Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!


0 15-213 Recitation: Attack Lab
Jenna MacCarley Recitation 5: 28 Sep 2015

1 Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

2 Agenda
Stack review
Attack lab overview
  Phases 1-3: Buffer overflow attacks
  Phases 4-5: ROP attacks

3 x86-64: Register Conventions
Arguments passed in registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9
Return value: %rax
Callee-saved: %rbx, %r12, %r13, %r14, %rbp, %rsp
Caller-saved: %rdi, %rsi, %rdx, %rcx, %r8, %r9, %rax, %r10, %r11
Stack pointer: %rsp
Instruction pointer: %rip

4 x86-64: The Stack
Grows downward towards lower memory addresses
%rsp points to top of stack
push %reg: subtract 8 from %rsp, put val in %reg at (%rsp)
pop %reg: put val at (%rsp) in %reg, add 8 to %rsp
[Stack diagram: Bottom at 0x7fffffffffff, Top at %rsp]

5 x86-64: Stack Frames
Every function call has its own stack frame.
Think of a frame as a workspace for each call.
  Local variables
  Callee & Caller-saved registers
  Optional arguments for a function call

6 x86-64: Function Call Setup
Caller:
  Allocates stack frame large enough for saved registers, optional arguments
  Save any caller-saved registers in frame
  Save any optional arguments (in reverse order) in frame
  call foo: push %rip to stack, jump to label foo
Callee:
  Push any callee-saved registers, decrease %rsp to make room for new frame

7 x86-64: Function Call Return
Callee:
  Increase %rsp, pop any callee-saved registers (in reverse order), execute ret: pop %rip

8 Attack Lab Overview: Phases 1-3
Exploit x86-64 by overwriting the stack
  Overflow a buffer, overwrite return address
  Execute injected code
Key Advice
  Brush up on your x86-64 conventions!
  Use objdump -d to determine relevant offsets
  Use GDB to determine stack addresses

9 Buffer Overflows
Exploit strcpy vulnerability to overwrite important info on stack
  When this function returns, where will it begin executing?
    Recall ret: pop %rip
  What if we want to inject new code to execute?
[Stack diagram: 0xAABBCCDD, 0xFFFFFFFF; labels: Old Return address, buf]

10 Demonstration: Generating Byte Codes
Use gcc and objdump to generate byte codes for assembly instruction sequences

11 Attack Lab Overview: Phases 4-5
Utilize return-oriented programming to execute arbitrary code
  Useful when stack is non-executable or randomized
Find gadgets, string together to form injected code
Key Advice
  Use mixture of pop & mov instructions + constants to perform specific task

12 ROP Example

    void foo(char *input){
        char buf[32];
        ...
        strcpy (buf, input);
        return;
    }

Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into %rbx and move it into %rax
Gadgets:
  address1: mov %rbx, %rax; ret
  address2: pop %rbx; ret
Inspired by content created by Professor David Brumley

13 ROP Example: Solution
Gadgets:
  Address 1: mov %rbx, %rax; ret
  Address 2: pop %rbx; ret

    void foo(char *input){
        char buf[32];
        ...
        strcpy (buf, input);
        return;
    }

Stack diagram (top to bottom):
  Next address in ROP chain….
  Address 1
  0xBBBBBBBB
  Address 2                (Old Return address)
  0xFFFFFFFF
  0xFFFFFFFF (filler…..)   (buf)
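An added example, not part of the original slides: a small C model of the slide 13 stack that applies the pop and ret rules from slides 4 and 7 to a byte array, so the chain can be traced without a real target. ADDR1, ADDR2 and NEXT are symbolic placeholders rather than real gadget addresses, and the layout assumes the return address sits directly above buf, as in the slide's diagram.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Symbolic stand-ins for gadget addresses (assumed, not real addresses). */
enum { ADDR1 = 0x1001,   /* mov %rbx, %rax; ret */
       ADDR2 = 0x1002,   /* pop %rbx; ret */
       NEXT  = 0x1003 }; /* "next address in ROP chain": stops the model */
struct cpu { uint64_t rax, rbx, rsp; };  /* rsp is a byte offset into mem */

/* Store a 64-bit word in little-endian byte order, as x86-64 does. */
static void put64(uint8_t *mem, size_t off, uint64_t v) {
    for (int i = 0; i < 8; i++) mem[off + i] = (uint8_t)(v >> (8 * i));
}

/* pop: read the word at (%rsp), then add 8 to %rsp. */
static uint64_t pop64(const uint8_t *mem, struct cpu *c) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | mem[c->rsp + i];
    c->rsp += 8;
    return v;
}

/* Frame after the overflow: mem[0..31] is buf, mem[32..39] the return slot. */
size_t build_frame(uint8_t *mem) {
    memset(mem, 0xFF, 32);       /* filler covering buf[32] */
    put64(mem, 32, ADDR2);       /* replaces the old return address */
    put64(mem, 40, 0xBBBBBBBB);  /* value consumed by pop %rbx */
    put64(mem, 48, ADDR1);
    put64(mem, 56, NEXT);
    return 64;
}

/* foo's ret and each gadget's ret are modelled as "pop %rip"; returns %rax. */
uint64_t run_chain(const uint8_t *mem, size_t len, struct cpu *c) {
    for (;;) {
        if (c->rsp + 8 > len) return UINT64_MAX;        /* ran off the frame */
        uint64_t rip = pop64(mem, c);                   /* ret */
        if (rip == NEXT) return c->rax;
        if (rip == ADDR1) c->rax = c->rbx;              /* mov %rbx, %rax */
        else if (rip == ADDR2 && c->rsp + 8 <= len) c->rbx = pop64(mem, c);
        else return UINT64_MAX;                         /* not a known gadget */
    }
}

int main(void) {
    uint8_t mem[64];
    struct cpu c = {0, 0, 32};  /* %rsp starts at the return-address slot */
    printf("rax = 0x%llx\n", (unsigned long long)run_chain(mem, build_frame(mem), &c));
}
```
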

14 ROP Demonstration: Looking for Gadgets
How to identify useful gadgets in your code

15 Tools
objdump -d
  View byte code and assembly instructions, determine stack offsets
./hex2raw
  Pass raw ASCII strings to targets
gdb
  Step through execution, determine stack addresses
gcc -c
  Generate object file from assembly language file

16 More Tips
Draw stack diagrams
Be careful of byte ordering (little endian)

17 Also...

18 Questions?

