Day 4: Take a Deeper Look.

Beneath the surface.

When we run a program on a computer there is a lot going on that we don’t see.  Consider the simple “Hello World!” program from K and R.  The code we enter into our editor and save is simple and easily understood with basic programming knowledge.

#include <stdio.h>

int main(void) {
    printf("Hello World!\n");

    return 0;
}

 

This is not the code that actually gets executed by the computer hardware. The program above is written so that humans can understand it. It is meaningless to the CPU.  That’s where the compiler comes in.  The compiler takes what we enter into the file and then turns it into something that a computer can execute.

Using gdb we can display the assembly language version of our program running.

  0x00000000004004e6 <+0>:	push   rbp
  0x00000000004004e7 <+1>:	mov    rbp,rsp
  0x00000000004004ea <+4>:	mov    edi,0x400584
  0x00000000004004ef <+9>:	call   0x4003c0 <puts@plt>
  0x00000000004004f4 <+14>:	mov    eax,0x0
  0x00000000004004f9 <+19>:	pop    rbp
  0x00000000004004fa <+20>:	ret  

This is intel assembly language. There is a one-to-one correspondence between machine language and assembly language commands. So this is essentially machine language in a readable form for humans.  Note that the left column and second to left column are memory addresses and lines after main is invoked.  If you want to see something interesting use the command

cat ./a.out

on the executable created by the compiler.
The takeaway here is that the actual executable portion of the program is a list of instructions that the CPU follows exactly to the letter.  This is what we need to focus on.  We are going to be finding ways to get instructions to the CPU to do what we want.

Instructions are sent to the CPU from memory.  The OS loads a program into memory for the CPU to execute.  The first section of memory we are going to look at is the stack.  The stack is where local function data is stored.  One of the most important things that the stack does is store the memory address of the next instruction after a function call ends.  If we can change the memory address to point to our own instructions we can take control of execution.

Protections.

Modern Linux distros have some security in place to try and mitigate the risk of doing just that.  Some will impact what we are doing some will not.

SELinux

One reason that I chose Debian is because of SELinux.  SELinux stands for Security Enhanced Linux.  It is a form of mandatory access control.  Which means it controls what processes or users are allowed to do to what objects.  Debian does not ship with SELinux turned on.  So we don’t have to disable it.  Fedora on the other hand has it enabled by default so if you’re using a distro that enables it you should find out how to turn it off.

ASLR

Address Space Layout Randomization is another protection that is enabled in Debian.  What it does is randomize the address space positions of key data areas of a process (running program).  The areas randomized include the base of the executable and the locations of the stack, heap, and libraries.  This is a problem for our exploits from Hacking The Art of Exploitation.  Fortunately it is easily disabled by executing the following shell command:

$sudo echo 0 > /proc/sys/kernel/randomize_va_space

My machine resets the value to 2 every time I restart it so I have to do this every time.  The available values are 0, 1, and 2.  Different machines set it to different things so check your distro to know which one is default.

Canaries

Canaries are introduced from gcc and compiled into our program.  A canary is a buffer protection that introduces some data to check that our program isn’t writing into places it shouldn’t.  If a data check fails then a flag is thrown.  In our case we simply compile our program to not include canaries using:

-fno-stack-protector

as a flag when we compile our programs.

Conclusion.

This was a very brief introduction to what goes on underneath an executing program.  I focused on some ideas to get us started thinking about how an exploit can happen.  The protections listed are also the protections that are important for what we will be doing shortly.  It is not a complete list or even a good discussion of them.  I am keeping my posts short to begin with because of the frequency of posting.  As topics get more complicated I will move towards posting every other day or so to provide more quality discussion.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s