Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Slides:

Advertisements

Similar presentations

Procedure Calls Prof. Sirer CS 316 Cornell University.

Advertisements

Computer Architecture CSCE 350

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

The University of Adelaide, School of Computer Science

CSE 5317/4305 L7: Run-Time Storage Organization1 Run-Time Storage Organization Leonidas Fegaras.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.

Informationsteknologi Saturday, September 29, 2007 Computer Architecture I - Class 41 Today’s class More assembly language programming.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

Machine-Level Programming III: Procedures Apr. 17, 2006 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables CS213.

1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

– 1 – , F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.

Intro to Computer Architecture

Run time vs. Compile time

Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Stacks and HeapsCS-502 Fall A Short Digression Stacks and Heaps CS-502, Operating Systems Fall 2007 (Slides include materials from Operating System.

September 22, 2014 Pengju (Jimmy) Jin Section E

Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.

Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Runtime Environments What is in the memory? Runtime Environment2 Outline Memory organization during program execution Static runtime environments.

Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.

The Stack Pointer and the Frame Pointer (Lecture #19) ECE 445 – Computer Organization The slides included herein were taken from the materials accompanying.

Understand stack Buffer overflow attack and defense Controls against program threats.

Runtime Environments Compiler Construction Chapter 7.

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Fabián E. Bustamante, Spring 2007 Machine-Level Programming III - Procedures Today IA32 stack discipline Register saving conventions Creating pointers.

Lesson 13 CDT301 – Compiler Theory, Spring 2011 Teacher: Linus Källberg.

The x86 Architecture Lecture 15 Fri, Mar 4, 2005.

Runtime Stack Computer Organization I 1 November 2009 © McQuain, Feng & Ribbens MIPS Memory Organization In addition to memory for static.

Smashing the Stack Overview The Stack Region Buffer Overflow

MAL 3 - Procedures Lecture 13. MAL procedure call The use of procedures facilitates modular programming. Four steps to transfer to and return from a procedure:

Subroutines, parameters and the stack Bryan Duggan.

Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.

Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Module R3 Process Scheduling. Module R3 involves the creation of a simple “Round Robin” dispatcher. The successful completion of this module will require.

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Microprocessors The ia32 User Instruction Set Jan 31st, 2002.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Functions in Assembly CS 210 Tutorial 7 Functions in Assembly Studwww.cs.auckland.ac.nz/ ~mngu012/public.html/210/7/

CSC 8505 Compiler Construction Runtime Environments.

Machine-level Programming III: Procedures Topics –IA32 stack discipline –Register saving conventions –Creating pointers to local variables.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

RUNTIME ENVIRONMENT AND VARIABLE BINDINGS How to manage local variables.

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

1 Assembly Language: Function Calls Jennifer Rexford.

Reading Condition Codes (Cont.)

Storage Classes There are three places in memory where data may be placed: In Data section declared with .data in assembly language in C - Static) On the.

Computer Science 210 Computer Organization

C function call conventions and the stack

Introduction to Compilers Tim Teitelbaum

Procedures (Functions)

Machine-Level Programming 4 Procedures

Calling Conventions Hakim Weatherspoon CS 3410, Spring 2012

Machine-Level Programming III: Procedures Sept 18, 2001

Program and memory layout

Procedures and Calling Conventions

Runtime Environments What is in the memory?.

Where is all the knowledge we lost with information? T. S. Eliot

Program and memory layout

“Way easier than when we were students”

Presentation transcript:

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One

Process Memory Organization Text –Fixed by program –Includes code and read-only data Since read-only, attempts to write to this typically cause seg fault. Data –Static variables (both initialized and uninitialized) Stack –Usual LIFO data structure –Used because well suited for procedure calls –Used for dynamic allocation of local variables, passing of parameters, returning values from functions Fall 2008CS 334: Computer Security2

Process Memory Regions Fall 2008CS 334: Computer Security3

Stack Region Stack is a contiguous block of memory containing data –Size dynamically adjusted by OS kernel at runtime Stack pointer (SP) register: points to top of stack –Bottom of stack at fixed address Stack Frame –Parameters to a function –Local variables of function –Data necessary to recover previous stack frame Including value of instruction pointer (IP) at time of function call –PUSHed onto stack on function call, POPped on return Fall 2008CS 334: Computer Security4

Stack Region Assumptions –Stack grows down (toward lower addresses) –SP points to last address on stack (as opposed to pointing to next free available address) Frame Pointer (FP) a.k.a. local base pointer (LP) –Points to fixed location within frame –Local variables and parameters referenced via FP because their distance from FP do not change with PUSHes and POPs Actual parameters PUSHed before new frame creation, so have positive offsets, local variables after, so negative offsets –On Intel CPUs, the EBP (32-bit BP) register is used Fall 2008CS 334: Computer Security5

On Procedure Call… Procedure prolog (start of call) –Save previous FP (to be restored at proc. exit) –Copy SP into FP to create new FP –Advance SP to reserve space for local variables Procedure epilogue (end of procedure) –Stack is cleaned up and restored to previous state Often special instructions to handle these –Intel: ENTER and LEAVE –Motorola: LINK and UNLINK Fall 2008CS 334: Computer Security6

Example Fall 2008CS 334: Computer Security7

Fall 2008CS 334: Computer Security8 500 esp 545 ebp

Fall 2008CS 334: Computer Security esp 545 ebp pushl $3 c

Fall 2008CS 334: Computer Security esp 545 ebp pushl $3 bc pushl $2

Fall 2008CS 334: Computer Security esp 545 ebp pushl $3 bc pushl $2 pushl $1 a

Fall 2008CS 334: Computer Security esp 545 ebp pushl $3 bc pushl $2 pushl $1 a call function ret

Fall 2008CS 334: Computer Security esp 545 ebp pushl $3 bc pushl $2 pushl $1 a call function ret pushl %ebp sfp:545

Fall 2008CS 334: Computer Security esp 482 ebp pushl $3 bc pushl $2 pushl $1 a call function ret pushl %ebp sfp:545 movl %esp,%ebp

Fall 2008CS 334: Computer Security esp 482 ebp pushl $3 bc pushl $2 pushl $1 a call function ret pushl %ebp sfp:545 movl %esp,%ebp subl $20,%esp buffer2 buffer1

Another Example Fall 2008CS 334: Computer Security16

Fall 2008CS 334: Computer Security esp 482 ebp Note that code copies a string without using a bounds check (programmer used strcpy() instead of strncpy()). Thus the call to function() causes the buffer to be overwritten, in this case with 0x , the ASCII code for ‘A’ *strretsfp:545buffer

Fall 2008CS 334: Computer Security esp 482 ebpLet’s assume now that buffer is a bit bigger than 20 bytes. Say, e.g., 256 bytes. *strretsfp:545buffer Let’s Get Creative… buffer    256 bytes

Fall 2008CS 334: Computer Security esp 482 ebpLet’s assume now that buffer is a bit bigger than 20 bytes. Say, e.g., 256 bytes. If we know assembly code, we can feed code in as a string, and overwrite the return address to point to this. *strretmy code Let’s Get Creative… my code   

Fall 2008CS 334: Computer Security esp 482 ebpWe don’t even have to know the exact address of the start of the buffer. *strretmy codeno op my code Let’s Get Creative… my codeno op   