
The K Project - LSE Team (EPITA), slide deck, May 06, 2019



  1. The K Project
     LSE Team, EPITA, May 06, 2019
     (outline: Binary loading, TSS, Jump to userland, Conclusion)
     LSE Team (EPITA), The K Project, May 06, 2019, slide 1 / 17

  2. Executable and Linkable Format

  3. Sections
     .text : program code
     .rodata : read-only data (e.g. constant strings)
     .data : global data
     .bss : uninitialized data
     .symtab : symbol table
     .init : executable code for the initialization of the program
     .fini : executable code for the program termination

  4. Segments and Sections
     [Figure: mapping between ELF segments and sections]

  5. Binary Loader

  6. Getting ELF program headers
     Program headers can be found directly from the ELF header with these fields:
     e_phoff : offset of the program header structure array
     e_phentsize : size of one program header structure in the array
     e_phnum : number of program header structures in the array

  7. ELF program header information
     The program header structure then contains the following information:
     p_type : program header type
     p_flags : memory flags associated with the program header
     p_vaddr : expected virtual memory address of the program header
     p_off : program header offset in the ELF file
     p_memsz : in-memory size of the program header
     p_filesz : in-file size of the program header. It can differ from p_memsz; the remaining part must then be filled with 0

  8. Memory layout
     [Figure: address space from 0x00000000 (bottom) to 0xFFFFFFFF (top)]
     Bottom: Kernel Code/Data, then a reserved memory address region
     User Code Segment (r-x): User Code, ending at phdr.p_vaddr + phdr.p_memsz
     User Data Segment (rw-): User Data, User Stack
     User Heap, with brk marking its top
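Added worked example (not code from the deck or from the K project) covering slides 6 to 8: a C loader that walks the program header table through e_phoff, e_phentsize and e_phnum, copies each PT_LOAD segment into a simulated user window, zero-fills the p_filesz..p_memsz tail and returns p_vaddr + p_memsz, the top of the image where brk starts. USER_BASE, USER_WINDOW and the 92-byte sample image are constructed assumptions; every field read from the file is bounds-checked before anything is copied, so a truncated or inconsistent binary is rejected instead of overrunning the window.

```c
#include <stdint.h>
#include <string.h>
/* Minimal ELF32 types, declared here so the example builds without <elf.h>. */
typedef struct { uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version, e_entry,
    e_phoff, e_shoff, e_flags; uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
    e_shstrndx; } Elf32_Ehdr;                                                /* 52 bytes */
typedef struct { uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags,
    p_align; } Elf32_Phdr;                                                   /* 32 bytes */
#define PT_LOAD 1
/* Simulated user address window (assumption): USER_WINDOW bytes starting at USER_BASE. */
#define USER_BASE   0x08048000u
#define USER_WINDOW 4096u
uint8_t user_mem[USER_WINDOW];

/* Walk the program headers via e_phoff/e_phentsize/e_phnum, copy each PT_LOAD segment into
 * user_mem and zero its p_filesz..p_memsz tail (.bss). Returns the top of the loaded image
 * (max p_vaddr + p_memsz, where brk starts), or 0 if the file is rejected. */
uint32_t load_elf(const uint8_t *img, size_t len)
{
    Elf32_Ehdr eh; Elf32_Phdr ph; uint32_t top = 0;
    if (len < sizeof eh || memcmp(img, "\x7f" "ELF", 4) != 0) return 0;
    memcpy(&eh, img, sizeof eh);
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        /* Every field comes from the file, so each bound is checked without overflow. */
        if (eh.e_phentsize < sizeof ph || off > len - sizeof ph) return 0;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (ph.p_filesz > ph.p_memsz || ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return 0;
        if (ph.p_vaddr < USER_BASE || ph.p_memsz > USER_WINDOW ||
            ph.p_vaddr - USER_BASE > USER_WINDOW - ph.p_memsz) return 0;
        uint8_t *dst = user_mem + (ph.p_vaddr - USER_BASE);
        memcpy(dst, img + ph.p_offset, ph.p_filesz);
        memset(dst + ph.p_filesz, 0, ph.p_memsz - ph.p_filesz);    /* .bss fill */
        if (ph.p_vaddr + ph.p_memsz > top) top = ph.p_vaddr + ph.p_memsz;
    }
    return top;
}

/* Constructed 92-byte sample: header, one PT_LOAD phdr at offset 52, 8 code bytes at offset
 * 84 with p_filesz = 8 and p_memsz = 16. `len` lets a caller present a truncated file. */
uint32_t load_sample(size_t len)
{
    Elf32_Ehdr eh = {{0x7f, 'E', 'L', 'F', 1, 1, 1}, 2, 3, 1, USER_BASE, 52, 0, 0, 52, 32, 1, 0, 0, 0};
    Elf32_Phdr ph = {PT_LOAD, 84, USER_BASE, USER_BASE, 8, 16, 5, 0x1000};     /* r-x */
    uint8_t img[92];
    memcpy(img, &eh, 52); memcpy(img + 52, &ph, 32);
    memcpy(img + 84, "\x90\x90\x90\x90\x90\x90\x90\xf4", 8);             /* nops, hlt */
    return load_elf(img, len < 92 ? len : 92);
}
uint8_t user_byte(uint32_t vaddr) { return user_mem[vaddr - USER_BASE]; }
```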

  9. Events in userland
     [Figure: Stack Usage with No Privilege-Level Change. Interrupted Procedure's and Handler's Stack: ESP before transfer to handler; pushed EFLAGS, CS, EIP, Error Code; ESP after transfer to handler.]
     [Figure: Stack Usage with Privilege-Level Change. Interrupted Procedure's Stack: ESP before transfer to handler. Handler's Stack: pushed SS, ESP, EFLAGS, CS, EIP, Error Code; ESP after transfer to handler.]

  10. TSS
      [Figure: 32-bit Task-State Segment layout, byte offsets; reserved bits are set to 0]
      100 : T bit, I/O Map Base Address
      96 : LDT Segment Selector
      92 : GS   88 : FS   84 : DS   80 : SS   76 : CS   72 : ES
      68 : EDI  64 : ESI  60 : EBP  56 : ESP  52 : EBX  48 : EDX  44 : ECX  40 : EAX
      36 : EFLAGS   32 : EIP   28 : CR3 (PDBR)
      24 : SS2   20 : ESP2   16 : SS1   12 : ESP1   8 : SS0   4 : ESP0
      0 : Previous Task Link

  11. TSS Descriptor
      [Figure: 32-bit TSS descriptor]
      High doubleword, bits 31..0: Base 31:24 | G | 0 | 0 | AVL | Limit 19:16 | P | DPL | 0 | Type (1 0 B 1) | Base 23:16
      Low doubleword, bits 31..0: Base Address 15:00 | Segment Limit 15:00
      AVL : Available for use by system software
      B : Busy flag
      BASE : Segment Base Address
      DPL : Descriptor Privilege Level
      G : Granularity
      LIMIT : Segment Limit
      P : Segment Present
      TYPE : Segment Type

  12. Load TSS
          movw $0x10, %ax
          ltr %ax /* The second GDT entry describes the TSS */

  13. GDT requirements
      The GDT should then contain:
      Null descriptor
      Kernel code segment
      Kernel data segment
      Userland code segment
      Userland data segment
      TSS
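Added example, not the deck's or the K project's own code, for slides 10 to 13: the 104-byte TSS structure with the offsets of the TSS slide, a GDT entry encoder following the TSS Descriptor slide, and a GDT built in the order the "GDT requirements" slide lists (an assumption), which places the TSS at index 5 so the selector handed to ltr is 0x28 in this layout rather than the 0x10 of the Load TSS slide. The kernel stack top and TSS base passed in are constructed values.

```c
#include <stdint.h>
/* 32-bit TSS laid out exactly as on the TSS slide: 104 bytes, offsets 0..100. */
struct tss {
    uint32_t prev_task_link, esp0, ss0, esp1, ss1, esp2, ss2, cr3, eip, eflags;
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi, es, cs, ss, ds, fs, gs, ldt_selector;
    uint16_t trap, iomap_base;              /* offset 100: T bit and I/O map base */
} __attribute__((packed));

/* Encode one 8-byte GDT entry from base, 20-bit limit, access byte (P/DPL/S/type)
 * and the 4 flag bits (AVL, L, D/B, G), following the TSS Descriptor slide layout. */
uint64_t gdt_entry(uint32_t base, uint32_t limit, uint8_t access, uint8_t flags)
{
    uint64_t d = limit & 0xFFFFu;                 /* limit 15:0  */
    d |= (uint64_t)(base & 0xFFFFFFu) << 16;      /* base 23:0   */
    d |= (uint64_t)access << 40;                  /* bits 47:40  */
    d |= (uint64_t)((limit >> 16) & 0xFu) << 48;  /* limit 19:16 */
    d |= (uint64_t)(flags & 0xFu) << 52;          /* AVL, L, D/B, G */
    return d | (uint64_t)(base >> 24) << 56;      /* base 31:24  */
}

/* TSS descriptor: P=1, S=0 (system), type 1001b = 32-bit available TSS (B=0),
 * G=0 so the limit is the byte size of the TSS minus one. */
uint64_t tss_descriptor(uint32_t base, int dpl)
{
    return gdt_entry(base, sizeof(struct tss) - 1, 0x80 | ((dpl & 3) << 5) | 0x09, 0);
}
/* Decoders, used to check the encoding. */
uint32_t desc_base(uint64_t d)  { return (uint32_t)(((d >> 16) & 0xFFFFFFu) | ((d >> 56) << 24)); }
uint32_t desc_limit(uint64_t d) { return (uint32_t)((d & 0xFFFFu) | (((d >> 48) & 0xFu) << 16)); }
uint8_t  desc_type(uint64_t d)  { return (d >> 40) & 0x0F; }

/* GDT order from the "GDT requirements" slide (assumption: this exact order), so the
 * TSS sits at index 5 and the selector loaded with ltr is 5 << 3 = 0x28. */
enum { GDT_NULL, GDT_KCODE, GDT_KDATA, GDT_UCODE, GDT_UDATA, GDT_TSS, GDT_COUNT };
struct tss kernel_tss;
uint64_t gdt[GDT_COUNT];

uint16_t build_gdt(uint32_t kernel_stack_top, uint32_t tss_base)
{
    kernel_tss.ss0  = GDT_KDATA << 3;        /* stack switched to on a ring3->ring0 event */
    kernel_tss.esp0 = kernel_stack_top;
    kernel_tss.iomap_base = sizeof kernel_tss;   /* no I/O permission bitmap */
    gdt[GDT_NULL]  = 0;
    gdt[GDT_KCODE] = gdt_entry(0, 0xFFFFF, 0x9A, 0xC);  /* DPL0 code, 4 GiB, 32-bit, G=1 */
    gdt[GDT_KDATA] = gdt_entry(0, 0xFFFFF, 0x92, 0xC);  /* DPL0 data                    */
    gdt[GDT_UCODE] = gdt_entry(0, 0xFFFFF, 0xFA, 0xC);  /* DPL3 code                    */
    gdt[GDT_UDATA] = gdt_entry(0, 0xFFFFF, 0xF2, 0xC);  /* DPL3 data                    */
    gdt[GDT_TSS]   = tss_descriptor(tss_base, 0);
    return GDT_TSS << 3;                     /* value for: movw $0x28, %ax ; ltr %ax */
}
```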

  14. Register settings to go to userland
      To jump to userland, register values must be:
      cs, ds, ss, es
      esp must be set to a task stack address
      eip must be set to the program entry point

  15. Events in userland
      [Figure repeated from slide 9: stack usage with and without a privilege-level change]

  16. Events in userland
      Did you notice DS and ES are not on the stack?
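Added example for slides 14 to 16 (not from the deck): the iret frame the kernel builds for the first jump to userland, using RPL 3 selectors for cs and ss (the GDT order of the "GDT requirements" slide is assumed), next to the frame a handler finds afterwards, where esp and ss are present only when the privilege level changed and ds/es are there only because the handler's own prologue pushed them. Entry point, stack addresses and frame contents in the comments are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Selector = GDT index << 3 | RPL (TI = 0). Userland selectors carry RPL 3. */
#define SEL(index, rpl) ((uint16_t)(((index) << 3) | ((rpl) & 3)))
enum { GDT_KCODE = 1, GDT_KDATA, GDT_UCODE, GDT_UDATA };   /* assumed GDT order */
#define EFLAGS_RESERVED1 0x002u      /* bit 1 always reads as 1 */
#define EFLAGS_IF        0x200u

/* What iret pops when returning to a lower privilege level, in memory order
 * (the CPU pushed SS, ESP, EFLAGS, CS, EIP). The kernel writes this frame by hand
 * for the very first transition; ds and es are not part of it and must be loaded
 * into the registers separately before the iret. */
struct iret_frame { uint32_t eip, cs, eflags, esp, ss; };

struct iret_frame first_userland_frame(uint32_t entry, uint32_t task_stack_top)
{
    struct iret_frame f;
    f.eip    = entry;                         /* program entry point */
    f.cs     = SEL(GDT_UCODE, 3);
    f.eflags = EFLAGS_RESERVED1 | EFLAGS_IF;  /* interrupts enabled in ring 3 */
    f.esp    = task_stack_top;                /* task stack address */
    f.ss     = SEL(GDT_UDATA, 3);             /* ss.RPL must equal cs.RPL */
    return f;
}

/* What a handler finds on the kernel stack afterwards. The CPU pushed the tail,
 * with esp/ss only on a privilege-level change (after switching to TSS.esp0/ss0);
 * ds/es are there only because the handler's prologue pushed them. */
struct trap_frame {
    uint32_t ds, es;            /* pushed by software */
    uint32_t err;               /* error code, or 0 pushed by the stub */
    uint32_t eip, cs, eflags;   /* always pushed by the CPU */
    uint32_t esp, ss;           /* valid only when the interrupted code was ring 3 */
};

/* The interrupted code ran in userland iff the saved CS has RPL 3. */
int frame_from_user(const struct trap_frame *f) { return (f->cs & 3) == 3; }

/* Interrupted ESP: taken from the frame for a ring-3 interrupt; for a ring-0
 * interrupt nothing was pushed there, so it is where the CPU-pushed part ends. */
uint32_t interrupted_esp(const struct trap_frame *f, uint32_t frame_addr)
{
    if (frame_from_user(f)) return f->esp;
    return frame_addr + offsetof(struct trap_frame, esp);
}
```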

  17. Contact
      k[at]lse.epita.fr
      labos.lse with [K] tag
      #k (irc.rezosup.org)
      guillaume.pagnoux[at]lse.epita.fr
      tom.decrette[at]lse.epita.fr
