Presentation is loading. Please wait.

Presentation is loading. Please wait.

Linux Userspace Process Memory Layout

Published byRafe Wilcox Modified over 6 years ago

Similar presentations

Presentation on theme: "Linux Userspace Process Memory Layout"— Presentation transcript:

1 Linux Userspace Process Memory Layout

2 Defeat Exploit Mitigations
Content Intel Architecture Buffer Overflow Memory Layout C Arrays BoF Exploit Assembler Remote Exploit Shellcode Exploit Mitigations Function Calls Defeat Exploit Mitigations Debugging

3 Userspace Memory Layout
In x32

4 Stack Heap Code x32 Memory Layout 0xc0000000 0xbfffffff 0x0804800

5 Stack Heap Code ELF File x32 Memory Layout char array[16]; malloc(16)
0xc 0xbfffffff Stack char array[16]; malloc(16) Heap Code mapping ELF File 0x 0x

6 Stack Heap Code ELF File ESP EIP x32 Memory Layout char array[16];
0xc 0xbfffffff Stack char array[16]; ESP malloc(16) Heap EIP Code mapping ELF File 0x 0x

7 x32 Memory Layout Memory regions: Stack Heap
There’s one contiguous memory region containing the stack for the process LIFO – Last in, First Out Contains function local variables Also contains: Saved Instruction Pointer (SIP) Current function adds data to the top (bottom) of the stack Heap There’s one contiguous memory region containing the heap Memory allocator returns specific pieces of the memory region For malloc() Also contains: heap management data

8 x32 Memory Layout Memory regions: Code Compiled program code

9 How do programs on disk look like
ELF Format How do programs on disk look like

10 ELF Format Programs are stored in ELF files
ELF: Executable and Linkable Format Previously: “a.out” (Linux 1.2) Like COFF, PE (EXE), COM, … ELF types: ET_EXEC: Executable File ET_REL: Relocatable File ET_DYN: Shared Object File ELF “views”: Sections Segments $ readelf –l <binary>

11 Segments Sections ELF Format Program Header Table Section Header Table
ELF Header Program Header Table Segments Sections Section Header Table

12 ELF Format Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align PHDR 0x x x x000001c0 0x c0 R E 8 INTERP 0x x x x c 0x c R 1 LOAD 0x x x x00000b24 0x b24 R E LOAD 0x00000b28 0x b28 0x b28 0x x RW DYNAMIC 0x00000b40 0x b40 0x b40 0x000001e0 0x e0 RW 8 NOTE 0x c 0x c 0x c 0x x R 4 GNU_EH_FRAME 0x000009ac 0x ac 0x ac GNU_STACK 0x x x x x RW 10

13 ELF Format $ readelf –l challenge0 Section to Segment mapping: Segment Sections interp 02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag .note.gnu.build-id 06 .eh_frame_hdr 07

14 Sections: ELF Format .text: Executable instructions
.bss: Unitialized data (usually the heap) .data: initialized data .rodata: Read-Only data .got: Global Offset Table .plt: Procedure Linkage Table .init/.fini: Initialization instructions (“glibc”)

15 ELF Format 02 .init .plt .text .fini .rodata
Program Headers: Type Offset PhysAddr FileSiz Flags Align (02) LOAD x x 0x b R E (03) LOAD x b x b28 0x RW (07) GNU_STACK 0x x 0x RW init .plt .text .fini .rodata got .got.plt .data .bss 07

16 ELF Loader

17 03 Data Segment rw- 02 Executable Segment r-x ELF Format .plt .text
ELF Header Program Header Table .plt 02 Executable Segment r-x .text .init .got 03 Data Segment rw- .data .bss 07 Stack rw- Section Header Table

18 Code Heap Stack ELF Format FILE Process .plt .text .init .got .data
ELF Header Program Header Table Code .plt .text .init .got Heap .data .bss Stack Section Header Table

19 Stack Heap Code RSP RIP x64 Memory Layout 0x7fffffffe000 0x600000

20 Lets do an example some static and dynamic binary analysis

21 ELF Format char *globalVar = "Global"; void main(void) { char stackVar[16]; char *heapVar = (char *) malloc(4); printf("Global var: %p\n", globalVar); printf("Heap var: %p\n", heapVar); printf("Stack var: %p\n", stackVar); }

22 ELF Format Global var: 0x Heap var: 0x Stack var: 0x7fffffffe990 (2) LOAD 0x R E (3) LOAD 0x b28 RW (7) GNU_STACK 0x RW 10

23 ELF Format See it at runtime # cat /proc/self/maps
c000 r-xp : /bin/cat 0060b c000 r--p 0000b000 08: /bin/cat 0060c d000 rw-p 0000c000 08: /bin/cat 7ffffffde000-7ffffffff000 rw-p :00 0 [stack]

24 ELF Format Show Code section, and disassemble: $ objdump -d ./challenge1 ./challenge1: file format elf64-x86-64 Disassembly of section .init: <_init>: … f <handleData>: 40077f: 55 push %rbp : e5 mov %rsp,%rbp : ec 30 sub $0x30,%rsp : d d8 mov %rdi,-0x28(%rbp) 40078b: d0 mov %rsi,-0x30(%rbp)

25 ELF Format The process of creating a process from an ELF file is called: “Linking and Loading” Sections: Are for compiler (gcc), to link several object files together (.o) Segments: Are for the loader, to create the process Consists of one ore more sections

26 ELF Format Recap: Program Code is stored in ELF Files
ELF Files contain segments Segments are copied 1:1 in the memory

27 Challenges Challenges: https://exploit.courses
Challenge 0: Introduction to memory layout – basic Challenge 1: Introduction to memory layout - advanced

Download ppt "Linux Userspace Process Memory Layout"

Similar presentations

Hand-Held Devices and Embedded Systems Course Student: Tomás Sánchez López Student ID: 20042116.

Hand-Held Devices and Embedded Systems Course Student: Tomás Sánchez López Student ID:
Programs in Memory Bryce Boe 2012/08/29 CS32, Summer 2012 B.

Programs in Memory Bryce Boe 2012/08/29 CS32, Summer 2012 B.
Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.

Run-time Environment for a Program different logical parts of a program during execution stack – automatically allocated variables (local variables, subdivided.
Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.

Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.
The art of exploitation

The art of exploitation
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.

Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.
Binary Loader What is done by binary loader? ● Read executable from the filesystem ● Parse the binary header ● Copy all segments into addresses specified.

Binary Loader What is done by binary loader? ● Read executable from the filesystem ● Parse the binary header ● Copy all segments into addresses specified.
Compilation 0368-3133 (Semester A, 2013/14) Lecture 13: Assembler, Linker & Loader Noam Rinetzky Slides credit: Eli Bendersky, Mooly Sagiv & Sanjeev Setia.

Compilation (Semester A, 2013/14) Lecture 13: Assembler, Linker & Loader Noam Rinetzky Slides credit: Eli Bendersky, Mooly Sagiv & Sanjeev Setia.
CS 4284 Systems Capstone Godmar Back Linking and Loading.

CS 4284 Systems Capstone Godmar Back Linking and Loading.
Linking and Loading Fred Prussack CS 518. L&L: Overview Wake-up Questions Terms and Definitions / General Information LoadingLinking –Static vs. Dynamic.

Linking and Loading Fred Prussack CS 518. L&L: Overview Wake-up Questions Terms and Definitions / General Information LoadingLinking –Static vs. Dynamic.
Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.

Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.

Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”

1 uClinux course Day 3 of 5 The uclinux toolchain, elf format and ripping a “hello world”
Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.

Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.

Similar presentations

Ads by Google