We Need to Talk About Computers…

Its been a little while since I’ve posted but that doesn’t mean I haven’t been working on the 100 days of hacking.  I have been hitting books and gaining background knowledge to gain a deeper understanding of computers.  Rather than simply copying code and hitting return the goal is to be able to come up with our own code.  With that in mind we need to talk about computers.

A Little Computer Structure.

Lets talk a little bit about the structure of a computer.  If you’ve never built your own computer and you need to upgrade/have the money I would definitely recommend it.  You will learn a lot about the components and how they interact with each other.  I’m going to assume you are already familiar with CPU’s, memory, registers, etc.

We need to take a look at the control structure of the computer software.  In particular we are interested in kernel space and user space.  Kernel space is where the OS is running and it runs in privileged mode, i.e. it can run any command.  User space is where the applications you run that aren’t considered part of the operating system.  The web browser you are using to read this is running in user space right now.  Because we don’t want user space programs interfering with the operation of our computer the privileges to run any command is limited for user space programs.

As a good hacker we should be thinking about the implications of that.  Our ultimate goal is to run any command that we wish on the target machine, so we want to either operate in kernel space, or we want to elevate privileges in user space.

One of the ways to elevate privileges in user space is via system calls.

System Calls

The operating system is what controls I/O such as printing to screen and opening/closing files.  When we run a simple program such as the helloworld.c program the program has to ask the OS to print something out to the screen.  This is accomplished in C by using libraries.  When we use include directives like
#include <stdio.h>

we are actually including prepackaged functions and system calls in our program.  The library will take care of all the details of actually getting printf() to print our string literal “Hello World!” to the standard output.

So a system call is a request by an active process for a service performed by the kernel.  If we want to see just how many system calls a program makes we can make use of the strace command in Linux.

Lets see how many times the helloworld.c program actually asks the kernel for services.

$ strace ./hello
execve("./hello", ["./hello"], [/* 45 vars */]) = 0
brk(0)                                  = 0x95e0000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77d9000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=100112, ...}) = 0
mmap2(NULL, 100112, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb77c0000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/i686/cmov/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1750780, ...}) = 0
mmap2(NULL, 1755772, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7613000
               0x1a7000) = 0xb77ba000
               = 0xb77bd000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7612000
set_thread_area({entry_number:-1, base_addr:0xb7612940, limit:1048575, seg_32bit:1, 
               contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) 
               = 0 (entry_number:6)
mprotect(0xb77ba000, 8192, PROT_READ)   = 0
mprotect(0xb77fd000, 4096, PROT_READ)   = 0
munmap(0xb77c0000, 100112)              = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77d8000
write(1, "Hello World!\n", 13Hello World!
)          = 13
exit_group(0)                           = ?
+++ exited with 0 +++

That’s actually a lot going on for such a simple program.  Though we can see the actual system call that outputs the “Hello World!” string shown in bold.  Note that this is all directly from HTAE.  I’m including it here to get us thinking about how the program executes.

Why Do We Care?

Now we know a little more about how our program executes.  What does that mean for us though?  Remember when I said that we want to elevate our privileges while running in user land?  We took a program, a simple one to be sure, and we ran it in user land with no special permissions.  That program made a lot of requests to the kernel and got the kernel to execute a I/O operation for it.  Sounds promising.


We are starting to get into the meat of what it actually means to be a hacker in my opinion.  My goal is to understand operating systems, architecture, and programs inside and out.  Once I understand all three of those things I can fully understand how to break those systems implementations and make them do whatever I want.  Not all the learning associated with becoming a hacker is going to be about how to break something.

With that in mind we need to start looking at the attack surfaces of our machines.  In this case we have a naive notion of an attack surface.  The system call.  Keep asking yourself how can this be exploited when you’re learning about a new component of a computer.

Next time we are going to keep following along in 0x500 Shellcode in HTAE.  We will convert our helloworld.c program into an assembly language version that makes the same system call directly.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s