lecture 05 control flow iii

Lecture 05 Control Flow III Stephen Checkoway CS 343 Fall 2020 - PowerPoint PPT Presentation

Jan 13, 2024 •194 likes •828 views

Lecture 05 Control Flow III Stephen Checkoway CS 343 Fall 2020 Based on Michael Baileys ECE 422 example.c void foo(int a, int b) { char buf1[16]; } int main() { foo(3,6); } example.s (x86) main: pushl %ebp movl %esp, %ebp

  1. Lecture 05 – Control Flow III Stephen Checkoway CS 343 – Fall 2020 Based on Michael Bailey’s ECE 422

  2. example.c void foo(int a, int b) { char buf1[16]; } int main() { foo(3,6); }

  3. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  4. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  5. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  6. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo 6 leave prev FP ret

  7. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) 3 call foo 6 leave prev FP ret

  8. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp return movl $6, 4(%esp) movl $3, (%esp) 3 call foo 6 leave prev FP ret

  9. example.s (x86) foo: pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave ret 3 6 prev FP

  10. example.s (x86) foo: pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave ret 3 6 prev FP

  11. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave ret 3 6 prev FP

  12. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave ret 3 6 mov %ebp, %esp prev FP pop %ebp

  13. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave ret 3 6 mov %ebp, %esp prev FP pop %ebp

  14. example.s (x86) foo: … pushl %ebp movl %esp, %ebp subl $16, %esp return leave ret 3 6 mov %ebp, %esp prev FP pop %ebp

  15. example.s (x86) foo: … pushl %ebp movl %esp, %ebp subl $16, %esp return leave ret 3 6 mov %ebp, %esp prev FP pop %ebp

  16. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) 3 call foo 6 leave prev FP mov %ebp, %esp ret pop %ebp

  17. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP mov %ebp, %esp ret pop %ebp

  18. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave mov %ebp, %esp ret pop %ebp

  19. How does the function know where to return when it executes the ret instruction? A. It returns to the value in eax B. It returns to the value in eip C. It pops the return address off the top of the stack and returns there D. It uses eax as a pointer and loads the return address from the memory location pointed to by eax E. It uses eip as a pointer and loads the return address from the memory location pointed to by eip

  20. What happens if the return address on the stack becomes corrupted and points to the wrong place? A. The program crashes B. The program raises an exception C. The program returns to the correct place regardless of the stack D. The program returns to the wrong location E. It depends on the corrupted value

  21. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

  22. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

  23. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  24. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  25. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  26. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); main FP } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  27. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); main FP } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  28. Buffer overflow example void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 } 0x41414141 int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  29. Buffer overflow example void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  30. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  31. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ? foo(buf); prev FP }

  32. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ? foo(buf); prev FP }

  33. Buffer overflow example eip = 0x41414141 AAAAAA… 0x41414141 ??? 0x41414141 0x41414141 AAAAAAA… ? prev FP

  34. Buffer overflow FTW • Success! Program crashed! • Can we do better? • Yes • How?

  35. Exploiting buffer overflows void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((long*)buf)[5] = (long)buf; foo(buf); }

  36. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 } buf int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  37. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  38. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  39. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  40. What’s the Use? • If you control the source? • If you run the program? • If you control the inputs?

  41. … More realistic vulnerability argv argc 1 #include <stdio.h> return address 2 saved ebp 3 int main(int argc, char *argv[]) { name 4 char name[32]; 5 printf("Enter your name: "); 6 gets(name); 7 printf("Hello %s!\n", name); 8 return 0; 9 } steve $ ./vuln Enter your name: Steve Hello Steve! steve $ perl -e 'print "A" x 40' | ./vuln &name esp → Enter your name: Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! Segmentation fault (core dumped)

  42. Shellcode • So you found a vuln (gratz)… • How to exploit?

  43. 1 .LC0: Getting a shell 2 .string "/ bin / sh " 3 get_shell : 4 subl $44, % esp 5 movl $.LC0, 24(% esp ) 1 #include <unistd.h> 6 movl $0, 28(% esp ) 2 3 void get_shell() { 7 movl $0, 20(% esp ) 8 leal 20(% esp ), % eax 4 char *argv[2]; 9 movl % eax , 8(% esp ) 5 char *envp[1]; 10 leal 24(% esp ), % eax 6 argv[0] = "/bin/sh"; 11 movl % eax , 4(% esp ) 7 argv[1] = NULL; 8 envp[0] = NULL; 12 movl $.LC0, (% esp ) 13 call execve 9 execve(argv[0], argv, envp); 14 addl $44, % esp 10 } 15 ret 11 16 main : 12 int main() { 13 get_shell(); 17 pushl % ebp 18 movl % esp , % ebp 14 } 19 andl $-16, % esp 20 call get_shell steve $ ./get_shell 21 leave $ 22 ret

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt;

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt;

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt; inst 1 inst 2 Time inst 3 inst n &lt;shutdown&gt; Sean Barker 2 Operating System User-level Applications Operating System Hardware

453 views • 16 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.18k views • 92 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

745 views • 41 slides
Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if statements use expressions that are conceptually either true or false . These expressions are called relational expressions or Boolean expressions

570 views • 28 slides
I III IV I III IV I III IV BUILDING TRUST Radical Candor Chart HIGH I III IV

I III IV I III IV I III IV BUILDING TRUST Radical Candor Chart HIGH I III IV

I III IV I III IV I III IV BUILDING TRUST Radical Candor Chart HIGH I III IV LOW HIGH LOW Would You Rather: Ruinous Hear hard truth that would lead to Empathy growth/progress Or Hear what would make you feel good? IV

543 views • 23 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 28 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

455 views • 23 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 51 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

345 views • 17 slides
R i f R i f Reinforcement Learning III Reinforcement Learning III t L t L i i III III Dec

R i f R i f Reinforcement Learning III Reinforcement Learning III t L t L i i III III Dec

R i f R i f Reinforcement Learning III Reinforcement Learning III t L t L i i III III Dec 03 2008 1 Large State Spaces h When a problem has a large state space we can not longer represent the U or Q functions as explicit tables explicit

436 views • 18 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

729 views • 24 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

580 views • 8 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
Memory Management Marco Serafini COMPSCI 532 Lecture 12 Announcements Project 2 published

Memory Management Marco Serafini COMPSCI 532 Lecture 12 Announcements Project 2 published

Memory Management Marco Serafini COMPSCI 532 Lecture 12 Announcements Project 2 published Info on website GitHub repo on Piazza Deadline: November 7 Next class: hands-on session Threads, processes, sockets,

663 views • 42 slides
CS5460: Operating Systems Lecture 13: Memory Management (Chapter 8) CS 5460: Operating Systems

CS5460: Operating Systems Lecture 13: Memory Management (Chapter 8) CS 5460: Operating Systems

CS5460: Operating Systems Lecture 13: Memory Management (Chapter 8) CS 5460: Operating Systems Where are we? Basic OS structure, HW/SW interface, interrupts, scheduling Concurrency Memory management Storage

305 views • 17 slides
IP Fast Reroute using notvia addresses

IP Fast Reroute using notvia addresses

IP Fast Reroute using notvia addresses &lt;draft-bryant-shand-IPFRR-notvia-addresses-00.txt&gt; Stewart Bryant (stbryant@cisco.com) Mike Shand (mshand@cisco.com) Notvia Properties Repairs ALL non-partitioning failures.

296 views • 26 slides
Programmed I/O: isolated vs. memory-mapped When we discussed physical addresses of memory, we

Programmed I/O: isolated vs. memory-mapped When we discussed physical addresses of memory, we

COMP 273 20 - memory mapped I/O, polling, DMA Mar. 23, 2016 This lecture we will look at several methods for sending data between an I/O device and either main memory or the CPU. (Recall that we are considering the hard disk to be an I/O

171 views • 6 slides
1 Questions? q Is the Internets architecture fundamentally broken that we need to clean

1 Questions? q Is the Internets architecture fundamentally broken that we need to clean

Resolving the Transport Tussle Recursive InterNetwork Architecture @ Computer Science Boston U. http://csr.bu.edu/rina 1 What this is (NOT) about q NOT much about specific protocols, algorithms, interfaces, implementation q

524 views • 15 slides
Computer Security Sec4on Week 2: Buffer Overflows TA:

Computer Security Sec4on Week 2: Buffer Overflows TA:

CSE 484 / CSE M 584 Computer Security Sec4on Week 2: Buffer Overflows TA: Thomas Crosley tcrosley@cs Thanks to Franzi Roesner, Adrian

502 views • 14 slides
Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates new process Sets up address space/segments Read executable file, load instructions, init global data 0x7ffff770000 Shared library

844 views • 16 slides
POLYHEDRAL CLINCHING AUCTIONS BEYOND HARD BUDGET CONSTRAINTS Gagan Goel Vahab Mirrokni Renato

POLYHEDRAL CLINCHING AUCTIONS BEYOND HARD BUDGET CONSTRAINTS Gagan Goel Vahab Mirrokni Renato

POLYHEDRAL CLINCHING AUCTIONS BEYOND HARD BUDGET CONSTRAINTS Gagan Goel Vahab Mirrokni Renato Paes Leme Google Research NYC Item values are an useful abstraction but often intangible. Typically, buyers care about the items

551 views • 33 slides

More recommend