Binary file handouts/ho03.pdf has changed
--- a/handouts/ho03.tex Mon Oct 05 12:47:56 2015 +0100
+++ b/handouts/ho03.tex Mon Oct 05 20:42:11 2015 +0100
@@ -49,10 +49,11 @@
\end{tikzpicture}
\end{center}
-\noindent This statistics indicates that in the last
-five years or so the number of buffer overflow attacks is
-around 10\% of all attacks (whereby the absolute numbers of
-attacks grow each year).
+\noindent This statistics shows that in the last seven years
+or so the number of buffer overflow attacks is around 10\% of
+all attacks (whereby the absolute numbers of attacks grow each
+year). So you can see buffer overflow attacks are very
+relevant today.
To understand how buffer overflow attacks work, we have to have
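Review bot: the rewritten sentence still opens with "This statistics shows", which is ungrammatical; make it either "This statistic shows" or "These statistics show" (with "the number ... is" unchanged, since the verb in line 12 refers to "the number"). The hunk also changes "five years" to "seven years" without touching the tikzpicture above it, so please check that the plotted data really covers seven years so the text and the figure agree.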
@@ -67,10 +68,10 @@
then better you get to know the details too.
For buffer overflow attacks to work, a number of innocent
-design decisions, which are really benign on their own, need
-to conspire against you. All these decisions were taken at a
-time when there was no Internet: C was introduced around 1973;
-the Internet TCP/IP protocol was standardised in 1982 by which
+design decisions, which are really benign on their own, have
+to come together. All these decisions were taken at a time
+when there was no Internet: C was introduced around 1973; the
+Internet TCP/IP protocol was standardised in 1982 by which
time there were maybe 500 servers connected (and all users
were well-behaved, mostly academics); Intel's first 8086 CPUs
arrived around 1977. So nobody of the ``forefathers'' can
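Review bot: in the trailing context line, "nobody of the ``forefathers''" should read "none of the ``forefathers''"; since this hunk already reworks the sentence leading up to it, it is cheap to fix at the same time.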
@@ -110,7 +111,7 @@
with the control flow of the program. Notice that the stack
grows from higher addresses to lower addresses (i.e.~from the
back to the front). That means that older items on the stack
-will be stored behind, or after, newer items. Let's look a bit
+are stored behind, or after, newer items. Let's look a bit
closer what happens with the stack when a program is running.
Consider the following simple C program.
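Review bot: the context line following the changed one is missing a preposition, "Let's look a bit closer what happens" should be "Let's look a bit closer at what happens"; as the hunk edits the line directly above it, fold that fix in here rather than in a separate commit.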
@@ -121,8 +122,8 @@
two (local) buffers, but does not do anything interesting with
them. The only purpose of this program is to illustrate what
happens behind the scenes with the stack. The interesting
-question is what will the stack be after Line 3 has been
-executed? The answer can be illustrated as follows:
+question is what will the stack look like after Line 3 has
+been executed? The answer can be illustrated as follows:
\begin{center}
\begin{tikzpicture}[scale=0.65]
@@ -188,10 +189,14 @@
How to do this will be explained later.}
\begin{center}\small
-\begin{tabular}[t]{@{}c@{\hspace{8mm}}c@{}}
+\begin{tabular}[t]{p{10cm}}
{\lstinputlisting[language={[x86masm]Assembler},
morekeywords={movl},xleftmargin=5mm]
- {../progs/example1a.s}} &
+ {../progs/example1a.s}}
+\end{tabular}
+\end{center}
+\begin{center}\small
+\begin{tabular}[t]{p{10cm}}
{\lstinputlisting[language={[x86masm]Assembler},
morekeywords={movl,movw},xleftmargin=5mm]
{../progs/example1b.s}}
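Review bot: replacing the two-column tabular with two separate `center` environments stacks the listings vertically with paragraph spacing between them instead of side by side; if that is the intent, the single-column `tabular}[t]{p{10cm}}` wrapper adds nothing over placing `\lstinputlisting` directly inside `center` (its `xleftmargin=5mm` and `\small` still apply), and dropping it removes the fixed 10cm width that may clash with the handout's text width.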
--- a/progs/README Mon Oct 05 12:47:56 2015 +0100
+++ b/progs/README Mon Oct 05 20:42:11 2015 +0100
@@ -4,8 +4,63 @@
The programs are under
- cu$> test/app-material/progs
+ cu$> app-material/progs
+
+
+Programs can be updated using
+
+ hg pull
+ hg update
+ hg revert --all
+
+Emacs can be used to edit files
+
+ emacs -nw ...file.... (is also an alias)
+
+
+C0.c
+====
+
+Add the bigger string and the long is printed out differently.
+
+C1.c
+====
+
+needs to be called using
+
+ ./C1 `args1-good`
+ ./C1 `args1-bad`
+
+or in gdb using
+ gdb --args ./C1 `args1-bad`
+
+
+C2.c
+====
+
+called with
+
+ ./args2-good | ./C2
+ ./args2-bad | ./C2
+
+C3.c
+====
+(shell injection)
+
+called with
+
+ ./C3
+
+opens a new shell
+
+
+C4.c
+====
+Format string attack
+
+ ./C4 "%s"
+ ./C4 `./args4`
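Review bot: the update recipe ends with `hg revert --all`, which discards every local modification in the working copy, so a reader who has edited any of the programs loses those edits silently; say so next to the command (or put the revert before the pull/update and explain it resets the tree). The `C0.c` entry ("Add the bigger string and the long is printed out differently") does not say which command to run or where the string goes, unlike the other entries, so add the invocation. For `C1` and `C4`, the backticked `args1-good`, `args1-bad` and `./args4` are command substitutions, so those helpers must exist as executables in `progs` and the commands must be run from that directory; a one-line remark to that effect would save confusion, as would a note that `./args2-good | ./C2` likewise expects `args2-good` and `args2-bad` to be executable.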
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/example1a.s Mon Oct 05 20:42:11 2015 +0100
@@ -0,0 +1,10 @@
+_main:
+ push %ebp
+ mov %esp,%ebp
+ sub %0xc,%esp
+ movl $0x3,0x8(%esp)
+ movl $0x2,0x4(%esp)
+ movl $0x1,(%esp)
+ call 0x8048394 <foo>
+ leave
+ ret
\ No newline at end of file
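Review bot: `sub %0xc,%esp` is not valid AT&T syntax; an immediate takes the `$` prefix (`sub $0xc,%esp`), `%` is reserved for registers, and the sibling file example1b.s already uses the correct `sub $0x10,%esp`. Because this file is pulled verbatim into the handout via `\lstinputlisting`, the typo would be printed in the notes. Also add a trailing newline, as the "No newline at end of file" marker shows.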
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/example1b.s Mon Oct 05 20:42:11 2015 +0100
@@ -0,0 +1,11 @@
+_foo:
+ push %ebp
+ mov %esp,%ebp
+ sub $0x10,%esp
+ movl $0x64636261,-0x6(%ebp)
+ movw $0x65,-0x2(%ebp)
+ movl $0x34333231,-0x10(%ebp)
+ movl $0x38373635,-0xc(%ebp)
+ movw $0x39,-0x8(%ebp)
+ leave
+ ret
\ No newline at end of file
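Review bot: the stores here cover `-0x10(%ebp)` to `-0x7(%ebp)` (ten bytes, `0x34333231`/`0x38373635`/`0x39`, i.e. "123456789" plus a terminating zero) and `-0x6(%ebp)` to `-0x1(%ebp)` (six bytes, "abcde" plus zero); please confirm these sizes and offsets match the two buffers declared in the C program the handout shows, otherwise the stack diagram and the listing will disagree. The file also lacks a trailing newline.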