X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Similar documents
CS642: Computer Security

Assembly Language: Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

x86 assembly CS449 Fall 2017

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS241 Computer Organization Spring 2015 IA

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CPEG421/621 Tutorial

Instruction Set Architectures

Machine Programming 3: Procedures

Instruction Set Architectures

Process Layout and Function Calls

x86 Assembly Tutorial COS 318: Fall 2017

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

CS241 Computer Organization Spring Introduction to Assembly

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

Assembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012

x86 architecture et similia

W4118: PC Hardware and x86. Junfeng Yang

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

Program Exploitation Intro

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Access. Young W. Lim Sat. Young W. Lim Access Sat 1 / 19

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

Access. Young W. Lim Fri. Young W. Lim Access Fri 1 / 18

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Compiler Construction D7011E

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

The x86 Architecture

Credits and Disclaimers

Reverse Engineering II: The Basics

Practical Malware Analysis

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

x86 assembly CS449 Spring 2016

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Intel assembly language using gcc

How Software Executes

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Assembly Language: IA-32 Instructions

X86 Stack Calling Function POV

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

CSC 8400: Computer Systems. Machine-Level Representation of Programs

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

Introduction to IA-32. Jo, Heeseung

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

INTRODUCTION TO IA-32. Jo, Heeseung

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Lab 10: Introduction to x86 Assembly

Intro to GNU Assembly Language on Intel Processors

Machine Programming 2: Control flow

System calls and assembler

Module 3 Instruction Set Architecture (ISA)

MACHINE-LEVEL PROGRAMMING I: BASICS

CSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

T Reverse Engineering Malware: Static Analysis I

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

Instruction Set Architecture

CMPSC 497 Buffer Overflow Vulnerabilities

The von Neumann Machine

Instruction Set Architecture

Instruction Set Architecture

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CIT Week13 Lecture

CSE 351: Week 4. Tom Bergan, TA

The Hardware/Software Interface CSE351 Spring 2013

Homework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1

Complex Instruction Set Computer (CISC)

Function Call Convention

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Today: Machine Programming I: Basics

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Instruction Set Architecture

CISC 360 Instruction Set Architecture

CS429: Computer Organization and Architecture

Software. Hardware. x86 basics. ISA View. a brief history of x86 10/6/15. Program, Application. Programming Language. Compiler/Interpreter

How Software Executes

CMSC 313 Lecture 12 [draft] How C functions pass parameters

4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only

Credits and Disclaimers

ASSEMBLY III: PROCEDURES. Jo, Heeseung

Machine-level Programming (3)

Assembly III: Procedures. Jo, Heeseung

Machine/Assembler Language Putting It All Together

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

CS213. Machine-Level Programming III: Procedures

U23 - Binary Exploitation

Machine-Level Programming II: Control and Arithmetic

ASSEMBLY II: CONTROL FLOW. Jo, Heeseung

Transcription:

X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu

From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups Processes (usually) run with the permissions of the invoking user input passwd write /etc/shadow RUID: ace EUID: root

Processes are the front line of system security Control a process and you get the privileges of its UID So how do you control a process? Send specially formed input to process input passwd write /etc/shadow RUID: ace EUID: root

Privilege Escalation article published last Thursday!

Lecture Roadmap Today Enough x86 to understand (some) process vulnerabilities Memory Layout Some x86 instruction semantics Tools for inspecting assembly Next Time How such attacks occur

Why do we need to look at assembly? WYSINWYX: What you see is not what you execute [Balakrishnan and Reps TOPLAS 2010] Vulnerabilities exploited in this form We understand code in this form int foo(){ int a = 0; return a + 7; } Compiler pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -4(%ebp) movl -4(%ebp), %eax addl $7, %eax leave ret

X86: The De Facto Standard Extremely popular for desktop computers Alternatives ARM: popular on mobile MIPS: very simple Itanium: ahead of its time

x86: Popular but Crazy CISC (complex instruction set computing) Over 100 distinct opcodes in the set Register poor Only 8 registers of 32-bits, only 6 are generalpurpose Variable-length instructions Built of many backwards-compatible revisions Many security problems preventable in hindsight

A Little History Intel attempts to trademark the number 486, gets denied 1978 1982 1985 1989 1993 1995 2003 Intel introduces 8086 (16 bit) 80386 (32-bit) 80186 and 80286 i486 (32-bit) Pentium Pentium Pro AMD makes x86-64 (64 bit) This is not a joke. It s the real reason five Science-y?

Let s Dive in To X86! X86

Registers 32 bits EAX AX AH AL EBX BX BH BL ECX CX CH CL EDX DX DH DL ESI EDI ESP (stack pointer) EBP (base pointer)

Process memory layout Free.text.data.bss heap stack memory Env Low memory addresses Grows upward Grows downward High memory addresses.text Machine code of executable.data.bss Global initialized variables Below Stack Section global uninitialized vars heap Dynamic variables stack Env Local variables Function call data Environment variables Program arguments

Heap and Stack Design heap Grows upward Free memory Grows downward stack Low memory addresses High memory addresses Allow for more efficient use of finite free memory Growing in opposite directions allows extra flexibility at runtime Stack Local variables, function bookkeeping Heap Dynamic memory

Heap and Stack Design heap Grows upward Free memory stack Grows downward stack Low memory addresses High memory addresses Allow for more efficient use of finite free memory Growing in opposite directions allows extra flexibility at runtime Stack Local variables, function bookkeeping Heap Dynamic memory

Heap and Stack Design heap Grows upward heap Free memory Grows downward stack Low memory addresses High memory addresses Allow for more efficient use of finite free memory Growing in opposite directions allows extra flexibility at runtime Stack Local variables, function bookkeeping Heap Dynamic memory

Heap and Stack use: Example 0x100 bytes Free memory 7 bar 7 barfoo main Low memory addresses High memory addresses main(): call foo() call bar() foo(): f_glob = malloc(0x100) call bar() bar() b_loc = 7;

Reminder: These are conventions Dictated by compiler Only instruction support by processor Almost no structural notion of memory safety Use of uninitialized memory Use of freed memory Memory leaks So how are they actually implemented?

Instruction Syntax Examples: subl $16, %ebx movl (%eax), %ebx Instruction ends with data length opcode, src, dst Constants preceded by $ Registers preceded by % Indirection uses ( )

Register Instructions: sub registers memory %eax 7 subl %eax, %ebx %ebx 9 2 Subtract from a register value

Frame Instructions: push registers %eax 7 %ebp M %esp N Put a value on the stack memory pushl %eax Frame Pull from register Value goes to %esp Subtract from %esp registers %eax 7 %ebp M %esp N-4 Example: pushl %eax memory 7 Frame

Frame Instructions: pop registers %eax 9 %ebp M %esp K Take a value from the stack memory popl %eax 7 Frame Pull from stack pointer Value goes from %esp Add to %esp registers %eax 7 %ebp M %esp K+4 memory 7 Frame

Control flow instructions: jmp registers memory %eip jmp -20 K %ebp M %esp Frame N %eip points to the currently executing instruction (in the text section) Has unconditional and conditional forms registers %eip K-20 %ebp M %esp N Uses relative addressing memory Frame

Control flow instructions: call registers memory %eip K A: call FOO %ebp M %esp Frame N Saves the current instruction pointer to the stack Jumps to the argument value registers %eip FOO %ebp M %esp N-4 memory FOO: (1 st of foo) A+2 Frame

Control flow instructions: ret registers memory %eip K: ret K %ebp M %esp N A Frame Pops the stack into the instruction pointer registers %eip A %ebp M %esp N +4 memory A: (caller instr) Frame

Stack instructions: leave registers memory %ebp M %esp N leave A Stack Equivalent to movl %ebp, %esp popl %ebp registers %ebp A %esp M memory Stack

Implementing a function call %eax 10 1 esp esp esp esp esp (main) (foo) 3 main ebp main eip+2 1 2 Stack data ebp ebp main: eip eip eip eip eip subl movl movl call addl $8, %esp $2, 4(%esp) $l, (%esp) foo $8, %esp foo: pushl eip eip movl eip subl eip movl eip movl eip addl leave eip ret eip %ebp %esp, %ebp $16, %esp $3, -4(%ebp) 8(%ebp), %eax $9, %eax

Function Calls: High level points Locals are organized into stack frames Callees exist at lower address than the caller On call: Save %eip so you can restore control Save %ebp so you can restore data Implementation details are largely by convention Somewhat codified by hardware

Data types / Endianness x86 is a little-endian architecture pushl %eax esp esp %eax 0xdeadbeef 0xef 0xbe 0xad 0xde 4 bytes 1 1 1 1

esp Arrays (bar).text HEAP.data D 0x44 r 0x72 e 0x65 w 0x77 \0 0x00 caller ebp caller eip+2 &in void bar(char * in){ char name[5]; strcpy(name, in); } ebp bar: pushl %ebp movl %esp, %ebp subl $5, %esp movl 8(%ebp), %eax movl %eax, 4(%esp) leal -5(%ebp), %eax movl %eax, (%esp) call strcpy leave ret

Assembly Code Tools Let s look at some programs for observing these phenomena

Tools: GCC gcc O0 S program.c o program.s m32 gcc O0 g program.c o program m32

gdb program (gdb) run (gdb) decompile foo (gdb) quit Tools: GDB

Tools: objdump objdump Dwrt program

od x program Tools: od

Memory Safety: Why and Why Not The freedom from these shenanigans X86 has little inbuilt notion of memory safety Compiler or analysis can

Summary Basics of x86 Process layout ISA details Most of the instructions that you ll need Introduced the concept of a buffer overflow Some tools to play around with x86 assembly Next time: exploiting these vulnerabilities

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback