CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson

Slides:



Advertisements
Similar presentations
Practical Malware Analysis
Advertisements

Fabián E. Bustamante, Spring 2007 Machine-Level Programming II: Control Flow Today Condition codes Control flow structures Next time Procedures.
Smashing the Stack for Fun and Profit
CS 4284 Systems Capstone Godmar Back Processes and Threads.
Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Web:
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
Machine Programming – Procedures and IA32 Stack CENG334: Introduction to Operating Systems Instructor: Erol Sahin Acknowledgement: Most of the slides are.
Instruction Set Architectures
PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
– 1 – , F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.
1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
6.828: PC hardware and x86 Frans Kaashoek
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
CNIT 127: Exploit Development Ch 1: Before you begin.
Low Level Programming Lecturer: Duncan Smeed The Interface Between High-Level and Low-Level Languages.
Functions/Methods in Assembly
Compiler Construction Code Generation Activation Records
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
University of Amsterdam Computer Systems – the instruction set architecture Arnoud Visser 1 Computer Systems The instruction set architecture.
1 Assembly Language: Function Calls Jennifer Rexford.
Precept 7: Introduction to IA-32 Assembly Language Programming
Exploiting & Defense Day 1 Recap
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
A job ad at a game programming company
CS 177 Computer Security Lecture 9
Reading Condition Codes (Cont.)
Machine-Level Programming 2 Control Flow
Instruction Set Architecture
Homework Reading Lab with your assigned section starts next week
Assembly language.
Credits and Disclaimers
C function call conventions and the stack
Exploiting & Defense Day 2 Recap
Aaron Miller David Cohen Spring 2011
Homework In-line Assembly Code Machine Language
Introduction to Compilers Tim Teitelbaum
Homework Reading Continue work on mp1
Assembly Language Programming V: In-line Assembly Code
Recitation: Attack Lab
Computer Architecture adapted by Jason Fritts then by David Ferry
Machine-Level Programming 4 Procedures
Machine-Level Programming 2 Control Flow
Assembly Language Programming II: C Compiler Calling Sequences
Machine-Level Programming 2 Control Flow
Machine-Level Programming III: Procedures Sept 18, 2001
MIPS Procedure Calls CSE 378 – Section 3.
Practical Session 4.
Machine-Level Programming 2 Control Flow
Machine Level Representation of Programs (IV)
Machine-Level Programming: Introduction
System Calls David Ferry CSCI 3500 – Operating Systems
Computer Architecture CST 250
X86 Assembly Review.
CSC 497/583 Advanced Topics in Computer Security
Credits and Disclaimers
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Presentation transcript:

CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson

From Last Time ACL-based permissions (UNIX style) – Read, Write, eXecute can be restricted on users and groups – Processes (usually) run with the permissions of the invoking user passwd RUID: ace /etc/shadow write EUID: root input

Processes are the front line of system security Control a process and you get the privileges of its UID So how do you control a process? – Send specially formed input to process passwd RUID: ace /etc/shadow write EUID: root input

Privilege Escalation article published last Thursday!

Today – Enough x86 to understand (some) process vulnerabilities Memory Layout Some x86 instruction semantics Tools for inspecting assembly Next Time – How such attacks occur

Why do we need to look at assembly? We understand code in this form Vulnerabilities exploited in this form int foo(){ int a = 0; return a + 7; } pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -4(%ebp) movl -4(%ebp), %eax addl $7, %eax leave ret Compiler “WYSINWYX: What you see is not what you eXecute” [Balakrishnan and Reps TOPLAS 2010]

X86: The De Facto Standard Extremely popular for desktop computers Alternatives – ARM: popular on mobile – MIPS: very simple – Itanium: ahead of its time

x86: Popular but Crazy CISC (complex instruction set computing) – Over 100 distinct opcodes in the set Register poor – Only 8 registers of 32-bits, only 6 are general- purpose Variable-length instructions Built of many backwards-compatible revisions – Many security problems preventable… in hindsight

A Little History Intel introduces 8086 (16 bit) and (32-bit) 1989 i486 (32-bit) Intel attempts to trademark the number 486, gets denied 1993 Pentium “five” Science-y? 1995 Pentium Pro 2003 AMD makes x86-64 (64 bit) … This is not a joke. It’s the real reason

Let’s Dive in To X86! X86

Registers ESI EDI ESP EBP DX CX BX AX EDX ECX EBX EAX AL BL CL DL AH BH CH DH (stack pointer) (base pointer) 32 bits

Process memory layout.text – Machine code of executable.data – Global initialized variables.bss – Below Stack Section global uninitialized vars.text.data.bss heap stack Free memory Env heap – Dynamic variables stack – Local variables – Function call data Env – Environment variables – Program arguments High memory addresses Low memory addresses Grows upward Grows downward

Heap and Stack Design heap stack Free memory High memory addresses Low memory addresses Grows upward Grows downward Allow for more efficient use of finite free memory – Growing in opposite directions allows extra flexibility at runtime Stack – Local variables, function bookkeeping Heap – Dynamic memory heap stack

Heap and Stack use: Example Free memory High memory addresses Low memory addresses main(): call foo() call bar() foo(): f_glob = malloc(0x100) call bar() bar() b_loc = 7; main foo bar 7 0x100 bytes bar 7

Reminder: These are conventions Dictated by compiler Only instruction support by processor – Almost no structural notion of memory safety Use of uninitialized memory Use of freed memory Memory leaks So how are they actually implemented?

Instruction Syntax subl $16, %ebx movl (%eax), %ebx Examples: Instruction ends with data length opcode, src, dst Constants preceded by $ Registers preceded by % Indirection uses ( )

Register Instructions: sub Subtract from a register value %eax 7 registers memory subl %eax, %ebx %ebx 92

Frame Instructions: push Put a value on the stack – Pull from register – Value goes to %esp – Subtract from %esp Example: pushl %eax %eax 7 registers memory Frame pushl %eax %esp N %ebp M %eax 7 registers memory Frame %esp N-4 %ebp M 7

Frame Instructions: pop Take a value from the stack – Pull from stack pointer – Value goes from %esp – Add to %esp %eax 9 registers memory Frame popl %eax %esp K %ebp M %eax 7 registers memory Frame %esp K+4 %ebp M 7 7

Control flow instructions: jmp %eip points to the currently executing instruction (in the text section) Has unconditional and conditional forms Uses relative addressing %eip K registers memory Frame jmp -20 %esp N %ebp M %eip K-20 registers memory Frame %esp N %ebp M

Control flow instructions: call Saves the current instruction pointer to the stack Jumps to the argument value %eip K registers memory Frame A: call FOO %esp N %ebp M %eip FOO registers memory Frame FOO: (1 st of foo) %esp N-4 %ebp M A+2

Control flow instructions: ret Pops the stack into the instruction pointer %eip K registers memory Frame K: ret %ebp M %esp N A %eip A Frame A: (caller instr) %ebp M %esp N+4 registers memory

Stack instructions: leave Equivalent to movl %ebp, %esp popl %ebp registers memory Stack leave %ebp M %esp N A %ebp A %esp M registers memory Stack

Implementing a function call Stack data main: … subl $8, %esp movl $2, 4(%esp) movl $l, (%esp) call foo addl $8, %esp … (main)(foo) foo: pushl %ebp movl %esp, %ebp subl $16, %esp movl $3, -4(%ebp) movl 8(%ebp), %eax addl $9, %eax leave ret eip main eip+2 main ebp esp ebp esp 21 %eax 110 eip 3 esp ebp eip

Function Calls: High level points Locals are organized into stack frames – Callees exist at lower address than the caller On call: – Save %eip so you can restore control – Save %ebp so you can restore data Implementation details are largely by convention – Somewhat codified by hardware

Data types / Endianness x86 is a little-endian architecture %eax 0xdeadbeef pushl %eax esp 0xde0xad0xbe0xef esp 4 bytes1111

Arrays bar: pushl %ebp movl %esp, %ebp subl $5, %esp movl 8(%ebp), %eax movl %eax, 4(%esp) leal -5(%ebp), %eax movl %eax, (%esp) call strcpy leave ret (bar) caller eip+2 caller ebp void bar(char * in){ char name[5]; strcpy(name, in); } &in.text.data HEAP esp ebp ‘D’ 0x44 ‘r’ 0x72 ‘e’ 0x65 ‘w’ 0x77 ‘\0’ 0x00

Assembly Code Tools Let’s look at some programs for observing these phenomena

Tools: GCC gcc –O0 –S program.c –o program.S –m32 gcc –O0 –g program.c –o program –m32

Tools: GDB gdb program (gdb) run (gdb) decompile foo (gdb) quit

Tools: objdump objdump –Dwrt program

Tools: od od –x program

Memory Safety: Why and Why Not The freedom from these shenanigans X86 has little inbuilt notion of memory safety – Compiler or analysis can

Summary Basics of x86 – Process layout – ISA details – Most of the instructions that you’ll need Introduced the concept of a buffer overflow Some tools to play around with x86 assembly Next time: exploiting these vulnerabilities

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.