Linux Userspace Process Memory Layout

Slides:



Advertisements
Similar presentations
Hand-Held Devices and Embedded Systems Course Student: Tomás Sánchez López Student ID:
Advertisements

Programs in Memory Bryce Boe 2012/08/29 CS32, Summer 2012 B.
Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.
Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.
The art of exploitation
Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.
Binary Loader What is done by binary loader? ● Read executable from the filesystem ● Parse the binary header ● Copy all segments into addresses specified.
Compilation (Semester A, 2013/14) Lecture 13: Assembler, Linker & Loader Noam Rinetzky Slides credit: Eli Bendersky, Mooly Sagiv & Sanjeev Setia.
CS 4284 Systems Capstone Godmar Back Linking and Loading.
Linking and Loading Fred Prussack CS 518. L&L: Overview Wake-up Questions Terms and Definitions / General Information LoadingLinking –Static vs. Dynamic.
Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
C and Data Structures Baojian Hua
Memory Layout C and Data Structures Baojian Hua
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”
Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.
UNIX ELF File Format. Elf File Format The a.out format served the Unix community well for over 10 years. However, to better support cross-compilation,
CS 3204 Operating Systems Godmar Back Lecture 11.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
CSU System Programming, NTNU CSIE1 / 99 Linkers and Libraries Advisor: Dr. Gwan-Hwan Hwang Lecturer: Che-Sheng Lin.
1 Program Layout in memory –Code –Data Global variables –Stack Local variables & function Invocation Frames –Heap Dynamically allocated memory Today’s.
Topic 2d High-Level languages and Systems Software
Lec 4Systems Architecture1 Systems Architecture Lecture 4: Compilers, Assemblers, Linkers & Loaders Jeremy R. Johnson Anatole D. Ruslanov William M. Mongan.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Linking Ⅱ.
CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows
University of Maryland Profile-Driven Selective Program Loading Tugrul Ince Jeff Hollingsworth Department of Computer Science University.
Different Types of Libraries
Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.
1 Linking. 2 Outline What is linking and why linking Complier driver Static linking Symbols & Symbol Table Suggested reading: 7.1~7.5.
CSc 453 Linking and Loading
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
LECTURE 3 Translation. PROCESS MEMORY There are four general areas of memory in a process. The text area contains the instructions for the application.
Object Files & Linking. Object Sections Compiled code store as object files – Linux : ELF : Extensible Linking Format – Windows : PE : Portable Execution.
Program Execution in Linux David Ferry, Chris Gill CSE 522S - Advanced Operating Systems Washington University in St. Louis St. Louis, MO
Apr. 27, 2007 Tetsuyuki Kobayashi Aplix Corporation
Lecture 3 Translation.
Exploiting & Defense Day 1 Recap
Instruction Set Architecture
Assemblers, linkers, loaders
Static and dynamic analysis of binaries
Slides adapted from Bryant and O’Hallaron
Exploiting & Defense Day 2 Recap
143A: Principles of Operating Systems Lecture 8: Basic Architecture of a Program Anton Burtsev October, 2017.
Program Execution in Linux
CS 5204 Operating Systems Linking and Loading Godmar Back.
Software Development with uMPS
Recitation: Attack Lab
Topic 2e High-Level languages and Systems Software
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Getting Started Download the tarball for this session. It will include the following files: driver 64-bit executable driver.c C driver source bomb.h declaration.
CS 4284 Systems Capstone Linking and Loading Godmar Back.
CSE 351 Section 10 The END…Almost 3/7/12
Memory Allocation CS 217.
Understanding Program Address Space
Week 2: Buffer Overflow Part 1.
CTF Class 2018 By: Shawn Stone
Jeremy R. Johnson Anatole D. Ruslanov William M. Mongan
Program Execution in Linux
Computer Architecture and System Programming Laboratory
Machine-Level Programming II: Basics Comp 21000: Introduction to Computer Organization & Systems Spring 2016 Instructor: John Barr * Modified slides.
“Way easier than when we were students”
Program Assembly.
Reverse Engineering for CTFs
Week 7 - Friday CS222.
Process Address Spaces and Binary Formats
Presentation transcript:

Linux Userspace Process Memory Layout

Defeat Exploit Mitigations Content Intel Architecture Buffer Overflow Memory Layout C Arrays BoF Exploit Assembler Remote Exploit Shellcode Exploit Mitigations Function Calls Defeat Exploit Mitigations Debugging

Userspace Memory Layout In x32

Stack Heap Code x32 Memory Layout 0xc0000000 0xbfffffff 0x0804800

Stack Heap Code ELF File x32 Memory Layout char array[16]; malloc(16) 0xc0000000 0xbfffffff Stack char array[16]; malloc(16) Heap Code mapping ELF File 0x0804800 0x0000000

Stack Heap Code ELF File ESP EIP x32 Memory Layout char array[16]; 0xc0000000 0xbfffffff Stack char array[16]; ESP malloc(16) Heap EIP Code mapping ELF File 0x0804800 0x0000000

x32 Memory Layout Memory regions: Stack Heap There’s one contiguous memory region containing the stack for the process LIFO – Last in, First Out Contains function local variables Also contains: Saved Instruction Pointer (SIP) Current function adds data to the top (bottom) of the stack Heap There’s one contiguous memory region containing the heap Memory allocator returns specific pieces of the memory region For malloc() Also contains: heap management data

x32 Memory Layout Memory regions: Code Compiled program code

How do programs on disk look like ELF Format How do programs on disk look like

ELF Format Programs are stored in ELF files ELF: Executable and Linkable Format Previously: “a.out” (Linux 1.2) Like COFF, PE (EXE), COM, … ELF types: ET_EXEC: Executable File ET_REL: Relocatable File ET_DYN: Shared Object File ELF “views”: Sections Segments $ readelf –l <binary>

Segments Sections ELF Format Program Header Table Section Header Table ELF Header Program Header Table Segments Sections Section Header Table

ELF Format Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align PHDR 0x00000040 0x0000400040 0x0000000000400040 0x000001c0 0x00000001c0 R E 8 INTERP 0x00000200 0x0000400200 0x0000000000400200 0x0000001c 0x000000001c R 1 LOAD 0x00000000 0x0000400000 0x0000000000400000 0x00000b24 0x0000000b24 R E 200000 LOAD 0x00000b28 0x0000600b28 0x0000000000600b28 0x00000270 0x0000000278 RW 200000 DYNAMIC 0x00000b40 0x0000600b40 0x0000000000600b40 0x000001e0 0x00000001e0 RW 8 NOTE 0x0000021c 0x000040021c 0x000000000040021c 0x00000044 0x0000000044 R 4 GNU_EH_FRAME 0x000009ac 0x00004009ac 0x00000000004009ac GNU_STACK 0x00000000 0x0000000000 0x0000000000000000 0x00000000 0x0000000000 RW 10

ELF Format $ readelf –l challenge0 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag .note.gnu.build-id 06 .eh_frame_hdr 07

Sections: ELF Format .text: Executable instructions .bss: Unitialized data (usually the heap) .data: initialized data .rodata: Read-Only data .got: Global Offset Table .plt: Procedure Linkage Table .init/.fini: Initialization instructions (“glibc”)

ELF Format 02 .init .plt .text .fini .rodata Program Headers: Type Offset PhysAddr FileSiz Flags Align (02) LOAD 0x0000000000000000 0x0000000000400000 0x0000000000000b24 R E 200000 (03) LOAD 0x0000000000000b28 0x0000000000600b28 0x0000000000000270 RW 200000 (07) GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 10 02 .init .plt .text .fini .rodata 03 .got .got.plt .data .bss 07

ELF Loader

03 Data Segment rw- 02 Executable Segment r-x ELF Format .plt .text ELF Header Program Header Table .plt 02 Executable Segment r-x .text .init .got 03 Data Segment rw- .data .bss 07 Stack rw- Section Header Table

Code Heap Stack ELF Format FILE Process .plt .text .init .got .data ELF Header Program Header Table Code .plt .text .init .got Heap .data .bss Stack Section Header Table

Stack Heap Code RSP RIP x64 Memory Layout 0x7fffffffe000 0x600000

Lets do an example some static and dynamic binary analysis

ELF Format char *globalVar = "Global"; void main(void) { char stackVar[16]; char *heapVar = (char *) malloc(4); printf("Global var: %p\n", globalVar); printf("Heap var: %p\n", heapVar); printf("Stack var: %p\n", stackVar); }

ELF Format Global var: 0x400654 Heap var: 0x601010 Stack var: 0x7fffffffe990 (2) LOAD 0x0000000000400000 R E 200000 (3) LOAD 0x0000000000600b28 RW 200000 (7) GNU_STACK 0x0000000000000000 RW 10

ELF Format See it at runtime # cat /proc/self/maps 00400000-0040c000 r-xp 00000000 08:01 391694 /bin/cat 0060b000-0060c000 r--p 0000b000 08:01 391694 /bin/cat 0060c000-0060d000 rw-p 0000c000 08:01 391694 /bin/cat … 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]

ELF Format Show Code section, and disassemble: $ objdump -d ./challenge1 ./challenge1: file format elf64-x86-64 Disassembly of section .init: 0000000000400588 <_init>: … 000000000040077f <handleData>: 40077f: 55 push %rbp 400780: 48 89 e5 mov %rsp,%rbp 400783: 48 83 ec 30 sub $0x30,%rsp 400787: 48 89 7d d8 mov %rdi,-0x28(%rbp) 40078b: 48 89 75 d0 mov %rsi,-0x30(%rbp)

ELF Format The process of creating a process from an ELF file is called: “Linking and Loading” Sections: Are for compiler (gcc), to link several object files together (.o) Segments: Are for the loader, to create the process Consists of one ore more sections

ELF Format Recap: Program Code is stored in ELF Files ELF Files contain segments Segments are copied 1:1 in the memory

Challenges Challenges: https://exploit.courses Challenge 0: Introduction to memory layout – basic Challenge 1: Introduction to memory layout - advanced

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.