CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Similar documents
Program Exploitation Intro

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

W4118: PC Hardware and x86. Junfeng Yang

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Lab 10: Introduction to x86 Assembly

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

x86 Assembly Tutorial COS 318: Fall 2017

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

x86 assembly CS449 Fall 2017

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Practical Malware Analysis

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Buffer Overflow Attack (AskCypert CLaaS)

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Compiler Construction D7011E

Machine Programming 3: Procedures

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

CS642: Computer Security

Function Call Convention

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

CS 161 Computer Security

CS 161 Computer Security

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

buffer overflow exploitation

X86 Stack Calling Function POV

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer-Overflow Attacks on the Stack

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

COMP 210 Example Question Exam 2 (Solutions at the bottom)

Lecture 4 CIS 341: COMPILERS

CPS104 Recitation: Assembly Programming

Università Ca Foscari Venezia

Buffer-Overflow Attacks on the Stack

Return-orientated Programming

CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Sistemi Operativi. Lez. 16 Elementi del linguaggio Assembler AT&T

Process Layout and Function Calls

Exercise 6: Buffer Overflow and return-into-libc Attacks

The Geometry of Innocent Flesh on the Bone

CMPSC 497 Buffer Overflow Vulnerabilities

Midterm 1 Review. Memory Safety & Web Attacks

University of Washington

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Subprograms: Local Variables

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1

Exploits and gdb. Tutorial 5

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

18-600: Recitation #3

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Microprocessors ( ) Fall 2010/2011 Lecture Notes # 15. Stack Operations. 10 top

CS241 Computer Organization Spring 2015 IA

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CSE351 Spring 2018, Midterm Exam April 27, 2018

Buffer Overflows Defending against arbitrary code insertion and execution

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

U23 - Binary Exploitation

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

ANITA S SUPER AWESOME RECITATION SLIDES

Intel assembly language using gcc

ROP It Like It s Hot!

CS61 Section Solutions 3

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Intro to x86 Binaries. From ASM to exploit

CMSC Lecture 03. UMBC, CMSC313, Richard Chang

CS429: Computer Organization and Architecture

Machine Programming 1: Introduction

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

IA-32 Architecture. CS 4440/7440 Malware Analysis and Defense

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

The x86 Architecture

6/20/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:

Assembly Language Lab # 9

Chapter 11. Addressing Modes

CSE 361S Intro to Systems Software Lab Assignment #4

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Systems I. Machine-Level Programming V: Procedures

Machine-level Programming (3)

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Transcription:

Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through it with a debugger. In this class, we ll be using 32-bit x86 and GDB. Note: Feel free to come by office hours held by any of the staff. Don t hesitate to ask for help! Our office hours exist to help you. Please visit us if you have any questions or doubts about the material. A few useful GDB commands For OS X users: lldb uses different commands. You will be expected to know gdb. run (r) break (b) func *addr line : add a breakpoint at the specified spot step (s): continue to next line, next (n): next line, skip function calls stepi (si), nexti (ni): same, but at the instruction level continue (c): until next breakpoint enter : repeat previous command print (p) [ /f ] var $register : print the specified value (in format f) list (l) [line]: show source code around the current line or line layout split: splits the GDB interface into source, assembly, and commands sections. disassemble (disas) [func]: show the assembly for the current context, or func x/nx[b w] addr: print n bytes (b) or 4-byte words (w) of memory as hex (x) (If displaying bytes, keep in mind that x86 is little-endian!) Page 1 of 4

Intro to x86 assembly 32-bit x86 prefixes its registers with e- (eax, ebp, esp...). x86 64 uses r- (rax, rbp, rsp...). In AT&T syntax, the suffixes -b, -i, -l, and -q clarify if the instruction operates on bytes, 16-bit words, 32-bit words, or 64-bit words. Source is on the left, destination on the right. There are 8 general-purpose registers: EAX, EBX, ECX, EDX, ESI, EDI, ESP, and EBP. The registers EBP (base pointer) and ESP (stack pointer) are usually used to delimit the current function s stack frame. The stack grows down (towards lower addresses), by decrementing ESP (subl $0x18, %esp) or using the shortcut push: pushl %ebp (decrement ESP by 4 and copy EBP there). Correspondingly, popl %ebp puts the memory (ESP,ESP+4) into EBP and increments ESP. The usual function prologue is push %ebp mov %esp %ebp sub X %esp And the corresponding exit is // save the top of the previous frame // start new frame by moving EBP down to ESP // X = size of local variables add X %esp // * (sometimes mov %ebp %esp ) pop %ebp // * ret // pops return address from stack, goes there * sometimes these two lines are replaced with just leave. Conversely to ret, call addr pushes EIP (the instruction pointer, that is, the address of the next instruction) onto the stack as a saved return address before jumping to addr. A more thorough overview of 32-bit x86 can be found at https://www.cs.virginia.edu/ ~evans/cs216/guides/x86.html Discussion 1 Page 2 of 4 CS 161 Fa 16

Figure 1: Left: memory layout for 32-bit Linux. The stack (left, at top) grows downward. Right: the contents of one frame on the stack (exercise: match the entries up with the instructions in the function prologue and exit). Question 1 A Short Discussion on Canaries (10 min) Discussion 1 Page 3 of 4 CS 161 Fa 16

Question 2 C Memory Defenses (30 min) In the Thursday Lecture, Professor Raluca described some C memory vulnerabilities and defenses for those insisting on writing C or C++ code. Mark the following statements as True or False and justify your solution. Please feel free to discuss with students around you. 1. Stack canaries can not protect against all buffer overflow attacks in the stack. 2. A format-string vulnerability can allow an attacker to overwrite a saved return address even when stack canaries are enabled. 3. If you have data execution prevention/executable space protection/nx bit, an attacker can write code into memory to execute. 4. If you have a non-executable stack and heap, buffer overflows are no longer exploitable. 5. If you have a non-executable stack and heap, an attacker can use Return Oriented Programming. 6. If you use a memory-safe language, buffer overflow attacks are impossible. 7. ALSR, stack canaries, and NX all combined are insufficient to prevent exploitation of all buffer overflow attacks. Solution: 1. True, stack canaries defeated if they are revealed by information leakage, or if there is not sufficient entropy, an attacker can guess the value. Remember, the attack just needs to work once in the real world. 2. True, with format string vulnerabilities, the attacker can learn the contents of the stack frame, other parts of memory, and write to other addresses in memory. Stack canaries won t save you here. 3. Many attacks rely on writing malicious code to memory and then executing them. If we make writable parts of memory non-executable, these attacks cannot succeed. Discussion 1 Page 4 of 4 CS 161 Fa 16

4. False, an attacker can still use techniques like Return Oriented Programming. 5. True, Return oriented programming is a technique that uses existing instructions already in memory to change the original program flow. 6. True, buffer overflow attacks do not work with memory safe languages. 7. True, all of these protections can be overcome. Short answer! 1. What would happen if the stack canary was between the return address and the saved frame/base pointer? 2. What if the canary was above the return address? Solution: 1. An attacker can overwrite the saved frame pointer so when the program tries to return, it uses the wrong address as the return address. 2. It doesn t stop an attacker from overwriting the return address. Although if an attacker had absolutely no idea where the return address, it could potentially detect stack smashing. Discussion 1 Page 5 of 4 CS 161 Fa 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback