Basic Concepts

In order to understand the content of this book, you need a well-developed understanding of computer languages, operating systems, and architectures. If you do not understand how something works, it is difficult to detect that it is malfunctioning. This holds true for computers as well as for discovering and exploiting security holes.

Before you begin to understand the concepts, you must be able to speak the language. You will need to know a few definitions, or terms, that are part of the vernacular of security researchers so that you can better apply the concepts in this book.

Vulnerability (n.): A flaw in a system's security that can lead to an attacker utilizing the system in a manner other than that which the designer intended. This can include impacting the availability of the system, elevating access privileges to an unintended level, complete control of the system by an unauthorized party, and many other possibilities. Also known as a security hole or security bug .

Exploit (v.): To take advantage of a vulnerability so that the target system reacts in a manner other than that which the designer intended.

Exploit (n.): The tool, set of instructions, or code that is used to take advantage of a vulnerability. Also known as a Proof of Concept (POC).

0day (n.): An exploit for a vulnerability that has not been publicly disclosed. Sometimes used to refer to the vulnerability itself.

Fuzzer (n.): A tool or application that attempts all, or a wide range of, unexpected input values to a system. The purpose of a fuzzer is to determine whether a bug exists in the system, which could later be exploited without having to fully know the target system's internal functioning.

Memory Management

To use this book, you will need a knowledge of modern memory management, specifically for the Intel Architecture, 32 Bit (IA32). Linux on IA32 will be covered exclusively in the first section of this book and used in the introductory chapters. You will need to understand how memory is managed, because most security holes described in this book come from overwriting or overflowing one portion of memory into another.

When a program is executed, it is laid out in an organized manner ”various elements of the program are mapped into memory. First, the operating system creates address space in which the program will run. This address space will include the actual program instructions as well as any required data.

start sidebar
Instructions and Data

A modern computer makes no real distinction between instructions and data. If a processor can be fed instructions when it should be seeing data, it will happily go about executing the passed instructions. This characteristic makes system exploitation possible. In this book, we will teach you how to insert instructions when the system designer expected data. We will also use the concept of overflowing to overwrite the designer's instructions with our own. The goal is to gain control of execution.

end sidebar
 

Next , information is loaded from the program's excutable to the newly created address space. There are three types of segments: .text , .bss , and .data . The .text segment is mapped as read-only, while .data and .bss are writable. The .bss and .data segments are reserved for global variables . The .data segment contains static initialized data, while the .bss segment contains uninitialized data. The final segment, .text , holds the program instructions.

Finally, the stack and the heap are initialized. The stack is a data structure, more specifically a Last In First Out (LIFO) data structure, which means that the most recent data placed, or pushed , onto the stack is the next item to be removed, or popped, from the stack. A LIFO data structure is ideal for storing transitory information, or information that does not need to be stored for a lengthy period of time. The stack stores local variables, functional calls, and other information used to clean up the stack after a function or proceedure is called.

Another important feature of the stack is that it grows down the address space: as more data is added to the stack, it is added at increasingly lower address values.

The heap is another data structure used to hold program information, more specifically, dynamic variables. The heap is a First In First Out (FIFO) data structure. Data is placed and removed from the heap as it builds. The heap grows up the address space: As data is added to the heap, it is added at an increasingly higher address value, as shown in Figure 1.1.


Figure 1.1: Memory space diagram

Memory management presented in this section must be understood on a much deeper, more detailed level to fully comprehend, and more importantly, apply what is contained in this book. Check the first half of Chapter 13 for places to learn more about memory management. You can also pay a visit to http://linux-mm.org/ for more detailed information on memory management on Linux. Understanding memory management concepts will help you better comprehend the programming language you will use to manipulate them ”assembly.

Assembly

Knowledge of assembly language specific to IA32 is required in order to understand much of this book. Much of the bug discovery process involves interpreting and understanding assembly, and much of this book focuses on assembly with the 32-bit Intel processor. Exploiting security holes will require a firm grasp of assembly language, as most exploits will require you to write (or modify existing) code in assembly.

Because systems other than IA32 are important, but somewhat more difficult to exploit, this book also covers bug discovery and exploitation on other processor families. If you are planning to pursue security research on other platforms, it is important for you to have a strong understanding of assembly specific to your chosen architecture.

If you are not well versed in or have no experience with assembly, you will first need to learn number systems (you should already know base 10), data sizes, and number sign representations. These computer-engineering concepts can be found in most college-level computer architecture books.

Registers

Understanding how the registers work on an IA32 processor and how they are manipulated via assembly is essential for vulnerability development and exploitation. Registers can be accessed, read, and changed with assembly.

Registers are memory, usually connected directly to circuitry for performance reasons. They are responsible for manipulations that allow modern computers to function, and can be manipulated with assembly instructions. From a high level, registers can be grouped into four categories:

  • General purpose

  • Segment

  • Control

  • Other

General purpose registers are used to perform a range of common mathematical operations. They include registers such as EAX , EBX , and ECX for the IA32, and can be used to store data and addresses, offset addresses, perform counting functions, and many other things.

A general purpose register to take note of is the extended stack pointer register ( ESP ) or simply the stack pointer . ESP points to the memory address where the next stack operation will take place. In order to understand stack overflows in the next chapter, you should thoroughly understand how ESP is used with common assembly instructions and the effect it has on data stored on the stack.

The next class of register of interest is the segment register. Unlike the other registers on an IA32 processor, the segment registers are 16 bit (other registers are 32 bits in size ). Segment registers, such as CS , DS , and SS are used to keep track of segments and to allow backward compatibility with 16-bit applications.

Control registers are used to control the function of the processor. The most important of these registers for the IA32 is the Extended Instruction Pointer ( EIP ) or simply the Instruction Pointer . EIP contains the address of the next machine instruction to be executed. Naturally, if you want to control the execution path of a program, which is incidentally what this book is all about, it is important to have the ability to access and change the value stored in the EIP register.

The registers in the other category are simply extraneous registers that do not fit neatly into the first three categories. One of these registers is the Extended Flags ( EFLAGS ) register, which comprises many single-bit registers that are used to store the results of various tests performed by the processor.

Once you have a solid understanding of the registers, you can move onto assembly programming itself.



The Shellcoder's Handbook. Discovering and Exploiting Security
Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: N/A
EAN: 2147483647
Year: 2003
Pages: 198
Authors: Neal Krawetz

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net