Instrumentation - initial results Sung Kim, Jeff Perkins MIT.


Front-end

Front-end: observe/record the status of some interesting data in the running program.

Pipeline: Running Program -> Front-end (instrumented code) -> Daikon input file -> Daikon Invariant Detector

Windows front-end
- Based on DynamoRIO, a tool developed by Determina
- Uses debug information
- Records function enter and exit points
- Records parameter values at function enter/exit points
- Currently it only supports primitive data types and strings (char *)

Windows front-end (components)
- Windows binary, instrumented by DynamoRIO at CALL and RET instructions (instrumented Windows binary)
- Windows program database (symbol table), read through the Debug Interface Access SDK into a symbol data file
- Symbol mapping & value fetching logic, which produces the Daikon input file

Simple Program (buffer.c*)

    void decode (char *request_data, char *user_id, char *password, char *hostid)
    {
        [...]
        return;
    }

    main ()
    {
        [...]
        decode (data, "jhp", "stata", "\200\036\124\056");
        [...]
    }

* From "Exploiting Software: How to Break Code" by Greg Hoglund and Gary McGraw

Simple Program (buffer.exe)

    buffer!decode:
        push ebp
        mov  ebp,esp
        [...]
        mov  esp,ebp
        pop  ebp
        ret

Add instrument code. The inserted calls hand the recording routine the stack pointer (to fetch the parameters at entry) and eax (the return value at exit):

    push %esp
    call print
    [...]
    push %eax
    call print
    [...]

Daikon Input File (dtrace)

    ..decode (char *, char *, char *, char *):::ENTER
    request_data
    "id=jhp0&pw=stata0"
    1
    user_id
    ""
    1
    password
    ""
    1
    hostid
    "€T."
    1

Challenges - CALL address mismatch

    main:
        push x
        push y
        [...]
        call (foo)
        [...]

    0x...        jmp (real foo)        ; the CALL target is only a jump stub

    0x400a0ad    mov eax,x             ; real foo
                 add eax,y
                 ret

Solution: check the instruction address executed after a CALL to find the function actually entered, rather than trusting the CALL operand.

Challenges – CALL/RET pair mismatch

Trace as captured on the slide (the depth counter jumps between 27 and 28 without matching CALL/RET pairs; several addresses are truncated in the transcript):

    00 INDIRECT 0x7c816fce to 0x7c90e
       stack: 0x7c816fd4 0xfffffffe
    01 INDIRECT 0x7c90e64c to 0x7c915a65
    01 stack: 0x7c90e64e 0x7c816fd4
    01 0x7c90e64e to 0x7c816fd4
    [...]
    27 0x7c9132f3 to 0x7c90e3e1
    27 stack: 0x000007e4 0x0012fe7c
    28 INDIRECT 0x7c90e3eb to 0x
       stack: 0x7c90e3ed 0x7c9132f8
    28 0x7c90e3ed to 0x7c9132f8
    28 return value: 0x
       x7c91330f to 0x7c81cd91
    27 return value: 0x
       INDIRECT 0x7c81cd94 to 0x7c90e88e
    27 stack: 0x7c81cd96 0xffffffff
    28 INDIRECT 0x7c90e
       stack: 0x7c90e89a 0x7c81cd96


Challenges – CALL/RET pair mismatch

Solution: keep a CALL/RET address table.
- CALL: store the next instruction address (the expected return address)
- RET: check the return address against the table
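The CALL address mismatch and the CALL/RET table above, as an added C example that is not from the DynamoRIO front-end or the original slides: a shadow table of expected return addresses, plus function resolution by the first instruction executed after the CALL so a jump stub resolves to the real function. The symbol table, the thunk address 0x401000 and the next-instruction addresses in main are constructed; only foo's 0x400a0ad comes from the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 64

/* Hypothetical symbol table. "foo" sits at the slide's 0x400a0ad; the CALL in
 * main targets a constructed jmp thunk at 0x401000, which is not a function. */
typedef struct { const char *name; uintptr_t entry; } func_t;
static const func_t symtab[] = { {"foo", 0x400a0adu}, {"main", 0x401200u} };
/* Resolve the function from the first instruction executed after the CALL,
 * not from the CALL operand, so a call through the thunk resolves to "foo". */
static const char *resolve(uintptr_t first_instr) {
    for (size_t i = 0; i < sizeof symtab / sizeof *symtab; i++)
        if (symtab[i].entry == first_instr) return symtab[i].name;
    return NULL;                      /* thunk, stub or unknown code */
}

/* Shadow table of expected return addresses (the slides' CALL/RET table). */
typedef struct { uintptr_t ret[MAX_DEPTH]; int depth; int mismatches; } shadow_t;
/* CALL: store the address of the instruction following the CALL. */
static void on_call(shadow_t *s, uintptr_t next_instr) {
    if (s->depth < MAX_DEPTH) s->ret[s->depth++] = next_instr;
}

/* RET: the target should be the most recently stored address. A match deeper
 * in the table is a CALL/RET pair mismatch: count it and resync there. No
 * match at all is also counted. Returns 1 if the RET paired with some CALL. */
static int on_ret(shadow_t *s, uintptr_t target) {
    for (int d = s->depth; d > 0; d--) {
        if (s->ret[d - 1] == target) {
            if (d != s->depth) s->mismatches++;
            s->depth = d - 1;
            return 1;
        }
    }
    s->mismatches++;
    return 0;
}

int main(void) {
    shadow_t s = { {0}, 0, 0 };
    printf("first instr after CALL 0x401000 is 0x400a0ad: %s\n", resolve(0x400a0adu));
    on_call(&s, 0x401210u);           /* main -> foo; constructed next instr */
    on_call(&s, 0x400a0d0u);          /* foo -> helper; constructed next instr */
    on_ret(&s, 0x401210u);            /* returns past foo's frame: mismatch */
    printf("mismatches: %d, depth: %d\n", s.mismatches, s.depth);
    return 0;
}
```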

Challenges – Validity of pointers

    main ()
    {
        char *ptr;   // no initialization
        foo(ptr);
    }

    foo (char *ptr)
    {
        *ptr = 'c';
    }

Problems:
1. At the foo enter point ptr is not initialized
2. Not clear if ptr is a string (series of chars) or a single char pointer

Partial solutions:
1. Check if a given address is valid
2. Check whether the pointer (char *) is null-terminated within the MAX_STR_LEN range
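The two partial solutions above, as an added C example that is not the front-end's own code: a char * parameter is recorded as a string only if each byte is readable and a terminator appears within MAX_STR_LEN, and the reason is reported otherwise. The readable-region table stands in for an OS query such as VirtualQuery; MAX_STR_LEN = 256, the sample buffers and the dangling address are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_STR_LEN 256   /* assumed bound; the slides do not give a value */
/* What the front-end can say about a char * at a function enter/exit point. */
typedef enum { PTR_NULL, PTR_INVALID, PTR_UNTERMINATED, PTR_STRING } ptr_class_t;
/* Readable memory as the front-end would learn it from the OS (for example
 * VirtualQuery on Windows). Here it is a constructed table of regions. */
typedef struct { const char *start; size_t len; } region_t;
static bool readable(const region_t *regs, size_t n, const char *p) {
    for (size_t i = 0; i < n; i++) {
        uintptr_t a = (uintptr_t)p, s = (uintptr_t)regs[i].start;
        if (a >= s && a < s + regs[i].len) return true;
    }
    return false;
}

/* Record p as a string only if every byte up to and including the terminator
 * is readable and the terminator appears within MAX_STR_LEN bytes; otherwise
 * report why it cannot be. The copied string (if any) is written to out. */
static ptr_class_t classify_charp(const region_t *regs, size_t n,
                                  const char *p, char *out, size_t out_sz) {
    if (p == NULL) return PTR_NULL;
    for (size_t i = 0; i < MAX_STR_LEN; i++) {
        if (!readable(regs, n, p + i)) return PTR_INVALID;  /* check first */
        if (p[i] == '\0') {                                 /* then read */
            size_t c = (out_sz && i > out_sz - 1) ? out_sz - 1 : i;
            if (out && out_sz) { memcpy(out, p, c); out[c] = '\0'; }
            return PTR_STRING;
        }
    }
    return PTR_UNTERMINATED;
}

/* Constructed sample inputs: a terminated string, a 512-byte buffer of 'A'
 * with no terminator, a dangling address in no readable region, and NULL. */
static char sample_str[16] = "id=jhp0&pw=stat";
static char sample_raw[512];
static ptr_class_t demo(int which, char *out, size_t out_sz) {
    memset(sample_raw, 'A', sizeof sample_raw);
    region_t regs[] = { {sample_str, sizeof sample_str},
                        {sample_raw, sizeof sample_raw} };
    const char *p = which == 0 ? sample_str : which == 1 ? sample_raw
                  : which == 2 ? (const char *)(uintptr_t)0x1000 : NULL;
    return classify_charp(regs, 2, p, out, out_sz);
}
int main(void) { char buf[64]; return demo(0, buf, sizeof buf) == PTR_STRING ? 0 : 1; }
```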

Future Work

Need to support:
- global variables
- arrays and pointers: char *, char **, int []
- complex and typedef data types: struct, typedef char * string
- C++ method calls and classes
