Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Review of the MIPS Instruction Set Architecture. RISC Instruction Set Basics All operations on data apply to data in registers and typically change the.
The University of Adelaide, School of Computer Science
Lecture 20: 11/12/2002CS170 Fall CS170 Computer Organization and Architecture I Ayman Abdel-Hamid Department of Computer Science Old Dominion University.
Lecture 9: MIPS Instruction Set
MIPS ISA-II: Procedure Calls & Program Assembly. (2) Module Outline Review ISA and understand instruction encodings Arithmetic and Logical Instructions.
1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.
ECE 232 L6.Assemb.1 Adapted from Patterson 97 ©UCBCopyright 1998 Morgan Kaufmann Publishers ECE 232 Hardware Organization and Design Lecture 6 MIPS Assembly.
10/6: Lecture Topics Procedure call Calling conventions The stack
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Procedure Calls Prof. Sirer CS 316 Cornell University.
MIPS Calling Convention Chapter 2.7 Appendix A.6.
Lecture 8 Sept 23 Completion of Ch 2 translating procedure into MIPS role of compilers, assemblers, linking, loading etc. pitfalls, conclusions Chapter.
10/9: Lecture Topics Starting a Program Exercise 3.2 from H+P Review of Assembly Language RISC vs. CISC.
Computer Architecture CSCE 350
MIPS Function Continued
1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.
CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.
Ch. 8 Functions.
Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)
The University of Adelaide, School of Computer Science
Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS ) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.
The University of Adelaide, School of Computer Science
CS3350B Computer Architecture Winter 2015 Lecture 4
Procedure call frame: Hold values passed to a procedure as arguments
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
CS 536 Spring Code generation I Lecture 20.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Lecture 7: MIPS Instruction Set Today’s topic –Procedure call/return –Large constants Reminders –Homework #2 posted, due 9/17/
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Memory/Storage Architecture Lab Computer Architecture MIPS Instruction Set Architecture ( Supporting Procedures )
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU
The Stack Pointer and the Frame Pointer (Lecture #19) ECE 445 – Computer Organization The slides included herein were taken from the materials accompanying.
MIPS function continued. Recursive functions So far, we have seen how to write – A simple function – A simple function that have to use the stack to save.
Lecture 18: 11/5/2002CS170 Fall CS170 Computer Organization and Architecture I Ayman Abdel-Hamid Department of Computer Science Old Dominion University.
Lecture 19: 11/7/2002CS170 Fall CS170 Computer Organization and Architecture I Ayman Abdel-Hamid Department of Computer Science Old Dominion University.
Procedure Basics Computer Organization I 1 October 2009 © McQuain, Feng & Ribbens Procedure Support From previous study of high-level languages,
Computer Organization CS224 Fall 2012 Lessons 9 and 10.
April 23, 2001Systems Architecture I1 Systems Architecture I (CS ) Lecture 9: Assemblers, Linkers, and Loaders * Jeremy R. Johnson Mon. April 23,
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
CPS3340 COMPUTER ARCHITECTURE Fall Semester, /22/2013 Lecture 12: Character Data Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Computer Architecture CSE 3322 Lecture 4 Assignment: 2.4.1, 2.4.4, 2.6.1, , Due 2/10/09
Chapter 2 — Instructions: Language of the Computer — 1 Conditional Operations Branch to a labeled instruction if a condition is true – Otherwise, continue.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
1 CS/COE0447 Computer Organization & Assembly Language Chapter 2 Part 3.
Function Calling. Mips Assembly Call and Return Steps for procedure calling –Save the return address –Jump to the procedure (function) –Execute the procedure.
DR. SIMING LIU SPRING 2016 COMPUTER SCIENCE AND ENGINEERING UNIVERSITY OF NEVADA, RENO Session 12 Procedure Calling.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Computer Organization CS345 David Monismith Based upon notes by Dr. Bill Siever and notes from the Patterson and Hennessy Text.
Computer Architecture & Operations I
Rocky K. C. Chang Version 0.1, 25 September 2017
Computer structure: Procedure Calls
Lecture 5: Procedure Calls
Computer Architecture & Operations I
Prof. Hsien-Hsin Sean Lee
Procedures (Functions)
Procedures (Functions)
Calling Conventions Hakim Weatherspoon CS 3410, Spring 2012
The University of Adelaide, School of Computer Science
Smashing the Stack for Fun and Profit
10/4: Lecture Topics Overflow and underflow Logical operations
Program and memory layout
Procedures and Calling Conventions
Computer Architecture
10/6: Lecture Topics C Brainteaser More on Procedure Call
Where is all the knowledge we lost with information? T. S. Eliot
Program and memory layout
Topic 2b ISA Support for High-Level Languages
Presentation transcript:

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University of Wisconsin – Eau Claire

Smashing the stack  Limitations of C permit security exploits  Library routines:  strcpy, strcat, sprintf, etc.  no automatic bounds checking.  Shortcomings:  allow writing past end of array.  Major source of security exploitssecurity exploits

The Original Exploit  The trade magazine "Phrack" published:  "Smashing the Stack for Fun and Profit" by Aleph One   Original exploit done on the Intel architecture

Overall Strategy  Write a small program that starts a shell window: use something like system("/bin/sh")  Translate the program into HEX, modifying individual bytes as needed (explained later)  Put the HEX code into a buffer, followed by the address of the start of that buffer, repeated many times  Will overwrite the return address (on the stack) of the servers buffer handler routine

Basic Steps  Get a copy of the OS to be attacked  Analyze the system stack layout for that OS  Put the "shell window" HEX code into a buffer  Send your buffer to a program on the target OS (maybe one that runs as "root") that takes a buffer as input, makes a copy of that buffer, and doesn't check its bounds

Typical MIPS Memory Layout

Stack Frame On a function call:  Preserve state of calling function  Allocate additional memory for calling function  Stack frame (activation record) created  Pushed onto execution stack

Stack Frame – cont’d Stack frame (activation record) contains:  Function arguments  Local variables  Return address ($ra)  Global pointer ($gp) Note: Not all local variables may be stacked: Optimizing compiler may put them in registers.

Typical Procedure Call Memory Layout Return address (if any) Arguments (if > 4 args; $4-$7 holds 1 st four) Saved Registers (preserved across calls) Local Variables Old SP New SP Global pointer (to static data segment for fast access using offset) Subsequent examples will exclude saved registers & argument details for brevity. Note:

Mechanics of Function Calls Simple C program where: main( )  foo( )  bar( ) main( )foo(x)bar(y) foo(8)foo_p = x +2bar_q = y bar(foo_p)

Mechanics of Function Calls – cont’d void bar(int y) { int bar_q;/* will be allocated on the stack */ bar_q = y; } void foo(int x) { int foo_p;/* will be allocated on the stack */ foo_p = x + 2; bar(foo_p); /* return address points to here */ } void main( ) { foo(8); /* return address points to here */ }

Memory Layout for foo( )

Overview of an Overflow void foo(char *buf) { char local_buf[10]; strcpy(local_buf,buf); } void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */ }

Overflowing foo( )’s Buffer local_buf$ra …… ‘a’…. ‘a’ (a) Stack before strcpy( ) in foo( ) (b) Stack after strcpy( ) in foo( )

Implementing Overflow in the MIPS ISA void foo(char *buf) { char local_buf[10]; int i = 0; while (buf[i] != 0) { local_buf[i] = buf[i]; i++; } bar(); /* code for bar() not shown */ /* bar( )’s RA in $31 reg.; foo( )’s RA on stack */ } void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */ }

32-bit MIPS stack during call to foo( ) addrStack contents new $sp  X-28allocated by compiler X-24allocated by compiler X-20local_buf[0] … local_buf[3] X-16local_buf[4] … local_buf[7] X-12local_buf[8], local_buf[9], null, null X-8Global pointer ($gp) from main() X-4Return address ($ra) back into main() old $sp  X…

32 bit MIPS translation using “gcc –S –O2”.L4: jalbar lw$ra,24($sp) lw$gp,20($sp) jr$ra addu$sp, $sp, 28.endfoo.LC0:# lots of a’s.byte0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61.byte0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61.byte0x61,0x61,0x61,0x61,0x00 main: subu$sp,$sp,16 sw$ra,12($sp) sw$gp,8($sp) la$a0,.LC0 jalfoo ….endmain foo: subu$sp,$sp,28 sw$ra,24($sp) sw$gp,20($sp) lbu$v0,0($a0) beq$v0,$zero,.L4 addi$a1,$zero,0 addu$a2,$sp,8 # addr local_buf[0].L5 lbu$v0,0($a0) addu$a0, $a0, 1 addu$v1,$a2,$a1 sb$v0,0($v1) # write onto stack lbu$v0,0($a0) bne$v0,$zero,.L5 addu$a1,$a1,1

Buffer Overflow With Code Exploit To cause the exploit, when foo is called:  Pass a buffer of length greater than foo( )’s local buffer  Ensure none of values copied into foo( )’s buffer prior to $ra contain value of 0 (terminates buffer copy prematurely)  Ensure bytes in buffer contain MIPS (exploit) code  Overwrite $ra with address that points back into buffer containing MIPS exploit code  Ensure buffer copy is terminated by a 0 value after $ra

Buffer Overflow With Code Exploit void foo(char *buf) { char local_buf[256]; strcpy(local_buf,buf); } void main() { char *large_buf =“\x01\x20\x48\x20” /* add $t1, $t1, $zero */ “\x01\x20\x48\x20” … “\x20\x84\xFF\xFF” /* addi $a0, $a0, -1 */ “\x12\x34\x56\x78” /* guess address of exploit */ “\x00”; foo(large_buf); /* location of return from foo() */ }

Example of an Exploit addrStack contents new $sp  X-28 allocated by the compiler X-24 allocated by the compiler X-20 N O P (actually: add $t1 $t1 $0) X-16 N O P X-12 N O P X-8 addi $a0, $a0, -1 (\x20\x84\xFF\xFF) X-4 (X – ?) /* the old $ra */ old $sp  X…

Detailed Paper Explaining the Exploit

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.