15 213 recitation attack lab
play

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie - PowerPoint PPT Presentation

Mar 01, 2023 •677 likes •882 views

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

  1. Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015

  2. Carnegie Mellon Reminder ■ Bomb lab is due tomorrow! ■ Attack lab is released tomorrow!!

  3. Carnegie Mellon Agenda ■ Stack review ■ Attack lab overview ■ Phases 1-3: Buffer overflow attacks ■ Phases 4-5: ROP attacks

  4. Carnegie Mellon x86-64: Register Conventions ■ Arguments passed in registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 ■ Return value: %rax ■ Callee-saved: %rbx, %r12, %r13, %r14, %rbp, %rsp ■ Caller-saved: %rdi, %rsi, %rdx, %rcx, %r8, %r9, %rax, %r10, %r11 ■ Stack pointer: %rsp ■ Instruction pointer: %rip

  5. Carnegie Mellon x86-64: The Stack ■ Grows downward towards lower memory addresses ■ %rsp points to top of stack Bottom 0x7fffffffffff ■ push %reg : subtract 8 from %rsp , put val in %reg at (%rsp) ■ pop %reg : put val at (%rsp) in %reg , add 8 to %rsp %rsp Top

  6. Carnegie Mellon x86-64: Stack Frames ■ Every function call has its own stack frame . ■ Think of a frame as a workspace for each call. ■ Local variables ■ Callee & Caller-saved registers ■ Optional arguments for a function call

  7. Carnegie Mellon x86-64: Function Call Setup Caller: ■ Allocates stack frame large enough for saved registers, optional arguments ■ Save any caller-saved registers in frame ■ Save any optional arguments (in reverse order ) in frame ■ call foo : push %rip to stack, jump to label foo Callee: ■ Push any callee-saved registers, decrease %rsp to make room for new frame

  8. Carnegie Mellon x86-64: Function Call Return Callee: ■ Increase %rsp, pop any callee-saved registers (in reverse order ), execute ret: pop %rip

  9. Carnegie Mellon Attack Lab Overview: Phases 1-3 Overview ■ Exploit x86-64 by overwriting the stack ■ Overflow a buffer, overwrite return address ■ Execute injected code Key Advice ■ Brush up on your x86-64 conventions! ■ Use objdump –d to determine relevant offsets ■ Use GDB to determine stack addresses

  10. Carnegie Mellon Buffer Overflows ■ Exploit strcpy vulnerability to overwrite important info on stack 0xAABBCCDD ■ When this function 0xFFFFFFFF Old Return 0xFFFFFFFF returns, where will it address 0xFFFFFFFF 0xFFFFFFFF begin executing? 0xFFFFFFFF ■ Recall 0xFFFFFFFF 0xFFFFFFFF ret:pop %rip 0xFFFFFFFF 0xFFFFFFFF ■ What if we want to inject 0xFFFFFFFF buf 0xFFFFFFFF new code to execute?

  11. Carnegie Mellon Demonstration: Generating Byte Codes ■ Use gcc and objdump to generate byte codes for assembly instruction sequences

  12. Carnegie Mellon Attack Lab Overview: Phases 4-5 Overview ■ Utilize return-oriented programming to execute arbitrary code ■ Useful when stack is non-executable or randomized ■ Find gadgets, string together to form injected code Key Advice ■ Use mixture of pop & mov instructions + constants to perform specific task

  13. Carnegie Mellon ROP Example void foo(char *input){ ■ Draw a stack diagram char buf[32]; and ROP exploit to pop ... a value 0xBBBBBBBB strcpy (buf, input); into %rbx and move it return; into %rax } Gadgets: address 1 : mov %rbx, %rax; ret address 2 : pop %rbx; ret Inspired by content created by Professor David Brumley

  14. Carnegie Mellon ROP Example: Solution Next address in ROP chain…. Gadgets: Address 1 Address 1: mov %rbx, %rax; ret 0xBBBBBBBB Address 2: pop %rbx; ret Address 2 0xFFFFFFFF Old Return 0xFFFFFFFF address void foo(char *input){ 0xFFFFFFFF 0xFFFFFFFF char buf[32]; 0xFFFFFFFF ... 0xFFFFFFFF strcpy (buf, input); 0xFFFFFFFF 0xFFFFFFFF return; 0xFFFFFFFF } 0xFFFFFFFF (filler…..) buf

  15. Carnegie Mellon ROP Demonstration: Looking for Gadgets ■ How to identify useful gadgets in your code

  16. Carnegie Mellon Tools ■ objdump –d ■ View byte code and assembly instructions, determine stack offsets ■ ./hex2raw ■ Pass raw ASCII strings to targets ■ gdb ■ Step through execution, determine stack addresses ■ gcc –c ■ Generate object file from assembly language file

  17. Carnegie Mellon More Tips ■ Draw stack diagrams ■ Be careful of byte ordering (little endian)

  18. Carnegie Mellon Also...

  19. Carnegie Mellon Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

9/26/2016 Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming using server Covers material done in Recitation Part 2 Friday 8am to 4pm in CS110 lab Question/Answer Similar format to

317 views • 11 slides
Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is the best way to wait for two predicates to be true? Which of the following are (virtually) shared by threads within a single process? (A) Heap (B)

242 views • 13 slides
Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701

Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701

Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701 Machine LearningFall 2013 1 Probability P(a) = P(u) = P(~a) = Geoff Gordon10-701 Machine LearningFall 2013 2 Conventions Geoff

912 views • 33 slides
Recitation 2 (Scope + arrays + pointers +

Recitation 2 (Scope + arrays + pointers +

Recitation 2 (Scope + arrays + pointers + pass-by-reference) Question 1: Write a global function that takes an integer array and its size and

388 views • 9 slides
Inheritance Recitation - 02/22/2008 CS 180 Department of Computer Science, Purdue University

Inheritance Recitation - 02/22/2008 CS 180 Department of Computer Science, Purdue University

Inheritance Recitation - 02/22/2008 CS 180 Department of Computer Science, Purdue University Announcements Project 3 grades are out. Collect at the end of the recitation. Project 5 has been posted. 2-week project.

641 views • 39 slides
[CS112] Data Structure Recitation (Section 4, 15) Changkyu Song cs1080@cs.rutgers.edu Office

[CS112] Data Structure Recitation (Section 4, 15) Changkyu Song cs1080@cs.rutgers.edu Office

[CS112] Data Structure Recitation (Section 4, 15) Changkyu Song cs1080@cs.rutgers.edu Office Hours: Tue 10:30~12:30 p.m. @ Hill 206 [CS112] Recitation #1 Weighted Adjacency Link List 1 W:0.2 W:0.7 2 3 3 1 2 2 3 T T 1 T T 1

452 views • 33 slides
Earth Movement and Earth Movement and Solar Calendar Solar Calendar Recitation 2 Recitation 2

Earth Movement and Earth Movement and Solar Calendar Solar Calendar Recitation 2 Recitation 2

Earth Movement and Earth Movement and Solar Calendar Solar Calendar Recitation 2 Recitation 2 Elliptical Orbits Elliptical Orbits The planets move along elliptical orbits around the sun. This results in both a variation in the distance

500 views • 14 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Recitation 7 Caching By yzhuang Announcements Pick up your exam from ECE course hub

Recitation 7 Caching By yzhuang Announcements Pick up your exam from ECE course hub

Recitation 7 Caching By yzhuang Announcements Pick up your exam from ECE course hub Average is 43/60 Final Grade computation? See syllabus http://www.cs.cmu.edu/~213/misc/syllabu s.pdf If you download cachelab before noon of

374 views • 15 slides
Parallel Programming Parallel Programming 0024 0024 Recitation Week 7 Recitation Week 7

Parallel Programming Parallel Programming 0024 0024 Recitation Week 7 Recitation Week 7

Parallel Programming Parallel Programming 0024 0024 Recitation Week 7 Recitation Week 7 Spring Semester 2010 Spring Semester 2010 R 7 :: 1 0024 Spring 2010 Todays program Assignment 6 Assignment 6 Review of semaphores

592 views • 35 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Recitation 3 (Recursion + time complexity) Question 1 : A

Recitation 3 (Recursion + time complexity) Question 1 : A

Recitation 3 (Recursion + time complexity) Question 1 : A palindrome is a sequence of characters or numbers that looks the same forwards and

413 views • 6 slides
Math 610 Section 700 - Recitation week 3 week 4 week 6 week 8 TA: Peng Wei Office: Blocker

Math 610 Section 700 - Recitation week 3 week 4 week 6 week 8 TA: Peng Wei Office: Blocker

Math 610 Section 700 - Recitation week 1 week 2 Math 610 Section 700 - Recitation week 3 week 4 week 6 week 8 TA: Peng Wei Office: Blocker 502E weip@math.tamu.edu March 6, 2019 Math 610 Week 1 - Getting started with Matlab Section

828 views • 38 slides
1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few

1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 13: a few more %cs would be needed to skip format string part 1 OVER questions? 2 last time memory management problems two objects end up at same

965 views • 63 slides
CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL

CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL

CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary Invoking a function ! CALL : call the function ! RET : return from the instruction Stack Frame for a function call includes ! Function arguments ! Return address ! Local

576 views • 15 slides
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming

CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming

613 views • 35 slides
Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the

Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the

Return-to-libc Attacks Outline Non-executable Stack countermeasure How to defeat the countermeasure Tasks involved in the attack Function Prologue and Epilogue Launching attack Non-executable Stack Running shellcode in C

516 views • 27 slides
Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

1.82k views • 180 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides

More recommend