Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.

Published byDorthy Greene Modified over 9 years ago

Similar presentations

Presentation on theme: "CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86."— Presentation transcript:

1 CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86 http://www.cs.virginia.edu/cs216 Image from www.clean-funny.com, GoldenBlue LLC.

2 2 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Java Security javac Compiler malcode.java malcode.class JVML Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

3 3 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Bytecode Verifier Checks JVML code satisfies safety properties –Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once –After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores) Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

4 4 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Violating the Assumption … // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong.

5 5 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Improving the Odds Set up memory so that a single bit error is likely to be exploitable Mistreat the hardware memory to increase the odds that bits will flip Following slides adapted (with permission) from Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

6 6 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Making Bit Flips Useful Fill up memory with Filler objects, and one Pointee object: class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a6; Pointee a7;}

7 7 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Filling Up Memory Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; } a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object

8 8 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Wait for a bit flip… Remember: there are lots of Filler objects (fill up all of memory) If a bit flips, good chance (~70%) it will be in a field of a Filler object and it will now point to a Filler object instead of a Pointee object a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object

9 9 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Type Violation After the bit flip, the value of f.a2 is a Filler object, but f.a2 was declared as a Pointee object! a1 a2 a3 a4 a5 a6 a7 Filler Object a1 a2 f b a5 a6 a7 Pointee Object a1 a2 a3 a4 a5 a6 a7a7 Filler Object Can an attacker exploit this?

10 10 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Finding the Bit Flip while (true) { for (Enumeration e = fillers.elements (); e.hasMoreElements () ; ) { Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! … } else if (f.a2 != p) { … } Pointee p = new Pointee (); Vector fillers = new Vector (); try { while (true) { Filler f = new Filler (); f.a1 = p; f.a2 = p; f.a3 = p; …; f.a7 =p; fillers.add (f); } } catch (OutOfMemoryException e) { ; }

11 11 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;} Declared Type f.a1Pointee f.a1.bint fr == f.a1Filler fr.a4 == f.a1.bPointee

12 12 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Violating Type Safety Filler f = (Filler) e.nextElement (); if (f.a1 != p) { // bit flipped! Object r = f.a1; // Filler fr = (Filler) r; // Cast is checked at run-time f.a1.b = 1524383; // Address of the SecurityManager fr.a4.a1 = null; // Set it to a null // Do whatever you want! No security policy now… new File (“C:\thesis.doc”).delete (); class Filler {class Pointee { Pointee a1; Pointee a2; Pointee a3; Filler f; Pointee a4; int b; Pointee a5; Pointee a6; Pointee a7;}

13 13 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Getting a Bit Flip Wait for a Cosmic Ray –You have to be really, really patient… (or move machine out of Earth’s atmosphere) X-Rays –Expensive, not enough power to generate bit-flip High energy protons and neutrons –Work great - but, you need a particle accelerator Hmm….

14 14 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Using Heat 50-watt spotlight bulb Between 80° - 100°C, memory starts to have a few failures Attack applet is successful (at least half the time)! Hairdryer works too, but it fries too many bits at once Picture from Sudhakar Govindavajhala

15 15 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Should Anyone be Worried? Java virtual machine

16 16 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Recap Verifier assumes the value you write is the same value when you read it By flipping bits, we can violate this assumption By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types By violating type safety, we can get around all other security measures For details, see paper linked from notes

17 17 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm CS216 Roadmap Data RepresentationProgram Representation Bits 01001010 Addresses, Numbers, Characters 0x42381a, 3.14, ‘x’ Objects “Hello” Arrays [‘H’,’i’,\0] Python code High-level language C code Low-level language Virtual Machine language JVML Assemblyx86 Real World Problems Real World Physics

18 18 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm From JVML to x86 More complex instructions: –JVML: 1-byte opcodes, all instructions are 1 byte plus possible params on stack –x86: 1-, 2-, and 3-byte opcodes Lower-level memory: –JVML: stack and locations, managed by VM –x86: registers and memory, managed (mostly) by programmer Why is x86 instruction set more complex?

19 19 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm x86 History 1960s: Project Apollo 1971: Intel 4004 Processor –First commercial microprocessor –Target market: calculators

20 20 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Intel 4004 3-deep stack 16 4-bit registers

21 21 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm x86 History 1971: 4004 –46 instructions (41 8-bit wide, 5 16-bits) –Separate program and data store 1974: 8080 –8-bit processor –Used in MITS Altair 1978: 8086, 8088 –16-bit architecture –Assembly backwards compatible with 8080

22 22 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm x86 History 1982: 80186 –Backwards compatible with 8086 –Added some new instructions 1982: 80286 1986: 386 –First 32-bit version (but still backwards compatible with 16-bit 8086) 1989: 486 (Added a few instructions) 1993: Pentium (can’t trademark numbers) Now: Athlon 64, x86-64 –64-bit versions, but still backwards compatible

23 23 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm x86 Registers 32 bits EAX EBX ECX EDX ESI EDI ESP (stack pointer) EBP (base pointer) AX BX CX DX AH BH CH DH AL BL CL DL General-purpose Registers 16 bits 8 bits IP (instruction pointer)

24 24 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm x86 Instructions Variable length: 1-17 bytes long (average is ~3 bytes) Opcodes: 1-4 bytes long –e.g., 660F3A0FC108H = PALIGNR Parameters: registers, memory locations, constants –Need different opcodes to distinguish them

25 25 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Move Instruction mov [destination], [source] Copies the value in source into the location destination Many different versions depending on types of destination and source: –destination: register, memory –source: register, memory, constant Not all combinations are possible: cannot have both destination and source be memory locations

26 26 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Move Examples mov eax, [ebx] –[ ]: the value of the memory location referenced by –Copies the 4-byte value in location [ebx] into register eax mov [ebp+4], eax –Copies the 4-byte value in register eax into the location [ebp+4] (typically this is the first local variable)

27 27 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm More Moves mov [ebx], 2 –Ambiguous: is it moving 0b0000010 or 0b000000000000010 or 0b[30 zeros]10 mov BYTE PTR [ebx], 2 mov WORD PTR [ebx], 2 mov DWORD PTR [ebx], 2

28 28 UVa CS216 Spring 2006 - Lecture 20: Introducing Asm Charge Section this week: understanding x86 assembly Problem Set 7: out today, due in 1 week –Reading and writing x86 assembly code –Figuring out what code is generated for different program constructs Exam 2: out next Wednesday

Download ppt "CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86."

Similar presentations

Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Web:

Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Web:
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
Chapter 3 Addressing Modes

Chapter 3 Addressing Modes
Lect 3: Instruction Set and Addressing Modes. 386 Instruction Set (3.4) –Basic Instruction Set : 8086/8088 instruction set –Extended Instruction Set :

Lect 3: Instruction Set and Addressing Modes. 386 Instruction Set (3.4) –Basic Instruction Set : 8086/8088 instruction set –Extended Instruction Set :
Azir ALIU 1 What is an assembly language?. Azir ALIU 2 Inside the CPU.

Azir ALIU 1 What is an assembly language?. Azir ALIU 2 Inside the CPU.
Lecture 6 Machine Code: How the CPU is programmed.

Lecture 6 Machine Code: How the CPU is programmed.
© 2006 Pearson Education, Upper Saddle River, NJ 07458. All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.

© 2006 Pearson Education, Upper Saddle River, NJ All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Assembly Language Advantages 1. It reveals the secret of your computer’s hardware and software. 2. Speed. 3. Some special applications and occasions. Disadvantages.

Assembly Language Advantages 1. It reveals the secret of your computer’s hardware and software. 2. Speed. 3. Some special applications and occasions. Disadvantages.
ICS312 Set 3 Pentium Registers. Intel 8086 Family of Microprocessors All of the Intel chips from the 8086 to the latest pentium, have similar architectures.

ICS312 Set 3 Pentium Registers. Intel 8086 Family of Microprocessors All of the Intel chips from the 8086 to the latest pentium, have similar architectures.
© 2006 Pearson Education, Upper Saddle River, NJ 07458. All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.

© 2006 Pearson Education, Upper Saddle River, NJ All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.
Lect 4: Instruction Set and Addressing Modes. 386 Instruction Set (3.4)  Basic Instruction Set : 8086/8088 instruction set  Extended Instruction Set.

Lect 4: Instruction Set and Addressing Modes. 386 Instruction Set (3.4)  Basic Instruction Set : 8086/8088 instruction set  Extended Instruction Set.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
CDP ECE 291 -- Spring 2000 ECE 291 Spring 2000 Lecture 7: More on Addressing Modes, Structures, and Stack Constantine D. Polychronopoulos Professor, ECE.

CDP ECE Spring 2000 ECE 291 Spring 2000 Lecture 7: More on Addressing Modes, Structures, and Stack Constantine D. Polychronopoulos Professor, ECE.
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
The Pentium Processor.

The Pentium Processor.
The Pentium Processor Chapter 3 S. Dandamudi. 2005 To be used with S. Dandamudi, “Introduction to Assembly Language Programming,” Second Edition, Springer,

The Pentium Processor Chapter 3 S. Dandamudi To be used with S. Dandamudi, “Introduction to Assembly Language Programming,” Second Edition, Springer,
INSTRUCTION SET AND ASSEMBLY LANGUAGE PROGRAMMING

INSTRUCTION SET AND ASSEMBLY LANGUAGE PROGRAMMING
The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.

The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.

Similar presentations

Ads by Google