CSCI6268L29 - Foundations of Network and Computer Security...

Foundations of Network and Computer Security
John Black
Lecture #29, Nov 11th 2009
CSCI 6268/TLEN 5550, Fall 2009

Stack Frames

Simple example: example1.c:

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    void main() {
        function(1,2,3);
    }

    gcc -S -o example1.s example1.c

Calling Convention

    main:
        . . .
        pushl $3          // push parameters in rev order
        pushl $2
        pushl $1
        call function     // pushes ret addr on stack
        . . .

    function:
        pushl %ebp        // save old frame ptr
        movl %esp,%ebp    // set frame ptr to stack ptr
        subl $20,%esp     // allocate space for locals

        mov %ebp, %esp    // clean-up code and exit
        pop %ebp
        ret

Stack Memory

What does the stack look like when “function” is called?

    (Bottom of stack)
    c          3                         4 bytes
    b          2                         4 bytes
    a          1                         4 bytes
    ret        Return address to main    4 bytes
    sfp        Saved Frame Pointer       4 bytes
    buffer1                              8 bytes
    buffer2                              12 bytes
    (Top of stack)

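example2.c

    #include <string.h>

    void function(char *str) {
        char buffer[16];
        strcpy(buffer,str);           // no length check: the overflow
    }

    void main() {
        char large_string[256];
        int i;
        for( i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';     // terminate so strcpy copies exactly 255 A's
        function(large_string);
    }
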
Stack Memory Now

What does the stack look like when “function” is called?

    (Bottom of stack)
    *str       Ptr to large_string       4 bytes
    ret        Return address to main    4 bytes
    sfp        Saved Frame Pointer       4 bytes
    buffer                               16 bytes
    (Top of stack)

Segmentation fault occurs.
We write 255 A’s starting from buffer down through sfp, ret, *str and beyond.
We then attempt to return to the address 0x41414141.

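Added example (not from the lecture slides): a byte-array model of the example2.c frame using the slide's layout, so the effect of the unchecked copy on ret can be observed beside a length-checked copy that leaves ret intact. The initial sfp, ret and *str values and all function names here are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the example2.c frame on the slide (32-bit x86),
   lowest address first: buffer[16] | sfp (4) | ret (4) | *str (4). */
enum { BUF_LEN = 16, SFP_OFF = 16, RET_OFF = 20, STR_OFF = 24, FRAME_LEN = 28 };
#define RET_INIT 0x08048456u   /* constructed return address, not from the page */
static unsigned char frame[FRAME_LEN];

static void put32(size_t off, uint32_t v) { memcpy(frame + off, &v, sizeof v); }
static uint32_t get32(size_t off) { uint32_t v; memcpy(&v, frame + off, sizeof v); return v; }

static void frame_reset(void) {
    memset(frame, 0, sizeof frame);
    put32(SFP_OFF, 0xbffff6b8u);   /* constructed saved frame pointer */
    put32(RET_OFF, RET_INIT);
    put32(STR_OFF, 0xbffff5b0u);   /* constructed pointer to large_string */
}

/* Effect of strcpy(buffer, str): no length check. The model clamps at
   FRAME_LEN so the simulation itself never writes out of bounds. */
static void unchecked_copy(const char *src) {
    size_t n = strlen(src) + 1;
    memcpy(frame, src, n > FRAME_LEN ? FRAME_LEN : n);
}

/* Hardened form: reject input that does not fit in buffer with its NUL. */
static int bounded_copy(const char *src) {
    size_t n = strlen(src);
    if (n >= BUF_LEN) return -1;
    memcpy(frame, src, n + 1);
    return 0;
}

/* Return the saved return address after copying len 'A's (len <= 255). */
static uint32_t ret_after(size_t len, int bounded) {
    char s[256];
    memset(s, 'A', len);
    s[len] = '\0';
    frame_reset();
    if (bounded) (void)bounded_copy(s); else unchecked_copy(s);
    return get32(RET_OFF);
}

int main(void) {
    printf("strcpy-style, 255 A's: ret = 0x%08x\n", (unsigned)ret_after(255, 0));
    printf("bounded,      255 A's: ret = 0x%08x\n", (unsigned)ret_after(255, 1));
    return 0;
}
```
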
example3.c

    #include <stdio.h>

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;
        ret = (int *)(buffer1 + 12);  // overwrite return addr
        (*ret) += 10;                 // return 10 bytes later in text seg
    }

    void main() {
        int x;
        x = 0;
        function(1,2,3);
        x = 1;
        printf("%d\n",x);
    }

Write-up says 8 bytes, but it’s wrong

How did we know the values?

Look at disassembly:

    0x8000490 <main>:     pushl %ebp
    0x8000491 <main+1>:   movl %esp,%ebp
    0x8000493 <main+3>:   subl $0x4,%esp
    0x8000496 <main+6>:   movl $0x0,0xfffffffc(%ebp)
    0x800049d <main+13>:  pushl $0x3
    0x800049f <main+15>:  pushl $0x2
    0x80004a1 <main+17>:  pushl $0x1
    0x80004a3 <main+19>:  call 0x8000470 <function>
    0x80004a8 <main+24>:  addl $0xc,%esp
    0x80004ab <main+27>:  movl $0x1,0xfffffffc(%ebp)
    0x80004b2 <main+34>:  movl 0xfffffffc(%ebp),%eax
    0x80004b5 <main+37>:  pushl %eax
    0x80004b6 <main+38>:  pushl $0x80004f8
    0x80004bb <main+43>:  call 0x8000378 <printf>
    0x80004c0 <main+48>:  addl $0x8,%esp
    0x80004c3 <main+51>:  movl %ebp,%esp
    0x80004c5 <main+53>:  popl %ebp
    0x80004c6 <main+54>:  ret

= 10, so skip 10 bytes down; note: leaves SP messed up!

So we can change return addresses… and then?!

If we can arbitrarily change return addresses, what power do we really have?
Cause program to execute other than intended code

This note was uploaded on 03/11/2010 for the course CS 6268 taught by Professor Black during the Spring '09 term at University of Colombo.
