Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recitation: Attack Lab

Published byBriana Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "Recitation: Attack Lab"— Presentation transcript:

1 15-213 Recitation: Attack Lab
Jenna MacCarley 28 Sep 2015

2 Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

3 Agenda Stack review Attack lab overview
Phases 1-3: Buffer overflow attacks Phases 4-5: ROP attacks

4 x86-64: Register Conventions
Arguments passed in registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 Return value: %rax Callee-saved: %rbx, %r12, %r13, %r14, %rbp, %rsp Caller-saved: %rdi, %rsi, %rdx, %rcx, %r8, %r9, %rax, %r10, %r11 Stack pointer: %rsp Instruction pointer: %rip

5 x86-64: The Stack Grows downward towards lower memory addresses
%rsp points to top of stack push %reg: subtract 8 from %rsp, put val in %reg at (%rsp) pop %reg: put val at (%rsp) in %reg, add 8 to %rsp %rsp Top Bottom 0x7fffffffffff

6 x86-64: Stack Frames Every function call has its own stack frame.
Think of a frame as a workspace for each call. Local variables Callee & Caller-saved registers Optional arguments for a function call

7 x86-64: Function Call Setup
Caller: Allocates stack frame large enough for saved registers, optional arguments Save any caller-saved registers in frame Save any optional arguments (in reverse order) in frame call foo: push %rip to stack, jump to label foo Callee: Push any callee-saved registers, decrease %rsp to make room for new frame

8 x86-64: Function Call Return
Callee: Increase %rsp, pop any callee-saved registers (in reverse order), execute ret: pop %rip

9 Attack Lab Overview: Phases 1-3
Exploit x86-64 by overwriting the stack Overflow a buffer, overwrite return address Execute injected code Key Advice Brush up on your x86-64 conventions! Use objdump –d to determine relevant offsets Use GDB to determine stack addresses

10 Buffer Overflows Exploit strcpy vulnerability to overwrite important info on stack When this function returns, where will it begin executing? Recall ret:pop %rip What if we want to inject new code to execute? 0xAABBCCDD 0xFFFFFFFF Old Return address buf

11 Demonstration: Generating Byte Codes
Use gcc and objdump to generate byte codes for assembly instruction sequences

12 Attack Lab Overview: Phases 4-5
Utilize return-oriented programming to execute arbitrary code Useful when stack is non-executable or randomized Find gadgets, string together to form injected code Key Advice Use mixture of pop & mov instructions + constants to perform specific task

13 ROP Example void foo(char *input){
char buf[32]; ... strcpy (buf, input); return; } Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into %rbx and move it into %rax Gadgets: address1: mov %rbx, %rax; ret address2: pop %rbx; ret Inspired by content created by Professor David Brumley

14 ROP Example: Solution Gadgets: Address 1: mov %rbx, %rax; ret
Next address in ROP chain…. Address 1 0xBBBBBBBB Address 2 0xFFFFFFFF 0xFFFFFFFF (filler…..) Gadgets: Address 1: mov %rbx, %rax; ret Address 2: pop %rbx; ret Old Return address void foo(char *input){ char buf[32]; ... strcpy (buf, input); return; } buf

15 ROP Demonstration: Looking for Gadgets
How to identify useful gadgets in your code

16 Tools objdump –d View byte code and assembly instructions, determine stack offsets ./hex2raw Pass raw ASCII strings to targets gdb Step through execution, determine stack addresses gcc –c Generate object file from assembly language file

17 More Tips Draw stack diagrams
Be careful of byte ordering (little endian)

18 Also...

19 Questions?

Download ppt "Recitation: Attack Lab"

Similar presentations

15/18-213: Introduction to Computer Systems

15/18-213: Introduction to Computer Systems
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.

RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
Machine-Level Programming III: Procedures Topics IA32 stack discipline Register-saving conventions Creating pointers to local variables CS 105 “Tour of.

Machine-Level Programming III: Procedures Topics IA32 stack discipline Register-saving conventions Creating pointers to local variables CS 105 “Tour of.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
1 Carnegie Mellon Assembly and Bomb Lab 15-213: Introduction to Computer Systems Recitation 4, Sept. 17, 2012.

1 Carnegie Mellon Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4, Sept. 17, 2012.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

Similar presentations

Ads by Google