CS642:ComputerSecurity

X86ReviewProcessLayout,ISA,etc.

DrewDavidsondavidson@cs.wisc.edu

FromLastTime

• ACL-basedpermissions(UNIXstyle)– Read,Write,eXecutecanberestrictedonusersandgroups

– Processes(usually)runwiththepermissionsoftheinvokinguser

passwd

RUID:ace

/etc/shadow

write

EUID:root

input

Processesarethefrontlineofsystemsecurity

• ControlaprocessandyougettheprivilegesofitsUID

• Sohowdoyoucontrolaprocess?– Sendspeciallyformedinputtoprocess

passwd

RUID:ace

/etc/shadow

write

EUID:root

input

PrivilegeEscalation

article published last Thursday!

LectureRoadmap

• Today– Enoughx86tounderstand(some)processvulnerabilities• MemoryLayout

• Somex86instructionsemantics

• Toolsforinspectingassembly

• NextTime– Howsuchattacksoccur

Whydoweneedtolookatassembly?

Weunderstandcodeinthisform

Vulnerabilitiesexploitedinthisform

int foo(){ int a = 0; return a + 7; }

pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -4(%ebp) movl -4(%ebp), %eax addl $7, %eax leave ret

Compiler

“WYSINWYX:WhatyouseeisnotwhatyoueXecute”[BalakrishnanandRepsTOPLAS2010]

X86:TheDeFactoStandard

• Extremelypopularfordesktopcomputers

• Alternatives– ARM:popularonmobile

–MIPS:verysimple

– Itanium:aheadofitstime

x86:PopularbutCrazy

• CISC(complexinstructionsetcomputing)– Over100distinctopcodesintheset

• Registerpoor– Only8registersof32-bits,only6aregeneral-purpose

• Variable-lengthinstructions• Builtofmanybackwards-compatiblerevisions–Manysecurityproblemspreventable…inhindsight

ALittleHistory

Intelintroduces

8086(16bit)

1978 1982

80186and80286

1985

80386(32-bit)

1989

i486(32-bit)

Intel attempts to trademark

the number 486, gets denied

1993

Pentium

“five”Science-y?

1995

PentiumPro

2003

AMDmakes

x86-64(64bit)

…

This is not a joke.It’s the real reason

Let’sDiveinToX86!

X86

Registers

ESI

EDI

ESP

EBP

DX

CX

BX

AX

EDX

ECX

EBX

EAX AL

BL

CL

DL

AH

BH

CH

DH

(stackpointer)

(basepointer)

32bits

Processmemorylayout

.text

– Machinecodeofexecutable.data

– Globalinitializedvariables.bss

– BelowStackSectionglobaluninitializedvars

.text .data .bss heap stackFree

memory Env

heap– Dynamicvariables

stack– Localvariables– Functioncalldata

Env

– Environmentvariables– Programarguments

Highmemoryaddresses

Lowmemoryaddresses

Growsupward Growsdownward

HeapandStackDesign

heap stackFree

memory

Highmemoryaddresses

Lowmemoryaddresses

Growsupward

Growsdownward

• Allowformoreefficientuseoffinitefreememory– Growinginoppositedirectionsallowsextraflexibilityatruntime

• Stack– Localvariables,functionbookkeeping

• Heap– Dynamicmemory

HeapandStackDesign

heap stackFree

memory

Highmemoryaddresses

Lowmemoryaddresses

Growsupward

Growsdownward

• Allowformoreefficientuseoffinitefreememory– Growinginoppositedirectionsallowsextraflexibilityatruntime

• Stack– Localvariables,functionbookkeeping

• Heap– Dynamicmemory

stack

HeapandStackDesign

heap stackFree

memory

Highmemoryaddresses

Lowmemoryaddresses

Growsupward

Growsdownward

• Allowformoreefficientuseoffinitefreememory– Growinginoppositedirectionsallowsextraflexibilityatruntime

• Stack– Localvariables,functionbookkeeping

• Heap– Dynamicmemory

heap

HeapandStackuse:Example

Freememory

Highmemoryaddresses

Lowmemoryaddresses

main():callfoo()callbar()foo():f_glob=malloc(0x100)callbar()bar()b_loc=7;

mainfoobar70x100bytes

bar7

Reminder:Theseareconventions

• Dictatedbycompiler

• Onlyinstructionsupportbyprocessor– Almostnostructuralnotionofmemorysafety• Useofuninitializedmemory

• Useoffreedmemory

• Memoryleaks

• Sohowaretheyactuallyimplemented?

InstructionSyntax

subl$16,%ebx

movl(%eax),%ebx

Examples: • Instructionendswithdatalength

• opcode,src,dst

• Constantsprecededby$

• Registersprecededby%

• Indirectionuses()

RegisterInstructions:sub

• Subtractfromaregistervalue

%eax7

registers

mem

ory

subl%eax,%ebx

%ebx9 2

FrameInstructions:push

• Putavalueonthestack– Pullfromregister

– Valuegoesto%esp– Subtractfrom%esp

• Example:

pushl%eax

%eax7

registers

mem

ory

Framepushl%eax

%espN%ebpM

%eax7

registers

mem

ory

Frame

%espN-4%ebpM

7

FrameInstructions:pop

• Takeavaluefromthestack– Pullfromstackpointer

– Valuegoesfrom%esp

– Addto%esp

%eax9

registers

mem

ory

Framepopl%eax

%espK%ebpM

%eax7

registers

mem

ory

Frame

%espK+4%ebpM

7

7

Controlflowinstructions:jmp• %eippointstothecurrentlyexecutinginstruction(inthetextsection)

• Hasunconditionalandconditionalforms

• Usesrelativeaddressing

%eipK

registers

mem

ory

Framejmp-20

%espN%ebpM

%eipK-20

registers

mem

ory

Frame

%espN%ebpM

Controlflowinstructions:call

• Savesthecurrentinstructionpointertothestack

• Jumpstotheargumentvalue

%eipK

registers

mem

ory

FrameA:callFOO

%espN%ebpM

%eipFOO

registers

mem

ory

FrameFOO:(1stoffoo)

%espN-4%ebpM

A+2

Controlflowinstructions:ret

• Popsthestackintotheinstructionpointer

%eipK

registers

mem

ory

FrameK:ret

%ebpM %espN

A

%eipA

FrameA:(callerinstr)

%ebpM %espN+4re

gisters

mem

ory

Stackinstructions:leave

• Equivalentto movl%ebp,%esp popl%ebp

registers

mem

ory

Stackleave

%ebpM %espN

A

%ebpA %espM

registers

mem

ory

Stack

Implementingafunctioncall

Stackdata

main:…subl$8,%espmovl$2,4(%esp)movl$l,(%esp)callfooaddl$8,%esp…

(main) (foo)

foo:pushl%ebpmovl%esp,%ebpsubl$16,%espmovl$3,-4(%ebp)movl8(%ebp),%eaxaddl$9,%eaxleaveret

eipeipeipeip

eip

maineip+2

mainebp

esp

ebp

esp

21

esp esp%eax 110

eipeipeipeipeipeipeip

3

esp

ebp

eip

FunctionCalls:Highlevelpoints

• Localsareorganizedintostackframes– Calleesexistatloweraddressthanthecaller

• Oncall:– Save%eipsoyoucanrestorecontrol– Save%ebpsoyoucanrestoredata

• Implementationdetailsarelargelybyconvention– Somewhatcodifiedbyhardware

Datatypes/Endianness

• x86isalittle-endianarchitecture

%eax 0xdeadbeef

pushl%eax

esp

0xde0xad0xbe0xef

esp

4bytes 1 1 1 1

Arrays

bar:pushl%ebpmovl%esp,%ebpsubl$5,%espmovl8(%ebp),%eaxmovl%eax,4(%esp)leal-5(%ebp),%eaxmovl%eax,(%esp)callstrcpyleaveret

(bar)callereip+2

callerebp

voidbar(char*in){charname[5];strcpy(name,in);}

&in

.text .data

HEAP

esp

ebp

‘D’0x44

‘r’0x72

‘e’0x65

‘w’0x77

‘\0’0x00

AssemblyCodeTools

• Let’slookatsomeprogramsforobservingthesephenomena

Tools:GCC

gcc–O0–Sprogram.c–oprogram.S–m32

gcc–O0–gprogram.c–oprogram–m32

Tools:GDB

gdbprogram(gdb)run(gdb)decompilefoo(gdb)quit

Tools:objdump

objdump–Dwrtprogram

Tools:od

od–xprogram

MemorySafety:WhyandWhyNot

• Thefreedomfromtheseshenanigans

• X86haslittleinbuiltnotionofmemorysafety– Compileroranalysiscan

Summary

• Basicsofx86– Processlayout– ISAdetails– Mostoftheinstructionsthatyou’llneed

• Introducedtheconceptofabufferoverflow

• Sometoolstoplayaroundwithx86assembly

• Nexttime:exploitingthesevulnerabilities