Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to x86 Assembly or “How does someone hack my laptop?”

Similar presentations


Presentation on theme: "Introduction to x86 Assembly or “How does someone hack my laptop?”"— Presentation transcript:

1 Introduction to x86 Assembly or “How does someone hack my laptop?”
Ýmir Vigfússon S.P.E.C.T.R.E.

2 Plan for today Review the memory abstraction and dynamic memory Talk about the stack principle Discuss the essence of buffer overflows

3 Memory

4 Memory Memory manager Address

5 Memory Address

6 I: Storing data in memory
mov , 9000 9000 movl %eax, 1301

7 II: Retrieving data from memory
Register Value %eax ??? %ecx 1301 Register Value %eax 9000 %ecx 1301 mov , movl 1301, %eax or movl (%ecx), %eax

8 III: Pointers to memory
mov ( ), movl (1301), %eax

9 Note: Copying pointers does not copy contents
int *a, *b; a = ; b = ; b = a; *b = *a;

10 But how does one create a „key“ ?
In the course so far, we have used local and static variables. Local variables are allocated memory on the stack The stack is a portion of global memory governed by a special principle As mentioned before, the stack on Intel x86 grows down char *global; int func(void) { char *buf = “I ♥ STYRIKERFI”; int n; n = strlen(buf); printf ("Buf[%d]: %s\n", n, buf); return (n); } Local variables

11 Local variables: the stack principle
%esp Int i void bla(void) { char A[16]; function(); } void function(void) { char B[12]; int i; ... Buffer B Return address Buffer A STACK I assign memory addresses sequentially

12 Is the stack principle enough?
Not really sufficient for modern memory use You may want to create variables for parent functions to use You may want to have very large data in memory You may want to control when some memory is and isn‘t available Most languages also provide dynamic memory allocation Think “new“ and “delete“ in C++. Exception: Functional programming languages

13 Dynamic memory allocation
int *a, *b, *c; char *c, *d; a = (int *)malloc(sizeof(int)); b = (int *)malloc(sizeof(int)); c = a; free (a); d = (char *)malloc(5); To where does c point under the end? What happens if d gets written now? Now I assign new data to any series of „empty“ lockers that can fit the data

14 Locker analogy overview
Computing world (C / assembly) Address space (consecutive memory) Data in memory Memory address / pointer Memory management strategy Array or struct Stack pointer Copying a pointer (e.g. ptr = ptr2;) Freeing memory (via free() or delete()) Releasing pointer (e.g. ptr = NULL;) Writing to an uninitialized variable Stale reference to a freed object Memory leakage Locker world Rows of lockers Contents of a locker Key to the locker (on a keyring) Locker manager Series of consecutive lockers Next available locker in a sequence Copying a key (not the locker contents) Telling the manager the locker is available Returning the key Accidentally using someone else‘s locker because you kept the old key Forgetting to return the keys for a locker Forgetting to telling the manager that the locker was indeed free

15 Today Switch statements IA 32 Procedures Stack Structure
Carnegie Mellon Today Switch statements IA 32 Procedures Stack Structure Calling Conventions Illustrations of Recursion & Pointers

16 IA32 Stack Stack “Bottom”
Carnegie Mellon IA32 Stack Stack Pointer: %esp Stack Grows Down Increasing Addresses Stack “Top” Stack “Bottom” Region of memory managed with stack discipline Grows toward lower addresses Register %esp contains lowest stack address address of “top” element

17 IA32 Stack: Push Stack “Bottom” pushl Src Stack Pointer: %esp
Carnegie Mellon IA32 Stack: Push Stack “Bottom” pushl Src Fetch operand at Src Decrement %esp by 4 Write operand at address given by %esp Increasing Addresses Stack Grows Down Stack Pointer: %esp Stack “Top” -4

18 IA32 Stack: Pop Stack “Bottom” Stack Pointer: %esp Stack “Top”
Carnegie Mellon IA32 Stack: Pop Stack “Bottom” Increasing Addresses Stack Grows Down +4 Stack Pointer: %esp Stack “Top”

19 Procedure Control Flow
Carnegie Mellon Procedure Control Flow Use stack to support procedure call and return Procedure call: call label Push return address on stack Jump to label Return address: Address of the next instruction right after call Example from disassembly 804854e: e8 3d call b90 <main> : pushl %eax Return address = 0x Procedure return: ret Pop address from stack Jump to address

20 Procedure Call Example
Carnegie Mellon Procedure Call Example 804854e: e8 3d call b90 <main> : pushl %eax call 8048b90 0x110 0x110 0x10c 0x10c 0x108 123 0x108 123 0x104 0x %esp 0x108 %esp 0x104 %eip 0x804854e %eip 0x8048b90 %eip: program counter

21 Procedure Return Example
Carnegie Mellon Procedure Return Example : c ret ret 0x110 0x110 0x10c 0x10c 0x108 123 0x108 123 0x104 0x 0x %esp 0x104 %esp 0x108 %eip 0x %eip 0x %eip: program counter

22 Stack-Based Languages
Carnegie Mellon Stack-Based Languages Languages that support recursion e.g., C, Pascal, Java Code must be “Reentrant” Multiple simultaneous instantiations of single procedure Need some place to store state of each instantiation Arguments Local variables Return pointer Stack discipline State for given procedure needed for limited time From when called to when return Callee returns before caller does Stack allocated in Frames state for single procedure instantiation

23 Call Chain Example Example Call Chain yoo(…) { • who(); } yoo who(…) {
Carnegie Mellon Call Chain Example Example Call Chain yoo(…) { who(); } yoo who(…) { • • • amI(); } who amI(…) { amI(); } amI amI amI amI Procedure amI() is recursive

24 Stack Frames Contents Management Stack “Top” Previous Frame
Carnegie Mellon Stack Frames Previous Frame Frame for proc Contents Local variables Return information Temporary space Management Space allocated when enter procedure “Set-up” code Deallocated when return “Finish” code Frame Pointer: %ebp Stack Pointer: %esp Stack “Top”

25 Example Stack yoo yoo(…) yoo { %ebp • yoo who(); who %esp } amI amI
Carnegie Mellon Example Stack yoo yoo(…) { who(); } yoo %ebp %esp yoo who amI amI amI amI

26 Example Stack yoo who yoo(…) { • who(); } yoo who(…) { • • • amI(); }
Carnegie Mellon Example Stack yoo who yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo who %ebp %esp amI amI amI amI

27 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI amI %ebp %esp amI amI

28 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI(…) { amI(); } amI amI amI %ebp %esp amI

29 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI(…) { amI(); } amI amI amI(…) { amI(); } amI amI %ebp %esp

30 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI(…) { amI(); } amI amI amI %ebp %esp amI

31 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI amI %ebp %esp amI amI

32 Example Stack yoo who yoo(…) { • who(); } yoo who(…) { • • • amI(); }
Carnegie Mellon Example Stack yoo who yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo who %ebp %esp amI amI amI amI

33 Example Stack yoo who amI yoo(…) { • who(); } yoo who(…) { • • •
Carnegie Mellon Example Stack yoo who amI yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo amI(…) { amI(); } who amI amI %ebp %esp amI amI

34 Example Stack yoo who yoo(…) { • who(); } yoo who(…) { • • • amI(); }
Carnegie Mellon Example Stack yoo who yoo(…) { who(); } yoo who(…) { • • • amI(); } yoo who %ebp %esp amI amI amI amI

35 Example Stack yoo yoo %ebp yoo(…) yoo { • who %esp who(); } amI amI
Carnegie Mellon Example Stack yoo yoo %ebp %esp yoo(…) { who(); } yoo who amI amI amI amI

36 IA32/Linux Stack Frame Current Stack Frame (“Top” to Bottom)
Carnegie Mellon IA32/Linux Stack Frame Current Stack Frame (“Top” to Bottom) “Argument build:” Parameters for function about to call Local variables If can’t keep in registers Saved register context Old frame pointer Caller Stack Frame Return address Pushed by call instruction Arguments for this call Caller Frame Arguments Frame pointer %ebp Return Addr Old %ebp Saved Registers + Local Variables Argument Build Stack pointer %esp

37 Calling swap from call_swap
Carnegie Mellon Revisiting swap Calling swap from call_swap int course1 = 15213; int course2 = 18243; void call_swap() { swap(&course1, &course2); } call_swap: • • • subl $8, %esp movl $course2, 4(%esp) movl $course1, (%esp) call swap Resulting Stack void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0; } %esp &course2 subl &course1 %esp call Rtn adr %esp

38 Revisiting swap swap: pushl %ebp movl %esp, %ebp pushl %ebx Set
Carnegie Mellon Revisiting swap swap: pushl %ebp movl %esp, %ebp pushl %ebx movl 8(%ebp), %edx movl 12(%ebp), %ecx movl (%edx), %ebx movl (%ecx), %eax movl %eax, (%edx) movl %ebx, (%ecx) popl %ebx popl %ebp ret Set Up void swap(int *xp, int *yp) { int t0 = *xp; int t1 = *yp; *xp = t1; *yp = t0; } Body Finish

39 swap Setup #1 Entering Stack Resulting Stack • %ebp • %ebp &course2 yp
Carnegie Mellon swap Setup #1 Entering Stack Resulting Stack %ebp %ebp &course2 yp &course1 xp Rtn adr %esp Rtn adr Old %ebp %esp swap: pushl %ebp movl %esp,%ebp pushl %ebx

40 swap Setup #2 Entering Stack Resulting Stack • %ebp • &course2 yp
Carnegie Mellon swap Setup #2 Entering Stack Resulting Stack %ebp &course2 yp &course1 xp Rtn adr %esp Rtn adr %ebp Old %ebp %esp swap: pushl %ebp movl %esp,%ebp pushl %ebx

41 swap Setup #3 Entering Stack Resulting Stack • %ebp • &course2 yp
Carnegie Mellon swap Setup #3 Entering Stack Resulting Stack %ebp &course2 yp &course1 xp Rtn adr %esp Rtn adr Old %ebp %ebp Old %ebx %esp swap: pushl %ebp movl %esp,%ebp pushl %ebx

42 Offset relative to %ebp
Carnegie Mellon swap Body Entering Stack Resulting Stack %ebp Offset relative to %ebp &course2 12 yp &course1 8 xp Rtn adr %esp 4 Rtn adr Old %ebp %ebp Old %ebx %esp movl 8(%ebp),%edx # get xp movl 12(%ebp),%ecx # get yp . . .

43 swap Finish Observation Stack Before Finish Resulting Stack
Carnegie Mellon swap Finish Stack Before Finish Resulting Stack yp xp Rtn adr Old %ebp %ebp %esp Old %ebx %ebp popl %ebx popl %ebp yp xp Rtn adr %esp Observation Saved and restored register %ebx Not so for %eax, %ecx, %edx

44 Disassembled swap Calling Code 08048384 <swap>:
Carnegie Mellon Disassembled swap <swap>: : push %ebp : 89 e mov %esp,%ebp : push %ebx : 8b mov 0x8(%ebp),%edx 804838b: 8b 4d 0c mov 0xc(%ebp),%ecx 804838e: 8b 1a mov (%edx),%ebx : 8b mov (%ecx),%eax : mov %eax,(%edx) : mov %ebx,(%ecx) : 5b pop %ebx : 5d pop %ebp : c ret Calling Code 80483b4: movl $0x ,0x4(%esp) # Copy &course2 80483bc: movl $0x ,(%esp) # Copy &course1 80483c3: call <swap> # Call swap 80483c8: leave # Prepare to return 80483c9: ret # Return

45 IA32/Linux+Windows Register Usage
Carnegie Mellon IA32/Linux+Windows Register Usage %eax, %edx, %ecx Caller saves prior to call if values are used later %eax also used to return integer value %ebx, %esi, %edi Callee saves if wants to use them %esp, %ebp special form of callee save Restored to original values upon exit from procedure %eax Caller-Save Temporaries %edx %ecx %ebx Callee-Save Temporaries %esi %edi %esp Special %ebp

46 So far IA 32 Procedures Stack Structure Calling Conventions
Carnegie Mellon So far IA 32 Procedures Stack Structure Calling Conventions Illustrations of Recursion & Pointers

47 Creating and Initializing Local Variable
Carnegie Mellon Creating and Initializing Local Variable Variable localx must be stored on stack Because: Need to create pointer to it Compute pointer as -4(%ebp) int add3(int x) { int localx = x; incrk(&localx, 3); return localx; } 8 x 4 Rtn adr Old %ebp %ebp First part of add3 -4 localx = x add3: pushl %ebp movl %esp, %ebp subl $24, %esp # Alloc. 24 bytes movl 8(%ebp), %eax movl %eax, -4(%ebp) # Set localx to x -8 Unused -12 -16 -20 -24 %esp

48 Creating Pointer as Argument
Carnegie Mellon Creating Pointer as Argument Use leal instruction to compute address of localx int add3(int x) { int localx = x; incrk(&localx, 3); return localx; } 8 x 4 Rtn adr Old %ebp %ebp Middle part of add3 -4 localx movl $3, 4(%esp) # 2nd arg = 3 leal -4(%ebp), %eax # &localx movl %eax, (%esp) # 1st arg = &localx call incrk -8 Unused -12 -16 -20 3 %esp+4 -24 %esp

49 Retrieving local variable
Carnegie Mellon Retrieving local variable Retrieve localx from stack as return value int add3(int x) { int localx = x; incrk(&localx, 3); return localx; } 8 x 4 Rtn adr Old %ebp %ebp Final part of add3 -4 localx movl -4(%ebp), %eax # Return val= localx leave ret -8 Unused -12 -16 -20 -24 %esp

50 IA32/Linux+Windows Register Usage
Carnegie Mellon IA32/Linux+Windows Register Usage %eax, %edx, %ecx Caller saves prior to call if values are used later %eax also used to return integer value %ebx, %esi, %edi Callee saves if wants to use them %esp, %ebp special form of callee save Restored to original values upon exit from procedure %eax Caller-Save Temporaries %edx %ecx %ebx Callee-Save Temporaries %esi %edi %esp Special %ebp

51 Internet Worm and IM War
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?

52 Internet Worm and IM War
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers AIM client MSN server MSN client AIM server AIM client

53 Internet Worm and IM War (cont.)
August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! many library functions do not check argument sizes. allows target buffers to overflow.

54 Buffer overflows Strings in C terminate at the first NUL-byte
Copying strings requires bounds checking! AAAABBBBCCCCDDDD0ntimony arsenic aluminum celenium0.. Antimony arsenic aluminum celenium0.. AAAABBBBCCCCDDDD0 Antimony arsenic aluminum celenium0 Buffer A void function(void) { char A[16]; char B[64]; int i; strcpy (B, “Antimony arsenic aluminum celenium“); strcpy (A, “AAAABBBBCCCCDDDD“); printf (“String B: %s\n“, B); } Buffer B Int i

55 Buffer overflows C stores all variables on stack, but also other important stuff! E.g. the address of where it was last executing (called the return address) Int i void bla(void) { char A[16]; function(); } void function(void) { char B[64]; int i; ... Buffer B Return address Buffer A STACK

56 Could return to anywhere!
Buffer overflows What happens if we write too much to B? Buffer A Buffer B Int i STACK Return address void function(void) { char B[64]; int i; strcpy (B, somebuffer); } somebuffer Could return to anywhere!

57 Buffer overflows Where would we want to return?
Could return to OUR input buffer Treated as machine code! Can execute anything Buffer A Buffer B Int i STACK Return address void bla(void) { char A[16]; function(); } void function(void) { char B[64]; int i; ... somebuffer

58 Buffer overflows What do we want to execute?
Could eject CDROM or delete all files Could launch a shell (say „/bin/bash“) Could open a new port and launch a shell there Could connect back to our host Need to careful about the input Such as NUL bytes Known as shellcode

59 String Library Code Implementation of Unix function gets()
No way to specify limit on number of characters to read Similar problems with other library functions strcpy, strcat: Copy strings of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest;

60 Vulnerable Buffer Code
/* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } void call_echo() { echo(); } unix>./bufdemo Type a string: unix>./bufdemo Type a string: Segmentation Fault unix>./bufdemo Type a string: ABC Segmentation Fault

61 Buffer Overflow Disassembly
echo: 80485c5: push %ebp 80485c6: 89 e mov %esp,%ebp 80485c8: push %ebx 80485c9: 83 ec sub $0x14,%esp 80485cc: 8d 5d f lea 0xfffffff8(%ebp),%ebx 80485cf: 89 1c mov %ebx,(%esp) 80485d2: e8 9e ff ff ff call <gets> 80485d7: 89 1c mov %ebx,(%esp) 80485da: e8 05 fe ff ff call e4 80485df: 83 c add $0x14,%esp 80485e2: 5b pop %ebx 80485e3: 5d pop %ebp 80485e4: c ret call_echo: 80485eb: e8 d5 ff ff ff call c5 <echo> 80485f0: c leave 80485f1: c ret

62 Buffer Overflow Stack Before call to gets Stack Frame for main
/* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Return Address Saved %ebp %ebp Saved %ebx Stack Frame for echo [3] [2] [1] [0] buf echo: pushl %ebp # Save %ebp on stack movl %esp, %ebp pushl %ebx # Save %ebx subl $20, %esp # Allocate stack space leal -8(%ebp),%ebx # Compute buf as %ebp-8 movl %ebx, (%esp) # Push buf on stack call gets # Call gets . . .

63 Buffer Overflow Stack Example
unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x80485c9 (gdb) run Breakpoint 1, 0x80485c9 in echo () (gdb) print /x $ebp $1 = 0xffffd678 (gdb) print /x *(unsigned *)$ebp $2 = 0xffffd688 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x80485f0 Before call to gets Before call to gets 0xffffd688 Stack Frame for main Stack Frame for main Return Address 08 04 85 f0 Saved %ebp ff ff d6 88 0xffffd678 Stack Frame for echo Saved %ebx Stack Frame for echo Saved %ebx [3] [2] [1] [0] buf xx xx xx xx buf 80485eb: e8 d5 ff ff ff call c5 <echo> 80485f0: c leave

64 Buffer Overflow Example #1
Before call to gets Input 0xffffd688 0xffffd688 Stack Frame for main Stack Frame for main 08 04 85 f0 08 04 85 f0 ff ff d6 88 0xffffd678 ff ff d6 88 0xffffd678 Saved %ebx Stack Frame for echo 00 Stack Frame for echo 37 36 35 xx xx xx xx buf 34 33 32 31 buf Overflow buf, and corrupt %ebx, but no problem

65 Buffer Overflow Example #2
Before call to gets Input 0xffffd688 0xffffd688 Stack Frame for main Stack Frame for main 08 04 85 f0 08 04 85 f0 ff ff d6 88 0xffffd678 ff ff d6 00 0xffffd678 Saved %ebx Stack Frame for echo Stack Frame for echo 38 37 36 35 xx xx xx xx buf 34 33 32 31 buf Base pointer corrupted . . . 80485eb: e8 d5 ff ff ff call c5 <echo> 80485f0: c leave # Set %ebp to corrupted value 80485f1: c ret

66 Buffer Overflow Example #3
Before call to gets Input 0xffffd688 0xffffd688 Stack Frame for main Stack Frame for main 08 04 85 f0 08 04 85 00 ff ff d6 88 0xffffd678 43 42 41 39 0xffffd678 Stack Frame for echo Saved %ebx 38 Stack Frame for echo 37 36 35 xx xx xx xx buf 34 33 32 31 buf Return address corrupted 80485eb: e8 d5 ff ff ff call c5 <echo> 80485f0: c leave # Desired return point

67 Malicious Use of Buffer Overflow
Stack after call to gets() void foo(){ bar(); ... } foo stack frame return address A B pad int bar() { char buf[64]; gets(buf); ... return ...; } data written by gets() exploit code bar stack frame B Input string contains byte representation of executable code Overwrite return address A with address of buffer B When bar() executes ret, will jump to exploit code

68 Buflab (7%) You will be writing rudimentary exploit code The goal:
Yeah! How cool is that? The goal: Take a carefully crafted service Overflow its buffers Make it do different / new things The assignment proceeds in stages, scores for each Competitive scoreboard: Deadline: 28/1 23:59. Individual assignment.


Download ppt "Introduction to x86 Assembly or “How does someone hack my laptop?”"

Similar presentations


Ads by Google