From Last Time

• ACL-based permissions (UNIX style)
  – Read, Write, eXecute can be restricted on users and groups
  – Processes (usually) run with the permissions of the invoking user

[Figure: the passwd process runs with RUID: ace and EUID: root; it receives input and writes /etc/shadow]
Processes are the front line of system security

• Control a process and you get the privileges of its UID
• So how do you control a process?
  – Send specially formed input to process

[Figure: the same passwd diagram, RUID: ace, EUID: root; input arrives at the process and /etc/shadow is written]
Privilege Escalation

[Slide: a privilege escalation article published last Thursday!]
Lecture Roadmap

• Today
  – Enough x86 to understand (some) process vulnerabilities
    • Memory layout
    • Some x86 instruction semantics
    • Tools for inspecting assembly
• Next Time
  – How such attacks occur
Why do we need to look at assembly?

We understand code in this form:

    int foo() {
        int a = 0;
        return a + 7;
    }

Vulnerabilities are exploited in this form (what the compiler produces):

    pushl %ebp
    movl  %esp, %ebp
    subl  $16, %esp
    movl  $0, -4(%ebp)
    movl  -4(%ebp), %eax
    addl  $7, %eax
    leave
    ret

“WYSINWYX: What you see is not what you eXecute” [Balakrishnan and Reps, TOPLAS 2010]
x86: The De Facto Standard

• Extremely popular for desktop computers
• Alternatives
  – ARM: popular on mobile
  – MIPS: very simple
  – Itanium: ahead of its time
x86: Popular but Crazy

• CISC (complex instruction set computing)
  – Over 100 distinct opcodes in the set
• Register poor
  – Only 8 registers of 32 bits, only 6 are general-purpose
• Variable-length instructions
• Built of many backwards-compatible revisions
  – Many security problems preventable… in hindsight
A Little History

• 1978: Intel introduces the 8086 (16-bit)
• 1982: 80186 and 80286
• 1985: 80386 (32-bit)
• 1989: i486 (32-bit)
• 1993: Pentium (Intel attempts to trademark the number 486, gets denied; “Pentium” is “five” made science-y. This is not a joke. It’s the real reason)
• 1995: Pentium Pro
• 2003: AMD makes x86-64 (64-bit)
• …
Let’s Dive in to x86!

x86 Registers (32 bits)

• General purpose: EAX, EBX, ECX, EDX
  – Their low 16 bits are AX, BX, CX, DX, each split into a high and a low byte: AH/AL, BH/BL, CH/CL, DH/DL
• ESI, EDI
• ESP (stack pointer)
• EBP (base pointer)
Process memory layout

    Low memory addresses                                        High memory addresses
    .text | .data | .bss | heap  →  free memory  ←  stack | Env
                          grows upward            grows downward

• .text – Machine code of executable
• .data – Global initialized variables
• .bss – Below Stack Section: global uninitialized vars
• heap – Dynamic variables
• stack – Local variables, function call data
• Env – Environment variables, program arguments
Heap and Stack Design

    heap  →  free memory  ←  stack
    low memory addresses, grows upward        high memory addresses, grows downward

• Allow for more efficient use of finite free memory
  – Growing in opposite directions allows extra flexibility at runtime
• Stack – Local variables, function bookkeeping
• Heap – Dynamic memory
Heap and Stack use: Example

    main():
        call foo()
        call bar()
    foo():
        f_glob = malloc(0x100)
        call bar()
    bar():
        b_loc = 7;

[Figure: free memory between heap and stack; stack frames for main, foo and bar (holding 7) stacked downward from high memory addresses, the 0x100-byte malloc block in the heap; later a bar frame (holding 7) directly under main when main calls bar]
Reminder: These are conventions

• Dictated by compiler
• Only instruction support by processor
  – Almost no structural notion of memory safety
    • Use of uninitialized memory
    • Use of freed memory
    • Memory leaks
• So how are they actually implemented?
Instruction Syntax

Examples:

    subl $16, %ebx
    movl (%eax), %ebx

• Instruction ends with data length
• opcode, src, dst
• Constants preceded by $
• Registers preceded by %
• Indirection uses ()
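The five syntax rules above are enough to classify any operand on these slides. As an added example (not part of the lecture), this constructed C parser applies them to the operand forms the slide shows: a constant, a register, and a bare or displaced indirection; the register table and the OpKind/Operand names are assumptions of the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed parser for the AT&T operand forms shown on the slide:
 * $16 (constant), %ebx (register), (%eax) and 8(%ebp) (indirection). */
typedef enum { OP_BAD, OP_IMM, OP_REG, OP_MEM } OpKind;
/* The eight 32-bit registers from the registers slide; index = register id. */
static const char *const REGS[] = { "eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp" };
#define NREGS (sizeof REGS / sizeof REGS[0])
typedef struct { OpKind kind; long value; int reg; } Operand;  /* reg: index into REGS or -1 */

/* Matches "%name" against REGS; returns the register index and sets *len to
 * the characters consumed, or -1 if s does not start with a known register. */
static int parse_reg(const char *s, size_t *len) {
    if (s[0] != '%') return -1;
    for (size_t i = 0; i < NREGS; i++) {
        size_t n = strlen(REGS[i]);
        if (strncmp(s + 1, REGS[i], n) == 0) { *len = n + 1; return (int)i; }
    }
    return -1;
}

Operand parse_operand(const char *s) {
    Operand op = { OP_BAD, 0, -1 };
    char *end;
    size_t n = 0;
    if (s[0] == '$') {                    /* constant: $16, $0x10, $-4 */
        op.value = strtol(s + 1, &end, 0);
        if (end != s + 1 && *end == '\0') op.kind = OP_IMM;
        return op;
    }
    if (s[0] == '%') {                    /* register: %ebx */
        op.reg = parse_reg(s, &n);
        if (op.reg >= 0 && s[n] == '\0') op.kind = OP_REG;
        return op;
    }
    /* indirection: optional displacement, then (%reg); value holds the displacement */
    op.value = strtol(s, &end, 0);        /* end == s when there is no displacement */
    if (*end == '(') {
        op.reg = parse_reg(end + 1, &n);
        if (op.reg >= 0 && end[1 + n] == ')' && end[2 + n] == '\0') op.kind = OP_MEM;
    }
    return op;
}
```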
Register Instructions: sub

• Subtract from a register value

    subl %eax, %ebx      # %ebx = %ebx - %eax

Before: %eax = 7, %ebx = 9.  After: %eax = 7, %ebx = 2.  Memory is untouched.
Frame Instructions: push

• Put a value on the stack
  – Pull from register
  – Subtract from %esp
  – Value goes to (%esp)
• Example:

    pushl %eax

Before: %eax = 7, %esp = N, %ebp = M.  After: %esp = N-4 and the word at N-4 holds 7; %eax and %ebp are unchanged.
Frame Instructions: pop

• Take a value from the stack
  – Pull from stack pointer
  – Value comes from (%esp)
  – Add to %esp

    popl %eax

Before: %eax = 9, %esp = K, %ebp = M, and the word at K holds 7.  After: %eax = 7, %esp = K+4; the 7 is still in memory at K.
Control flow instructions: jmp

• %eip points to the currently executing instruction (in the text section)
• Has unconditional and conditional forms
• Uses relative addressing

    jmp -20

Before: %eip = K, %esp = N, %ebp = M.  After: %eip = K-20; the stack and %esp/%ebp are unchanged.
Control flow instructions: call

• Saves the current instruction pointer to the stack
• Jumps to the argument value

    A:   call FOO

Before: %eip = K (the call at A), %esp = N, %ebp = M.  After: %eip = FOO (the first instruction of foo), %esp = N-4, and the word at N-4 holds the return address A+2.
Control flow instructions: ret

• Pops the stack into the instruction pointer

    K:   ret

Before: %eip = K, %esp = N, %ebp = M, and the word at N holds A.  After: %eip = A (the caller's instruction), %esp = N+4.
Stack instructions: leave

• Equivalent to

    movl %ebp, %esp
    popl %ebp

Before: %ebp = M, %esp = N, and the word at M holds A.  After the movl: %esp = M.  After the popl: %ebp = A (the saved base pointer that was at M) and %esp has moved up past it.
Implementing a function call

    main:
        …
        subl  $8, %esp
        movl  $2, 4(%esp)
        movl  $1, (%esp)
        call  foo
        addl  $8, %esp
        …

    foo:
        pushl %ebp
        movl  %esp, %ebp
        subl  $16, %esp
        movl  $3, -4(%ebp)
        movl  8(%ebp), %eax
        addl  $9, %eax
        leave
        ret

[Figure: the stack data traced step by step. main makes room and stores the arguments 2 and 1; call pushes main's return address (main eip+2); foo saves main's %ebp, sets its own %ebp and %esp, stores the local 3 at -4(%ebp), loads the first argument 1 from 8(%ebp) into %eax and adds 9, giving 10; leave and ret unwind the frame and %eip returns to main, which pops the arguments with addl $8, %esp.]
Function Calls: High level points

• Locals are organized into stack frames
  – Callees exist at lower address than the caller
• On call:
  – Save %eip so you can restore control
  – Save %ebp so you can restore data
• Implementation details are largely by convention
  – Somewhat codified by hardware
Data types / Endianness

• x86 is a little-endian architecture

    %eax = 0xdeadbeef
    pushl %eax

[Figure: the 4 bytes 0xde 0xad 0xbe 0xef land on the stack one byte each (4 bytes, 1 1 1 1), with the least significant byte 0xef at the lowest address, where %esp now points]
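The push/pop, call/ret and leave slides, the main/foo trace, and the endianness slide all describe the same small machine. As an added example (not from the lecture), this constructed C model implements those instruction semantics over a byte array with little-endian stores, replays the slides' main/foo sequence to recover %eax = 10, and shows which byte of 0xdeadbeef lands at (%esp); the 64-byte memory and the addresses 0x100/0x105/0x200 are assumptions of the example.

```c
#include <stdint.h>

/* Constructed model of the slides' stack: a 64-byte region with %esp and
 * %ebp as byte offsets into it, plus %eax and %eip. Addresses are made up. */
#define MEM_SIZE 64u
typedef struct { uint8_t mem[MEM_SIZE]; uint32_t esp, ebp, eax, eip; } Cpu;

/* Little-endian store/load: least significant byte at the lowest address. */
static void store32(Cpu *c, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) c->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t load32(const Cpu *c, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | c->mem[addr + i];
    return v;
}
/* pushl: subtract 4 from %esp, then the value goes to (%esp). */
static void pushl(Cpu *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
/* popl: the value comes from (%esp), then add 4 to %esp. */
static uint32_t popl(Cpu *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }
/* call: save the return address (the instruction after the call), then jump. */
static void call(Cpu *c, uint32_t target, uint32_t ret_addr) { pushl(c, ret_addr); c->eip = target; }
/* ret: pop the stack into %eip. */
static void ret(Cpu *c) { c->eip = popl(c); }
/* leave: movl %ebp,%esp ; popl %ebp */
static void leave(Cpu *c) { c->esp = c->ebp; c->ebp = popl(c); }

/* Replays the slides' main/foo sequence; returns foo's %eax (1 + 9 = 10),
 * or 0xffffffff if %eip or %esp did not come back to where main left them. */
uint32_t run_main_foo(void) {
    Cpu c = {{0}, MEM_SIZE, MEM_SIZE, 0, 0x100};   /* constructed start state */
    /* main: subl $8,%esp ; movl $2,4(%esp) ; movl $1,(%esp) ; call foo */
    c.esp -= 8; store32(&c, c.esp + 4, 2); store32(&c, c.esp, 1);
    call(&c, 0x200, 0x105);                /* 0x105: the addl after the call */
    /* foo: pushl %ebp ; movl %esp,%ebp ; subl $16,%esp ; movl $3,-4(%ebp) */
    pushl(&c, c.ebp); c.ebp = c.esp; c.esp -= 16; store32(&c, c.ebp - 4, 3);
    /* movl 8(%ebp),%eax ; addl $9,%eax : the first argument sits above the
     * saved %ebp (at 0(%ebp)) and the return address (at 4(%ebp)). */
    c.eax = load32(&c, c.ebp + 8) + 9;
    leave(&c); ret(&c);
    c.esp += 8;                            /* main: addl $8,%esp */
    return (c.eip == 0x105 && c.esp == MEM_SIZE) ? c.eax : 0xffffffffu;
}

/* pushl of a value: which byte ends up at the lowest address, (%esp)? */
uint8_t lowest_byte_after_push(uint32_t v) {
    Cpu c = {{0}, MEM_SIZE, MEM_SIZE, 0, 0};
    pushl(&c, v);
    return c.mem[c.esp];                   /* 0xef for 0xdeadbeef */
}
```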
Arrays

    void bar(char *in) {
        char name[5];
        strcpy(name, in);
    }

    bar:
        pushl %ebp
        movl  %esp, %ebp
        subl  $5, %esp
        movl  8(%ebp), %eax
        movl  %eax, 4(%esp)
        leal  -5(%ebp), %eax
        movl  %eax, (%esp)
        call  strcpy
        leave
        ret

[Figure: bar's frame holds the caller's return address (caller eip+2) and the caller's saved %ebp above name[5]; &in points into .text/.data/HEAP; after strcpy, name holds ‘D’ 0x44, ‘r’ 0x72, ‘e’ 0x65, ‘w’ 0x77, ‘\0’ 0x00]
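strcpy has no idea that name is 5 bytes long; it copies until it finds the NUL in the input, so anything longer than four characters spills over the saved %ebp and return address that the figure shows directly above name. As an added example (not the lecture's code), the slide's bar is shown beside a bounded variant that rejects input that does not fit, and a helper that reports how far an unbounded copy would overrun; NAME_CAP, bar_safe, overflow_bytes and name_fits are names chosen for this example.

```c
#include <stddef.h>
#include <string.h>

#define NAME_CAP 5   /* the slide's char name[5] */

/* The slide's bar(): strcpy() stops only at the NUL in `in`, so any input
 * of NAME_CAP or more characters writes past name[] into the saved %ebp and
 * the return address that sit above it in bar's frame. */
void bar_unsafe(char *in) {
    char name[NAME_CAP];
    strcpy(name, in);
}

/* Bytes a strcpy of `in` would write beyond a cap-byte buffer (0 if it fits). */
size_t overflow_bytes(const char *in, size_t cap) {
    size_t needed = strlen(in) + 1;          /* characters plus the NUL */
    return needed > cap ? needed - cap : 0;
}

/* Hardened variant: copy only when the whole string, NUL included, fits.
 * memchr bounds the scan to cap bytes, so an overlong or unterminated `in`
 * is rejected rather than copied. Returns 0 on success, -1 if rejected. */
int bar_safe(char *out, size_t cap, const char *in) {
    const char *nul = memchr(in, '\0', cap);
    if (nul == NULL) return -1;              /* strlen(in) >= cap: would overflow */
    memcpy(out, in, (size_t)(nul - in) + 1);
    return 0;
}

/* Does `in` fit the slide's 5-byte name[] when copied with bar_safe? */
int name_fits(const char *in) {
    char name[NAME_CAP];
    return bar_safe(name, sizeof name, in) == 0;
}
```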
Assembly Code Tools

• Let’s look at some programs for observing these phenomena

Tools: GCC

    gcc -O0 -S program.c -o program.S -m32
    gcc -O0 -g program.c -o program -m32

Tools: GDB

    gdb program
    (gdb) run
    (gdb) disassemble foo
    (gdb) quit

Tools: objdump

    objdump -Dwrt program

Tools: od

    od -x program
Memory Safety: Why and Why Not

• The freedom from these shenanigans
• x86 has little inbuilt notion of memory safety
  – Compiler or analysis can
Summary

• Basics of x86
  – Process layout
  – ISA details
  – Most of the instructions that you’ll need
• Introduced the concept of a buffer overflow
• Some tools to play around with x86 assembly
• Next time: exploiting these vulnerabilities