Introduction to Information

SecuritySecurity :מרצים

Dr. Eran Tromer: tromer@cs.tau.ac.ilProf. Avishai Wool: yash@eng.tau.ac.il

:מתרגלים

Itamar Gilad (itamargi@post.tau.ac.il)Nir Krakowski (nirkrako@post.tau.ac.il)

Course guidlines• The course exercises aren’t easy!

o You will have to learn and do a lot.

o Google is your friend, but so are we!

• Best 75% of exercises will be used to calculate the average exercise grade.average exercise grade.

• Exercises are to be submitted the week after the recitation

• Ask questions!!

• Download exercises from website https://course.cs.tau.ac.il/infosec13/exercises

• Fill out the course questionnaire!

Instructors• We’ll be instructing the course together

• Reception hour:

o Schedule an appointment by email

• General note: Please keep in mind that the lectures and recitations will often not match. This is by design, not a mistake.

Recitation #1• Subjects:

oCourse IT Framework

o X86 Assembly

o Reverse Engineeringo Reverse Engineering

o IDA

oOther tools

IT Framework• VirtualBox VM file, with Ubuntu 12.04.2 LTS

o Username: ‘student’

o Password: ‘do or do not there is no try’

o Change the password with the command: passwd

• Wine: IDA, Hexworkshop

• Python• Python

• vi, gedit, ghex, hexedit

• To get more tools:o sudo apt-get install [toolname]

o sudo pip install [pythonmodulename]

o Google for more tools

• All exercises will be provided to work within the VM Framework.

• Most exercises will not work on a standard machine.

VM Demo

X86 assembly• Command elements:

o Instruction – a whole command

o Opcode – what you want to do

o Operand – what do you want to operate on (source) or with (dest)

Opcode types:• Opcode types:

o Data opcode examples: MOV, XOR, ADD, SUB, INC, SHL, SHR, TEST, CMP

o Unconditional control flow (branching) opcode examples: JMP, CALL, RET

o Flag based conditional control flow examples: JZ, JNE, JNZ, JBE, JG.

o Stack operations: POP, PUSH, PUSHA, POPA

X86 assembly• Operand types:

o Registers

oConstants

oMemory addressesoMemory addresses

o Pointers

o Flags

• Commands or Instructions are variable length:

o 1 to 8 bytes long.

Command structure• Command structure (no operand):

oOpcode

o Example: NOP

o Example: RETo Example: RET

• Command structure (single operand):

oOpcode operand

o Example: INT 0x3

o Example: JMP [memory address]

o Example: POP [register]

Command structure• Command structure (dual operand):

oOpcode dest-operand source-operand

o Example: MOV EAX, 0

o Example: SAR EBX, 2o Example: SAR EBX, 2

o Example: MOV ECX, [EBX]

• Cheat Sheet: https://www.ssucet.org/mod/resource/view.php?id=886

• Google: x86 assembly cheat sheet

Reverse Engineering• What does the following code do:

o LEA EDX, [address to “Hello, world!”]

oMOV ECX, 12

MYLOOP:MYLOOP:

o PUSH EDX

oCALL printf

oADD ESP, 4

o LOOP MYLOOP

Reverse Engineering• What is assembly reverse engineering:

o Compiling is like a one-way function.

o Information is lost, and we might loose access to:

• Variable and function names

• Comments

o What do we still have:o What do we still have:

• Import and export name (relations between modules)

• Structure of parameters to functions.

• Starting point

• Hard-coded strings

• Constants

• Our objectives:

o Find the most interesting piece of code in the least amount of time

o Understand what it does and how

o Find weaknesses and figure out how to exploit them

RE Process• Use leads:

o Strings, UI

o Dynamic debugging, breakpoints.

o Library and system functionso Library and system functions

• Interpret the assembled code by using intelligent guesses:

o Context-based

o Code is written by people using regular code conventions

o Code is written in an upper level language

IDA• The Interactive Dis-Assembler (IDA) is the most popular

reverse engineering toolo Version 5.0 is free-ware and that is what we’ll use.

• IDA does several things automatically:o Disassemble x86 binary code into human readable formato Identifies ELF headers (executable file formats)o Signature based recognition for library functions and compiler tricksoo Creates code graph by basic blockso Code and data xrefs (references to memory addresses, functions)

• Provides a good environment for research:o Adding comments (‘;’)o Renaming labels: code blocks, variables, function names, structures. (‘n’)o Change interpretation of binary data (code->data, data->code, data type

change, etc.)

• https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf

IDA Options

IDA Demo• [Helllo World]

IDA Demo• [stricmp]

This week’s exercise• VM setup

• First reverse engineering task

• It isn’t hard – but please start early and contact us if you have any trouble with the setup