Embed Size (px)
Citation preview
Introduction to Information
Security :מרצים
Dr. Eran Tromer: [email protected]. Avishai Wool: [email protected]
:מתרגליםItamar Gilad ([email protected])Nir Krakowski ([email protected])
Course guidlines• The course exercises aren’t easy!
o You will have to learn and do a lot.o Google is your friend, but so are we!
• Best 75% of exercises will be used to calculate the average exercise grade.
• Exercises are to be submitted the week after the recitation
• Ask questions!!• Download exercises from website
https://course.cs.tau.ac.il/infosec13/exercises• Fill out the course questionnaire!
Instructors• We’ll be instructing the course together• Reception hour:
o Schedule an appointment by email
• General note: Please keep in mind that the lectures and recitations will often not match. This is by design, not a mistake.
Recitation #1• Subjects:
oCourse IT FrameworkoX86 Assembly oReverse Engineeringo IDAoOther tools
IT Framework• VirtualBox VM file, with Ubuntu 12.04.2 LTS
o Username: ‘student’o Password: ‘do or do not there is no try’o Change the password with the command: passwd
• Wine: IDA, Hexworkshop• Python• vi, gedit, ghex, hexedit• To get more tools:
o sudo apt-get install [toolname]o sudo pip install [pythonmodulename]o Google for more tools
• All exercises will be provided to work within the VM Framework.
• Most exercises will not work on a standard machine.
VM Demo
X86 assembly• Command elements:
o Instruction – a whole commando Opcode – what you want to doo Operand – what do you want to operate on (source) or
with (dest)• Opcode types:
o Data opcode examples: MOV, XOR, ADD, SUB, INC, SHL, SHR, TEST, CMP
o Unconditional control flow (branching) opcode examples: JMP, CALL, RET
o Flag based conditional control flow examples: JZ, JNE, JNZ, JBE, JG.
o Stack operations: POP, PUSH, PUSHA, POPA
X86 assembly• Operand types:
oRegistersoConstantsoMemory addresseso Pointerso Flags
• Commands or Instructions are variable length:o 1 to 8 bytes long.
Command structure• Command structure (no operand):
oOpcodeo Example: NOPo Example: RET
• Command structure (single operand):oOpcode operando Example: INT 0x3o Example: JMP [memory address]o Example: POP [register]
Command structure• Command structure (dual operand):
oOpcode dest-operand source-operando Example: MOV EAX, 0o Example: SAR EBX, 2o Example: MOV ECX, [EBX]
• Cheat Sheet: https://www.ssucet.org/mod/resource/view.php?id=886
• Google: x86 assembly cheat sheet
Reverse Engineering• What does the following code do:
o LEA EDX, [address to “Hello, world!”]oMOV ECX, 12MYLOOP:o PUSH EDXoCALL printfoADD ESP, 4o LOOP MYLOOP
Reverse Engineering• What is assembly reverse engineering:
o Compiling is like a one-way function.o Information is lost, and we might loose access to:
• Variable and function names• Comments
o What do we still have:• Import and export name (relations between modules)• Structure of parameters to functions.• Starting point• Hard-coded strings• Constants
• Our objectives:o Find the most interesting piece of code in the least amount of
timeo Understand what it does and howo Find weaknesses and figure out how to exploit them
RE Process• Use leads:
o Strings, UIo Dynamic debugging, breakpoints.o Library and system functions
• Interpret the assembled code by using intelligent guesses:o Context-basedo Code is written by people using regular
code conventionso Code is written in an upper level language
IDA• The Interactive Dis-Assembler (IDA) is the most popular
reverse engineering toolo Version 5.0 is free-ware and that is what we’ll use.
• IDA does several things automatically:o Disassemble x86 binary code into human readable formato Identifies ELF headers (executable file formats)o Signature based recognition for library functions and compiler trickso Creates code graph by basic blockso Code and data xrefs (references to memory addresses, functions)
• Provides a good environment for research:o Adding comments (‘;’)o Renaming labels: code blocks, variables, function names, structures. (‘n’)o Change interpretation of binary data (code->data, data->code, data type
change, etc.)
• https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf
IDA Options
IDA Demo• [Helllo World]
IDA Demo• [stricmp]
This week’s exercise• VM setup• First reverse engineering task• It isn’t hard – but please start early and contact
us if you have any trouble with the setup
