Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Published byAshley Booth Modified over 8 years ago

Similar presentations

Presentation on theme: "Assembly, Stacks, and Registers Kevin C. Su 9/26/2011."— Presentation transcript:

1 Assembly, Stacks, and Registers Kevin C. Su 9/26/2011

2  BombLab  Assembly review  Stacks ◦ EBP / ESP  Stack Discipline  Buffer Overflow  BufLab  Summary

3  Hopefully everyone has started by now  If there are any questions/if you need help, ◦ Email the staff list: 15-213-staff@cs.cmu.edu ◦ Office hours: Sun-Thurs 5:30 to 8:30  Due tomorrow at midnight.

4  BombLab  Assembly Review  Stacks ◦ EBP / ESP  Stack Discipline  Buffer Overflow  BufLab  Summary

5  Instructions ◦ mov ◦ add/sub/or/and/… ◦ leal ◦ test/cmp ◦ jmp/je/jg/…  Differences between ◦ test / and ◦ mov / leal

6  x86 ◦ 6 General Purpose Registers ◦ EBP / ESP  x86-64 ◦ 14 General Purpose Registers ◦ RBP / RSP ◦ Difference between RAX and EAX

7  x86 ◦ Argument 1: %ebp+8 ◦ Argument 2: %ebp+12 ◦ …  x86-64 ◦ Argument 1: %rdi ◦ Argument 2: %rdx ◦ …

8  Assembly  Stacks ◦ EBP / ESP  Stack Discipline  Buffer Overflow  BufLab  Summary

9  Vital role in handling procedure calls  Similar to “Stack” data structure  FILO  %esp => points to the top of the stack  %ebp => points to the base of the stack

10  Example stack ◦ foo calls:  bar(argument 1)

11  PUSH – pushes an element onto the stack

12  POP – pops an element off of the stack

13  Stack layout for a function call

14  Function Parameters ◦ Pushed on by the calling function  First parameter starts at %EBP + 8 ◦ Why?  Calling foo(x, y, z) ◦ In what order do we push the arguments on the stack and why?

15  Return address ◦ What is it’s address in terms of %EBP?  For the called function to return  (This will be a target for buflab)

16  Saved %EBP ◦ Positioned above the last stack frame  Remember, ◦ %ESP = %EBP ◦ %EBP = popped old %EBP ◦ Pop the return address  %EBP and %ESP are back to their old values

17  Next is space for all local variables ◦ What happens to them after the function is over?  This is where the buffer overflow will occur  Callee may also have to save registers

18  BombLab  Assembly Review  Stacks ◦ EBP / ESP  Stack Discipline  Buffer Overflow  BufLab  Summary

19  %ebp ◦ Where does it point? ◦ What happens during a function call?  %esp ◦ Where does it point? ◦ What happens during a function call?

20  Order of objects on the stack ◦ Argument 2 ◦ Argument 1 ◦ Return Address ◦ Saved %ebp ◦ Local variables for called function  Grows downwards!

21  Calling a function ◦ Push arguments ◦ Push return address ◦ Jump to new function ◦ Save old %ebp on stack ◦ Subtract from stack pointer to make space

22  Returning ◦ Pop the old %ebp ◦ Pop the return address and return to it  Think eip = stack.pop()

23  Useful things ◦ Return address  %ebp + 4 ◦ Old %ebp  %ebp ◦ Argument 1  %ebp + 8 ◦ Argument 2  %ebp + 12

24  BombLab  Assembly Review  Stacks ◦ EBP / ESP  Buffer Overflow  BufLab  Summary

25  Covered in lecture tomorrow ◦ Make sure to pay attention!  Seminal Paper ◦ Smashing the Stack for Fun and Profit  A method of gaining control over a program  Actual exploitation ◦ Server is running a program ◦ Buffer Overflow vulnerability ◦ Take control of program => Take control of server

26  Calling the function foo(1, 2) ◦ Note how the stack is set up (useful for BufLab) 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP BUF[11] BUF[10] BUF[9] BUF[8] Last 4 bytes of BUF BUF[7] BUF[6] BUF[5] BUF[4] Middle 4 bytes of BUF BUF[3] BUF[2] BUF[1] BUF[0] First 4 bytes of BUF …

27  strcpy(BUF, userInput) //char BUF[12]  Let user input = 0x1234567890ABCDEFDEADBEEEF 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP BUF[11] BUF[10] BUF[9] BUF[8] Last 4 bytes of BUF BUF[7] BUF[6] BUF[5] BUF[4] Middle 4 bytes of BUF BUF[3] BUF[2] BUF[1] BUF[0] First 4 bytes of BUF …

28  Let user input = 0x1234567890ABCDEFDEADBEEEF  First 4 copied in (What’s the endianness?) 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP BUF[11] BUF[10] BUF[9] BUF[8] Last 4 bytes of BUF BUF[7] BUF[6] BUF[5] BUF[4] Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

29  Let user input = 0x1234567890ABCDEFDEADBEEEF  Next 4 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP BUF[11] BUF[10] BUF[9] BUF[8] Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

30  Let user input = 0x1234567890ABCDEFDEADBEEF  Last 4 available bytes 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

31  Let user input = 0x1234567890ABCDEFDEADBEEF  What if the user entered in 8 more bytes? 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0xFF FF FF C8 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

32  Let user input = 0x1234567890ABCDEFDEADBEEF  Concatenate 0x1122334455667788 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x08 06 5A AD Return Address 0x44 33 22 11 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

33  Let user input = 0x1234567890ABCDEFDEADBEEF  Concatenate 0x1122334455667788 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x88 77 66 55 Return Address 0x44 33 22 11 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

34  Oh no! We’ve overwritten the return address  What happens when the function returns? 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x88 77 66 55 Return Address 0x44 33 22 11 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

35  Function will return to 0x55667788 ◦ Controlled by user 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x88 77 66 55 Return Address 0x44 33 22 11 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

36  Instead of entering garbage, we could’ve entered arbitrary code. Then we’d have control of the program. 0x00 00 00 02 Argument 2 0x00 00 00 01 Argument 1 0x88 77 66 55 Return Address 0x44 33 22 11 Old %EBP 0xEF BE AD DE Last 4 bytes of BUF 0xEF CD AB 90 Middle 4 bytes of BUF 0x78 56 34 12 First 4 bytes of BUF …

37  BombLab  Assembly Review  Stacks ◦ EBP / ESP  Buffer Overflow  BufLab  Summary

38  Buffer Overflows are the premise of BufLab  You will inject code, then make the program execute your code  You can use this to branch to other existing functions, set arbitrary values in variables, or execute anything you want!

39  BombLab  Assembly Review  Stacks ◦ EBP / ESP  Buffer Overflow  BufLab  Summary

40  Purpose of %ebp  Purpose of %esp

41  Essential for function calls  3 important things stored on stack: ◦ Arguments ◦ Return address ◦ Old %EBP  Which would be a target for BufLab?

42  Unbounded string copy  Allow a user to overwrite any part of the stack  Can execute arbitrary code ◦ Set variables ◦ Call functions ◦ Shellcode too

43  Pick up your datalabs.  Style grading: ◦ Comments ◦ Clear code, broken into logical pieces ◦ Meaningful variable names  If you haven’t corrected your recitation in autolab, please do it after this class.

44  Questions?  Good luck on BufLab (out tomorrow).

Download ppt "Assembly, Stacks, and Registers Kevin C. Su 9/26/2011."

Similar presentations

Calling sequence ESP.

Calling sequence ESP.
15/18-213: Introduction to Computer Systems

15/18-213: Introduction to Computer Systems
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.

RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
15-213 Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.

Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Similar presentations

Ads by Google