Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

Published byAlison McDonald Modified over 9 years ago

Similar presentations

Presentation on theme: "Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function."— Presentation transcript:

1

2 Part I The Basic Idea

3 software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function ‘getURL’ to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute – normally this is the next address (instruction 100 is followed by instruction 101, etc) – not so with function call 200 201 202 203 204 100 101 102 103 IE getURL 104 call getURL return result

4 software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function ‘getURL’ to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute – normally this is the next address (instruction 100 is followed by instruction 101, etc) – not so with function call return result call getURL 200 201 202 203 204 100 101 102 103 104 PC IE getURL

5 1020 1021 1022 1023 1024 software so how does our CPU know where to return? – it keeps administration – on a ‘stack’ 200 201 202 203 204 100 101 102 103 104 stack PC call getURL return result 103 PC IE getURL stack pointer (SP)  Points to last added entry on the stack

6 real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); }

7 real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } call read 200 201 202 203 100 101 102 103 IE getURL 104 call getURL return result

8 real functions  variables call read 200 201 202 203 100 101 102 103 IE getURL 104 call getURL return result getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } stack 103 1022 1023 1024 1019 1021 1020 old FP 1018 1017 1016 1015 1014 1013 1012 1011 1010 frame pointer (FP)  Points to start of this function’s stack frame

9 real functions  variables call read 200 201 202 203 100 101 102 103 IE getURL 104 call getURL return result getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } stack 103 1022 1023 1024 1019 1021 1020 old FP 1018 1017 1016 1015 1014 1013 1012 1011 1010

10 real functions  variables old FP call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 buf 1017 1016 1015 1014 1013 1012 1011 1010 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1009 1008 1007 getURL 300 301 302 303return read

11 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 64 (buf) fd old FP 1009 1008 1007 buf getURL stack 300 301 302 303return read

12 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 1009 1008 1007 64 (buf) fd buf getURL 202 300 301 302 303return read

13 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd getURL 300 301 302 303return read frame pointer (FP)

14 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd on “return from read” getURL 300 301 302 303return read

15 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd getURL 300 301 302 303return read POP

16 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd getURL 300 301 302 303return read

17 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd getURL 300 301 302 303return read RET

18 real functions  variables call read 200 201 202 203 100 101 102 103 IE 104 call getURL return result stack 103 1022 1023 1024 1019 1021 1020 1018 1017 1016 1015 getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } 1014 1013 1012 1011 1010 old FP 202 1023 1009 1008 1007 64 (buf) fd getURL 300 301 302 303return read

19 Where is the vulnerability?

20 Exploit 103 1022 1023 1024 1019 1021 1020 1018 buf 1017 1016 1015 1014 1013 1012 1011 1010 getURL () { char buf[10]; read(keyboard, buf, 64); get_webpage (buf); } IE () { getURL (); } 1013

21 You may also overwrite other things For instance: – Other variables that are also on the stack – Other addresses – Etc.

22 Memory Corruption Final words Part I We have sketched only the most common memory corruption attack – many variations, e.g.: heap   stack more complex overflows off-by-one But there are others also – integer overflows – format string attacks – double free – etc. Not now, perhaps later… *different kinds

Download ppt "Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 2: Data types and addressing modes dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 2: Data types and addressing modes dr.ir. A.C. Verschueren.
Topic 10 Java Memory Management. 1-2 Memory Allocation in Java When a program is being executed, separate areas of memory are allocated for each class.

Topic 10 Java Memory Management. 1-2 Memory Allocation in Java When a program is being executed, separate areas of memory are allocated for each class.
Procedure call frame: Hold values passed to a procedure as arguments

Procedure call frame: Hold values passed to a procedure as arguments
Interrupts Chapter 8 – pp 209-214 Chapter 10 – pp 258-264 Appendix A – pp 537 & 543-545.

Interrupts Chapter 8 – pp Chapter 10 – pp Appendix A – pp 537 &
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.

Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Similar presentations

Ads by Google