15 213 recitation bomb lab
play

15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton DSouza - PowerPoint PPT Presentation

Feb 29, 2024 •581 likes •804 views

Carnegie Mellon 15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton DSouza Carnegie Mellon Agenda Bomb Lab Overview Assembly Refresher Introduction to GDB Unix Refresher Bomb Lab Demo Carnegie Mellon Downloading

  1. Carnegie Mellon 15-213 Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton D’Souza

  2. Carnegie Mellon Agenda ■ Bomb Lab Overview ■ Assembly Refresher ■ Introduction to GDB ■ Unix Refresher ■ Bomb Lab Demo

  3. Carnegie Mellon Downloading Your Bomb ■ Please read the writeup. Please read the writeup . Please Read The Writeup. ■ Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases. ■ Bombs have six phases which get progressively harder more fun to use. ■ Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.

  4. Carnegie Mellon Exploding Your Bomb ■ Blowing up your bomb notifies Autolab. ■ Dr. Evil takes 0.5 of your points each time. ■ Inputting the right string moves you to the next phase. ■ Jumping between phases detonates the bomb

  5. Carnegie Mellon Examining Your Bomb ■ You get: ■ An executable ■ A readme ■ A heavily redacted source file ■ Source file just makes fun of you. ■ Outsmart Dr. Evil by examining the executable

  6. Carnegie Mellon x64 Assembly: Registers %rax %r8 %eax %r8d Return Arg 5 %rbx %r9 %ebx %r9d Arg 6 %rcx %r10 %ecx %r10d Arg 4 %rdx %r11 %edx %r11d Arg 3 %rsi %r12 %esi %r12d Arg 2 %rdi %r13 %edi %r13d Arg 1 %rsp %r14 %esp %r14d Stack ptr %rbp %r15 %ebp %r15d

  7. Carnegie Mellon x64 Assembly: Operands Type Syntax Example Notes $-42 Don’t mix up Start with $ Constants decimal and hex $0x15213b %esi Start with % Can store values Registers or addresses %rax (%rbx) Parentheses Parentheses Memory 0x1c(%rax) around a register dereference. Locations 0x4(%rcx, %rdi, 0x1) or an addressing Look up mode addressing modes!

  8. Carnegie Mellon x64 Assembly: Arithmetic Operations Instruction Effect mov %rbx, %rdx rdx = rbx add (%rdx), %r8 r8 += value at rdx mul $3, %r8 r8 *= 3 sub $1, %r8 r8-- lea (%rdx,%rbx,2), %rdx rdx = rdx + rbx*2 ■ Doesn’t dereference

  9. Carnegie Mellon x64 Assembly: Comparisons ■ Comparison, cmp , compares two values ■ Result determines next conditional jump instruction ■ cmp b,a computes a-b , test b,a computes a&b ■ Pay attention to operand order If %r10 > %r9 , cmpl %r9, %r10 then jump to jg 8675309 8675309

  10. Carnegie Mellon x64 Assembly: Jumps Instruction Effect Instruction Effect jmp ja Always jump Jump if above (unsigned >) je/jz jae Jump if eq / zero Jump if above / equal jne/jnz jb Jump if !eq / !zero Jump if below (unsigned <) jg jbe Jump if greater Jump if below / equal jge js Jump if greater / eq Jump if sign bit is 1 (neg) jl jns Jump if less Jump if sign bit is 0 (pos) jle Jump if less / eq

  11. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 If , jump to addr jge deadbeef 0xdeadbeef cmp %rax, %rdi If , jump to addr jae 15213b 0x15213b test %r8, %r8 jnz (%rsi) If , jump to .

  12. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 If %r12 >= 0x15213 , jge deadbeef jump to 0xdeadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi)

  13. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi If the unsigned value of jae 15213b %rdi is at or above the unsigned value of %rax , test %r8, %r8 jump to 0x15213b . jnz (%rsi)

  14. Carnegie Mellon x64 Assembly: A Quick Drill cmp $0x15213, %r12 jge deadbeef cmp %rax, %rdi jae 15213b test %r8, %r8 jnz (%rsi) If %r8 & %r8 is not zero, jump to the address stored in %rsi .

  15. Carnegie Mellon Diffusing Your Bomb ■ objdump -t bomb examines the symbol table ■ objdump -d bomb disassembles all bomb code ■ strings bomb prints all printable strings ■ gdb bomb will open up the G NU D e b ugger ■ Examine while stepping through your program registers ▪ the stack ▪ contents of program memory ▪ instruction stream ▪

  16. Carnegie Mellon Using gdb ■ break <location> ■ Stop execution at function name or address ■ Reset breakpoints when restarting gdb ■ run <args> ■ Run program with args <args> ■ Convenient for specifying text file with answers ■ disas <fun> , but not dis ■ stepi / nexti ■ Steps / does not step through function calls

  17. Carnegie Mellon Using gdb ■ info registers ■ Print hex values in every register ■ print ( /x or /d ) $eax - Yes, use $ ■ Print hex or decimal contents of %eax ■ x $register, x 0xaddress ■ Prints what’s in the register / at the given address ■ By default, prints one word (4 bytes) ■ Specify format: /s, /[num][size][format] ▪ x/8a 0x15213 ▪ x/4wd 0xdeadbeef

  18. Carnegie Mellon sscanf ■ Bomb uses sscanf for reading strings ■ Figure out what phase expects for input ■ Check out man sscanf for formatting string details

  19. Carnegie Mellon If you get stuck ■ Please read the writeup. Please read the writeup . Please Read The Writeup. ■ CS:APP Chapter 3 ■ View lecture notes and course FAQ at http://cs.cmu.edu/~213 ■ Office hours Sun - Thu 6:00-9:00PM in WeH 5207 ■ man gdb, man sscanf, man objdump

  20. Carnegie Mellon Unix Refresher – This Saturday - 9/19/2015 You should know cd, ls, scp, ssh, tar, and chmod by now. Use man <command> for help. <Control-C> exits your current program.

  21. Carnegie Mellon Bomb Lab Demo...

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

882 views • 19 slides
BOMB PROMOTIONS BOMB PROMOTIONS IS A NYC-BASED MARKETING TEAM SPECIALIZING IN PROMOTIONS FOR

BOMB PROMOTIONS BOMB PROMOTIONS IS A NYC-BASED MARKETING TEAM SPECIALIZING IN PROMOTIONS FOR

BOMB PROMOTIONS BOMB PROMOTIONS IS A NYC-BASED MARKETING TEAM SPECIALIZING IN PROMOTIONS FOR CORPORATIONS, LOCAL BUSINESSES &amp; THE ENTERTAINMENT INDUSTRY. Bomb Promotions has been handling the distribution &amp; circulation of posters,

535 views • 27 slides
SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of

SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of

SCARC BOMB THREAT TRAINING BOMB THREATS American schools and companies receive thousands of bomb threat calls every year. Very few of these are warnings of real bombs. A large percentage of these calls prove to be hoaxes; however, all bomb

589 views • 17 slides
4190.308 Computer Architecture, Fall 2014 Bomb Lab: Defusing a Binary Bomb Assigned: Mon., Oct

4190.308 Computer Architecture, Fall 2014 Bomb Lab: Defusing a Binary Bomb Assigned: Mon., Oct

4190.308 Computer Architecture, Fall 2014 Bomb Lab: Defusing a Binary Bomb Assigned: Mon., Oct 20, Due: Mon., Nov 03, 17:00 1 Introduction Someone has planted a slew of binary bombs on our universitys machines. A binary bomb is a

183 views • 4 slides
Temporary Living Lab (eCollaboration between Slovenian, Hungarian and Austrian police bomb

Temporary Living Lab (eCollaboration between Slovenian, Hungarian and Austrian police bomb

Temporary Living Lab (eCollaboration between Slovenian, Hungarian and Austrian police bomb disposal units ) Organization: Bomb disposal unit Slovenia Klemen POGAAR User: Matev GLADEK Technologist: Partner: Bomb disposal unit Hungary

37 views • 3 slides
CSE 351 Section 4 Program Stack &amp; Procedure Calls Bomb Lab! How is it going?

CSE 351 Section 4 Program Stack &amp; Procedure Calls Bomb Lab! How is it going?

CSE 351 Section 4 Program Stack &amp; Procedure Calls Bomb Lab! How is it going? Bomb-defusing tips If you have trouble figuring out what a phase is doing, try working backwards Write out everything that happens, and you might be

313 views • 12 slides
GSI Colloquium Bastian Lher October 2017 What does it take to fjnd a dirty bomb? Bastian

GSI Colloquium Bastian Lher October 2017 What does it take to fjnd a dirty bomb? Bastian

GSI Colloquium Bastian Lher October 2017 What does it take to fjnd a dirty bomb? Bastian Lher GSI Kolloquium October 2017 What does it take to fjnd a dirty bomb? Find 10.300.000 results Finding means discovering Bomb An explosive

1.84k views • 145 slides
Th The e At Atom omic ic Bo Bomb mb Manhattan Project Beginning in 1939, the United States

Th The e At Atom omic ic Bo Bomb mb Manhattan Project Beginning in 1939, the United States

Th The e At Atom omic ic Bo Bomb mb Manhattan Project Beginning in 1939, the United States had been working on a top-secret new weapon that would use atomic energy to create an explosive many times more powerful than any other bomb.

250 views • 21 slides
Photo(C)John Rodsted www.stopclustermunitions.org Cluster bombs The cluster bomb problem A

Photo(C)John Rodsted www.stopclustermunitions.org Cluster bombs The cluster bomb problem A

Photo(C)John Rodsted www.stopclustermunitions.org Cluster bombs The cluster bomb problem A cluster bomb releases dozens to hundreds of submunitions shattering over vast amounts of land It is an indiscriminate weapon; it cant

393 views • 13 slides
Revisiting the Elitzur-Vaidman bomb paradox Colin Benjamin, NISER, Bhubaneswar. Feb. 18. 2015

Revisiting the Elitzur-Vaidman bomb paradox Colin Benjamin, NISER, Bhubaneswar. Feb. 18. 2015

Revisiting the Elitzur-Vaidman bomb paradox Colin Benjamin, NISER, Bhubaneswar. Feb. 18. 2015 Outline Mach-Zehnder interferometer Elitzur-Vaidman Bomb paradox Elitzur-Vaidman bomb paradox for electrons Elitzur-Vaidman

660 views • 26 slides
The 2% Time Bomb Why Most Restaurants Fail Speakers Dixie McCurly Stephen Gross The 2% Time

The 2% Time Bomb Why Most Restaurants Fail Speakers Dixie McCurly Stephen Gross The 2% Time

The 2% Time Bomb Why Most Restaurants Fail Speakers Dixie McCurly Stephen Gross The 2% Time Bomb Why Most Restaurants Fail Agenda - Introductions - - What is The 2% Time Bomb? - - How do you prevent it? - - Q&amp;A - What is The 2% Time

603 views • 38 slides
Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

9/26/2016 Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming using server Covers material done in Recitation Part 2 Friday 8am to 4pm in CS110 lab Question/Answer Similar format to

317 views • 11 slides
Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is the best way to wait for two predicates to be true? Which of the following are (virtually) shared by threads within a single process? (A) Heap (B)

242 views • 13 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701

Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701

Recitation First recitation tomorrow 56:30 here Linear algebra Geoff Gordon10-701 Machine LearningFall 2013 1 Probability P(a) = P(u) = P(~a) = Geoff Gordon10-701 Machine LearningFall 2013 2 Conventions Geoff

912 views • 33 slides
Recitation 2 (Scope + arrays + pointers +

Recitation 2 (Scope + arrays + pointers +

Recitation 2 (Scope + arrays + pointers + pass-by-reference) Question 1: Write a global function that takes an integer array and its size and

388 views • 9 slides
5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident Microprocessors Applications OS Hypervisor Motherboard/ Slave Chips Adam Waksman CPU Simha Sethumadhavan Complexity increases risk of

340 views • 4 slides
Covid-19 recovery and renewal planning CONTENTS Strategy on a page Impact, context and

Covid-19 recovery and renewal planning CONTENTS Strategy on a page Impact, context and

Covid-19 recovery and renewal planning CONTENTS Strategy on a page Impact, context and approach Recovery Return to OH &amp; LAPs Renewal Recommendations Slough Borough Councils COVID -19 Strategy Purpose: To lead

500 views • 16 slides
Controlled Thermonuclear Fusion Roscoe White Plasma Physics Laboratory, Princeton University The

Controlled Thermonuclear Fusion Roscoe White Plasma Physics Laboratory, Princeton University The

Controlled Thermonuclear Fusion Roscoe White Plasma Physics Laboratory, Princeton University The promise of cheap clean energy Consistently twenty years off, for the last 60 years Research began at Princeton with project Matterhorn in 1951 In

282 views • 9 slides
Diversity in DNS Performance Measures Richard Liston, Sridhar Srinivasan and Ellen Zegura

Diversity in DNS Performance Measures Richard Liston, Sridhar Srinivasan and Ellen Zegura

Diversity in DNS Performance Measures Richard Liston, Sridhar Srinivasan and Ellen Zegura liston,sridhar,ewz@cc.gatech.edu Georgia Institute of Technology Diversity in DNSPerformance Measures p.1/22 Roadmap Background: DNS Problem:

831 views • 38 slides
Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission

Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Page Replacement Procedure On a page fault Step 1: allocate a free page frame If theres a free frame, use it If theres no

451 views • 16 slides
The Timestamp of Timed Automata Amnon Rosenmann Graz University of Technology

The Timestamp of Timed Automata Amnon Rosenmann Graz University of Technology

The Timestamp of Timed Automata Amnon Rosenmann Graz University of Technology rosenmann@math.tugraz.at Amnon Rosenmann (TU Graz) The Timestamp of Timed Automata 1 / 30 Introduction Timed automata (TA) are finite automata extended with clocks

1.02k views • 30 slides
RFC 3161 bis Time-stamp Protocol draft-ietf-pkix-rfc3161-01.txt Denis Pinkas. Bull SAS. Lead

RFC 3161 bis Time-stamp Protocol draft-ietf-pkix-rfc3161-01.txt Denis Pinkas. Bull SAS. Lead

RFC 3161 bis Time-stamp Protocol draft-ietf-pkix-rfc3161-01.txt Denis Pinkas. Bull SAS. Lead editor of RFC 3161 San Francisco - March 23, 2009 Status A draft has been issued in February 2009. Major differences from RFC 3161 [RFC3161] are

735 views • 6 slides
Scaling Up HBase Duen Horng (Polo) Chau Associate Professor, College of Computing

Scaling Up HBase Duen Horng (Polo) Chau Associate Professor, College of Computing

poloclub.github.io/#cse6242 CSE6242/CX4242: Data &amp; Visual Analytics Scaling Up HBase Duen Horng (Polo) Chau Associate Professor, College of Computing Associate Director, MS Analytics Georgia Tech Mahdi Roozbahani

800 views • 27 slides

More recommend