CS642: Computer Security (pages.cs.wisc.edu/~ace/media/lectures/x86-review.pdf)
TRANSCRIPT
Page 2: From Last Time
• ACL-based permissions (UNIX style)
– Read, Write, eXecute can be restricted on users and groups
– Processes (usually) run with the permissions of the invoking user
[Figure: the passwd process (RUID: ace, EUID: root) takes input and writes /etc/shadow]
Page 3: Processes are the front line of system security
• Control a process and you get the privileges of its UID
• So how do you control a process?
– Send specially formed input to process
[Figure: the same passwd process (RUID: ace, EUID: root): input goes in, a write goes to /etc/shadow]
Page 4: Privilege Escalation
article published last Thursday!
Page 5: Lecture Roadmap
• Today
– Enough x86 to understand (some) process vulnerabilities
• Memory Layout
• Some x86 instruction semantics
• Tools for inspecting assembly
• Next Time
– How such attacks occur
Page 6: Why do we need to look at assembly?
We understand code in this form:
int foo() { int a = 0; return a + 7; }
The compiler turns it into this form, and vulnerabilities are exploited in this form:
pushl %ebp
movl %esp, %ebp
subl $16, %esp
movl $0, -4(%ebp)
movl -4(%ebp), %eax
addl $7, %eax
leave
ret
“WYSINWYX: What You See Is Not What You eXecute” [Balakrishnan and Reps, TOPLAS 2010]
Page 7: x86: The De Facto Standard
• Extremely popular for desktop computers
• Alternatives
– ARM: popular on mobile
– MIPS: very simple
– Itanium: ahead of its time
Page 8: x86: Popular but Crazy
• CISC (complex instruction set computing)
– Over 100 distinct opcodes in the set
• Register poor
– Only 8 registers of 32 bits, only 6 are general-purpose
• Variable-length instructions
• Built of many backwards-compatible revisions
– Many security problems preventable… in hindsight
Page 9: A Little History
1978: Intel introduces the 8086 (16 bit)
1982: 80186 and 80286
1985: 80386 (32-bit)
1989: i486 (32-bit); Intel attempts to trademark the number 486, gets denied
1993: Pentium (“five”, made science-y?). This is not a joke. It’s the real reason
1995: Pentium Pro
2003: AMD makes x86-64 (64 bit)
…
Page 10: Let’s Dive in To x86!
Page 11: Registers
[Figure: the eight 32-bit registers EAX, EBX, ECX, EDX, ESI, EDI, ESP (stack pointer) and EBP (base pointer). The low 16 bits of EAX, EBX, ECX and EDX are addressable as AX, BX, CX and DX, and those split into the 8-bit halves AH/AL, BH/BL, CH/CL and DH/DL.]
Page 12: Process memory layout
.text – Machine code of executable
.data – Global initialized variables
.bss – Below Stack Section: global uninitialized vars
heap – Dynamic variables
stack – Local variables, function call data
Env – Environment variables, program arguments
[Figure: from low memory addresses to high: .text, .data, .bss, heap (grows upward), free memory, stack (grows downward), Env]
Page 13: Heap and Stack Design
[Figure: heap (grows upward) and stack (grows downward) at opposite ends of free memory, low addresses at the bottom and high addresses at the top]
• Allow for more efficient use of finite free memory
– Growing in opposite directions allows extra flexibility at runtime
• Stack – Local variables, function bookkeeping
• Heap – Dynamic memory
HeapandStackDesign
heap stackFree
memory
Highmemoryaddresses
Lowmemoryaddresses
Growsupward
Growsdownward
• Allowformoreefficientuseoffinitefreememory– Growinginoppositedirectionsallowsextraflexibilityatruntime
• Stack– Localvariables,functionbookkeeping
• Heap– Dynamicmemory
stack
![Page 15: CS642: Computer Securitypages.cs.wisc.edu/~ace/media/lectures/x86-review.pdf · BH CH DH (stack pointer) (base pointer) 32 bits. Process memory layout.text – Machine code of executable](https://reader033.vdocuments.site/reader033/viewer/2022052801/5f16c9f269fe5d28383b507e/html5/thumbnails/15.jpg)
HeapandStackDesign
heap stackFree
memory
Highmemoryaddresses
Lowmemoryaddresses
Growsupward
Growsdownward
• Allowformoreefficientuseoffinitefreememory– Growinginoppositedirectionsallowsextraflexibilityatruntime
• Stack– Localvariables,functionbookkeeping
• Heap– Dynamicmemory
heap
Page 16: Heap and Stack use: Example
main(): call foo(); call bar()
foo(): f_glob = malloc(0x100); call bar()
bar(): b_loc = 7
[Figure: stack frames for main, foo and bar (bar’s frame holding 7) grow down from high memory addresses toward free memory; the 0x100-byte block from malloc sits on the heap at low addresses; when main later calls bar directly, a new bar frame holding 7 appears just below main’s]
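The main → foo → bar chain of this slide, instrumented as an added example (not the lecture’s code) so the growth directions can be checked at run time. It assumes a conventional Linux or macOS process and a GCC/Clang compiler for the noinline attribute; the address variables and check_growth_directions() are this example’s own names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: records where each frame's local and each heap
 * block land while running the slide's main -> foo -> bar call chain. */
static uintptr_t addr_main_local, addr_foo_local, addr_bar_local;
static uintptr_t addr_heap_first, addr_heap_second;
static void *f_glob;                         /* the slide's f_glob = malloc(0x100) */

__attribute__((noinline)) static void bar(void) {
    volatile int b_loc = 7;                  /* the slide's b_loc = 7 */
    addr_bar_local = (uintptr_t)&b_loc;      /* where bar's frame lives */
}

__attribute__((noinline)) static void foo(void) {
    volatile int f_loc = 0;                  /* marks foo's frame */
    addr_foo_local = (uintptr_t)&f_loc;
    f_glob = malloc(0x100);                  /* first heap block */
    addr_heap_first = (uintptr_t)f_glob;
    bar();
}

/* Bit 0: each callee's frame lies below its caller's (stack grows down).
 * Bit 1: a later malloc landed above an earlier one (heap grows up; the
 * usual outcome for a fresh process, but the allocator does not promise it). */
int check_growth_directions(void) {
    volatile int m_loc = 0;                  /* marks main's frame */
    addr_main_local = (uintptr_t)&m_loc;
    foo();
    void *second = malloc(0x100);            /* second heap block, after foo */
    addr_heap_second = (uintptr_t)second;
    int stack_down = addr_foo_local < addr_main_local &&
                     addr_bar_local < addr_foo_local;
    int heap_up = addr_heap_second > addr_heap_first;
    free(second);
    free(f_glob);
    return (heap_up << 1) | stack_down;
}
```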
Page 17: Reminder: These are conventions
• Dictated by compiler
• Only instruction support from the processor
– Almost no structural notion of memory safety
• Use of uninitialized memory
• Use of freed memory
• Memory leaks
• So how are they actually implemented?
Page 18: Instruction Syntax
Examples:
subl $16, %ebx
movl (%eax), %ebx
• Instruction ends with data length (the l suffix means a 32-bit long)
• opcode, src, dst
• Constants preceded by $
• Registers preceded by %
• Indirection uses ()
Page 19: Register Instructions: sub
• Subtract from a register value
Example: subl %eax, %ebx
[Figure: before, %eax = 7 and %ebx = 9; after, %ebx = 2 (the destination %ebx becomes %ebx minus %eax)]
Page 20: Frame Instructions: push
• Put a value on the stack
– Pull from register
– Value goes to the top of the stack, at %esp
– Subtract from %esp
• Example: pushl %eax
[Figure: before, %eax = 7, %esp = N, %ebp = M; after, %esp = N-4 and the stack slot at N-4 holds 7 (4 is subtracted first, then the value is stored at the new %esp)]
Page 21: Frame Instructions: pop
• Take a value from the stack
– Pull from stack pointer
– Value goes from the slot at %esp into the register
– Add to %esp
• Example: popl %eax
[Figure: before, %eax = 9, %esp = K, %ebp = M and the slot at K holds 7; after, %eax = 7 and %esp = K+4, while the slot at K still holds 7 (pop moves the pointer, it does not erase memory)]
Page 22: Control flow instructions: jmp
• %eip points to the currently executing instruction (in the text section)
• Has unconditional and conditional forms
• Uses relative addressing
Example: jmp -20
[Figure: before, %eip = K, %esp = N, %ebp = M; after, %eip = K-20 and the stack is untouched]
Page 23: Control flow instructions: call
• Saves the current instruction pointer to the stack
• Jumps to the argument value
Example: at address A, call FOO
[Figure: before, %eip = K, %esp = N, %ebp = M; after, %eip = FOO (the first instruction of foo), %esp = N-4 and the slot at N-4 holds the return address A+2]
Page 24: Control flow instructions: ret
• Pops the stack into the instruction pointer
Example: at address K, ret
[Figure: before, %eip = K, %ebp = M, %esp = N and the slot at N holds A; after, %eip = A (the caller’s instruction) and %esp = N+4]
Page 25: Stack instructions: leave
• Equivalent to
movl %ebp, %esp
popl %ebp
[Figure: before, %ebp = M, %esp = N and the slot at M holds A; after, %esp has been moved to M and popped, and %ebp = A]
Page 26: Implementing a function call
main:
…
subl $8, %esp
movl $2, 4(%esp)
movl $1, (%esp)
call foo
addl $8, %esp
…
foo:
pushl %ebp
movl %esp, %ebp
subl $16, %esp
movl $3, -4(%ebp)
movl 8(%ebp), %eax
addl $9, %eax
leave
ret
[Figure: the stack as this runs: main places the arguments 2 and 1 (1 at the lower address), call pushes main’s return address (eip+2), foo’s prologue pushes main’s ebp and reserves 16 bytes, foo stores 3 at -4(%ebp), loads the first argument (1) from 8(%ebp) into %eax and adds 9, giving 10; leave and ret then restore main’s ebp, esp and eip]
Page 27: Function Calls: High level points
• Locals are organized into stack frames
– Callees exist at lower address than the caller
• On call:
– Save %eip so you can restore control
– Save %ebp so you can restore data
• Implementation details are largely by convention
– Somewhat codified by hardware
Page 28: Data types / Endianness
• x86 is a little-endian architecture
Example: %eax = 0xdeadbeef; pushl %eax
[Figure: the 4 bytes on the stack, drawn from the high address down to the low one, are 0xde, 0xad, 0xbe, 0xef (1 byte each), so the least significant byte 0xef sits at the lowest address, where %esp points]
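An added example (not the lecture’s code) that models the frame and control-flow instructions of pages 20 to 26 and the byte order of page 28: a 256-byte memory with the stack at its top and 32-bit esp/ebp/eip. The call follows the slides’ convention of saving A+2 as the return address; MEM_SIZE, Machine and the function names are this example’s own.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model: byte-addressed memory whose top is the stack, plus
 * esp/ebp/eip, enough to trace push/pop/call/ret/leave as on the slides. */
#define MEM_SIZE 256
typedef struct {
    uint8_t  mem[MEM_SIZE];   /* addresses 0..MEM_SIZE-1 */
    uint32_t esp, ebp, eip;
} Machine;
/* x86 is little-endian: least significant byte at the lowest address */
static void store32(Machine *m, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) m->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t load32(const Machine *m, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)m->mem[addr + i] << (8 * i);
    return v;
}
void push(Machine *m, uint32_t v) { m->esp -= 4; store32(m, m->esp, v); }   /* pushl */
uint32_t pop(Machine *m) { uint32_t v = load32(m, m->esp); m->esp += 4; return v; } /* popl */
void call(Machine *m, uint32_t target) { push(m, m->eip + 2); m->eip = target; } /* saves A+2 */
void ret(Machine *m) { m->eip = pop(m); }                                   /* popl %eip */
void leave(Machine *m) { m->esp = m->ebp; m->ebp = pop(m); }  /* movl %ebp,%esp ; popl %ebp */
static void reset(Machine *m) { memset(m, 0, sizeof *m); m->esp = m->ebp = MEM_SIZE; }
/* pushl %eax with %eax = 0xdeadbeef: 1 if the bytes at (%esp) read ef be ad de */
int endian_check(void) {
    Machine m; reset(&m);
    push(&m, 0xdeadbeefu);
    int ok = m.mem[m.esp] == 0xef && m.mem[m.esp + 1] == 0xbe &&
             m.mem[m.esp + 2] == 0xad && m.mem[m.esp + 3] == 0xde;
    return ok && pop(&m) == 0xdeadbeefu && m.esp == MEM_SIZE;
}
/* main's 'call foo' at address 0x10, foo's prologue, a local store, then
 * leave/ret: 1 if esp, ebp and eip return to the caller's view (eip = 0x12). */
int trace_foo_call(void) {
    Machine m; reset(&m); m.eip = 0x10;      /* main's eip at the call */
    call(&m, 0x40);                          /* call foo (foo lives at 0x40) */
    push(&m, m.ebp);                         /* pushl %ebp */
    m.ebp = m.esp;                           /* movl %esp, %ebp */
    m.esp -= 16;                             /* subl $16, %esp */
    store32(&m, m.ebp - 4, 3);               /* movl $3, -4(%ebp) */
    int saved_ok = load32(&m, m.ebp) == MEM_SIZE && load32(&m, m.ebp + 4) == 0x12;
    leave(&m);                               /* tear down the frame */
    ret(&m);                                 /* back to main at A+2 */
    return saved_ok && m.esp == MEM_SIZE && m.ebp == MEM_SIZE && m.eip == 0x12;
}
```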
Page 29: Arrays
void bar(char *in) { char name[5]; strcpy(name, in); }
bar:
pushl %ebp
movl %esp, %ebp
subl $5, %esp
movl 8(%ebp), %eax
movl %eax, 4(%esp)
leal -5(%ebp), %eax
movl %eax, (%esp)
call strcpy
leave
ret
[Figure: bar’s frame, high to low addresses: the caller’s eip+2 (return address), the caller’s ebp (where %ebp points), then name[5] holding ‘D’ 0x44, ‘r’ 0x72, ‘e’ 0x65, ‘w’ 0x77, ‘\0’ 0x00, with %esp below; in points to the source string, which may live in .text, .data or the heap]
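The bar() of this slide beside a bounded version, as an added example (not the lecture’s code): bar_checked() and accepts() are this example’s names, and NAME_LEN is the 5 bytes of name[5].

```c
#include <string.h>

#define NAME_LEN 5                 /* char name[5]: 4 characters plus '\0' */

/* As on the slide: strcpy writes strlen(in)+1 bytes with no length check,
 * so any input of 5 or more characters runs past name[]. */
void bar(char *in) {
    char name[NAME_LEN];
    strcpy(name, in);
}

/* Bounded version: copies into out (NAME_LEN bytes) only if the whole
 * string, terminator included, fits. Returns 0 on success, -1 otherwise. */
int bar_checked(const char *in, char *out) {
    const char *nul = memchr(in, '\0', NAME_LEN);  /* looks at most NAME_LEN bytes */
    if (nul == NULL)
        return -1;                 /* 5+ characters: no room for the '\0' */
    memcpy(out, in, (size_t)(nul - in) + 1);        /* text plus terminator */
    return 0;
}

/* 1 if the input was accepted and arrived intact, 0 if it was refused. */
int accepts(const char *in) {
    char name[NAME_LEN];
    return bar_checked(in, name) == 0 && strcmp(name, in) == 0;
}
```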
Page 30: Assembly Code Tools
• Let’s look at some programs for observing these phenomena
Page 31: Tools: GCC
gcc -O0 -S program.c -o program.S -m32
gcc -O0 -g program.c -o program -m32
(-S emits assembly instead of an object, -g adds debug info for gdb, -m32 targets 32-bit x86)
Page 32: Tools: GDB
gdb program
(gdb) run
(gdb) disassemble foo
(gdb) quit
Page 33: Tools: objdump
objdump -Dwrt program
Page 34: Tools: od
od -x program
Page 35: Memory Safety: Why and Why Not
• The freedom from these shenanigans
• x86 has little inbuilt notion of memory safety
– Compiler or analysis can
Page 36: Summary
• Basics of x86
– Process layout
– ISA details
– Most of the instructions that you’ll need
• Introduced the concept of a buffer overflow
• Some tools to play around with x86 assembly
• Next time: exploiting these vulnerabilities