程序代写 SFL @ TU Dortmund

SFL @ TU Dortmund

Tying Together Defenses You Already Learnt
Isolation Domain #A Isolation Domain #B

Copyright By PowCoder代写 加微信 powcoder

Operating System

What if Software has Security-Critical Vulnerabilities?
Isolation Domain #A Isolation Domain #B
Operating System

Software, Assembly and Machine Code
Software Creation
(1) “Inputs are no longer than 128 bytes anyway, so I just reserve 128B memory.”
(2) “The max number to expect is 80000, let’s use a 32-bit-wide integer then.”
High-level lang. (e.g., C)
int i; i = 42;
“DAP” (Java), “Betriebsssyteme” (C)
(“Übersetzerbau”)
“Rechnerstrukturen” (MIPS)
(“Rechnerstrukturen” / “Hardware-Praktikum”)
(1) : “Data and code is mixed. Changing data may allow arbitrary code execution.”
(2) (inventor of C): “If the multiplication result of two signed numbers is too large to fit the result data type, the program has undefined behavior.”
mov eax, 42h
mov [ebp-4], eax
Machine code
1010010001010101
1010000100101101

Intel x86/x64 vs. MIPS
• RS introduces MIPS, yet we will use Intel x86 (32-bit) / x64 (64- bit)
• MIPS is Reduced Instruction Set Computer (RISC)
• Keep it simple: instructions are designed to carry out a single purpose
• Load-and-store: do not combine arithmetic operations with memory accesses
• Constant instruction length (4 bytes)
• x86/x64 is Complex Instruction Set Computer (CISC)
• One CISC instruction can combine the semantics of several RISC instructions
• One instruction can read/write memory and perform arithmetic operations
• Variable instruction length (1-15 bytes)

Intel CPU Registers (1/2)
• Intel register history
• 1978: Intel 8086 8-bit •1982:Intel80186 16-bit •1985:Intel80386 32-bit • 2003: Intel x86-64 64-bit
Word DoubleWord Quad Word

Intel CPU Registers (2/2)
• General-purpose (GP) registers in Intel x64/x86
x64/x86 Purpose
rax/eax Accumulator
rbx/ebx Base address for addressing
rcx/ecx Counter (loop index)
rdx/edx Data (I/O, mul/div)
rsi/esi Source (string source)
rdi/edi Destination (string destination)
rbp/ebp Base Pointer (frame pointer)
rsp/esp Stack Pointer (top of stack)
• Intel x64 adds 8 additional GP registers: R8-R15
• Partial addr.: r10d last 32b, r10w last 16b, r10b last 8b

Intel CPU Registers (Continued #1)
• Further registers
Register Purpose
Code segment, 16-bit
Data segment, 16-bit
Stack segment, 16-bit
Further segmentation regs, 16-bit
Instruction Pointer (points to next instr .)
{R|E}FLAGS Flags register

Intel CPU Registers (Continued #2)
• Control registers change behavior of CPU
Basic control flags, e.g.: paging, mode
(reserved)
Address that was accessed causing a page fault
Contains page table address and PCID
Additional control flags (enable debugging, perf. counters, etc.)
(reserved)

Intel Assembly
• Intel assembly notation • ,
• OP1 is the destination operand • OP2 is the source operand
mov rax, rbx ; copy content of rbx into rax
• AT&T assembly notation is different
• Swaps operands (first is source, second is destination)
• Explicitly states operand type and length
• Example: movq %rbx, %rax ; copy quadword (64b) from rbx into rax

Intel Assembly
• Operand types
• Immediate: constant numbers
• Register: general-purpose registers
• Memory: address in memory
– Via explicit address offset (e.g., a variable)
– Via dereferencing a register that holds a pointer
– Note: Only a single memory access per instruction is allowed

x86/x64 Instructions in a Nutshell
; register operations
mov rax, 0x42 ; filling register with immediate values xchg ebx, eax ; register content swapping
; arithmetic operations
sub eax, ebx add eax, 0x42 mul ecx
; bitwise operations
; subtraction (eax = eax – ebx)
; addition (eax += 42)
; edx:eax = eax * ecx
; eax = edx:eax / ecx ; edx = remainder
inc eax
dec eax
; ecx = ecx | eax (bitwise OR)
; ecx = ecx & eax (bitwise AND)
; ecx = ecx ^ eax (bitwise Exclusive OR)
or ecx, eax
and ecx, eax
xor ecx, eax
shl eax,4 ; shifts contents of eax to left, extends with 0s shr eax,3 ; shifts contents of eax to right, extends with 0s

CPU Flags Register
• Flags register
Flag Meaning
CF = Carry result of unsigned op. is too large or below zero. 1=carry/borrow
OF = result of signed op. is too large or small. Overflow 1=overflow/underflow
SF = Sign sign of result. Reasonable for integer only. 1=neg. / 0=pos.
ZF = Zero result of operation is zero. 1=zero
PF = Parity result has even number of set bits. 1=even number
TF = Trap single step for debugging. 1=single stepping
IF = interrupts can occur. 1=interrupts enabled
Ctrl flags Status flags

CPU Flags Register
• Some assembly instructions do not affect flags regardless of result
• Examples
•inc/dec do not affect CF (but add/sub ,1 do)
• loop does not affect any flags • mov does not affect any flags
• Always check which flags an instruction affects • See Intel instruction reference
• … or any online reference, e.g.: https://c9x.me/x86/

No Operations (NOPs): Operations Without Side- Effects
• NOPs are instructions that “do nothing”
• NOPs do not change state (registers except IP, flags, memory, etc.) • Can be used as placeholder, to replace instructions, or to align code
; explicit 1B-long nop operation (translates to xchg reg, reg)
; 2B NOP operations
eax,[eax + byte 0x0]
eax,[eax + dword 0x0]
86 c0 xchg
87 db xchg
; 3B NOP operations
48 89 c0 mov
67 8d 00 lea
; 4B NOP operation
67 8d 40 00 lea
; 7B NOP operation
67 8d 80 00000000 lea

Memory Access in x86

Referencing Memory in ASM (1/2)
• Memory accesses via globals (ex17.asm)
• Syntax: [addr] dereferences address addr, i.e., reads from/writes
to addr Assembly
SECTION .data
var1: dd 0x00112233
var2: dd 0x55667788
SECTION .text
; interactions between memory and registers
mov eax, [var1] mov eax, var1 mov [var1], eax mov var1, eax
; store content at address `var1` in eax
; store address `var1` in eax
; store content of eax at address `var1`
; invalid!
; many more instructions allow to work on operands
add eax, [var1] ; add value at address `var1` to eax
add [var1], 0x42 ; add 0x42 to variable at address `var1`
; some combinations are invalid, e.g., two memory operands in ; arithmetic ops (but many others, too)
add [var1], [var2] ; invalid!

Referencing Memory in ASM (2/2)
• Offset addressing in Intel assembly
• Effective address = base register
+ (index register * scale factor)
+ displacement
Index Scale Displacement
rax rbx rcx …
Base address register
Index register
Scale factor (20-23)
Optional address displacement (offset length 0b-32b, i.e., up to 232-1 bytes)
rax rbx rcx …
8-bit 16-bit 32-bit

Referencing Memory with lea (1/2) • Obtaining pointers via lea (ex18.asm)
• Syntax: lea dstreg,[base + index*scale + displacement]
• lea never dereferences memory (despite the [] syntax) • Typical lea use case: Compute pointer in an array
• More reasons to use lea:
• Runs in separate ALU and can be processed in parallel • lea can perform simple multiplications/additions
• lea does not affect CPU flags

Referencing Memory with lea (2/2) •lea example (ex18.asm)
; array of 5 elements, each 2B wide (stored in little-endian)
SECTION .data
arr1: dw 0x5501, 0x1102, 0x2203, 0x6604, 0x7705
SECTION .text
mov rdx, 3
; element offset (3 -> 4rd element)
(base + index*scale + displ.)
; —> r9b = 0x66
mov rax, arr1 + rdx*2 + 1
; compute pointer (invalid!)
; store array addr in register (base)
; compute pointer
lea rax, [arr1]
lea rax, [rax + rdx*2 + 1]
mov byte r9b, [rax]

Control Flow

Control Flow Operations
• Control flows are common in programs
• An easy example (C syntax): goto error;
• Assembly offers the jmp directive
jmp error ; set the program counter to the
; address of label `error`

Conditional Control Flow Operations
• Most control flow operations are however conditional
if (a == 42) {
• Allows to compile if, switch, loops, etc. into assembly

Control Flow: Comparisons
• Special operations for comparison
• Both test and cmp affect only the flags, not the operand register
•test: bit-wise AND of two values (“eax == 0”, “eax != 0”) Assembly
test eax, eax ; sets flags based on eax & eax
•cmp: subtract 2nd operand from 1st (“eax > x”, “eax != x”, …)
cmp eax, 0x1 ; sets flags based on eax – 0x1 • Resulting flags can be used to control program flow

Control Flow: Jumps
• Conditional jumps allow control flow
• Example:
j*
cmp s1, s2
Instruction
Jump Condition
Jump if Equal
Jump if Not Equal
Jump if Greater
(ZF=0) AND (SF=OF)
Jump if Greater or
Jump if Less
Jump if Less or Equal
(ZF=1) OR (SF≠OF)
Jump if (Not) Negative
SF=1 (or SF=0)
a<0 (a>=0)
Jump if Above
(CF=0) AND (ZF=0)
Jump if Above or Equal
Jump if Below
Jump if Below or Equal
(CF=1) OR (ZF=1)
More: JC / JO / JP / …
unsigned signed

Control Flow: Conditional Jump Example
uint32_t i = 1234;
if (i == 3333) {
} i = 200;
elseblock: mov

Control Flow: Switch Statements (ex13.asm) • Simple switch via sequential checks
uint32_t a = 1234;
mov eax, 1234;
; default case
; end of switch
switch (a) {
default: b=0;
c3: mov ebx, 3
case 1: b=1;
cmp eax, 2
cmp eax, 3
def: mov ebx, 0
case 3: b=3;
c1: mov ebx, 1
c2: mov ebx, 2
cmpeax,1 ;a==1?

Control Flow: Switch Statements (ex14.asm) •switch via jump tables
SECTION .data
jumptable: dq sw.c1, sw.c2, sw.c3
uint64_t a = 1;
switch (a) {
cmp rax, 2
jmp [jumptable + rax*8]
case 0: b = 1; break;
case 1: b = 2; break;
case 2: b = 3; break;
default: b = 0;
SECTION .text
mov rax, 1
.c1: mov rbx,1;case1 jmp fin
.def: mov rbx, 0 ; default case
.c2: mov rbx,2;case2 jmp fin
.c3: mov rbx,3;case3 jmp fin

Control Flow: Switch Statements
•switch via binary search
• Complexity O(log n) instead of O(n)
switch (i) {
i = 11; break;
i = 22; break;
i = 33; break;
i = 44; break;
i = 55; break;
i = 66; break;
case 2587:
case 99999:
case 119752:
case 2195871: i = 77; break;
case 87608711: i = 88; break;
i > 119752?
i == 99999?
i == 2195871?
i == 2587?
i == 119752? 99999 119752
i == 87608711? 2195871 87608711

Control Flow: Loops (ex15.asm) •while and for loops (head check)
• Check condition and execute as long as condition is met
uint64_t a;
uint64_t b = 0;
xor rax, rax
for (a = 0; a < 10; a++) { chk:xor rbx, rbx cmp rax, 10 add rbx, rax fin:jmp chk Control Flow: Loops •do...while loop (tail check) • Requires just a single jump • Hence, compilers may convert while(cond) loops into do ... while(cond) loops for optimization purposes eax, 0 ebx, 0 uint32_t a = 0; uint32_t b = 0; do {b += a; whilect: add } while (a < 42); cmp jb ... Control Flow: Loops • The loop instruction • First, loop decrements the implicit count register (rcx) • Then, if not zero after decrement, it jumps to address specified in operand mov rcx, 3 loop_content: ; do something loop loop_content ; end of loop Jump Types • Relative jump • Change execution flow to +/- offset from current instruction • Offset encoded in instruction • Short (-/+ 7 bits away), near (same segment), far (other segment; rare) Relative jump examples jmp setzero ; jump to label in code nop ; code that is skipped setzero: ... • Absolute jump • Absolute addressing (entire address, not only offset) • Indirect if jump target is stored in register or in memory Absolute jump examples jmp 0x08005071 ; direct jump to 0x08005071 ; indirect jump to address in eax ; indirect jump to address stored in ; memory location that eax points to jmp [0x0800102c] ; jump to address stored at 0x0800102c 程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com