Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

INSTRUCTION SET ARCHITECTURES
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Assembly Language Lecture 0: Introduction. Outline What is Assembly Language? Why learn Assembly Language? Grade Text Book.
ARM Core Architecture. Common ARM Cortex Core In the case of ARM-based microcontrollers a company named ARM Holdings designs the core and licenses it.
Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Recitation 4: The Stack & Lab3 Andrew Faulring Section A 30 September 2002.
Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.
ELF binary # readelf -a foo.out ELF Header:
Advanced x86: BIOS and System Management Mode Internals System Management Mode (SMM) Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Introduction to Information Security ROP – Recitation 5.
Xeno Kovah && Corey Kallenberg
Advanced x86: BIOS and System Management Mode Internals SMM & Caching Xeno Kovah && Corey Kallenberg LegbaCore, LLC.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
Correct RelocationMarch 20, 2016 Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat
1 Machine-Level Programming V: Control: loops Comp 21000: Introduction to Computer Organization & Systems March 2016 Systems book chapter 3* * Modified.
Introduction to Information Security
Buffer Overflow Attacks
Instruction Set Architecture
Introduction to Information Security
Static and dynamic analysis of binaries
ECE 3430 – Intro to Microcomputer Systems
Computer Architecture and Assembly Language
ISA's, Compilers, and Assembly
Recitation: Attack Lab
Advanced Topic: Alternative Architectures Chapter 9 Objectives
Understanding x86-64 Assembly for Reverse Engineering & Exploits
Computer Architecture and Organization Miles Murdocca and Vincent Heuring Chapter 4 – The Instruction Set Architecture.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Low level Programming.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Instruction cycle Instruction: A command given to the microprocessor to perform an operation Program : A set of instructions given in a sequential.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Xeno Kovah && Corey Kallenberg LegbaCore, LLC
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Recitation: Attack Lab
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Getting Started Download the tarball for this session. It will include the following files: driver 64-bit executable driver.c C driver source bomb.h declaration.
Machine-Level Programming V: Control: loops Comp 21000: Introduction to Computer Organization & Systems Systems book chapter 3* * Modified slides from.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah –
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah –
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Machine-Level Programming: Introduction
Getting Started Download the tarball for this session. It will include the following files: driver 64-bit executable driver.c C driver source bomb.h declaration.
Machine-Level Programming I: Basics Comp 21000: Introduction to Computer Organization & Systems Instructor: John Barr * Modified slides from the book.
Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.
Machine-Level Programming I: Basics Comp 21000: Introduction to Computer Organization & Systems Instructor: John Barr * Modified slides from the book.
CSC 497/583 Advanced Topics in Computer Security
Machine-Level Programming V: Control: loops Comp 21000: Introduction to Computer Organization & Systems Systems book chapter 3* * Modified slides from.
Getting Started Download the tarball for this session. It will include the following files: driver 64-bit executable driver.c C driver source bomb.h declaration.
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Low level Programming.
Presentation transcript:

Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail

All materials is licensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ Attribution condition: You must indicate that derivative work "Is derived from Xeno Kovah's ‘Intro x86-64’ class, available at http://OpenSecurityTraining.info/IntroX86-64.html" Attribution condition: You must indicate that derivative work "Is derived from Xeno Kovah's 'Intro x86-64’ class, available at http://OpenSecurityTraining.info/IntroX86-64.html”

Discussion: variable-length opcodes Any given sequence of bytes can be interpreted in different ways, depending on where the CPU starts executing it from This has many subtle implications, but it seems to get abused the most in the security domain Examples: inability to validate intended instructions, return-oriented-programming, code obfuscation and polymorphic/self-modifying code In comparison, RISC architectures typically have fixed instruction sizes, which must be on aligned boundaries, and thus makes disassembly much simpler

Variable-length opcode decoding example (gdb) x/10i $rip 0x4004ed <main>: push %rbp 0x4004ee <main+1>: mov %rsp,%rbp 0x4004f1 <main+4>: movl $0xdeadbeef,-0x4(%rbp) 0x4004f8 <main+11>: mov -0x4(%rbp),%eax 0x4004fb <main+14>: mov %eax,%eax 0x4004fd <main+16>: mov %eax,%eax 0x4004ff <main+18>: mov %eax,-0x4(%rbp) 0x400502 <main+21>: pop %rbp 0x400503 <main+22>: retq (gdb) x/10i $rip+9 0x4004f6 <main+9>: lods %ds:(%rsi),%eax 0x4004f7 <main+10>: fimul -0x3f7603bb(%rbx) (gdb) x/10i $rip+3 0x4004f0 <main+3>: in $0xc7,%eax 0x4004f2 <main+5>: rex.RB cld 0x4004f4 <main+7>: out %eax,(%dx) 0x4004f5 <main+8>: mov $0x458bdead,%esi 0x4004fa <main+13>: cld 0x4004fb <main+14>: mov %eax,%eax 0x4004fd <main+16>: mov %eax,%eax 0x4004ff <main+18>: mov %eax,-0x4(%rbp) 0x400502 <main+21>: pop %rbp 0x400503 <main+22>: retq (gdb) x/10i $rip+15 0x4004fc <main+15>: rorb $0x5d,-0x3ba7640(%rcx) x86 has been called “self-synchronizing” because it does eventually seem to get back to the correct asm. That’s not a useful property for execution, only for disassemblers trying to speculate on a correct disassembly.

Discussion: variable-length opcodes An interesting property of x86 is that even if you pick a wrong offset to start disassembling from, very frequently the disassembly will re-synchronize with the original, intended, instruction sequence In the preceding examples you can see that when disassembly is started at +3 bytes in, it re-synchs by +14 bytes. When started at +9, it re-synchs by +16, etc. This was noted also in “Obfuscation of Executable Code to Improve Resistance to Static Disassembly” by Linn & Debray http://www.cs.arizona.edu/solar/papers/CCS2003.pdf