18-213 Recitation: Bomb Lab
Your TAs
January 30th, 2023

Agenda
- Logistics
- Bomb Lab Overview
- Introduction to GDB
- Appendix: GDB and Assembly Tips
- Activity walkthrough

What is Bomb Lab?
- An exercise in reading x86-64 assembly code
- A chance to practice using GDB (a debugger)
- Why?
  - x86 assembly is low-level machine code. Useful for understanding security exploits or tuning performance.
  - GDB can save you days of work in future labs (*cough* Malloc *cough*) and can be helpful long after you finish this class.

Downloading Your Bomb
Here are some highlights of the write-up:
- Bombs can only run on the shark machines. They fail if you run them locally or on another CMU server.
- Each bomb is unique; if you download a second bomb, bad things can happen. Stick to only one bomb.
- Bombs have six phases, which get progressively harder.
- Make sure to read the writeup for more tips and common mistakes you might make.

Detonating Your Bomb
- Blowing up your bomb automatically notifies Autolab.
  - Dr. Evil deducts 0.5 points each time the bomb explodes.
  - It's very easy to prevent explosions using breakpoints in GDB. More information on that soon.
- Inputting the correct string moves you to the next phase.
- Don't tamper with the bomb. Skipping or jumping between phases detonates the bomb. You have to solve the phases in the order they are given.
- Finishing a phase also notifies Autolab automatically.

Bomb Hints
- Dr. Evil may be evil, but he isn't cruel. You may assume that functions do what their name implies, i.e. phase_1 is most likely the first phase, printf is just printf.
- If there is an explode_bomb function, it would probably help to set a breakpoint there.
- Use the man pages for library functions. Although you can examine the assembly for snprintf, we assure you that it's easier to use the man pages (man snprintf) than to decipher assembly code for system calls.
- Most cryptic function calls you'll see (e.g. callq <exit@plt>) are also calls to C library functions. You can safely ignore the @plt, as that refers to dynamic linking.

x86-64 Linux Register Usage (1)
- %rax: Return value. Also caller-saved; can be modified by the procedure.
- %rdi ... %r9: Arguments. Also caller-saved; can be modified by the procedure.
- %r10, %r11: Caller-saved; can be modified by the procedure.
Summary:
    Return value             %rax
    Arguments                %rdi, %rsi, %rdx, %rcx, %r8, %r9
    Caller-saved temporaries %r10, %r11

x86-64 Linux Register Usage (2)
- %rbx, %r12, %r13, %r14: Callee-saved. Callee must save & restore.
- %rbp: Callee-saved. Callee must save & restore. May be used as a frame pointer; can mix & match.
- %rsp: Special form of callee save. Restored to its original value upon exit from the procedure.
Summary:
    Callee-saved temporaries %rbx, %r12, %r13, %r14, %rbp
    Special                  %rsp (stack pointer)

x86-64 Linux Register Usage (3): Most Important Registers
- %rax: return value
- %rsp: stack pointer
- %rdi: first argument
- %rsi: second argument

What to do?
- Don't understand what a big block of assembly does? GDB.
- Need to figure out what's in a specific memory address? GDB.
- Can't trace how 4-6 registers are changing over time? GDB.
- Have no idea how to start the assignment? Writeup.
- Need to know how to use certain GDB commands? Writeup. Also useful: http://csapp.cs.cmu.edu/3e/docs/gdbnotes-x86-64.pdf
- Don't know what an assembly instruction does? Lecture slides.
- Confused about control flow or stack discipline? Lecture slides.

Let's look at some assembly

Quick Assembly Info
- %rdi holds the first argument to a function call, %rsi holds the second argument, and %rax will hold the return value of the function call.
- Many functions start with push %rbx and end with pop %rbx. Long story short, this is because %rbx is callee-saved.
- The stack is often used to hold local variables. Addresses in the stack are usually in the 0x7fffffff... range.
- Know how %rax is related to %eax and %al.
- Most cryptic function calls you'll see (e.g. callq <exit@plt>) are calls to C library functions. If necessary, use the Unix man pages to figure out what the functions do.
- Use your textbook.

Quick Assembly Info
- objdump -d <name of executable> > <any file name>
  - Saves the assembly code of the executable into the file.
  - Feel free to annotate the assembly in your favorite text editor.

GDB
- GDB is a powerful debugger that lets you inspect your program as it's executing.
- You can open gdb by typing into the shell: $ gdb
- This is the notation we'll be using for the rest of the slides:
  - $ cd          (the command should be typed in the bash shell)
  - (gdb) break   (the command should be typed in GDB)

Helpful GDB Commands
- disassemble: displays assembly
    int squareInt(int x) { return x * x; }

    (gdb) disassemble squareInt
    Dump of assembler code for function squareInt:
       0x000000000040091d <+0>:  mov    %edi,%eax
       0x000000000040091f <+2>:  imul   %edi,%eax
       0x0000000000400922 <+5>:  retq
    End of assembler dump.
- disas / disa also work in gdb. Be careful with these shortcuts on bomblab.

Helpful GDB Commands
- Breakpoints: stop execution of the program when it reaches a certain point.
  - break <function name>: breaks once you call a specific function
  - break *0x...: breaks when you execute the instruction at a certain address
  - info b: displays information about all breakpoints currently set
  - disable <id>: disables the breakpoint with id equal to <id>

Helpful GDB Commands
- Navigating through assembly:
  - stepi: moves one instruction forward; will step into functions encountered
  - nexti: moves one instruction forward; skips over functions called
  - c: continues execution until the next breakpoint is hit

Form Pairs
- One student needs a laptop. SSH into a shark machine and type these commands:
    $ wget http://www.cs.cmu.edu/~213/activities/rec4.tar
    $ tar xvpf rec4.tar
    $ cd rec4
    $ make
    $ gdb act1

Source code for Activity 1 (Abridged)
    #include <stdio.h>

    int main(int argc, char **argv) {
        int ret = printf("%s\n", argv[argc - 1]);
        return ret; /* number of characters printed */
    }
Follow along on the handout.

Source code for Activity 2 (Abridged)
    #include <string.h>

    int stc(char *, char *); /* Defined in a separate assembly file */

    int main(int argc, char **argv) {
        int ret = stc("15213", argv[argc - 1]);
        argv[0] = 0; /* Forces gcc to generate a callq instead of jmp */
        return ret;
    }
Follow along on the handout.

Activity 3
- Activity 3 has a Bomb Lab feel to it. It will print out "good args" if you type the right numbers into the command line.
- Use GDB to find what numbers to use, and if you get stuck, look at the handout.
    $ cat act3.c    (display the source code of act3)
    $ gdb act3
- Q: Which register holds the return value from a function? Hint: use disassemble in main and look at what register is used right after the function call to compare.

Activity 4
- Use what you have learned to get act4 to print "Finish".
- The source code is available in act4.c if you get stuck.
- Also, you can ask the TAs for help understanding the assembly code.

Appendix
- GDB help
- Assembly help
- Text User Interface (TUI)
- Problem walkthroughs

Basic GDB tips
- Many commands have shortcuts
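The breakpoint workflow from the GDB slides (guard explode_bomb, break at a phase, then stepi/nexti while watching registers), written out as a GDB command file. This is an added example, not from the recitation or the course's bomb; it assumes the binary is called bomb, that it defines explode_bomb and phase_1, that phase_1 receives the input string as its first argument (%rdi), and that the file is saved as bomb.gdb.

```gdb
# Added example (not part of the recitation): a GDB command file that stops
# the bomb before it can explode and shows the state on entry to phase_1.
# Assumed names: binary 'bomb', functions 'explode_bomb' and 'phase_1'.
# Load it with:   $ gdb -x bomb.gdb bomb      (or inside gdb: source bomb.gdb)

set confirm off               # let 'kill' below run without a y/n prompt

# Guard: every path into explode_bomb stops here and the process is killed,
# so the explosion never happens and Autolab is never notified.
break explode_bomb
commands
  printf "*** explode_bomb reached: wrong input, killing the process ***\n"
  kill
end

# Inspect the first phase when it is entered; after this you can use
# stepi / nexti and the display below refreshes on every step.
break phase_1
commands
  display/i $pc               # show the next instruction to execute
  info registers rdi rsi rax  # first arg, second arg, return value
  x/s $rdi                    # assumed: phase_1's first argument is the input string
end

run                           # start the bomb; type the phase's input when prompted
```

Once stopped inside phase_1, `c` continues to the next breakpoint, so a wrong answer lands on the explode_bomb guard instead of costing points.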