Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
lecture 03 control flow

Lecture 03 Control Flow Stephen Checkoway University of Illinois - PowerPoint PPT Presentation

Jan 20, 2024 •301 likes •838 views

Lecture 03 Control Flow Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Adapted from Michael Baileys ECE 422 Outline Computer CPU Instructions The Stack (x86) What is a stack How it is

  1. Lecture 03 – Control Flow Stephen Checkoway University of Illinois at Chicago CS 487 – Fall 2017 Adapted from Michael Bailey’s ECE 422

  2. Outline • Computer – CPU – Instructions • The Stack (x86) – What is a stack – How it is used by programs – Technical details • Attacks • Buffer overflows • Adapted from Aleph One’s “Smashing the Stack for Fun and Profit”

  3. “Insecurity”? Level-2 Problem: “Weakness” Factors that predispose systems to vulnerability Level-1 Problem: “Vulnerability” “Attack” Specific errors that could be exploited in an assault. exploit, vulnerabilities Level-0 Problem: “Exploit” are ingredients Actual malicious attempt to cause harm.

  4. Why Study Attacks? • Identify vulnerabilities so they can be fixed. • Create incentives for vendors to be careful. • Learn about new classes of threats. – Determine what we need to defend against. – Help designers build stronger systems. – Help users more accurately evaluate risk.

  5. static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { OSStatus err; ... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; ... fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; }

  6. example.c void foo(int a, int b) { char buf1[10]; } void main() { foo(3,6); }

  7. C stack frames } main SP Local variables FP

  8. C stack frames SP } main function args Local variables FP

  9. C stack frames SP return address } main function args Local variables FP

  10. C stack frames } foo SP main’s FP return address } main function args Local variables FP

  11. C stack frames } foo SP FP main’s FP return address } main function args Local variables

  12. C stack frames } foo SP Local variables FP main’s FP return address } main function args Local variables

  13. C stack frames (x86 specific) Grows toward lower address Low address 0x00 Starts ~end of VA space Two related registers %ESP - Stack Pointer %EBP - Frame Pointer High address 0xff

  14. example.c void foo(int a, int b) { char buf1[16]; } int main() { foo(3,6); }

  15. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  16. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  17. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP ret

  18. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo 6 leave prev FP ret

  19. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) 3 call foo 6 leave prev FP ret

  20. example.s (x86) main: pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) return movl $3, (%esp) 3 call foo 6 leave prev FP ret

  21. example.s (x86) foo: pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave 3 ret 6 prev FP

  22. example.s (x86) foo: pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave 3 ret 6 prev FP

  23. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave 3 ret 6 prev FP

  24. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave 3 ret 6 mov %ebp, %esp prev FP pop %ebp

  25. example.s (x86) foo: … pushl %ebp movl %esp, %ebp main FP subl $16, %esp return leave 3 ret 6 mov %ebp, %esp prev FP pop %ebp

  26. example.s (x86) foo: … pushl %ebp movl %esp, %ebp subl $16, %esp return leave 3 ret 6 mov %ebp, %esp prev FP pop %ebp

  27. example.s (x86) foo: … pushl %ebp movl %esp, %ebp subl $16, %esp return leave 3 ret 6 mov %ebp, %esp prev FP pop %ebp

  28. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) 3 call foo 6 leave prev FP mov %ebp, %esp ret pop %ebp

  29. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave prev FP mov %ebp, %esp ret pop %ebp

  30. example.s (x86) main: … pushl %ebp movl %esp, %ebp subl $8, %esp movl $6, 4(%esp) movl $3, (%esp) call foo leave mov %ebp, %esp ret pop %ebp

  31. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

  32. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; foo(buf); }

  33. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  34. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  35. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  36. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); main FP } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  37. Buffer overflow example void foo(char *str) { char buffer[16]; strcpy(buffer, str); main FP } return int main() { foo_arg1 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  38. Buffer overflow example void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 } 0x41414141 int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  39. Buffer overflow example void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  40. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); prev FP }

  41. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); ? prev FP }

  42. Buffer overflow example void foo(char *str) { AAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp 0x41414141 ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; foo(buf); ? prev FP }

  43. Buffer overflow example %eip = 0x41414141 AAAAAA… 0x41414141 ??? 0x41414141 0x41414141 AAAAAAA… ? prev FP

  44. Buffer overflow FTW • Success! Program crashed! • Can we do better? – Yes • How?

  45. Exploiting buffer overflows void foo(char *str) { char buffer[16]; strcpy(buffer, str); } int main() { char buf[256]; memset(buf, ‘A’, 255); buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; foo(buf); }

  46. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 } buf int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  47. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  48. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

  49. Exploiting buffer overflows void foo(char *str) { AAAAAAA… char buffer[16]; strcpy(buffer, str); 0x41414141 mov %ebp, %esp } pop %ebp buf ret int main() { 0x41414141 char buf[256]; memset(buf, ‘A’, 255); AAAAAAA… buf[255] = ‘\x00’; ((int*)buf)[5] = (int)buf; prev FP foo(buf); }

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

518 views • 5 slides
Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow <startup>

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow <startup>

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow <startup> inst 1 inst 2 Time inst 3 inst n <shutdown> Sean Barker 2 Operating System User-level Applications Operating System Hardware

455 views • 16 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

544 views • 34 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

311 views • 12 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

564 views • 37 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.19k views • 92 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

337 views • 19 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

748 views • 41 slides
Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if statements use expressions that are conceptually either true or false . These expressions are called relational expressions or Boolean expressions

576 views • 28 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.05k views • 54 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

357 views • 12 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

430 views • 8 slides
Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University --

Control Flow Integrity for COTS Binaries Mingwei Zhang and R. Sekar Stony Brook University -- Summarized by Navid Emamdoost University of Minnesota Outline Background Control Flow attacks Control Flow Integrity Control Flow

796 views • 33 slides
Flow Control and ARQ Flow Control ARQ Example Protocols ITS323: Introduction to Data

Flow Control and ARQ Flow Control ARQ Example Protocols ITS323: Introduction to Data

ITS323/CSS331 Flow Control & ARQ Protocols Flow Control and ARQ Flow Control ARQ Example Protocols ITS323: Introduction to Data Communications CSS331: Fundamentals of Data Communications Sirindhorn International Institute of Technology

839 views • 34 slides
Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

CIS330, Week 9 Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow Exceptions Process context switches Creating and destroying processes CIS330 Week 9 Control Flow Computers do Only One Thing

1.09k views • 85 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

380 views • 22 slides
OF INTERNATIONAL INTERVENTION IN FORMER YUGOSLAVIA: PRECARIAT OR PROJECTARIAT? Dr

OF INTERNATIONAL INTERVENTION IN FORMER YUGOSLAVIA: PRECARIAT OR PROJECTARIAT? Dr

THE LOCAL WORKFORCE OF INTERNATIONAL INTERVENTION IN FORMER YUGOSLAVIA: PRECARIAT OR PROJECTARIAT? Dr Catherine Baker (University of Hull) Precariat and projectariat Precariat From Guy Standings The

236 views • 10 slides
Texas Targeting Strategies January 25, 2016 1 Texas State-level Targeting Strategies 2

Texas Targeting Strategies January 25, 2016 1 Texas State-level Targeting Strategies 2

Texas Targeting Strategies January 25, 2016 1 Texas State-level Targeting Strategies 2 Introducing Texas Speakers: James A. Cooley Chris Delcher, PhD Healthcare Quality Analytics, External Quality Review Research and Coordination Support

723 views • 27 slides
Announcements A2 goes out Thursday, due in 2 weeks Late submissions on Canvas Segmentation

Announcements A2 goes out Thursday, due in 2 weeks Late submissions on Canvas Segmentation

9/21/2015 Announcements A2 goes out Thursday, due in 2 weeks Late submissions on Canvas Segmentation & Grouping Final exam dates now posted by registrar. Ours is Dec 9, 2-5 pm. Check in on pace Tues Sept 22 Review

495 views • 16 slides
Ripensare al trattamento dei bassi rischi della Trombocitemia e Policitemia Vera T. Barbui

Ripensare al trattamento dei bassi rischi della Trombocitemia e Policitemia Vera T. Barbui

Ripensare al trattamento dei bassi rischi della Trombocitemia e Policitemia Vera T. Barbui Foundation for Clinical Research (FROM) Hospital Papa Giovanni XXIII Bergamo, Italy FORUM in Ematologia: Novit biologiche e terapeutiche Bari 6

552 views • 25 slides
Acquiring language: A story about research Micha Elsner, Department of Linguistics Back in the

Acquiring language: A story about research Micha Elsner, Department of Linguistics Back in the

Acquiring language: A story about research Micha Elsner, Department of Linguistics Back in the early 80s... Baby Micha born (Jerusalem, Israel) Immediately starts acquiring language What was I really learning? Before the 80s

783 views • 51 slides
@ P. Ascher 1 , G. Ban 2 , B. Blank 3 , K. Blaum 1 , J.- F. Cam 4 , P. Delahaye 4 ,

@ P. Ascher 1 , G. Ban 2 , B. Blank 3 , K. Blaum 1 , J.- F. Cam 4 , P. Delahaye 4 ,

@ P. Ascher 1 , G. Ban 2 , B. Blank 3 , K. Blaum 1 , J.- F. Cam 4 , P. Delahaye 4 , F. Delalee 3 , P. Dupr 5 , S. El Abbeir 3 , M. Gerbaux 3 , S. Grevy 3 , G. Grinyer 4 , H. Gurin 3 , E. Linard 2 ,

392 views • 20 slides
Research Centre for Physics Wigner/MPP Collaboration Meeting Budapest, 2016.04.08 G.P. Djotyan

Research Centre for Physics Wigner/MPP Collaboration Meeting Budapest, 2016.04.08 G.P. Djotyan

Rubidium laser plasma source at Wigner Research Centre for Physics Wigner/MPP Collaboration Meeting Budapest, 2016.04.08 G.P. Djotyan Motivation and Outline 1. Generation of laser plasma and real-time diagnostics methods developed in our

420 views • 16 slides
Latent Class Analysis (LCA) in Stata Kristin MacDonald Director of Statistical Services

Latent Class Analysis (LCA) in Stata Kristin MacDonald Director of Statistical Services

Latent Class Analysis Latent Class Analysis (LCA) in Stata Kristin MacDonald Director of Statistical Services StataCorp LLC 2018 London Stata Conference K. L. MacDonald (StataCorp) 6-7 September 2018 1 / 52 Latent Class Analysis What is

1k views • 58 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.