Question for the multiple calls to System("/bin/bash"). When we enter the System() function, the first thing the function did was to push %ebp into the stack, thus overwriting the address we saved for the pop-eax gadget. So there should be a 4 bytes or 8 bytes, depending on 32 bits system or 64 bits system you are using, empty space we reserve for the function to place the old ebp inside so not to mess up the address we placed there.
"Backward" string storage would allow transferring string data with no danger of buffer overflow, if scaled index addressing was used. For example, in the line of code below, edi would point to the start of the destination buffer, and ebx would (initially) contain its length. As each byte was transferred, ebx would be decremented. If decremented below zero, ebx would wrap around to 4 billion, which, when added to the buffer's start address during the next byte transfer, would exceed the size of any normal-sized data segment. mov byte ptr [edi + ebx], al I don't know if backward string storage would be practical, but it seemed like an interesting alternative to arranging for buffer over- runs to generate GPFs in the usual, RAM-wasting way (placing a buffer near the end of a dedicated segment).
I am not familiar with x86 instruction, or the 'ebp, esp' here, it's frequently mentioned in video. For beginners probably we should study some material to warm-up for the Basics, which one?
For posterity: this is a graduate level course, meaning this is instruction intended for CS students who have already completed a bachelors or equivalent level of education. So the “basics” here is a bachelors degree in software or computer design and engineering.
@@dewdop Eh CS / EE I would say my degree is in electronics engineering technologies and I can still understand the course, but I also independently study system security and exploits and enjoy coding so there is that. Luckily for me 8086 asm isn't too far off of the stuff we used on the 89C420 chips 20 years ago so it has a small bump, but we were taught in ASM / C++ so all the memory leaks and such I'm now understanding them more and what I can do with that.
gets(buf) is a horrible functions , rather use fgets(). If your web applications allows system() function commands from the public, you are in trouble.
I've been working on memory safety for years and working on/with arm, so I can tell. Baggy bounds introduced compact shadow space, which is adopted to widely used current memory safety solutions such as Google's sanitizer series. More importantly, its "relative location" using memory alignment inspired up to current on-going security projects to 128 bit Cheri and Morello. It is a "must know" concept if you work on memory safety area.
baggy bounds ends at 20:42
thank you ; )
hero
I was looking for videos about Return-oriented programming and I saw James Mickens in the thumbnail and I was ecstatic.
Question for the multiple calls to System("/bin/bash"). When we enter the System() function, the first thing the function did was to push %ebp into the stack, thus overwriting the address we saved for the pop-eax gadget. So there should be a 4 bytes or 8 bytes, depending on 32 bits system or 64 bits system you are using, empty space we reserve for the function to place the old ebp inside so not to mess up the address we placed there.
It's just a different calling convention. I'm sure you figured it out by now.
"Backward" string storage would allow transferring string data with no danger of buffer overflow, if scaled index addressing was used.
For example, in the line of code below, edi would point to the start of the destination buffer, and ebx would (initially) contain its length.
As each byte was transferred, ebx would be decremented. If decremented below zero, ebx would wrap around to 4 billion, which,
when added to the buffer's start address during the next byte transfer, would exceed the size of any normal-sized data segment.
mov byte ptr [edi + ebx], al
I don't know if backward string storage would be practical, but it seemed like an interesting alternative to arranging for buffer over-
runs to generate GPFs in the usual, RAM-wasting way (placing a buffer near the end of a dedicated segment).
I didn't know Matt was teaching after finishing his Wii Sports career!
00:25 alright, let's get started
very good lecture
I am not familiar with x86 instruction, or the 'ebp, esp' here, it's frequently mentioned in video. For beginners probably we should study some material to warm-up for the Basics, which one?
For posterity: this is a graduate level course, meaning this is instruction intended for CS students who have already completed a bachelors or equivalent level of education. So the “basics” here is a bachelors degree in software or computer design and engineering.
@@dewdop Eh CS / EE I would say my degree is in electronics engineering technologies and I can still understand the course, but I also independently study system security and exploits and enjoy coding so there is that. Luckily for me 8086 asm isn't too far off of the stuff we used on the 89C420 chips 20 years ago so it has a small bump, but we were taught in ASM / C++ so all the memory leaks and such I'm now understanding them more and what I can do with that.
Very nice thank you
ROP at 31:45
good lecture :)
Awesome
thanks learnt a lot
Can we say that 1/16 of memory size is used (or reserved) for baggy bounds table in x86 systems ? (16 is the slot size of course)
Thanks
in malloc(44) we are telink to alocate 44bytes of memory but it will alocate 64bytes why ?
Because 2^ 5 = 32 and 2^ 6 = 64. and 44 is greater than 32, so it will allocate next higher size of memory.
@Borgilian wow, thanks for writing that.
@Borgilianso is it 48 bytes or 64 bytes in the end
He should teach our lecturer how to teach
MIT lecture but I saved $60,000
Is JavaScript still relevant? I think I just found my passion
Lol
Hope you’ve been working to ignite your passion.
gets(buf) is a horrible functions , rather use fgets(). If your web applications allows system() function commands from the public, you are in trouble.
Dexploit E-1
Jessy lee Peterson is a smart man.
thanks for turkish subtitle
What is the name of the paper that has the full attack mentioned in the second half of the lecture? Broth? Brawf?
Edit: Ohhh, BROP! 😁
Why would they spend so much time talking about baggy bounds if no one uses it in practice 🤔
I've been working on memory safety for years and working on/with arm, so I can tell. Baggy bounds introduced compact shadow space, which is adopted to widely used current memory safety solutions such as Google's sanitizer series. More importantly, its "relative location" using memory alignment inspired up to current on-going security projects to 128 bit Cheri and Morello. It is a "must know" concept if you work on memory safety area.
That "Aja!" is very annoying.