger

T Jarkko Turkulainen, F-Secure Corporation

Using gdb to find the point of failure

Kent Academic Repository

Problem Set 1: Unix Commands 1

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

2012 LLVM Euro - Michael Spencer. lld. Friday, April 13, The LLVM Linker

Project 4: Application Security

Use Dynamic Analysis Tools on Linux

OS lpr. www. nfsd gcc emacs ls 1/27/09. Process Management. CS 537 Lecture 3: Processes. Example OS in operation. Why Processes? Simplicity + Speed

a translator to convert your AST representation to a TAC intermediate representation; and

CS140 - Summer Handout #8

CSE 124 Discussion (10/3) C/C++ Basics

Class Information ANNOUCEMENTS

The Process Model (1)

CSC 2400: Computer Systems. Using the Stack for Function Calls

CSc 466/566 Computer Security

CSE 361S Intro to Systems Software Lab Assignment #4

CS241 Computer Organization Spring Data Alignment

The X86 Assembly Language Instruction Nop Means

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Introduction. Overview and Getting Started. CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

Confinement (Running Untrusted Programs)

Transcription:

Lecture 4 Processes. Dynamic Analysis. GDB Computer and Network Security 23th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 1/45

Engineering Reminder: Static Analysis, Binary Inspection, Reverse static analysis may be done on source code or machine code for reversing or for profiling or for code validation (e.g. Coverity Scan, lint) binary inspection look into binary files (executables or other) forensics, understanding the internals, reversing reverse engineering reverse the binary representation (file, protocol) to its original format understanding, reimplementing or exploiting CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 2/45

Outline Dynamic Analysis Tools for Dynamic Analysis GDB Dynamic Linking and Loading CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 3/45

Dynamic Analysis starts from executable files investigate processes requires process to run runtime analysis blackbox analysis CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 4/45

Processes unit of work in the operating system virtual memory address space, threads, resources isolated from each other at load time the executable gives birth to a process CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 5/45

Process Memory Layout http://www.tenouk.com/bufferoverflowc/bufferoverflow1_files/image022.png CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 6/45

Interesting Process Information the process memory map (virtual memory areas) memory addresses: code, variables memory region access rights machine code (to be disassembled) process state: registers, (call) stack, code CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 7/45

Why Dynamic Analysis get output for input (blackbox) glimpse into the internals monitor/inspect resource usage debug execution and test attacks (step by step) CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 8/45

What Do We Investigate? code: system calls, library calls, function calls, step-by-step code state: thread information, process maps, open files, resources data: registers, variables, raw memory data CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 9/45

Inspecting Code function call tracing disassembling step by step instructions look into code where required in the process virtual address space CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 10/45

Inspecting Data variables: global (data) and local (stack) runtime metadata: return addresses, function arguments, command line arguments, GOT and PLT (to be discussed later) registers raw memory data: heap, stack, random address CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 11/45

Inspecting State process memory map thread state open file descriptors CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 12/45

Outline Dynamic Analysis Tools for Dynamic Analysis GDB Dynamic Linking and Loading CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 13/45

Types of Tools blackbox inspection: function call tracers (strace, ltrace, dtrace/dtruss), fuzzers profilers: most often for performance: perf, callgrind, vtune debugging: GDB, LLDG, valgrind CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 14/45

Fuzzing generate random input and detect program flaws program is run smart fuzzer try to direct AFL, libfuzzer CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 15/45

strace/ltrace strace./a.out strace -e read,write./a.out strace -e file./a.out strace -e file -f./a.out strace -e file -s 512 -f./a.out similar options for ltrace CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 16/45

lsof/pmap PID as argument lsof -p 12345 pmap 12345 CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 17/45

perf default profiler on Linux sampling profiler, doesn t instrument the code uses events sampling perf stat -e cache-misses -a./mem-walk sudo perf list some actions and events may require privileged access CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 18/45

GDB default debugger on GNU/Linux distributions command line; there are some GUI front-ends incorporated in Linux-based IDEs debugging, dynamic analysis / process investigation gdb./a.out gdb -q./a.out CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 19/45

LLDB LLVM Debugger used on Mac OS X similar features to GDB command line; most commands are equivalent to GDB http://lldb.llvm.org/lldb-gdb.html CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 20/45

Hardware Support for Debugging useful for debugging embedded devices JTAG: Joint Test Action Group uses dedicated debug port Lauterbach Trace32: in circuit debugger (device using JTAG) CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 21/45

Outline Dynamic Analysis Tools for Dynamic Analysis GDB Dynamic Linking and Loading CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 22/45

GDB and Security not just for debugging follow what a process does (step instructions) inspect data (memory, registers) CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 23/45

GDB for Dynamic Analysis process state inspection register inspection (machine) code inspection memory inspection memory alteration function call tracing CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 24/45

GDB Basics starting a process stepping instructions breakpoints disassemble show registers display data trace function calls alter data CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 25/45

Starting a Process run run < input file run arg1 arg2 arg3 set args arg1 arg2 arg3 and then issue run start: breakpoint at main / starting point CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 26/45

Stepping Instructions si and ni ni doesn t go into nested functions very useful for understaning programs and validating attacks CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 27/45

Breakpoints b symbol-name b *address: b *0x80123456 continue: continue until the next breakpoint help breakpoints CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 28/45

Disassembling during runtime disass symbol-name: disass printf help disassemble CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 29/45

Displaying Data show memory data or registers info registers p $eax p *0x80123456 x/10x 0x12345678: examine memory and display in hex x/10s 0x12345678: examine memory and display in string x/10i 0x12345678: examine memory and display in instructions help p help x CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 30/45

Find Data in Memory find "sh" find 0x01020304 find 0x400000, 100000, "sh" CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 31/45

Trace Function Calls backtrace: show function trace up, down: update current call stack http://web.mit.edu/gnu/doc/html/gdb_8.html CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 32/45

Alter Data set variable num = 10 set {int}$0x8038290 = 10 set $eax = 0x12345678 CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 33/45

PEDA Python Exploit Development Assistance enhancement for GDB create cyclic patterns Return Oriented Programming features custom view: code, registers, stack shellcode features telescope an address (follow pointers) CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 34/45

Outline Dynamic Analysis Tools for Dynamic Analysis GDB Dynamic Linking and Loading CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 35/45

Times in Getting from Source Code to Process compile time: when translating source code to object code in object files (using gcc, gas, nasm) link time: when aggregating multiple object files into an executable file (using gcc, ld) load time: when executable is loaded in memory and a process is created (using./program) run time: while the process is running (using strace -p, lsof -p) CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 36/45

Linking and Loading linking is getting object files together into an executable or dynamic-linking file for the linker, object files are input and executables are output loading is getting an executable into memory and starting a process for the loader, executable file is input, process is output CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 37/45

Static linking all symols are solved at link time all code is part of the executable static executables large executable files, but with no dependencies, highly portable CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 38/45

Load Time Dynamic Linking symbols are marked as stubs inside the executable file symbols are solved at load time, the moment the process is created symbols are picked from dynamic-linking library files provides reduced size executable files but requires dependencies to be satisfied CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 39/45

Run Time Dynamic Linking linking (and loading) is done at runtime it may be implicit (lazy binding) or explicit dlopen, dlsym for the explicit case: explicitly load a library and locate a symbol CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 40/45

Lazy Binding postpone linking of a symbol until it is called usually done for functions through the use of a trampoline section (PLT for ELF) the first time a function is called, the dynamic linker also does the binding CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 41/45

Locating Libraries for stating linking, use the -L argument to gcc for dynamic linking, the dynamic linker/loader is used: ld-linux.so man ld-linux.so searches for 1. values in LD_LIBRARY_PATH 2. the /etc/ld.so.cache file; populated by ldconfig 3. the default /lib and /usr/lib library folders CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 42/45

PLT used for external library function calls generic trampoline code to jump to initially jump to per-function binder (.plt in ELF) writable data area storing function pointers (.got.plt) initially store pointers to binder code (symbol solver) after the first call store actual pointer to function call CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 43/45

GOT Global Offset Table.got in ELF for global variables.got.plt in ELF for external library function pointers local uses of external library symbol point to GOT GOT if filled by the dynamic linker at the beginning CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 44/45

static analysis dynamic analysis process blackbox profiling debugging fuzzing strace / ltrace lsof / pmap perf GDB LLDB JTAG breakpoint info examine ni, si backtrace, up, down write searchmem dynamic linking dynamic loading lazy binding trampoline PLT Keywords GOT CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 45/45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback