fba24c6574d7e7f1d886020d23602e3d.ppt
- Количество слайдов: 38
15 -213 “The course that gives CMU its Zip!” Machine-Level Programming V: Miscellaneous Topics Feb 10, 2004 Topics Linux Memory Layout n Understanding Pointers n Buffer Overflow n n class 09. ppt Floating Point Code
Red Hat FF v. 6. 2 ~1920 MB memory limit C 0 BF Linux Memory Layout Stack n Stack Heap n Upper 2 hex 80 digits of 7 F address 40 3 F 08 00 – 2– Runtime stack (8 MB limit) n Dynamically allocated storage When call malloc, calloc, new DLLs n Heap DLLs Heap Data Text n n Dynamically Linked Libraries Library routines (e. g. , printf, malloc) Linked into object code when loaded Data n n Statically allocated data E. g. , arrays & strings declared in code Text n n Executable machine instructions Read-only 15 -213, S’ 04
Linux Memory Allocation Initially BF Stack 80 7 F Some Heap Linked BF Stack 80 7 F More Heap BF Stack 80 7 F Heap 40 3 F 08 00 – 3– 40 3 F Data Text 08 00 DLLs Data Text 40 3 F DLLs Heap 08 00 Data Text 15 -213, S’ 04
Text & Stack Example (gdb) break main (gdb) run Breakpoint 1, 0 x 804856 f in main () (gdb) print $esp $3 = (void *) 0 xbffffc 78 Main n Address 0 x 804856 f should be read 0 x 0804856 f Stack n Address – 4– 0 xbffffc 78 Initially BF Stack 80 7 F 40 3 F 08 00 Data Text 15 -213, S’ 04
Dynamic Linking Example (gdb) print malloc $1 = {
Memory Allocation Example char big_array[1<<24]; /* 16 MB */ char huge_array[1<<28]; /* 256 MB */ int beyond; char *p 1, *p 2, *p 3, *p 4; int useless() { int { p 1 p 2 p 3 p 4 /* } – 6– return 0; } main() = malloc(1 Some print <<28); /* << 8); /* statements 256 256. . . MB B */ */ */ 15 -213, S’ 04
Example Addresses BF $esp p 3 p 1 Final malloc p 4 p 2 beyond big_array huge_array main() useless() Initial malloc &p 2? – 7– 0 xbffffc 78 0 x 500 b 5008 0 x 400 b 4008 0 x 40006240 0 x 1904 a 640 0 x 1904 a 538 0 x 1904 a 524 0 x 1804 a 520 0 x 0804 a 510 0 x 0804856 f 0 x 08048560 0 x 08048454 Stack 80 7 F Heap 40 3 F DLLs Heap 08 00 Data Text 0 x 1904 a 42 c 15 -213, S’ 04
C operators Operators () [] ->. ! ~ ++ -- + - * & (type) sizeof * / % + << >> < <= > >= == != & ^ | && || ? : = += -= *= /= %= &= ^= != <<= >>= , Associativity left to right to left to right left to right left to right to left right to left to right Note: Unary +, -, and * have higher precedence than binary forms – 8– 15 -213, S’ 04
C pointer declarations int *p p is a pointer to int *p[13] p is an array[13] of pointer to int *(p[13]) p is an array[13] of pointer to int **p p is a pointer to an int (*p)[13] p is a pointer to an array[13] of int *f() f is a function returning a pointer to int (*f)() f is a pointer to a function returning int (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning int (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints – 9– 15 -213, S’ 04
Avoiding Complex Declarations Use Typedef to build up the decl Instead of int (*(*x[3])())[5] : typedef int fiveints[5]; typedef fiveints* p 5 i; typedef p 5 i (*f_of_p 5 is)(); f_of_p 5 is x[3]; X is an array of 3 elements, each of which is a pointer to a function returning an array of 5 ints. – 10 – 15 -213, S’ 04
Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. n How did it happen? n July, 1999 Microsoft launches MSN Messenger (instant messaging system). n Messenger clients can access popular AOL Instant Messaging Service (AIM) servers n AIM client MSN server MSN client AIM server AIM client – 11 – 15 -213, S’ 04
Internet Worm and IM War (cont. ) August 1999 Mysteriously, Messenger clients can no longer access AIM servers. n Microsoft and AOL begin the IM war: l AOL changes server to disallow Messenger clients l Microsoft makes changes to clients to defeat AOL changes. l At least 13 such skirmishes. n n How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! l many Unix functions do not check argument sizes. l allows target buffers to overflow. – 12 – 15 -213, S’ 04
String Library Code n Implementation of Unix function gets l No way to specify limit on number of characters to read /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != 'n') { *p++ = c; c = getc(); } *p = ' '; return dest; } n – 13 – Similar problems with other Unix functions l strcpy: Copies string of arbitrary length l scanf, fscanf, sscanf, when given %s conversion specification 15 -213, S’ 04
Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; gets(buf); puts(buf); } /* Way too small! */ int main() { printf("Type a string: "); echo(); return 0; } – 14 – 15 -213, S’ 04
Buffer Overflow Executions unix>. /bufdemo Type a string: 12345 Segmentation Fault unix>. /bufdemo Type a string: 12345678 Segmentation Fault – 15 -213, S’ 04
Buffer Overflow Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for echo – 16 – /* Echo Line */ void echo() { char buf[4]; gets(buf); puts(buf); } echo: pushl %ebp movl %esp, %ebp subl $20, %esp pushl %ebx addl $-12, %esp leal -4(%ebp), %ebx pushl %ebx call gets. . . /* Way too small! */ # Save %ebp on stack # # # Allocate stack space Save %ebx Allocate stack space Compute buf as %ebp-4 Push buf on stack Call gets 15 -213, S’ 04
Buffer Overflow Stack Example Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for echo unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0 x 8048583 (gdb) run Breakpoint 1, 0 x 8048583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0 xbffff 8 f 8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0 x 804864 d Stack Frame for main Before call to gets 08 04 86 4 d Return Address bf ff f 8 0 xbffff 8 f 8 Saved %ebp xx xx [3][2][1][0] buf Stack Frame for echo 8048648: call 804857 c
Buffer Overflow Example #1 Before Call to gets Input = “ 123” Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for echo 08 04 86 4 d Return Address bf ff f 8 0 xbffff 8 d 8 Saved %ebp 00 33 32 31 [3][2][1][0] buf Stack Frame for echo No Problem – 18 – 15 -213, S’ 04
Buffer Overflow Stack Example #2 Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for echo 8048592: 8048593: 8048598: 804859 b: 804859 d: 804859 e: – 19 – 08 04 86 4 d Return Address bf ff %ebp Saved 00 35 0 xbffff 8 d 8 [3] [2] [1] [0] buf 34 33 32 31 Stack Frame for echo code: push call mov pop ret Input = “ 12345” Saved value of %ebp set to 0 xbfff 0035 Bad news when later attempt to restore %ebp %ebx 80483 e 4 <_init+0 x 50> # gets 0 xffffffe 8(%ebp), %ebx %ebp, %esp %ebp # %ebp gets set to invalid value 15 -213, S’ 04
Buffer Overflow Stack Example #3 Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for echo Input = “ 12345678” 08 04 86 00 Return Address 38 37 36 35 0 xbffff 8 d 8 Saved %ebp 34 33 32 31 [3][2][1][0] buf Stack Frame for echo %ebp and return address corrupted Invalid address No longer pointing to desired return point 8048648: call 804857 c
Malicious Use of Buffer Overflow Stack after call to gets() return address A void foo(){ bar(); . . . } void bar() { char buf[64]; gets(buf); . . . } foo stack frame data written by gets() B B pad exploit code bar stack frame Input string contains byte representation of executable code n Overwrite return address with address of buffer n When bar() executes ret, will jump to exploit code n – 21 – 15 -213, S’ 04
Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. Internet worm n n – 22 – Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: l finger droh@cs. cmu. edu Worm attacked fingerd server by sending phony argument: l finger “exploit-code padding new-returnaddress” l exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker. 15 -213, S’ 04
The Internet Worm 11/2 18: 24 first west coast computer infected 19: 04 ucb gateway infected 20: 00 mit attacked 20: 49 cs. utah. edu infected 21: 21 load avg reaches 5 on cs. utah. edu 21: 41 load avg reaches 7 22: 01 load avg reaches 16 22: 20 worm killed on cs. utah. edu 22: 41 cs. utah. edu reinfected, load avg 27 22: 49 cs. utah. edu shut down 23: 31 reinfected, load reaches 37 – 23 – 15 -213, S’ 04
Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. IM War AOL exploited existing buffer overflow bug in AIM clients n exploit code: returned 4 -byte signature (the bytes at some location in the AIM client) to server. n When Microsoft changed code to match signature, AOL changed signature location. n – 24 – 15 -213, S’ 04
Date: Wed, 11 Aug 1999 11: 30: 57 -0700 (PDT) From: Phil Bucking
Code Red Worm History June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS Internet server n July 19, 2001. over 250, 000 machines infected by new virus in 9 hours n White house must change its IP address. Pentagon shut down public WWW servers for day n When We Set Up CS: APP Web Site n Received strings of form GET /default. ida? NNNNNNNNNNNNNNNNNNNN. . NNNNNNNNNNNNNNNNNNNNN%u 9090%u 6858 %ucbd 3%u 7801%u 9090%u 6858%ucbd 3% u 7801%u 9090%u 8190%u 00 c 3%u 0003%u 8 b 00%u 531 b%u 53 ff%u 0078%u 0000%u 00=a HTTP/1. 0" 400 325 "-" – 26 – 15 -213, S’ 04
Code Red Exploit Code Starts 100 threads running n Spread self l Generate random IP addresses & send attack string l Between 1 st & 19 th of month n n n Attack www. whitehouse. gov l Send 98, 304 packets; sleep for 4 -1/2 hours; repeat » Denial of service attack l Between 21 st & 27 th of month Deface server’s home page l After waiting 2 hours – 27 – 15 -213, S’ 04
Code Red Effects Later Version Even More Malicious n Code Red II As of April, 2002, over 18, 000 machines infected n Still spreading n Paved Way for NIMDA Variety of propagation methods n One was to exploit vulnerabilities left behind by Code Red II n ASIDE (security flaws start at home). rhosts used by Internet Worm n Attachments used by My. Doom (1 in 6 emails Monday morning!) n – 28 – 15 -213, S’ 04
Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } Use Library Routines that Limit String Lengths instead of gets n strncpy instead of strcpy n fgets n Don’t use scanf with %s conversion specification l Use fgets to read the string – 29 – 15 -213, S’ 04
IA 32 Floating Point History n n Instruction decoder and sequencer 8086: first computer to implement IEEE FP l separate 8087 FPU (floating point unit) 486: merged FPU and Integer Unit onto one chip Summary Hardware to add, multiply, and divide n Floating point data registers n Various control & status registers n Integer Unit FPU Floating Point Formats single precision (C float): 32 bits n double precision (C double): 64 bits n extended precision (C long double): 80 bits n – 30 – Memory 15 -213, S’ 04
FPU Data Register Stack FPU register format (extended precision) 79 78 s 0 64 63 exp frac FPU registers 8 registers n Logically forms shallow stack n Top called %st(0) n n When push too many, bottom values disappear %st(3) %st(2) %st(1) %st(0) “Top” stack grows down – 31 – 15 -213, S’ 04
FPU instructions Large number of fp instructions and formats ~50 basic instruction types n load, store, add, multiply n sin, cos, tan, arctan, and log! n Sample instructions: Instruction Effect Description fldz push 0. 0 Load zero flds Addr push M[Addr] Load single precision real fmuls Addr %st(0)*M[Addr] Multiply faddp %st(1) %st(0)+%st(1); pop Add and pop – 32 – 15 -213, S’ 04
Floating Point Code Example Compute Inner Product of Two Vectors n Single precision arithmetic n Common computation float ipf (float x[], float y[], int n) { int i; float result = 0. 0; for (i = 0; i < n; i++) { result += x[i]*y[i]; } return result; } – 33 – pushl %ebp movl %esp, %ebp pushl %ebx movl 8(%ebp), %ebx movl 12(%ebp), %ecx movl 16(%ebp), %edx fldz xorl %eax, %eax cmpl %edx, %eax jge. L 3. L 5: flds (%ebx, %eax, 4) fmuls (%ecx, %eax, 4) faddp incl %eax cmpl %edx, %eax jl. L 5. L 3: movl -4(%ebp), %ebx movl %ebp, %esp popl %ebp ret # setup # # # %ebx=&x %ecx=&y %edx=n push +0. 0 i=0 if i>=n done # # # push x[i] st(0)*=y[i] st(1)+=st(0); pop i++ if i
pushl %ebp movl %esp, %ebp pushl %ebx # setup Floating Point Code Example movl 8(%ebp), %ebx movl 12(%ebp), %ecx movl 16(%ebp), %edx fldz xorl %eax, %eax cmpl %edx, %eax jge. L 3 float ipf (float x[], . L 5: float y[], flds (%ebx, %eax, 4) int n) fmuls (%ecx, %eax, 4) { faddp int i; float result = 0. 0; incl %eax cmpl %edx, %eax for (i = 0; i < n; i++). L 5 jl {. L 3: result += x[i]*y[i]; movl -4(%ebp), %ebx } movl %ebp, %esp return result; popl %ebp } ret – 34 – # # # %ebx=&x %ecx=&y %edx=n push +0. 0 i=0 if i>=n done # # # push x[i] st(0)*=y[i] st(1)+=st(0) pop i++ if i
pushl %ebp movl %esp, %ebp pushl %ebx # setup Floating Point Code Example movl 8(%ebp), %ebx movl 12(%ebp), %ecx movl 16(%ebp), %edx fldz xorl %eax, %eax cmpl %edx, %eax jge. L 3 float ipf (float x[], . L 5: float y[], flds (%ebx, %eax, 4) int n) fmuls (%ecx, %eax, 4) { faddp int i; float result = 0. 0; incl %eax cmpl %edx, %eax for (i = 0; i < n; i++). L 5 jl {. L 3: result += x[i]*y[i]; movl -4(%ebp), %ebx } movl %ebp, %esp return result; popl %ebp } ret – 35 – # # # %ebx=&x %ecx=&y %edx=n push +0. 0 i=0 if i>=n done # # # push x[i] st(0)*=y[i] st(1)+=st(0) pop i++ if i
Inner Product Stack Trace Initialization 1. fldz 0. 0 %st(0) Iteration 0 Iteration 1 2. flds (%ebx, %eax, 4) 0. 0 x[0] %st(1) %st(0) 5. flds (%ebx, %eax, 4) x[0]*y[0] x[1] %st(1) %st(0) 3. fmuls (%ecx, %eax, 4) 6. fmuls (%ecx, %eax, 4) 0. 0 x[0]*y[0] x[1]*y[1] %st(1) %st(0) 4. faddp 0. 0+x[0]*y[0] %st(1) %st(0) 7. faddp %st(0) x[0]*y[0]+x[1]*y[1] – 36 – 15 -213, S’ 04
Final Observations Memory Layout n OS/machine dependent (including kernel version) n Basic partitioning: stack/data/text/heap/DLL found in most machines Type Declarations in C n Notation obscure, but very systematic Working with Strange Code n Important to analyze nonstandard cases l. E. g. , what happens when stack corrupted due to buffer overflow n Helps to step through with GDB IA 32 Floating Point n Strange – 37 – “shallow stack” architecture 15 -213, S’ 04
Final Recommendation Sign your mail. Google “pgp” – 38 – 15 -213, S’ 04