exam review
play

Exam Review 1 logistical note post-exam stack smashing assignment - PowerPoint PPT Presentation

Aug 07, 2023 •217 likes •634 views

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring break (was one on schedule, but) likely harder than tricky will count for more 2 exam format around 20 question parts mostly multiple choice

  1. Exam Review 1

  2. logistical note post-exam stack smashing assignment due two weeks after spring break (was one on schedule, but…) likely harder than tricky — will count for more 2

  3. exam format around 20 question parts mostly multiple choice or multiple-multiple choice something similar to RE something similar to TRICKY something about antiantivirus strategies, VMs, etc. 3

  4. given information 4

  5. virtual machines illusion of dedicated machine possibly difgerent interface: system VM — interface looks like some physical machine system VM — OS runs inside VM process VM — what OS implements process VM — fjles instead of hard drives, threads instead of CPUs, etc. language VM — interface designed for particular programming language language VM — e.g. Java VM — knows about objects, methods, etc. 5

  6. virtual machine implementation techniques emulation: read instruction + giant if/else if/… binary translation compile machine code to new machine code “native” run natively on hardware in user mode hardware triggers “exceptions” on special interrupts exceptions give VM implementation control 6

  7. VM implementation strategies emulator (except for privileged operations) virtual ISA same as real ISA (even excluding privileged operations) virtual ISA could be difgerent from real ISA native instruction set interpret/translate native CPU host OS virtual machine/guest OS traditional VM emulator native instruction set (help from HW+OS) become callbacks privileged ops native CPU host OS VM monitor virtual machine/guest OS 7

  8. VM implementation strategies emulator (except for privileged operations) virtual ISA same as real ISA (even excluding privileged operations) virtual ISA could be difgerent from real ISA native instruction set interpret/translate native CPU host OS virtual machine/guest OS traditional VM emulator native instruction set (help from HW+OS) become callbacks privileged ops native CPU host OS VM monitor virtual machine/guest OS 7

  9. VM implementation strategies emulator (except for privileged operations) virtual ISA same as real ISA (even excluding privileged operations) virtual ISA could be difgerent from real ISA native instruction set interpret/translate native CPU host OS virtual machine/guest OS traditional VM emulator native instruction set (help from HW+OS) become callbacks privileged ops native CPU host OS VM monitor virtual machine/guest OS 7

  10. VM implementation strategies emulator (except for privileged operations) virtual ISA same as real ISA (even excluding privileged operations) virtual ISA could be difgerent from real ISA native instruction set interpret/translate native CPU host OS virtual machine/guest OS traditional VM emulator native instruction set (help from HW+OS) become callbacks privileged ops native CPU host OS VM monitor virtual machine/guest OS 7

  11. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  12. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  13. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  14. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  15. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  16. system call fmow mode run handler to user mode update memory map run handler (exception) system call mode kernel pretend user program pretend mode kernel mode user conceptual layering hardware virtual machine monitor ‘guest’ OS 8

  17. VMs and malware isolate malware from important stufg sample malware behavior inspect memory for patterns — counter for metamorphic look for suspicious behavior generally 9

  18. counter-VM techniques detect VM-only devices outrun patience of antivirus VM unsupported instructions/system calls … 10

  19. debugger support hardware support: breakpoint instruction — debugger edits machine code to add single-step fmag — execute one instruction, jump to OS (debugger) 11

  20. counter-debugger techniques debuggers — also for analysis of malware detect changes to machine code in memory directly look for debugger broken executables … 12

  21. AT&T syntax movq $42, 100(%rbx,%rcx,4) constants start with $ ; no $ is an address registers start with % operand length ( q = 8; l = 4; w = 2; b = 1) 13 destination last D(R1,R2,S) = memory at D + R1 + R2 × S

  22. weird x86 features segmentation: old way of dividing memory: %fs:0x28 get segment # from FS register lookup that entry in a table add 0x28 to base adddress in table access memory as usual rep prefjx repeat instruction until rcx is 0 …decrementing rcx each time string instructions memory-to-memory; designed to be used with rep/etc. prefjxes 14

  23. executable/object fjle parts 2 section table, debug information, etc. relocations : printf at 0x3333 (type: absolute); … symbol table : foobar at 0x2344 ; barbaz at 0x4432 ; … machine code + data for segments read/write 0x5000 0x5000 0x1423 read/exec type of fjle, entry point address, … 0x1200 0x3000 0x0123 1 permissions size memory loc. fjle ofgset seg# 15

  24. relocations? unknown addresses — “holes” in machine code/etc. linker lays out machine code computes all symbol table addresses uses symbol table addresses to fjll in machine code 16

  25. dynamic linking /* 0x200c12+RIP = _GLOBAL_OFFSET_TABLE_+0x18 */ /* instead of call puts */ 400400 <puts@plt> callq e8 ce fe ff ff 40052d: ... later in main: ... *0x200c12(%rip) executables not completely linked — library loaded at runtime jmpq ff 25 12 0c 20 00 400400: 0000000000400400 <puts@plt>: instead: stubs: could use same mechanism, but inefgecient 17

  26. malware evil software various kinds: viruses worms trojan (horse)s potentially unwanted programs/adware rootkits logic bombs 18

  27. worms malicious program that copies itself arranges to be run automatically (e.g. startup program) may spread to other media (USB keys, etc.) may spread over the network using vulnerabilities 19

  28. viruses malware that embeds itself in innocent programs/fjles spreads (primarily) by: hoping user shares infected fjles 20

  29. code placement options virus code virus part 3 virus part 2 virus part 1 code locs startup code (w/ cavities) executable original unused space executable compressed decompressor executable original original jmp to virus virus code executable original executable original executable original run original from tempfjle virus code executable 21

  30. entry point choices entry address perhaps a bit obvious overwrite machine code and restore edit call/jump/ret/etc. pattern-match for machine code in dynamic linking “stubs” in symbol tables call/ret at end of virus 22

  31. pattern matching regular expressions — (almost) one-pass fjxed strings with “wildcards” addresses/etc. that change between instances of malware insert nops/variations on instructions 23

  32. ) 2 k c a b ( fmex: state machines o (back 1) \n o f foo \n . foo fo f start {...} \n {...} . {...} 24 other

  33. fmex: state machines foo (back 1) \n o o foo \n . f fo {...} f . {...} \n {...} start 24 other ) 2 k c a b (

  34. behavior-based detection/blocking modifying executables? etc. must be malicious 25

  35. armored viruses, etc. evade analysis: “encrypt” code (break disassembly) detect/break debuggers detect/break VMs evade signatures: oligomorphic/polymorphic: varying “decrypter” metamorphic: varying “decrypter” and varying “encrypted” code evade active detection: tunnelling — skip anti-virus hooks stealth — ‘hook’ system calls to say “executable/etc. unchanged” retroviruses — break/uninstall/etc. anti-virus software 26

  36. case study: Evol via Lakhatia et al, “Are metamorphic viruses really invincible?”, Virus Bulletin, Jan 2005. “mutation engine” run as part of propagating the virus disassemble instr. lengths transform relocate code code 27

  37. hooking mechanisms hooking — getting a ‘hook’ to run on (OS) operations e.g. creating new fjles ideal mechanism: OS support less ideal mechanism: change library loading e.g. replace ‘open’, ‘fopen’, etc. in libraries less ideal mechanism: replace OS exception (system call) handlers very OS version dependent 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exam Review 2 Exam Overview Final Exam Friday,

Exam Review 2 Exam Overview Final Exam Friday,

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Exam Review 2 Exam Overview Final Exam Friday,

963 views • 64 slides
Exam 2 Review 2 Exam 2 Similar format as last

Exam 2 Review 2 Exam 2 Similar format as last

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Exam 2 Review 2 Exam 2 Similar format as last

441 views • 14 slides
Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including

Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including

Review Final exam Final exam will be 11-12 problems, drop any 2 Cumulative up to and including week 13 (emphasis on weeks 10-13: classes &amp; pointers) 2 hours exam time, so 12 min per problem (midterm 2 had 8-ish) Review: Overview

769 views • 39 slides
CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by

CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by

CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by 5:05 Dont worry about use strict General Exam Only shorthand functions are $ and qsa. tips We are not grading on

198 views • 15 slides
The final exam Other finals review Final Exam Review CSH Review November 17 th

The final exam Other finals review Final Exam Review CSH Review November 17 th

The final exam Other finals review Final Exam Review CSH Review November 17 th 7pm 10pm Gracies Recall Final: November 18 th 12:30pm 2:30pm 70-3690 Plan for today UML Everything we learned

244 views • 5 slides
Exam 2 Review CS461/ECE422 Fall 2009 Exam guidelines Same as for first exam A single page

Exam 2 Review CS461/ECE422 Fall 2009 Exam guidelines Same as for first exam A single page

Exam 2 Review CS461/ECE422 Fall 2009 Exam guidelines Same as for first exam A single page of supplementary notes is allowed 8.5x11. Both sides. Write as small as you like. Closed book No calculator or other widgets.

481 views • 22 slides
Prelim 2 Review Spring 2019 Exam Info 4/21/19 Prelim 2 Review 2 What is on the Exam?

Prelim 2 Review Spring 2019 Exam Info 4/21/19 Prelim 2 Review 2 What is on the Exam?

CS 1110 Prelim 2 Review Spring 2019 Exam Info 4/21/19 Prelim 2 Review 2 What is on the Exam? Questions from the following topics: Iteration and Lists, Dictionaries, Tuples Nested lists, nested loops Recursion Classes &amp;

765 views • 39 slides
Review for Exam I CIS 1.0 review for exam I, by Yuqing Tang Hardware and Software Hardware

Review for Exam I CIS 1.0 review for exam I, by Yuqing Tang Hardware and Software Hardware

Review for Exam I CIS 1.0 review for exam I, by Yuqing Tang Hardware and Software Hardware Physical components of computer E.g. CPU, RAM, keyboard, monitors, printers, speakers, etc. Software Programs (series of computer

449 views • 28 slides
Exam #1 Review Exam #1 Review By sseshadr Agenda Agenda Reminders Reminders Test

Exam #1 Review Exam #1 Review By sseshadr Agenda Agenda Reminders Reminders Test

Exam #1 Review Exam #1 Review By sseshadr Agenda Agenda Reminders Reminders Test tomorrow! One 8.5 x 11 sheet, two sides Pick up your datalabs in OH Cachelab comes out tomorrow Review Questions Q [Subset of] What to

340 views • 11 slides
Announcement Final exam Final Exam Review Tuesday, May 20 th 2:45 4:45pm Rm

Announcement Final exam Final Exam Review Tuesday, May 20 th 2:45 4:45pm Rm

Announcement Final exam Final Exam Review Tuesday, May 20 th 2:45 4:45pm Rm 70-1620 No makeup exams! Plan for today UML Everything we learned Use Case Diagram Shows scenerios of external interaction with

373 views • 5 slides
FINAL EXAM REVIEW PACKET ANSWERS All answers can be found on my website! Final Exam Review 1.

FINAL EXAM REVIEW PACKET ANSWERS All answers can be found on my website! Final Exam Review 1.

FINAL EXAM REVIEW PACKET ANSWERS All answers can be found on my website! Final Exam Review 1. Theme- the main idea of 6. Foreshadowing- hints and the story. clues as to what is to come in the story. 2. Allusion- reference to another book,

460 views • 13 slides
Cleanup, Review, and Q/A Bookkeeping Final exam, 12/20 10:30am-12:30pm, this room. Review

Cleanup, Review, and Q/A Bookkeeping Final exam, 12/20 10:30am-12:30pm, this room. Review

Cleanup, Review, and Q/A Bookkeeping Final exam, 12/20 10:30am-12:30pm, this room. Review Session: this Friday, 12/16, 6pm-8pm If you cant make that time, see posted slides. Policy on Student Exam Load: (paraphrased) No more

512 views • 20 slides
ICS 101 Final Exam Review Fall 2016 Final Exam information In lab: check final exam schedule

ICS 101 Final Exam Review Fall 2016 Final Exam information In lab: check final exam schedule

ICS 101 Final Exam Review Fall 2016 Final Exam information In lab: check final exam schedule 85 Questions Multiple choice and True/False Weeks 8-15 Week 08: Machine Learning Week 09: Excel logic, compound logic, and truth

975 views • 84 slides
FINAL EXAM REVIEW Will cover: All content from the course (Units 1-5) Most points

FINAL EXAM REVIEW Will cover: All content from the course (Units 1-5) Most points

FINAL EXAM REVIEW Will cover: All content from the course (Units 1-5) Most points concentrated on Units 3-5 (mixture models, HMMs, MCMC) Logistics Take-home exam, maximum 2 hour time limit Exam release late afternoon Fri 5/1

740 views • 21 slides
1 L Mar-4-05 SMM009, Exam Review Overview Working problems Summary of the course 2 L

1 L Mar-4-05 SMM009, Exam Review Overview Working problems Summary of the course 2 L

INSTITUTIONEN FR SYSTEMTEKNIK LULE TEKNISKA UNIVERSITET Exam Review David Carr Virtual Environments, Fundamentals Spring 2004 1 L Mar-4-05 SMM009, Exam Review Overview Working problems Summary of the course 2 L Mar-4-05

337 views • 17 slides
OBJECTIVES: THE NEURO EXAM IN THE 1) REVIEW THE NEURO

OBJECTIVES: THE NEURO EXAM IN THE 1) REVIEW THE NEURO

5/24/14 OBJECTIVES: THE NEURO EXAM IN THE 1) REVIEW THE NEURO EXAM IN AMSE PTS ALTERED PATIENT 2) DISCUSS NEURO EXAM &quot;SIX EASY

87 views • 7 slides
FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud

FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud

FermiCloud K. Chadwick, T. Hesselroth, F . Lowe, S. Timm, D. R. Yocum Grid And Cloud Computing Department Fermilab ISGC2011 Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359 Cloud

512 views • 26 slides
3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D

3D Laser Scanning Applications (Terrestrial LiDAR) Presented By: Jody Lounsbury, PLS What is 3D Laser Scanning? LIDAR = Light Detecting and Ranging Real-Time, Ground Based, 360 Degree Collection of Three Dimensional Data Using

572 views • 46 slides
3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG

3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG

3D Understanding Towards Object Manipulation Some Thoughts and Progress Hao Su 3D in CV/CG before DL Age Recent Hype of 3D DL Acquire Knowledge of 3D World by Learning Core Algorithms Invented Classification Volumetric CNN, OctNet,

1.42k views • 108 slides
Integrating Real-Time Stream Processing and Data-Parallel Analytics Using Digital Twins William

Integrating Real-Time Stream Processing and Data-Parallel Analytics Using Digital Twins William

Integrating Real-Time Stream Processing and Data-Parallel Analytics Using Digital Twins William Bain, Founder &amp; CEO ScaleOut Software, Inc. October 29, 2020 About the Speaker Dr. William Bain, Founder &amp; CEO of ScaleOut Software:

509 views • 36 slides
Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia

Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia

Motivation Static Code Analysis Implementation Conclusion References Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia Eckert { schneidc,pfoh,eckertc } @in.tum.de Chair for IT Security

632 views • 28 slides
Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University

Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University

MIN Faculty Department of Informatics Deep Reinforcement Learning for Street Following in Self-Driving Cars Shahd Safarani University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics Technical

332 views • 32 slides
Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn

Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn

Parameter estimation and forecasting Cristiano Porciani AIfA, Uni-Bonn Questions? C. Porciani Estimation &amp; forecasting 2 Cosmological parameters A branch of modern cosmological research focuses on

1.11k views • 65 slides
Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes p.1/43 Outline Identities of the golden ratio. Polyhedral Volumes p.2/43 Outline Identities of the golden ratio. Locating coordinates of

936 views • 60 slides

More recommend