Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

Published byNathaniel Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz."— Presentation transcript:

1 David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz

2 Control Flow Hijack: Always control + computation computation + control shellcode (aka payload)padding&buf 2 "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f” "\x73\x68\x68\x2f\x62\x69\x6e\x89” "\xe3\xb0\x0b\xcd\x80”; Previously: Executable code as input

3 Control Flow Hijack: Always control + computation computation + control shellcode (aka payload)padding&buf 3 Today: Return Oriented Programming Execution without injecting code

4 ROP Overview Idea: We forge shell code out of existing application logic gadgets Requirements: vulnerability + gadgets + some unrandomized code (we need to know the addresses of gadgets) 4

5 ASLR on Linux 5 Randomized Stack Heap Unrandomized Program Image Libc

6 ASLR on Windows Check with 6 Randomized Stack Heap Unrandomized Program Image Libc Check with EMET tool

7 Motivation: Return-to-libc Attack Overwrite return address with address of libc function setup fake return address and argument(s) ret will “call” libc function No injected code! 7 … argv argc return addr caller’s ebp “/bin/sh" argv[1] buf %ebp %esp ptr to “/bin/sh” &system ret transfers control to system, which finds arguments on stack

8 Question With ASLR, we cannot forge a correct value for ptr since ASLR will randomize addresses. What can we do? 8 … argv argc return addr caller’s ebp “/bin/sh" argv[1] buf %ebp %esp ptr to “/bin/sh” &system Randomized!

9 9 … argv argc return addr caller’s ebp buf “/bin/sh” argv[1] buf gadgets to compute ptr to “/bin/sh” &system Idea! Get a copy of ESP to calculate address of “/bin/sh” on randomized stack. This works because ASLR only protects against knowing absolute addresses, while we will find it’s relative address. Computed “/bin/sh” Writes

10 Return Oriented Programming Techniques 1.Return chaining 2.Semantic equivalence 3.ROP on Windows 10

11 Return Chaining Suppose we want to call 2 functions in our exploit: foo(arg1, arg2) bar(arg3, arg4) Stack unwinds up First function returns into code to advance stack pointer – e.g., pop; pop; ret 11 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo Overwritten ret addr What does this do?

12 Return Chaining When foo is executing, &pop-pop-ret is at the saved EIP slot. When foo returns, it executes pop-pop-ret to clear up arg1 (pop), arg2 (pop), and transfer control to bar (ret) 12 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo

13 There are many semantically equivalent ways to achieve the same net shellcode effect 13 Let’s practice thinking in gadgets

14 ... v2v2 v1v1 a 1 : mov eax, [esp] ; eax has v1 a 2 : mov ebx, [esp+8] ; ebx has v2 a 3 : mov [ebx], eax ; Mem[v2] = eax Implementation 1 An example operation 14 Desired Logic Stack Mem[v2] = v1 esp

15 implementing with gadgets 15 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax a 2 : ret a 3 : pop ebx a 4 : ret a 5 : mov [ebx], eax Implementation 2 Suppose a 5 and a 3 on stack esp eax ebx eip v1v1 a1a1

16 implementing with gadgets 16 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax a 2 : ret a 3 : pop ebx a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a1a1 a3a3

17 implementing with gadgets 17 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax a 2 : ret a 3 : pop ebx a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a3a3 v2v2

18 implementing with gadgets 18 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a4a4 a5a5 v2v2

19 implementing with gadgets 19 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a5a5 v2v2 Gadget 1Gadget 2

20 Equivalence 20 Desired Logic a3a3 v2v2 a2a2 v1v1 Stack Mem[v2] = v1 a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Implementation 2 semantically equivalent esp “Gadgets”

21 Return-Oriented Programming (ROP) Find needed instruction gadgets at addresses a 1, a 2, and a 3 in existing code Overwrite stack to execute a 1, a 2, and then a 3 21 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp

22 Return-Oriented Programming (ROP) 22 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp a3a3 v2v2 a2a2 v1v1 a1a1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Desired store executed!

23 Equivalence 23 Desired Logic a3a3 v2v2 a2a2 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Implementation 2 a 1 : pop eax; ret... a 3 : mov [ebx], eax... a 2 : pop ebx; ret Address independent!

24 Gadgets A gadget is a set of instructions for carrying out a semantic action – mov, add, etc. Gadgets typically have a number of instructions – One instruction = native instruction set – More instructions = synthesize <- ROP Gadgets in ROP generally (but not always) end in return 24

25 25 Image by Dino Dai Zovi

26 Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add $0x80, %eax; pop %ebp; ret a 2 : pop %eax; ret 26 Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into eax and add 0x80. Known Gadgets ret instr

27 Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add eax, 0x80; pop %ebp; ret a 2 : pop %eax; ret 27 a1a1 0xBBBBBBBB a2a2 saved ebp buf AAAAA... a 2 0xBBBBBBBB a 1 Overwrite buf gadget 1 + data gadget 2

28 RO(P?) Programming 1.Disassemble code 2.Identify useful code sequences as gadgets 3.Assemble gadgets into desired shellcode 28

29 Disassembling Code 29

30 Recall: Execution Model 30 Process Memory Stack Heap Processor Fetch, decode, execute read and write Code EIP

31 Disassembly user@box:~/l2$ objdump -d./file... 00000000 : 0:55 push %ebp 1:89 e5 mov %esp,%ebp 3:83 ec 10 sub $0x10,%esp 6:8b 45 0c mov 0xc(%ebp),%eax 9:03 45 08 add 0x8(%ebp),%eax c:03 45 10 add 0x10(%ebp),%eax f:89 45 fc mov %eax,0xfffffffc(%ebp) 12:8b 45 fc mov 0xfffffffc(%ebp),%eax 15:83 e0 01 and $0x1,%eax 18:84 c0 test %al,%al 1a:74 03 je 1f 1c:ff 45 fc incl 0xfffffffc(%ebp) 1f:8b 45 fc mov 0xfffffffc(%ebp),%eax 22:c9 leave 23:c3 ret Address Executable instructions Disassemble

32 Linear-Sweep Disassembly 32 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions Algorithm: 1.Decode Instruction 2.Advance EIP by len push ebp

33 Linear-Sweep Disassembly 33 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp... push ebp mov %esp, %ebp

34 Linear-Sweep Disassembly 34 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp mov %esp, %ebp Algorithm: 1.Decode Instruction 2.Advance EIP by len Note we don’t follow jumps: we just increment by instruction length

35 Disassemble from any address 35 0x550x890xe50x830xec0x10...0xc9 push ebp Normal Execution mov %esp, %ebp Disassembler EIP It’s perfectly valid to start disassembling from any address and all byte sequences will have a unique disassembly

36 Recursive Descent Follow jumps and returns instead of linear sweep Undecidable: indirect jumps – Where does jmp *eax go? 36

37 ROP and Disassembly Compiler-created gadget: A sequence of instructions inserted by the compiler ending in ret. Unintended gadget: A sequence of instructions not created by the compiler, e.g., by starting disassembly at an unaligned start. 37

38 Example: ecb_crypt() 38 c7 45 d4 01 00 f7 c7 07 00 0f 95 45 c3 movl $0x00000001, -44(%ebp) test $0x00000007, %edi setnzb -61(%ebp) add %dh, %bh movl $0x0F000000, (%edi) xchg %ebp, %eax inc %ebp ret Slide credit: Hovav Shacham Blackhat 2008 Talk IntendedUnintended

39 ROP Programming 1.Disassemble code 2.Identify useful code sequences as gadgets 3.Assemble gadgets into desired shellcode 39

40 Example in 04-exercises 40

41 ROPing Windows BOOL WINAPI VirtualProtect( LPVOID lpAddress, // dynamically determined base addr to pages to change SIZE_T dwSize, // size of the region in bytes DWORD flNewProtect, // 0x40 = EXECUTE_READWRITE PDWORD flProtect // A ptr to a variable for prev. arg ); 41 VirtualProtect() can un-DEP a memory region

42 VirtualProtect Diagram 42 flProtect (a ptr to mem) flNewProtect (static) dwSize (dynamic) lpAddress (dynamic) &VirtualProtect Craft lpAddress Craft dwSize LPVOID WINAPI VirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD DWORD flNewProtect, DWORD flProtect );

43 ROPing Windows: An Example Exploit (pre-Win 8) 43 2. gadgets to get stack pointer and save it to a register (push %esp; pop %eax; ret) & jump below the parameters (add esp, offset; ret) (data) Pointer to VirtualProtect (static) lpAddress placeholder: base addr to pages to change dwSize placeholder: size of the region in bytes flNewProtect placeholder: EXECUTE_READWRITE flProtect : A ptr to a variable for prev. arg 3. Gadget to overwrite placeholder for Param 1 with value (Pointer to shellcode = saved ESP + offset) 4. Gadget to overwrite placeholder for Param 2 with value 5. Gadget to overwrite placeholder for Param 3 with value 6. Gadget to overwrite placeholder for Param 4 7. Change value of ESP back to where pointer to VirtualProtect is, then ret Padding/NOPS Shellcode From https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ esp 1. Stack Pivot Data Code Key Gadgets to run shellcode (not shown)

44 ROPing Windows: An Example Exploit (pre-Win 8) 44 Shellcode Padding/NOPS 7. Change value of ESP back to where pointer to VirtualProtect is, then ret 6. Gadget to overwrite placeholder for Param 4 5. Gadget to overwrite placeholder for Param 3 with value 4. Gadget to overwrite placeholder for Param 2 with value 3. Gadget to overwrite placeholder for Param 1 with value (Pointer to shellcode = saved ESP + offset) 1.flProtect : A ptr to a variable for prev. arg 2.flNewProtect placeholder: EXECUTE_READWRITE 3.dwSize placeholder: size of the region in bytes 4.lpAddress placeholder: base addr to pages to change Pointer to VirtualProtect (static) and space for params: 2. gadgets to get stack pointer and save it to a register (push %esp; pop %eax; ret) & adjust esp (add esp, offset; ret) From https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ Gadgets to run shellcode (not shown) esp 1. Stack Pivot (initially placeholder Values. ROPed)

45 Stack Pivots Pointing esp to controlled data Fact: Functions often access arguments with respect to esp Defn: A stack pivot redirects esp at attacker- controlled data Example: Attacker controls heap data pointed to be ESI. One stack pivot may be: xchg esi, esp; ret Now esp points to the attacker-controlled data. 45

46 Other References Thorough introduction: https://www.corelan.be/index.php/2010/06 /16/exploit-writing-tutorial-part-10- chaining-dep-with-rop-the-rubikstm-cube/ Adopting to Win8: http://vulnfactory.org/blog/2011/09/21/def eating-windows-8-rop-mitigation/ 46

47 ROP Programming 1.Disassemble code 2.Identify useful code sequences ending in ret as gadgets 3.Assemble gadgets into desired shellcode 47 Disassemble all sequences ending in ret

48 ROP: Shacham et al. 1.Disassemble code 2.Identify useful code sequences as gadgets ending in ret 3.Assemble gadgets into desired shellcode 48 Automatic Hard work* * There is research like Q (a CMU ROP compiler) that automates this

49 49 Questions?

50 END 50

51 Q: Automating ROP 1.Q: Exploit Hardening Made Easy, Schwartz et al, USENIX Security 2011 51

52 Overview* 52 Executable Code Computation (QooL) Q Inputs Q ROP Shellcode * Exploit hardening step not discussed here.

53 53 Executable Code Linear sweep @ all offsets Step 1: Disassemble code Step 2: Identify useful code sequences (not necessarily ending in ret) Randomized testing of semantics Prove semantics Gadget Database Like before “useful” = Q-Op

54 Q-OpSemanticsReal World Example MoveRegG(t 1, t 2 )t 1 := t 2 xchg %eax, %ebp; ret LoadConstG(t 1, c)t 1 := cpop %ebp; ret ArithmeticG(t 1, t 2, t 3, op)t 1 := t 2 op t 3 ;add %edx, %eax; ret LoadMemG(t 1, t 2, c)t 1 := [t 2 + c]movl 0x60(%eax), %eax; ret StoreMemG(t 1,c, t 2 )[t 1 +c] := t 2 mov %dl, 0x13(%eax); ret ArithmeticLoadG(t 1, t 2, c, op)t 1 := t 1 op [t 2 + c]add0x1376dbe4(%ebx), %ecx; (…); ret ArithmeticStoreG(t 1, t 2, c, op)[t 1 +c] := [t 1 +c] op t 2 add %al, 0x5de474c0(%ebp); ret Q-Ops (aka Q Semantic Types) (think instruction set architecture) 54

55 Q-OpSemanticsReal World Example MoveRegG(t 1, t 2 )t 1 := t 2 xchg %eax, %ebp; ret LoadConstG(t 1, c)t 1 := cpop %ebp; ret ArithmeticG(t 1, t 2, t 3, op)t 1 := t 2 op t 3 ;add %edx, %eax; ret LoadMemG(t 1, t 2, c)t 1 := [t 2 + c]movl 0x60(%eax), %eax; ret StoreMemG(t 1,c, t 2 )[t 1 +c] := t 2 mov %dl, 0x13(%eax); ret ArithmeticLoadG(t 1, t 2, c, op)t 1 := t 1 op [t 2 + c]add0x1376dbe4(%ebx), %ecx; (…); ret ArithmeticStoreG(t 1, t 2, c, op)[t 1 +c] := [t 1 +c] op t 2 add %al, 0x5de474c0(%ebp); ret Q-Ops (aka Q Semantic Types) (think instruction set architecture) 55 This is not RISC: more types = more opportunities later This is not RISC: more Q-Ops gives more opportunities later Must be careful attackers, e.g., give c-60 to get c

56 Randomized testing tells us we likely found a gadget that implements a Q-Op – Fast: filters out many candidates – Enables more expensive second stage 56 Executable Code Linear sweep @ all offsets Randomized testing of semantics Prove semantics Gadget Database

57 Randomized Testing Example 57 sbb %eax, %eax; neg %eax; ret EAX0x0298a7bc CF0x1 ESP0x81e4f104 EAX0x1 ESP0x81e4f108 CF0x1 Before Simulation After Simulation Semantically EAX := CF (MoveRegG ) What does this do? Probably

58 Turn probably into a proof that a gadget implements a Q-Op 58 Executable Code Linear sweep @ all offsets Randomized testing of semantics Prove semantics Gadget Database

59 Proving equivalence 59 Assembly sbb %eax, %eax; neg %eax; ret BAP eax := eax-(eax+CF) eax := -eax esp := esp+4 Semantic Gadget EAX := CF Weakest Precondition (eax = eax-(eax+CF) eax = -eax esp = esp+4) == (EAX = CF) Prover Yes/No

60 Proving Equivalence 60 Weakest precondition [Dijkstra76] is an algorithm for reducing a program to a statement in logic – Q uses predicate logic Satisfiability Modulo Theories (SMT) solver, a “Decision Procedure”, determine if statement is true – true  semantic gadget – Note: “Theorem prover”=undecidable, “SAT solver” = propositional logic WP details not discussed here. (It’s a textbook verification technique)

61 61 Executable Code Linear sweep @ all offsets Randomized testing of semantics Prove semantics Gadget Database Disassemble code Identify useful code sequences as gadgets Assemble gadgets into desired shellcode

62 Q-Op Gadget Examples Q-OpGadget eax := valuepop %ebp; ret; xchg %eax, %ebp; ret ebx := valuepop %ebx; pop %ebp; ret [ebx +0x5e5b3cc4] := [ebx + offset] | alor %al, 0x5e5b3cc4(%ebx); pop %edi; pop %ebp; ret eax := valuepop %ebp; ret; xchg %eax, %ebp; ret ebp := valuepop %ebp; ret [ebp + 0xf3774ff] := [ebp + offset] + aladd %al,0xf3774ff(%ebp); movl $0x85, %dh; ret 62 Note: extra side-effects handled by Q apt-get Gadgets

63 63 QooL Program ROP Shellcode Executable Code Linear sweep @ all offsets Randomized testing of semantics Prove semantics Gadget Database Gadget Assignment Q-Op Arrangement

64 QooL Language Motivation: Write shellcode in high-level language, not assembly 64 QooL Syntax

65 Example 65 f = [got offset execve] f(“/bin/sh”) f = LoadMem[got execve offset] arg = “/bin/sh” (in hex) StoreMem(t, adrr) f(addr) SemanticsQooL Program

66 Q-Op Arrangement 66 QooL Program Gadget Assignment Q-Op Arrangement Analogy: Compiling C down to assembly

67 Every-Munch Algorithm Every Munch: Conceptually compile QooL program into a set of Q-Op programs – Each member tries to use different Q-Ops for the same high-level instructions Analogy: Compile C statement to a set of assembly instructions – C: a = a*2; – Assembly: a = a *2; a = a << 1; a = a + a; 67 QooL Program Gadget Assignment Q-Op Arrangement

68 68 StoreMem[a] = v [a] := v t 1 := a; t 2 := v; [t 1 ] = t 2 ; QooL t 1 := a; t 2 := -1; [t 1 ] := [t 1 ] | t 2 ; t3 := v + 1; [t 1 ] := [t 1 ] + t 3 ;... Q-Op Programs Ultimately pick the smallest Q-Op program that has corresponding gadgets in the target program Optimization: Q uses lazy evaluation so programs generated on demand

69 Gadget Assignment 69 Output: Set of Q-Op programs using temp regs QooL Program Gadget Assignment Q-Op Arrangement Gadget Database ROP Shellcode Assignment chooses a single Q-Op program using real gadgets and register names Analogy: Register assignment in a compiler

70 Example 70 Q-Op Assembly Gadget Legend t 1 := v 1 t 2 := v 2 [t 1 ] := t 2 pop %eax ret pop %ebx ret mov [ecx], eax ret ✗ Conflict: %ebx and %ecx mismatch

71 Example 71 Q-Op Assembly Gadget Legend t 1 := v 1 t 2 := v 2 [t 1 ] := t 2 pop %eax ret pop %ebx ret mov [eax], ebx ret ✓

72 Recap 72 QooL Program ROP Shellcode Executable Code Linear sweep @ all offsets Randomized testing of semantics Prove semantics Gadget Database Gadget Assignment Q-Op Arrangement

73 Real Exploits Q ROP’ed (and hardened) 9 exploits 73 NameTotal Time OS Free CD to MP3 Converter130sWindows 7 Fatplayer133sWindows 7 A-PDF Converter378sWindows 7 A-PDF Converter (SEH exploit)357sWindows 7 MP3 CD Converter Pro158sWindows 7 rsync65sLinux opendchub225sLinux gv237sLinux Proftpd44sLinux

74 ROP Probability Given program size, what is the probability Q can create a payload? – Measure over all programs in /usr/bin Depends on target computation – Call libc function in GOT – Call libc function not in GOT 74

75 ROP Probability 2/1/201275 Probability that attack works Call libc functions in 80% of programs >= true (20KB) Program Size (bytes)

76 Q ROP Limitations Q’s gadgets types are not Turing-complete – Calling system(“/bin/sh”) or mprotect() usually enough – Shacham showed libc has a Turing-complete set of gadgets. Q does not find conditional gadgets – Potential automation of interesting work on ROP without Returns [CDSSW10] Q does not minimize ROP payload size 76

77 Research Summary 1.Disassemble code 2.Identify useful code sequences as gadgets 3.Assemble gadgets into desired shellcode 77 Q: Automatic, not Turing complete Shachem: Automatic Shacham: Manual, Turing- complete

78 Backup slides here. Titled cherries because they are for the pickin. (credit due to maverick for wit) 78

79 Motivation: Return-to-libc Attack Principle: Overwrite to transfer control to existing piece of logic, called a gadget. No injected code! 79 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp “/bin/sh” &system

80 Stencils 80 ABC

81 Other Colors from Adobe Kuler ABC Mac application for Adobe Kuler: http://www.lithoglyph.com/mondrianum/ http://kuler.adobe.com/ 81 Don’t use these unless absolutely necessary. We are not making skittles, so there is no rainbow of colors necessary.

82 82 What if we don’t know the address of “/bin/sh” ? Use existing application logic that does!

83 Scorecard for ret2libc No injected code  DEP ineffective Requires setting up the stack frame... or does it. 83

84 Gadget Examples Save address of esp Execute our own shellcode Shacham: gadgets are Turing-complete 84 xor ecx, ecx mul ecx push ecx push 0x68732f2f push 0x6e69622f mov ebx, esp mov al, 0xb int 0x80 Our example shellcode The trick is to find the desired instruction sequences, or semantically equivalent ones

85 Gadgets, Historically Shacham et al. manually identified which sequences ending in ret in libc were useful gadgets Common shellcode was created with these gadgets. Everyone used libc, so gadgets and shellcode universal 85 Semantics a3a3 v2v2 a2a2 v1v1 Mem[v2] = v1 a 1 : pop eax; ret... a 3 : mov [ebx], eax... a 2 : pop ebx; ret Gadgets

Download ppt "David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Similar presentations

Ads by Google