1.1 Architecture Foundamentals
Architecture Foundamentals
CPU, ISA, and Assembly
The CPU serves as the component responsible for executing a program's machine code.
CPU instructions are typically represented in hexadecimal (HEX) format. Due to its intricacy, using it in its natural form is impractical for humans.
Hence, the code is translated into a more readable form known as assembly language (ASM). Two widely used assemblers are NASM (Netwide Assembler) and MASM (Microsoft Macro Assembler). In this case, we will be using NASM.
Here is an example of machine language code accompanied by its corresponding assembly code:
Note: Every CPU possesses its own Instruction Set Architecture (ISA).
The ISA constitutes the set of instructions that a programmer or compiler must comprehend and utilize to accurately write a program tailored for that specific CPU and machine. In essence, ISA encompasses what a programmer can perceive: memory, registers, instructions, etc. It furnishes all the essential information for those interested in writing a program in that machine language.
One of the widely adopted ISAs is the x86 instruction set, or architecture, which originated from the Intel 8086. The term 'x86' denotes 32-bit processors, while 'x64' (also known as x86_64 or AMD64) signifies the 64-bit versions.
Registers
The bit count, whether 32 or 64, pertains to the width of the CPU registers.
Every CPU is equipped with a predefined set of registers that it accesses as needed. Registers can be visualized as temporary variables employed by the CPU to retrieve and store data.
Registers are broadly categorized into two types: specific-purpose CPU registers and general-purpose registers (GPRs).
The table below provides a summary of the eight general-purpose registers for the x86 architecture:"
eax
Accumulator
Used in arithmetic operation
ecx
Counter
Used in shift/rotate instruction and loops
edx
Data
Used in arithmetic operation and I/O
ebx
Base
Used as a pointer to data
esp
Stack Pointer
Pointer to the top of the stack
ebp
Base Pointer
Pointer to the base of the stack (aka Stack Base Pointer)
esi
Source Index
Used as a pointer to a source in stream operation
edi
Destination
Used as a pointer to a destination in stream operation
The naming convention of the old 8-bit CPU had 16-bit register divided into 2 parts:
In the 16-bit naming convention, the combination of the Low (L) and High (H) parts is replaced with an X. However, for Stack Pointer, Base Pointer, Source, and Destination registers, the Low part is simply removed.
In the 32-bit representation, the register acronym is prefixed with E, indicating extended. In the 64-bit representation, E is replaced with R.
Summary:
In addition to these general-purpose registers, another register crucial for our purposes is the EIP, following the x86 naming convention. The Instruction Pointer (EIP) plays a pivotal role in controlling program execution by storing a pointer to the address of the next instruction (machine code) that will be executed.
Process Memory
The process memory is segmented into four regions: Text, Data, Heap, and Stack.
Text (Code) Region: This fixed segment of the program contains instructions and is marked as read-only since the program should not alter during execution.
Data Region: It is further divided into initialized data, which includes static and globally declared variables that are predefined and modifiable, and uninitialized data (BSS) for variables initialized to zero or without explicit initialization (e.g.,
static int t
).Heap: Located after the BSS segment, the Heap dynamically allocates memory during execution. The program can request additional space in memory through system calls like
brk
andsbrk
, commonly used bymalloc
,realloc
, andfree
.Stack: Positioned as the last region in memory, the Stack is particularly significant for our purposes. It is crucial in managing program execution.
The Stack
The stack functions as a Last-In-First-Out (LIFO) block of memory situated in the higher part of memory. Conceptually, the stack can be envisioned as an array employed for preserving a function's return address, passing function arguments, and holding local variables.
The ESP register (Stack Pointer) serves the purpose of indicating the top of the stack. It undergoes modification each time a value is pushed onto (PUSH) or popped off (POP) the stack.
Crucially, the stack grows in a downward direction, toward lower memory addresses.
PUSH
When a PUSH instruction is executed, the ESP register undergoes modification.
Starting Value: Initially, the ESP points to the top of the stack.
Process: During the PUSH process, the ESP subtracts 4 (in 32-bit) or 8 (in 64-bit) and then writes the data to the memory address at the updated ESP. Subsequently, the ESP is updated to point to the new top of the stack. It's crucial to note that since the stack grows downward, subtracting 4 or 8 is necessary. Failure to do so would overwrite the current location pointed to by ESP (the top), resulting in data loss.
POP
When a PUSH instruction is executed, the ESP register undergoes modification.
Starting Value: Initially, the ESP points to the top of the stack, which is the previous ESP value plus 4.
Process: The POP operation, in contrast to PUSH, retrieves data from the top of the stack and stores it in a specified register. Consequently, the data at the address location in ESP (representing the top of the stack) is retrieved and stored, usually in another register.
After a POP operation, the ESP value is incremented, typically by 4 in x86 or by 8 in x64.
Importantly, it should be noted that values in the stack are not deleted or zeroed; they are only dereferenced.
Procedures and functions
Procedures and function alter the normal flow of the process. When a function or procedure terminates, it returns control to the statement or instruction that called the function.
Stack Frames
The stack consists of logical stack frames (portions/areas of the stack) that are PUSH ed when calling a function and POP ped when returning a value.
When a subroutine, such a a function or procedure, is started, a stack frame is created and assigned to the current ESP location (top of the stack); this allows the subroutine to operate independently in its own location in the stack.
When subroutine ends, 2 things happen:
The program receives the parameters passed from the subroutine
The Instruction Pointer (EIP) is reset to the location at the time of the initial call.
In other words, the stack frame keeps track of the location where each subroutine should return the control when it terminates.
This process has 3 main operations:
When a function is called, the arguments [(in brackets)] need to be evaluated
The control flow jumps to the body of the function, and the program executes its code
Once the function ends, a return statement is encountered, the program returns to the function call (the next statement in the code)
Example:
Simple Example
Memory Address
initial
main() calls a()
a() calls b()
return from b()
return from a()
Lower
Frame for b()
Frame for a()
Frame for a()
Frame for a()
Frame for main()
Frame for main()
Frame for main()
Frame for main()
Frame for main()
Higher
Parameterized function
Lower
old EBP
old EIP
old EIP
old EIP
argc
argc
argc
argc
argv
argv
argv
argv
...
...
...
...
...
Higher
Step 1: Upon program initiation, the function main() parameters (argc, argv) are pushed onto the stack, following a right-to-left order.
Step 2: The program proceeds to CALL the main() function. During this process, the processor PUSHes the content of the EIP (Instruction Pointer) onto the stack, indicating the address of the next instruction after the CALL. This is crucial for proper continuation upon returning from the called function.
Step 3: Control transitions from the caller (the instruction executing the function call, typically the operating system) to the callee (the called function, in this case, the main() function).
Step 4: Inside the main() function, a new stack frame must be established. This stack frame is defined by the EBP (Base Pointer) and the ESP (Stack Pointer). To preserve the information of the old stack frame and avoid its loss upon returning, the current EBP is saved on the stack. Without this step, there would be no reference to the information from the previous stack frame—the function that invoked main(). After storing its value, the EBP is updated and points to the top of the stack.
Prologue
The steps outlined in Example 2 are referred to as the prologue—a sequence of instructions that occurs at the commencement of a function and is common to all functions. Once the callee gains control, it executes the following instructions:
push ebp
: This instruction saves the old base pointer onto the stack.mov ebp, esp
: The value of the stack pointer (ESP) is copied to the base pointer (EBP). This action establishes a new stack frame on top of the existing stack. The base of the new stack frame is positioned above the old stack frame.sub esp, X
: The Stack Pointer (top of the stack) is moved by decreasing its value. This step is essential to allocate space for local variables that will be introduced.
The resultant stack configuration at the conclusion of this process is as follows:
FT
56
55
Old ebp (main)
M
old EIP
30
31
32
...
13 (y)
12 (z)
11 (x)
old EBP
OS
old EIP
argc
argv
...
FT : Functest stack M : Main stack OS : OS stack frame
Epilogue
When a code executes a return statement, control reverts to the previous procedure, leading to the destruction of the current stack. This process is known as the epilogue.
The operations performed during the epilogue are as follows:
Return control to the caller.
Replace the stack pointer with the current base pointer: This involves restoring the stack pointer's value to its state before the prologue. It is achieved by popping the base pointer from the stack.
Return to the caller by popping the instruction pointer from the stack: This pointer, stored in the stack, is popped, and the program counter jumps to its location.
The following code snippet represents the epilogue:
Alternatively, it can be expressed as:
When functest()
concludes, the mov esp, ebp
instruction copies the value of ebp
into esp
, effectively relocating esp
. The pop ebp
instruction pops the value from the top of the stack (pointed to by the new esp
) and stores it in ebp
. As the top of the stack points to the memory address where the old EBP
is stored (the EBP
of the caller), the caller's stack frame is restored.
The ret
instruction pops the value from the top of the stack, which represents the old EIP
(the next instruction after the caller). It then jumps to that location, relinquishing control back to the caller. The RET
instruction only affects the EIP
and ESP
registers.
Endianess
Endianness is the way of representing (storing) values in memory.
In Big-Endian representation, the least significant byte (LSB) is stored at the highest memory address, while the most significant byte is stored at the lower memory address.
Example: For the value 0x12345678
, it would be represented as follows in memory:
In this example, the byte 0x12
(the most significant byte) is stored at the lowest memory address (0x1000
), and the byte 0x78
(the least significant byte) is stored at the highest memory address (0x1003
).
Small-Endian: In small-endian representation, the least significant byte (LSB) is stored at the lower memory address, while the most significant byte is stored at the highest memory address.
Example:
Memory Address: 0028FEBC
Data: 12 34 56 78
In this example:
Byte at
0028FEBC
is0x12
(the least significant byte).Byte at
0028FEBC + 1
is0x34
.Byte at
0028FEBC + 2
is0x56
.Byte at
0028FEBC + 3
is0x78
(the most significant byte).
So, the value 0x12345678
is stored in memory in a small-endian representation. When reading from left to right, you'd see the byte sequence 12 34 56 78
.
NOP
NOP (No Operation) Instruction: NOP, which stands for "No Operation," is an assembly language instruction that essentially does nothing when executed. When a program encounters a NOP, it simply moves on to the next instruction in sequence. In Intel x86 CPUs, NOP instructions are represented with the hexadecimal value 0x90
.
NOP Sled: A NOP sled, short for "No Operation sled," is a technique commonly used during the exploitation process of buffer overflows. Its primary purpose is to fill a significant portion of the stack (or other areas of memory) with NOP instructions. The NOP sled allows for a degree of flexibility in reaching a specific target instruction.
In the context of buffer overflows, a common scenario involves overwriting a return address on the stack. By placing a NOP sled before the actual malicious payload, the program's execution can slide through the NOPs until reaching the intended payload. This compensates for variations in the exact memory location of the injected code, providing a more robust and reliable exploitation technique.
Security Implementations
ASLR (Address Space Layout Randomization)
The primary objective of ASLR is to introduce randomness to the memory address space for executables, libraries, and stacks. This randomization enhances security by making it challenging for attackers to predict memory addresses accurately, thereby causing exploits to fail and resulting in crashes.
When ASLR is enabled, the operating system loads the same executables at different locations in memory each time a program is executed. This variability adds a layer of complexity for potential attackers attempting to exploit security vulnerabilities.
It's crucial to recognize that ASLR might not be applied uniformly across all modules within a process. Even if ASLR is enabled for a specific process, certain Dynamic Link Libraries (DLLs) in the address space may lack this protection, potentially exposing the process to ASLR bypass attacks.
For verifying the ASLR status on different programs, tools such as Process Explorer can be utilized.
Enhanced Mitigation Experience Toolkit (EMET)
Windows provides an additional tool to address exploitation concerns known as the Enhanced Mitigation Experience Toolkit (EMET). EMET is designed to provide supplementary layers of security by applying various mitigation techniques to help safeguard against both known and unknown exploits. It adds an extra defense layer, especially for legacy software or systems facing potential vulnerabilities.
DEP (Data Execution Prevention):
DEP is a security measure implemented in both hardware and software to thwart the execution of code from memory pages not explicitly designated as executable. By preventing the execution of injected code from non-executable regions, DEP adds a layer of defense that significantly complicates buffer overflow exploitations.
Stack Cookies (Canary):
A stack cookie, also known as a canary, is a security mechanism that involves placing a specific value next to the return address on the stack.
During the function prologue, a value is loaded into this location, and in the epilogue, it ensures that the value remains unchanged. Consequently, when the epilogue runs, it verifies the presence and correctness of the value.
If the value is not as expected, it signals a potential buffer overflow. This is because buffer overflows typically involve overwriting data in the stack, including the canary value. The stack cookie thus acts as a sentinel, helping to detect and mitigate buffer overflow attacks.