Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recitation 5: Attack Lab

Published byShona Long Modified over 6 years ago

Similar presentations

Presentation on theme: "Recitation 5: Attack Lab"— Presentation transcript:

1 15-213 Recitation 5: Attack Lab
26 Sept 2016

2 Agenda Reminders Stacks Attack Lab Activities

3 Reminders Bomb lab is due tomorrow!
“But if you wait until the last minute, it only takes a minute!” - NOT! Don't waste your grace days on this assignment Attack lab will be released tomorrow!

4 Stacks Last-In, First-Out x86 stack grows down
just like a stack of plates pushes and pops to preserve registers must be in opposite order x86 stack grows down lowest address is “top” Image credit: Wikimedia Commons

5 Stack Stack space is allocated in “frames”
Represents the state of a single function invocation Used primarily for two things: Storing callee save registers Storing the return address of a function Can also store: Local variables that don’t fit in registers Function arguments 7+

6 x86-64/Linux Stack Frame Current Stack Frame (“Top” to Bottom)
Carnegie Mellon x86-64/Linux Stack Frame Current Stack Frame (“Top” to Bottom) “Argument build:” Parameters for function about to call Local variables If can’t keep in registers Saved register context Old frame pointer (optional) Caller Stack Frame Return address Pushed by call instruction Arguments for this call Caller Frame Arguments 7+ Frame pointer %rbp Return Addr Old %rbp (Optional) Saved Registers + Local Variables Argument Build (Optional) Stack pointer %rsp

7 Stack Maintenance Functions free their frame before returning
Return instruction looks for the return address at the top of the stack What if the return address has been changed?

8 Attack Lab Activities Three activities
Each relies on a specially crafted assembly sequence to purposefully overwrite the stack Activity 1 – Overwrites the return addresses Activity 2 – Writes an assembly sequence onto the stack Activity 3 – Uses byte sequences in libc as the instructions

9 Form pairs One student needs a laptop Login to a shark machine
$ wget $ tar xf rec5.tar $ cd rec5 $ make $ gdb act1

10 Activity 1 (gdb) break clobber (gdb) run (gdb) x $rsp (gdb) backtrace
Q. Does the value at the top of the stack match any frame? (gdb) x /2gx $rdi // Here are the two key values (gdb) stepi // Keep doing this until (gdb) clobber () at support.s:16 ret Q. Has the return address changed? (gdb) fin Should exit normally, May segfault

11 Activity 1 Post In this activity, we overwrote part of the stack
Placing two return addresses onto the stack Return to printHi() Return to main Call clobber() Clobber executes In printHi() In main() ret ret 0x7fffffffe338 0x 0x 0x 0x

12 Activity 2 $gdb act2 (gdb) break clobber (gdb) run (gdb) x $rsp Q. What is the address of the stack and the return address? (gdb) x /4gx $rdi Q. What will the new return address be? (i.e., what is the first value?) (gdb) x/5i $rdi + 8 // Display as instructions Q. Why rdi + 8? Q. What are the three addresses? (gdb) break puts (gdb) break exit Q. Do these addresses look familiar?

13 Activity 2 Post Normally programs cannot execute instructions on the stack Main used mprotect to change the memory protection for this activity Clobber wrote a return address of the stack to the stack And a sequence of instructions Three addresses: “Hi\n”, puts(), exit() Why callq *%rsi? As the attacklab writeup notes, calling functions is hard. Return oriented programming is much easier.

14 Activity 3 $gdb act3 (gdb) break clobber (gdb) run (gdb) x /5gx $rdi Q. Which value will be first on the stack? Q. At the end of clobber, where will it return? (gdb) x /2i <return address> Q. What does this sequence do? Q. Do the same for the other addresses. Note that some are return addresses and some are for data. When you continue, what will the code now do?

15 How was it constructed? Think of possible executions
What are the bytes of the instructions? Write short assembly into foo.s gcc -c foo.s objdump -d foo.o OR: Convert them to byte sequences (Attacklab write-up has a table) Also important so you can switch between register names After determining the desired instruction(s) Use the Linux tool xxd to dump the raw bytes to a file Or: Objdump -d rtarget (or act3 or …) Search the file

16 If You Get Stuck Please read the writeup. Please read the writeup. Please read the writeup. Please read the writeup! CS:APP Chapter 3 View lecture notes and course FAQ at Office hours Sunday through Thursday 5:00-9:00pm in WeH 5207 Post a private question on Piazza man gdb, gdb's help command

17 Remember...

18 Appendix

19 Attack Lab Tools gcc -c file.s objdump -d file.o ./hex2raw gdb
convert the assembly code in file.s to object code in file.o objdump -d file.o disassemble the code in file.o; shows the actual bytes for the instructions ./hex2raw convert hex codes into raw ASCII strings to pass to targets gdb determine stack addresses paper and pencil for drawing stack diagrams

20 More Useful GDB Commands
x/[n]i <address> b <loc> if <cond> cond <bp> <cond> commands <bp> tbreak <loc> finish layout asm layout reg disassemble n instructions at <address> conditional breakpoint, stop only if <cond> true add condition to existing breakpoint <bp> execute commands when breakpoint <bp> hit set temporary breakpoint – auto-deletes when hit! run until current frame (function) returns, and print return value split the screen into separate disassembly and command windows show register window as well (after layout asm)

Download ppt "Recitation 5: Attack Lab"

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Ch. 8 Functions.

Ch. 8 Functions.
Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)
Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.

Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Run time vs. Compile time

Run time vs. Compile time
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Memory & Storage Architecture Seoul National University GDB commands Hyeon-gyu School of Computer Science and Engineering.

Memory & Storage Architecture Seoul National University GDB commands Hyeon-gyu School of Computer Science and Engineering.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 Recitation, Jan. 14 th.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Exploitation Of Windows Buffer Overflows. What is a Buffer Overflow A buffer overflow is when memory is copied to a location that is outside of its allocated.

Exploitation Of Windows Buffer Overflows. What is a Buffer Overflow A buffer overflow is when memory is copied to a location that is outside of its allocated.

Similar presentations

Ads by Google