Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson

Published byJayson Terry Modified over 8 years ago

Similar presentations

Presentation on theme: "CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson"— Presentation transcript:

1 CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson davidson@cs.wisc.edu

2 From Last Time ACL-based permissions (UNIX style) – Read, Write, eXecute can be restricted on users and groups – Processes (usually) run with the permissions of the invoking user passwd RUID: ace /etc/shadow write EUID: root input

3 Processes are the front line of system security Control a process and you get the privileges of its UID So how do you control a process? – Send specially formed input to process passwd RUID: ace /etc/shadow write EUID: root input

4 Privilege Escalation article published last Thursday!

5 Today – Enough x86 to understand (some) process vulnerabilities Memory Layout Some x86 instruction semantics Tools for inspecting assembly Next Time – How such attacks occur

6 Why do we need to look at assembly? We understand code in this form Vulnerabilities exploited in this form int foo(){ int a = 0; return a + 7; } pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -4(%ebp) movl -4(%ebp), %eax addl $7, %eax leave ret Compiler “WYSINWYX: What you see is not what you eXecute” [Balakrishnan and Reps TOPLAS 2010]

7 X86: The De Facto Standard Extremely popular for desktop computers Alternatives – ARM: popular on mobile – MIPS: very simple – Itanium: ahead of its time

8 x86: Popular but Crazy CISC (complex instruction set computing) – Over 100 distinct opcodes in the set Register poor – Only 8 registers of 32-bits, only 6 are general- purpose Variable-length instructions Built of many backwards-compatible revisions – Many security problems preventable… in hindsight

9 A Little History Intel introduces 8086 (16 bit) 19781982 80186 and 80286 1985 80386 (32-bit) 1989 i486 (32-bit) Intel attempts to trademark the number 486, gets denied 1993 Pentium “five” Science-y? 1995 Pentium Pro 2003 AMD makes x86-64 (64 bit) … This is not a joke. It’s the real reason

10 Let’s Dive in To X86! X86

11 Registers ESI EDI ESP EBP DX CX BX AX EDX ECX EBX EAX AL BL CL DL AH BH CH DH (stack pointer) (base pointer) 32 bits

12 Process memory layout.text – Machine code of executable.data – Global initialized variables.bss – Below Stack Section global uninitialized vars.text.data.bss heap stack Free memory Env heap – Dynamic variables stack – Local variables – Function call data Env – Environment variables – Program arguments High memory addresses Low memory addresses Grows upward Grows downward

13 Heap and Stack Design heap stack Free memory High memory addresses Low memory addresses Grows upward Grows downward Allow for more efficient use of finite free memory – Growing in opposite directions allows extra flexibility at runtime Stack – Local variables, function bookkeeping Heap – Dynamic memory heap stack

14 Heap and Stack use: Example Free memory High memory addresses Low memory addresses main(): call foo() call bar() foo(): f_glob = malloc(0x100) call bar() bar() b_loc = 7; main foo bar 7 0x100 bytes bar 7

15 Reminder: These are conventions Dictated by compiler Only instruction support by processor – Almost no structural notion of memory safety Use of uninitialized memory Use of freed memory Memory leaks So how are they actually implemented?

16 Instruction Syntax subl $16, %ebx movl (%eax), %ebx Examples: Instruction ends with data length opcode, src, dst Constants preceded by $ Registers preceded by % Indirection uses ( )

17 Register Instructions: sub Subtract from a register value %eax 7 registers memory subl %eax, %ebx %ebx 92

18 Frame Instructions: push Put a value on the stack – Pull from register – Value goes to %esp – Subtract from %esp Example: pushl %eax %eax 7 registers memory Frame pushl %eax %esp N %ebp M %eax 7 registers memory Frame %esp N-4 %ebp M 7

19 Frame Instructions: pop Take a value from the stack – Pull from stack pointer – Value goes from %esp – Add to %esp %eax 9 registers memory Frame popl %eax %esp K %ebp M %eax 7 registers memory Frame %esp K+4 %ebp M 7 7

20 Control flow instructions: jmp %eip points to the currently executing instruction (in the text section) Has unconditional and conditional forms Uses relative addressing %eip K registers memory Frame jmp -20 %esp N %ebp M %eip K-20 registers memory Frame %esp N %ebp M

21 Control flow instructions: call Saves the current instruction pointer to the stack Jumps to the argument value %eip K registers memory Frame A: call FOO %esp N %ebp M %eip FOO registers memory Frame FOO: (1 st of foo) %esp N-4 %ebp M A+2

22 Control flow instructions: ret Pops the stack into the instruction pointer %eip K registers memory Frame K: ret %ebp M %esp N A %eip A Frame A: (caller instr) %ebp M %esp N+4 registers memory

23 Stack instructions: leave Equivalent to movl %ebp, %esp popl %ebp registers memory Stack leave %ebp M %esp N A %ebp A %esp M registers memory Stack

24 Implementing a function call Stack data main: … subl $8, %esp movl $2, 4(%esp) movl $l, (%esp) call foo addl $8, %esp … (main)(foo) foo: pushl %ebp movl %esp, %ebp subl $16, %esp movl $3, -4(%ebp) movl 8(%ebp), %eax addl $9, %eax leave ret eip main eip+2 main ebp esp ebp esp 21 %eax 110 eip 3 esp ebp eip

25 Function Calls: High level points Locals are organized into stack frames – Callees exist at lower address than the caller On call: – Save %eip so you can restore control – Save %ebp so you can restore data Implementation details are largely by convention – Somewhat codified by hardware

26 Data types / Endianness x86 is a little-endian architecture %eax 0xdeadbeef pushl %eax esp 0xde0xad0xbe0xef esp 4 bytes1111

27 Arrays bar: pushl %ebp movl %esp, %ebp subl $5, %esp movl 8(%ebp), %eax movl %eax, 4(%esp) leal -5(%ebp), %eax movl %eax, (%esp) call strcpy leave ret (bar) caller eip+2 caller ebp void bar(char * in){ char name[5]; strcpy(name, in); } &in.text.data HEAP esp ebp ‘D’ 0x44 ‘r’ 0x72 ‘e’ 0x65 ‘w’ 0x77 ‘\0’ 0x00

28 Assembly Code Tools Let’s look at some programs for observing these phenomena

29 Tools: GCC gcc –O0 –S program.c –o program.S –m32 gcc –O0 –g program.c –o program –m32

30 Tools: GDB gdb program (gdb) run (gdb) decompile foo (gdb) quit

31 Tools: objdump objdump –Dwrt program

32 Tools: od od –x program

33 Memory Safety: Why and Why Not The freedom from these shenanigans X86 has little inbuilt notion of memory safety – Compiler or analysis can

34 Summary Basics of x86 – Process layout – ISA details – Most of the instructions that you’ll need Introduced the concept of a buffer overflow Some tools to play around with x86 assembly Next time: exploiting these vulnerabilities

Download ppt "CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson"

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Fabián E. Bustamante, Spring 2007 Machine-Level Programming II: Control Flow Today Condition codes Control flow structures Next time Procedures.

Fabián E. Bustamante, Spring 2007 Machine-Level Programming II: Control Flow Today Condition codes Control flow structures Next time Procedures.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
CS 4284 Systems Capstone Godmar Back Processes and Threads.

CS 4284 Systems Capstone Godmar Back Processes and Threads.
Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Web:

Introduction to Machine/Assembler Language Noah Mendelsohn Tufts University Web:
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
Machine Programming – Procedures and IA32 Stack CENG334: Introduction to Operating Systems Instructor: Erol Sahin Acknowledgement: Most of the slides are.

Machine Programming – Procedures and IA32 Stack CENG334: Introduction to Operating Systems Instructor: Erol Sahin Acknowledgement: Most of the slides are.
Instruction Set Architectures

Instruction Set Architectures
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
– 1 – 15-213, F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.

– 1 – , F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.

Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

Similar presentations

Ads by Google