CSCI 331: Introduction to Computer Security
Instructor: Dan Barowy
Lecture 12: Anatomy of a bug, part 3
Topics
Reading discussion (Miller, part 1)
Fuzz testing
Passing arguments in C
Your to-dos
1. Reading response (Blaze), due Tuesday 10/22.
2. Project part 2, due Sunday 10/27.
3. Midterm exam, October 31.
Next week
Tues: guest lecture on physical security.
David Boyer, Director of Campus Safety and Security
Thurs: class activity.
Black market rainbow tables
http://project-rainbowcrack.com/buy.htm
Paper discussion
[Poll chart: “Is fuzzing still effective?” with bars for yes and no, counted on a scale of 0 to 16.]
Steve Capps
afl-fuzz
SAGE: Whitebox Fuzzing for Security Testing
Research Challenges:
- How to recover from imprecision? PLDI’05, PLDI’11
- How to scale to billions of x86 instructions? NDSS’08
- How to check many properties together? EMSOFT’08
- How to leverage grammar specifications? PLDI’08
- How to deal with path explosion? POPL’07, TACAS’08
- How to reason precisely about pointers? ISSTA’09
- How to deal with floating-point instr.? ISSTA’10
- How to deal with input-dependent loops? ISSTA’11
- How to synthesize x86 circuits automatically? PLDI’12
- How to run 24/7/365 for months at a time? ICSE’2013
+ research on constraint solvers
Impact: since 2007
- 500+ machine years (in largest fuzzing lab in the world)
- 3.4 Billion+ constraints (largest SMT solver usage ever!)
- 100s of apps, 100s of bugs (missed by everything else…)
- Ex: 1/3 of all Win7 WEX security bugs found by SAGE
- Bug fixes shipped quietly (no MSRCs) to 1 Billion+ PCs
- Millions of dollars saved (for Microsoft and the world)
- SAGE is now used daily in Windows, Office, etc.
Ella Bounimova, Patrice Godefroid, David Molnar
void foo() {}

int main() {
    foo();
}

_init:
  …
   32  call main
  …
foo:
   64  push ebp
   68  mov ebp, esp
   72  nop
   76  pop ebp
   80  ret
main:
   84  push ebp
   88  mov ebp, esp
   92  call foo
   96  mov eax, 0
  100  pop ebp
  104  ret
Observations: What are the meanings of values?
Question: What do the preamble and epilogue do?
Class Activity
[Animated stack diagram, one frame per executed instruction, shown beside the listing above with the instruction that follows call main marked at address 36. The stack is drawn as 4-byte cells from address 1052 (the _init frame) down to 992, with pointers for esp, ebp, eax and eip; the “?” beside eip is filled in as the trace proceeds. Over the frames the cells fill with 36 (the return address pushed by call main), 1052, 96 (the return address pushed by call foo) and 1036, and eax becomes 0 after mov eax, 0.]
Everything is back to where it started except eip, which was advanced to 36.
Observations
• After a function is “torn down,” everything is back where it was before the call, except that eip is advanced.
• Notice that the saved eip is the next instruction to run. All instructions except ret advance eip.
• Values are left on the stack. Nobody cleans up!
• Automatic variables: only sort-of reclaimed.
• Sometimes gcc adds NOP instructions. In general, these are added to align branches to 16-byte boundaries.
int add(int a, int b) {
    return a + b;
}

int main() {
    return add(1, 2);
}

_init:
  …
   32  call main
  …
add:
   64  push ebp
   68  mov ebp, esp
   72  mov edx, DWORD PTR [ebp+8]
   76  mov eax, DWORD PTR [ebp+12]
   80  add eax, edx
   84  pop ebp
   88  ret
main:
   92  push ebp
   96  mov ebp, esp
  100  push 2
  104  push 1
  108  call add
  112  add esp, 8
  116  leave
  120  ret
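An added example, not from the lecture: a small C simulator that executes the add(1, 2) listing above one instruction at a time, so the frame layout can be checked against the slides. The addresses and 4-byte instruction width come from the listing; the starting esp = ebp = 1052 is taken from the class-activity diagram; the opcode names, the AT indexing macro and struct cpu are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Word-addressed stack machine that runs the lecture's add(1, 2) listing; the
 * addresses, 4-byte instructions and initial esp = ebp = 1052 follow the slides. */
enum op { HALT, PUSH_EBP, MOV_EBP_ESP, POP_EBP, RET, CALL, PUSH_IMM, LOAD_EDX,
          LOAD_EAX, ADD_EAX_EDX, ADD_ESP, LEAVE };
struct insn { enum op op; int32_t arg; };
#define AT(a) [((a) - 32) / 4]                      /* index the table by address */
static const struct insn program[(120 - 32) / 4 + 1] = {   /* gaps are HALT (0) */
    AT(32) = {CALL, 92},                                /* _init: call main        */
    AT(64) = {PUSH_EBP}, AT(68) = {MOV_EBP_ESP},        /* add: prologue           */
    AT(72) = {LOAD_EDX, 8}, AT(76) = {LOAD_EAX, 12},    /* edx = a, eax = b        */
    AT(80) = {ADD_EAX_EDX}, AT(84) = {POP_EBP}, AT(88) = {RET},
    AT(92) = {PUSH_EBP}, AT(96) = {MOV_EBP_ESP},        /* main: prologue          */
    AT(100) = {PUSH_IMM, 2}, AT(104) = {PUSH_IMM, 1},   /* args pushed right to left */
    AT(108) = {CALL, 64}, AT(112) = {ADD_ESP, 8},       /* caller discards the args */
    AT(116) = {LEAVE}, AT(120) = {RET},
};
struct cpu { uint32_t esp, ebp, eax, edx, eip; uint32_t mem[1056 / 4]; };
static void push(struct cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop(struct cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }
/* Runs from _init until control returns to address 36 (a HALT slot); returns eax. */
uint32_t run(struct cpu *c) {
    memset(c, 0, sizeof *c); c->esp = c->ebp = 1052; c->eip = 32;
    for (const struct insn *in; c->eip <= 120 && (in = &program[(c->eip - 32) / 4])->op != HALT; ) {
        uint32_t next = c->eip + 4;                     /* all but call/ret fall through */
        switch (in->op) {
        case PUSH_EBP:    push(c, c->ebp); break;
        case MOV_EBP_ESP: c->ebp = c->esp; break;
        case POP_EBP:     c->ebp = pop(c); break;
        case RET:         next = pop(c); break;         /* saved eip becomes eip   */
        case CALL:        push(c, next); next = in->arg; break;
        case PUSH_IMM:    push(c, in->arg); break;
        case LOAD_EDX:    c->edx = c->mem[(c->ebp + in->arg) / 4]; break;
        case LOAD_EAX:    c->eax = c->mem[(c->ebp + in->arg) / 4]; break;
        case ADD_EAX_EDX: c->eax += c->edx; break;
        case ADD_ESP:     c->esp += in->arg; break;
        case LEAVE:       c->esp = c->ebp; c->ebp = pop(c); break;
        default:          break;
        }
        c->eip = next;
    }
    return c->eax;
}
int main(void) {
    struct cpu c; uint32_t r = run(&c);
    printf("eax=%u esp=%u ebp=%u eip=%u stale args: %u %u\n", r, c.esp, c.ebp, c.eip, c.mem[1036 / 4], c.mem[1040 / 4]);
    return 0;
}
```

After run() returns, eax holds 3, esp and ebp are back at 1052 and eip is 36, while the pushed arguments 1 and 2 still sit at 1036 and 1040, which is the "nobody cleans up" observation in concrete form.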
Recap & Next Class
Today we learned:
• How passing arguments works
• How C functions work
Next class:
• Physical security