Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

Slides:



Advertisements
Similar presentations
15/18-213: Introduction to Computer Systems
Advertisements

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Procedure Calls Prof. Sirer CS 316 Cornell University.
Review: Software Security David Brumley Carnegie Mellon University.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
September 22, 2014 Pengju (Jimmy) Jin Section E
Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Carnegie Mellon Introduction to Computer Systems /18-243, spring 2009 Recitation, Jan. 14 th.
1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.
Machine-Level Programming III: Procedures Topics IA32 stack discipline Register-saving conventions Creating pointers to local variables CS 105 “Tour of.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4: Monday, Sept. 16, 2013 Marjorie Carlson Section A.
1 Carnegie Mellon Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4, Sept. 17, 2012.
Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Machine-Level Programming V: Buffer overflow Slides.
Compiler Construction Code Generation Activation Records
X86_64 programming Tutorial #1 CPSC 261. X86_64 An extension of the IA32 (often called x86 – originated in the Intel 8086 processor) instruction set to.
CSE 351 x86 Calling Conventions, Control Flow, & Lab 2 April 23, 2015.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Carnegie Mellon Instructor: San Skulrattanakulchai Machine-Level Programming.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Carnegie Mellon 1 Stacks and Buflab : Introduction to Computer Systems Recitation 4: Monday, Sept. 23, 2013 Marjorie Carlson Section A.
Section 5: Procedures & Stacks
Exploiting & Defense Day 1 Recap
Credits and Disclaimers
Recitation 5: Attack Lab
Buffer Overflows Many of the following slides are based on those from
CSCE 212 Computer Architecture
Instructor: Your TA(s)
Recitation: Bomb Lab _______________ 18 Sep 2017.
More GDB, Intro to x86 Calling Conventions, Control Flow, & Lab 2
Recitation: Attack Lab
Buffer Overflows Many of the following slides are based on those from
143A: Principles of Operating Systems Lecture 4: Calling conventions
The Stack & Procedures CSE 351 Spring 2017
Machine-Level Programming III: Procedures
Recitation: Attack Lab
Switch & Procedures & The Stack I CSE 351 Winter 2017
Buffer Overflows Many of the following slides are based on those from
Machine-Level Programming III: Procedures /18-213/14-513/15-513: Introduction to Computer Systems 7th Lecture, September 18, 2018.
Procedures & The Stack I CSE 351 Autumn 2016
Carnegie Mellon Machine-Level Programming III: Procedures : Introduction to Computer Systems October 22, 2015 Instructor: Rabi Mahapatra Authors:
Recitation: Attack Lab
The Stack & Procedures CSE 351 Winter 2018
The Stack & Procedures CSE 410 Winter 2017
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
Roadmap C: Java: Assembly language: OS: Machine code: Computer system:
Ithaca College Machine-Level Programming VII: Procedures Comp 21000: Introduction to Computer Systems & Assembly Lang Spring 2017.
Reverse Engineering for CTFs
Ithaca College Machine-Level Programming VII: Procedures Comp 21000: Introduction to Computer Systems & Assembly Lang Spring 2017.
Get To Know Your Compiler
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Buffer Overflows Many of the following slides are based on those from
Ithaca College Machine-Level Programming VII: Procedures Comp 21000: Introduction to Computer Systems & Assembly Lang Spring 2017.
Credits and Disclaimers
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
Visual Studio x64 C Compiler function entrance code
Computer Architecture and System Programming Laboratory
Instructor: Your TA(s)
Return-to-libc Attacks
Presentation transcript:

15-213 Recitation: Attack Lab Jenna MacCarley Recitation 5: 28 Sep 2015

Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

Agenda Stack review Attack lab overview Phases 1-3: Buffer overflow attacks Phases 4-5: ROP attacks

x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 Return value: %rax Callee-saved: %rbx, %r12, %r13, %r14, %rbp, %rsp Caller-saved: %rdi, %rsi, %rdx, %rcx, %r8, %r9, %rax, %r10, %r11 Stack pointer: %rsp Instruction pointer: %rip

x86-64: The Stack Grows downward towards lower memory addresses %rsp points to top of stack push %reg: subtract 8 from %rsp, put val in %reg at (%rsp) pop %reg: put val at (%rsp) in %reg, add 8 to %rsp %rsp Top Bottom 0x7fffffffffff

x86-64: Stack Frames Every function call has its own stack frame. Think of a frame as a workspace for each call. Local variables Callee & Caller-saved registers Optional arguments for a function call

x86-64: Function Call Setup Caller: Allocates stack frame large enough for saved registers, optional arguments Save any caller-saved registers in frame Save any optional arguments (in reverse order) in frame call foo: push %rip to stack, jump to label foo Callee: Push any callee-saved registers, decrease %rsp to make room for new frame

x86-64: Function Call Return Callee: Increase %rsp, pop any callee-saved registers (in reverse order), execute ret: pop %rip

Attack Lab Overview: Phases 1-3 Exploit x86-64 by overwriting the stack Overflow a buffer, overwrite return address Execute injected code Key Advice Brush up on your x86-64 conventions! Use objdump –d to determine relevant offsets Use GDB to determine stack addresses

Buffer Overflows Exploit strcpy vulnerability to overwrite important info on stack When this function returns, where will it begin executing? Recall ret:pop %rip What if we want to inject new code to execute? 0xAABBCCDD 0xFFFFFFFF Old Return address buf

Demonstration: Generating Byte Codes Use gcc and objdump to generate byte codes for assembly instruction sequences

Attack Lab Overview: Phases 4-5 Utilize return-oriented programming to execute arbitrary code Useful when stack is non-executable or randomized Find gadgets, string together to form injected code Key Advice Use mixture of pop & mov instructions + constants to perform specific task

ROP Example void foo(char *input){ char buf[32]; ... strcpy (buf, input); return; } Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into %rbx and move it into %rax Gadgets: address1: mov %rbx, %rax; ret address2: pop %rbx; ret Inspired by content created by Professor David Brumley

ROP Example: Solution Gadgets: Address 1: mov %rbx, %rax; ret Next address in ROP chain…. Address 1 0xBBBBBBBB Address 2 0xFFFFFFFF 0xFFFFFFFF (filler…..) Gadgets: Address 1: mov %rbx, %rax; ret Address 2: pop %rbx; ret Old Return address void foo(char *input){ char buf[32]; ... strcpy (buf, input); return; } buf

ROP Demonstration: Looking for Gadgets How to identify useful gadgets in your code

Tools objdump –d View byte code and assembly instructions, determine stack offsets ./hex2raw Pass raw ASCII strings to targets gdb Step through execution, determine stack addresses gcc –c Generate object file from assembly language file

More Tips Draw stack diagrams Be careful of byte ordering (little endian)

Also...

Questions?