A. Encodings of movq instructions
   movq S, D

   Source S   Destination D
              %rax      %rcx      %rdx      %rbx      %rsp      %rbp      %rsi      %rdi
   %rax       48 89 c0  48 89 c1  48 89 c2  48 89 c3  48 89 c4  48 89 c5  48 89 c6  48 89 c7
   %rcx       48 89 c8  48 89 c9  48 89 ca  48 89 cb  48 89 cc  48 89 cd  48 89 ce  48 89 cf
   %rdx       48 89 d0  48 89 d1  48 89 d2  48 89 d3  48 89 d4  48 89 d5  48 89 d6  48 89 d7
   %rbx       48 89 d8  48 89 d9  48 89 da  48 89 db  48 89 dc  48 89 dd  48 89 de  48 89 df
   %rsp       48 89 e0  48 89 e1  48 89 e2  48 89 e3  48 89 e4  48 89 e5  48 89 e6  48 89 e7
   %rbp       48 89 e8  48 89 e9  48 89 ea  48 89 eb  48 89 ec  48 89 ed  48 89 ee  48 89 ef
   %rsi       48 89 f0  48 89 f1  48 89 f2  48 89 f3  48 89 f4  48 89 f5  48 89 f6  48 89 f7
   %rdi       48 89 f8  48 89 f9  48 89 fa  48 89 fb  48 89 fc  48 89 fd  48 89 fe  48 89 ff

B. Encodings of popq instructions

   Operation  Register R
              %rax  %rcx  %rdx  %rbx  %rsp  %rbp  %rsi  %rdi
   popq R     58    59    5a    5b    5c    5d    5e    5f

C. Encodings of movl instructions
   movl S, D

   Source S   Destination D
              %eax   %ecx   %edx   %ebx   %esp   %ebp   %esi   %edi
   %eax       89 c0  89 c1  89 c2  89 c3  89 c4  89 c5  89 c6  89 c7
   %ecx       89 c8  89 c9  89 ca  89 cb  89 cc  89 cd  89 ce  89 cf
   %edx       89 d0  89 d1  89 d2  89 d3  89 d4  89 d5  89 d6  89 d7
   %ebx       89 d8  89 d9  89 da  89 db  89 dc  89 dd  89 de  89 df
   %esp       89 e0  89 e1  89 e2  89 e3  89 e4  89 e5  89 e6  89 e7
   %ebp       89 e8  89 e9  89 ea  89 eb  89 ec  89 ed  89 ee  89 ef
   %esi       89 f0  89 f1  89 f2  89 f3  89 f4  89 f5  89 f6  89 f7
   %edi       89 f8  89 f9  89 fa  89 fb  89 fc  89 fd  89 fe  89 ff

D. Encodings of 2-byte functional nop instructions

   Operation    Register R
                %al    %cl    %dl    %bl
   andb R, R    20 c0  20 c9  20 d2  20 db
   orb R, R     08 c0  08 c9  08 d2  08 db
   cmpb R, R    38 c0  38 c9  38 d2  38 db
   testb R, R   84 c0  84 c9  84 d2  84 db

Figure 3: Byte encodings of instructions. All values are shown in hexadecimal.
[Figure 2 diagram: the stack, with %rsp pointing at its top, holds the addresses of Gadget 1, Gadget 2, ..., Gadget n in turn; each gadget's code ends with the byte c3.]
Figure 2: Setting up sequence of gadgets for execution. Byte value 0xc3 encodes the ret instruction.
• Recall that a string is represented in C as a sequence of bytes followed by a byte with value 0. Type
"man ascii" on any Linux machine to see the byte representations of the characters you need.
• Your injected code should set register %rdi to the address of this string.
• When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
portions of memory that held the buffer used by getbuf. As a result, you will need to be careful
where you place the string representation of your cookie.
5 Part II: Return-Oriented Programming
Performing code-injection attacks on program RTARGET is much more difficult than it is for CTARGET,
because it uses two techniques to thwart such attacks:
• It uses randomization so that the stack positions differ from one run to another. This makes it
impossible to determine where your injected code will be located.
• It marks the section of memory holding the stack as nonexecutable, so even if you could set the
program counter to the start of your injected code, the program would fail with a segmentation fault.
Fortunately, clever people have devised strategies for getting useful things done in a program by executing
existing code, rather than injecting new code. The most general form of this is referred to as return-oriented
programming (ROP) [1, 2]. The strategy with ROP is to identify byte sequences within an existing program
that consist of one or more instructions followed by the instruction ret. Such a segment is referred to as a
gadget. Figure 2 illustrates how the stack can be set up to execute a sequence of n gadgets. In this figure, the
stack contains a sequence of gadget addresses. Each gadget consists of a series of instruction bytes, with the
final one being 0xc3, encoding the ret instruction. When the program executes a ret instruction starting
with this configuration, it will initiate a chain of gadget executions, with the ret instruction at the end of
each gadget causing the program to jump to the beginning of the next.
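An added example, not part of the lab handout: the 64-entry movq and movl tables in Figure 3 and the popq and nop tables all follow one rule, the x86-64 ModRM byte with mod=11 (register direct), reg=source, rm=destination, and the chain in Figure 2 hinges on the single byte c3. The Python below regenerates Figure 3 from that rule and decodes a byte string back to mnemonics up to its ret, refusing anything outside the tables rather than guessing; the function names and the constructed byte strings are my own.

```python
# Added example, not from the lab handout. Figure 3's tables are instances of the x86-64
# ModRM byte: 11 (register direct) | reg = source | rm = destination.
REGS64 = ["%rax", "%rcx", "%rdx", "%rbx", "%rsp", "%rbp", "%rsi", "%rdi"]
REGS32 = ["%eax", "%ecx", "%edx", "%ebx", "%esp", "%ebp", "%esi", "%edi"]
REGS8 = ["%al", "%cl", "%dl", "%bl"]
NOP_OPCODES = {0x20: "andb", 0x08: "orb", 0x38: "cmpb", 0x84: "testb"}  # Table D

def modrm(src, dst):
    return 0xC0 | (src << 3) | dst  # 11 | reg | rm

def encode_movq(src, dst):  # Table A: REX.W (48) + opcode 89 + ModRM
    return bytes([0x48, 0x89, modrm(REGS64.index(src), REGS64.index(dst))])

def encode_movl(src, dst):  # Table C: same as Table A without the REX.W prefix
    return bytes([0x89, modrm(REGS32.index(src), REGS32.index(dst))])

def encode_popq(reg):  # Table B: single byte 58 + register number
    return bytes([0x58 + REGS64.index(reg)])

def _regs(m):
    # Split a ModRM byte; only register-direct (mod=11) forms appear in Figure 3
    if m & 0xC0 != 0xC0:
        raise ValueError(f"ModRM 0x{m:02x} is not register-direct")
    return (m >> 3) & 7, m & 7

def decode(code):
    # Decode using only the Figure 3 encodings; the sequence must end in ret (c3)
    out, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0xC3:
            return out + ["ret"]
        if b == 0x48 and i + 2 < len(code) and code[i + 1] == 0x89:
            s, d = _regs(code[i + 2])
            out.append(f"movq {REGS64[s]}, {REGS64[d]}")
            i += 3
        elif b == 0x89 and i + 1 < len(code):
            s, d = _regs(code[i + 1])
            out.append(f"movl {REGS32[s]}, {REGS32[d]}")
            i += 2
        elif 0x58 <= b <= 0x5F:
            out.append(f"popq {REGS64[b - 0x58]}")
            i += 1
        elif b in NOP_OPCODES and i + 1 < len(code):
            s, d = _regs(code[i + 1])
            if s != d or s > 3:  # Table D lists only the R,R forms on %al..%bl
                raise ValueError(f"0x{b:02x} 0x{code[i + 1]:02x} is not a functional nop")
            out.append(f"{NOP_OPCODES[b]} {REGS8[s]}, {REGS8[s]}")
            i += 2
        else:
            raise ValueError(f"byte 0x{b:02x} at offset {i} is not in Figure 3")
    raise ValueError("sequence does not end in ret")
```

Regenerating a whole row, for instance `[encode_movq("%rbx", d).hex() for d in REGS64]`, reproduces Table A's %rbx line (d8 through df) and is a quick way to check a transcription of the figure.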