lecture 12 rop review
play

Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 - PowerPoint PPT Presentation

Aug 09, 2023 •126 likes •317 views

Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab 4 (Attack) Starts Tomorrow New Partner! Take-Home Midterm available by 5pm Tomorrow Afternoon (75-minute exam due 5pm next Friday) Security:

  1. Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab 4 (Attack) Starts Tomorrow — New Partner! Take-Home Midterm available by 5pm Tomorrow Afternoon (75-minute exam due 5pm next Friday)

  2. Security: The Story So Far

  3. Observation Rest of stack frame for call_echo unix> ./bufdemo-nsp Type a string:0123456789012345678901234 Segmentation Fault Return Address 00 00 00 00 00 40 00 34 Return Address 33 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 [3] [2] [1] 30 33 32 31 30 bu buf[3] buf[2] 31 30 The program crashed because the code "returned" (jumped) to address 0x400034, which didn't contain valid machine code. And by typing in a carefully-chosen 32-character string, we can make echo() "return" (jump) to any address we want!

  4. Code Injection Attacks Input string includes bytes encoding machine code Overwrite return address A with address of that code! Stack before call to gets() Stack after call to gets() void P(){ P stack frame Q(); Return ... address A } A B Return address What happens when Q returns? int Q() { padding char buf[64]; gets(buf); Q stack frame exploit ... buf code return ...; B }

  5. 2. System-Level Protections can help • Non-executable code segments Stack after call to gets() • In previous x86, could mark region of memory as either “read-only” or “writeable”… could execute P stack frame anything readable • X86-64 added explicit “execute” permission B • Stack marked as non-executable data written pad by gets() exploit Q stack frame code B Any attempt to execute this code will fail

  6. Are We Still in Danger? If the stack is marked "don't execute" • we can't write machine code into the buffer and jump to it. • but we can still overwrite the return address • we can force a "return" (jump!) anywhere in the code that is running. Is that really so bad? Yes!

  7. Question 1 There are lots of instructions in Stack after call to gets() a typical program. Suppose that at address P stack frame 0x410000 there are two consecutive instructions 410000 inc %ebp return ret data written by gets() pad Suppose we overwrite Q stack frame the return address with Q stack frame buf 0x410000. B What happens when function Q returns?

  8. Question 2 There are lots of instructions in Stack after call to gets() a typical program. Suppose that at address P stack frame 0x410000 there are two 410000 consecutive instructions 410000 410000 incl %ebp return retq data written by gets() pad Suppose we overwrite Q stack frame the return address with Q stack frame buf three copies of 0x410000 B What happens when function Q returns?

  9. Return-Oriented Programming (ROP) Idea: • Find existing machine code instructions followed by retq (These are called gadgets ) • Put a sequence of gadgets addresses on the stack. (where the sequence of gadgets does our evil work) The computer returns ( jumps) from each gadget to the next! • It reads addresses from the stack, but executes code in the text segment. But most of our retq instructions immediately follow addq $..., %rsp. • Can attacker find enough gadgets to do evil? Yes!

  10. We don't need retq ; we need 0xc3 ! Unintended instructions — ecb crypt() Unintended instructions ecb_crypt() c7 45 45 d4 01 movl $0x00000001, - 00 44(%ebp) 00 00 00 add %dh, %bh f7 c7 07 test $0x00000007, 00 movl $0x0F000000, %edi 00 (%edi) 00 00 0f } 95 xchg %ebp, %eax setnzb -61(%ebp) } } inc%ebp 45 } ret c3 https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf

  11. Have Fun with Lab 4!

  12. Review Topics • Bits • Mult/Div vs. Shifting • Implementing if, do, while loops using jumps & labels • And/Or/Not/Xor • IEEE float & double • Stack frames & %rsp • Arithmetic & logical shifts • Normal, special, and • Return address denormal fp numbers • Integers • Memory vs. registers • Arrays, Structs, Unions • Unsigned ints • Padding/alignment • 2's complement • Machine code vs. assembly • Max/min values • Buffer overflows • x86 assembly • Negating a signed int • Identifying • arithmetic • Security implications • Signed/unsigned compare • movq vs. leaq • Prevention techniques • comparisons • Zero- vs. sign-extension • condition codes • Casting • conditional jumps • Overflow • conditional moves

  18. 4,

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CNV Overview In this lecture we review the topics we have covered this CNV Semester Review

CNV Overview In this lecture we review the topics we have covered this CNV Semester Review

CNV Overview In this lecture we review the topics we have covered this CNV Semester Review semester, focusing on what I consider the most important points to review. Dr. James A. Bednar The lecture slides on each topic, coupled with the

193 views • 5 slides
Review for Final Also: Review homework Review Lecture 9 slides Example : Binary

Review for Final Also: Review homework Review Lecture 9 slides Example : Binary

Review for Final Also: Review homework Review Lecture 9 slides Example : Binary star system in Virgo cluster (16.5 Mpc away) would produce h ~ 10 -21 . Over a distance of L = 1 AU,

389 views • 35 slides
CS70: Jean Walrand: Lecture 36. Continuous Probability 3 1. Review: CDF , PDF 2. Review:

CS70: Jean Walrand: Lecture 36. Continuous Probability 3 1. Review: CDF , PDF 2. Review:

CS70: Jean Walrand: Lecture 36. Continuous Probability 3 1. Review: CDF , PDF 2. Review: Expectation 3. Review: Independence 4. Meeting at a Restaurant 5. Breaking a Stick 6. Maximum of Exponentials 7. Quantization Noise 8. Replacing Light

433 views • 15 slides
13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only depends on

13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only depends on

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: Reproducing Kernel Hilbert Spaces Lecturer: Andreas Krause Scribe: Thomas Desautels Date: 2/22/20 13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only

233 views • 5 slides
Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins

Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins

11/29/2012 Proteomics Steven Meinhardt Lectures Lecture 1 Introduction review of proteins Lecture 2 Gel Electrophoresis Lecture 3 Mass Spectrometry Lecture 4 Programs for MS analysis Lecture 5 MIAPE (Minimum

900 views • 8 slides
Lecture 2 - HW1,numpy arrays, matplotlib, and git 2020.4.14 Review of Python Basics from Lecture

Lecture 2 - HW1,numpy arrays, matplotlib, and git 2020.4.14 Review of Python Basics from Lecture

Lecture 2 - HW1,numpy arrays, matplotlib, and git 2020.4.14 Review of Python Basics from Lecture 1 Topics from Lecture 1 Lists Strings, ints, floats Dicts Objects, attributes, methods (Tuples,) Functions {sets} Importing .py

1.07k views • 84 slides
Lecture 2 Review Path Intergrals over Complex Plane Let : ( *

Lecture 2 Review Path Intergrals over Complex Plane Let : ( *

Lecture 2 Review Path Intergrals over Complex Plane Let : ( * = ? ( ) Lecture 2 Review Question #1: Express XOR using only NAND and NOT gates A A B B Y Y A A B B rgans&theorem!&

775 views • 16 slides
Lecture 4 Review from last lecture Nearest neighbor classifier A lazy learning

Lecture 4 Review from last lecture Nearest neighbor classifier A lazy learning

Oct - 6 - 2008 Lecture 4 Review from last lecture Nearest neighbor classifier A lazy learning algorithm Decision boundary can be obtained by the Voronoi diagram of the training set Complex, sensitive to label noise

444 views • 15 slides
Lecture 3 Oct 3 2008 Review of last lecture A supervised learning example spam filter,

Lecture 3 Oct 3 2008 Review of last lecture A supervised learning example spam filter,

Lecture 3 Oct 3 2008 Review of last lecture A supervised learning example spam filter, and the design choices one need to make for this problem use bag-of-words to represent emails linear functions as our functional forms to

894 views • 23 slides
Midterm 2 Review. We have a lot of slides for your use. But will only cover some in this lecture.

Midterm 2 Review. We have a lot of slides for your use. But will only cover some in this lecture.

Midterm 2 Review. We have a lot of slides for your use. But will only cover some in this lecture. For probability, from Professor Ramchandran. Will only review distributions since that was quick. A bit more review of discrete math. Probability

932 views • 62 slides
lecture 22 review of exercises E 12 Q1, 3, 4, 6 E 16 Q2 a, c E 17 Q1 a, b, 5 E 18 Q

lecture 22 review of exercises E 12 Q1, 3, 4, 6 E 16 Q2 a, c E 17 Q1 a, b, 5 E 18 Q

lecture 22 review of exercises E 12 Q1, 3, 4, 6 E 16 Q2 a, c E 17 Q1 a, b, 5 E 18 Q 1, 3, 4 E 19 Q1, 2, 4 Lighting, Material Shading E 12 Q1 Suppose that a shiny ground plane y=0 is illuminated by sunlight. Let the

957 views • 47 slides
Previous Lecture: Review Linear Search Cell arrays Todays Lecture: File

Previous Lecture: Review Linear Search Cell arrays Todays Lecture: File

Previous Lecture: Review Linear Search Cell arrays Todays Lecture: File input/output Using built-in function sort Motivating packaging Announcements: Answer todays in -lecture quiz via Gradescope (due Sat,

606 views • 37 slides
Lecture 18: Review Lecture Ani Manichaikul amanicha@jhsph.edu 15 May 2007 Types of

Lecture 18: Review Lecture Ani Manichaikul amanicha@jhsph.edu 15 May 2007 Types of

Lecture 18: Review Lecture Ani Manichaikul amanicha@jhsph.edu 15 May 2007 Types of Biostatistics n 1) Descriptive Statistics n Exploratory Data Analysis n often not in literature n Summaries n "Table 1" in a paper n Goal: visualize

1.12k views • 87 slides
Review Lecture A Tiefenbruck MWF 9-9:50am Center 212 Lecture B Jones MWF 2-2:50pm Center

Review Lecture A Tiefenbruck MWF 9-9:50am Center 212 Lecture B Jones MWF 2-2:50pm Center

Review Lecture A Tiefenbruck MWF 9-9:50am Center 212 Lecture B Jones MWF 2-2:50pm Center 214 Lecture C Tiefenbruck MWF 11-11:50am Center 212 http://cseweb.ucsd.edu/classes/wi16/cse21-abc/ March 11, 2016 Topics Searching and Sorting

1.04k views • 56 slides
Lecture 20 Jan-Willem van de Meent Schedule Schedule Adjustments Wed 28 Nov: Review Lecture

Lecture 20 Jan-Willem van de Meent Schedule Schedule Adjustments Wed 28 Nov: Review Lecture

Unsupervised Machine Learning and Data Mining DS 5230 / DS 4420 - Fall 2018 Lecture 20 Jan-Willem van de Meent Schedule Schedule Adjustments Wed 28 Nov: Review Lecture Mon 3 Dec: Project Presentations Fri 7 Dec: Project Reports

920 views • 69 slides
Review: Perceptual issues in Graphics Review: lectures 22, 23 lecture 25 In many computer

Review: Perceptual issues in Graphics Review: lectures 22, 23 lecture 25 In many computer

Review: Perceptual issues in Graphics Review: lectures 22, 23 lecture 25 In many computer graphics techniques, we can get away with We have discussed several physical aspects of displays. approximations without people noticing. This allows

333 views • 5 slides
Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo Instituto de Autom atica e Inform atica Industrial Universitat Polit` ecnica de Val` encia, Spain { speiro, mmu noz, mmasmano, acrespo }

379 views • 18 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
the Top of the Pride Staircase! Pride Pride Pride 1 st Self Reliance Step Courage Reliable

the Top of the Pride Staircase! Pride Pride Pride 1 st Self Reliance Step Courage Reliable

he View Is Sweeter From the Top of the Pride Staircase! Pride Pride Pride 1 st Self Reliance Step Courage Reliable Pride Determination Pride Pride We As The Conner Cougars Are Proud Of Our Conner Family. Pride Is Pleasure Arising

445 views • 12 slides
Stair Caddy Carries items up to 50 lbs up and downstairs 2.009 Blue B Stair Caddy Design For

Stair Caddy Carries items up to 50 lbs up and downstairs 2.009 Blue B Stair Caddy Design For

Sketch Model Review Stair Caddy Carries items up to 50 lbs up and downstairs 2.009 Blue B Stair Caddy Design For the 36+ million senior citizens Existing Products AATA International SR 450 AATA International SR 1750 Comparison SR 450 SR

227 views • 10 slides
Staircase diagrams and the enumeration of smooth Schubert varieties Edward Richmond* and William

Staircase diagrams and the enumeration of smooth Schubert varieties Edward Richmond* and William

Staircase diagrams and the enumeration of smooth Schubert varieties Edward Richmond* and William Slofstra Oklahoma State University* University of Waterloo July 4, 2016 Richmond-Slofstra (OSU-Waterloo) Staircase diagrams July 4, 2016 1 / 16

320 views • 16 slides
The Asymptotic Distribution of Symbols on Staircase Tableaux Diagonals Amanda Lohss September

The Asymptotic Distribution of Symbols on Staircase Tableaux Diagonals Amanda Lohss September

Definitions Connections/Motivation Previous Result Results The Asymptotic Distribution of Symbols on Staircase Tableaux Diagonals Amanda Lohss September 15, 2016 Amanda Lohss Purdue 2016 Definitions Connections/Motivation Previous Result

806 views • 58 slides

More recommend