A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
A short introduction on how functions work. Functions are the building blocks of any modern programming language. This tutorial shows you how functions are implemented and how the process stack plays an important role in supporting functions.
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern operating systems.
A short introduction on how functions work. Functions are the building blocks of any modern programming language. This tutorial shows you how functions are implemented and how the process stack plays an important role in supporting functions.
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern operating systems.
This PPT discusses the concept of Dynamic Linker as in Linux and its porting to Solaris ARM platform. It starts from the very basics of linking process
Agenda:
In this session, Shmulik Ladkani discusses the kernel's net_device abstraction, its interfaces, and how net-devices interact with the network stack. The talk covers many of the software network devices that exist in the Linux kernel, the functionalities they provide and some interesting use cases.
Speaker:
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Shuah Khan, Linux kernel power management developer and Senior Linux Engineer from the Samsung OSG discusses how to use the DMA Debug API in Linux to find data corruptions and memory leaks.
The presentation given at MSBTE sponsored content updating program on 'PC Maintenance and Troubleshooting' for Diploma Engineering teachers of Maharashtra. Venue: Government Polytechnic, Nashik Date: 17/01/2011 Session-2: Computer Organization and Architecture.
* What are Embedded Systems?
* C for Embedded Systems vs. Embedded C.
* Code Compilation process.
* Error types.
* Code Compilation using command line.
Linux Kernel Booting Process (2) - For NLKBshimosawa
Describes the bootstrapping part in Linux, and related architectural mechanisms and technologies.
This is the part two of the slides, and the succeeding slides may contain the errata for this slide.
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
Bpftrace is a relatively new eBPF-based open source tracer for modern Linux versions (kernels 5.x.y) that is useful for analyzing production performance problems and troubleshooting software. Basic usage of the tool, as well as bpftrace one liners and advanced scripts useful for MariaDB DBAs are presented. Problems of MariaDB Server dynamic tracing with bpftrace and some possible solutions and alternative tracing tools are discussed.
Often called as the Swiss Army Knife of Embedded Linux, BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It is written with size-optimization
and limited resources in mind. Here is a presentation that details about BusyBox.
Getting started with setting up embedded platform requires audience to understand some of the key aspects of Linux. Starting with basics of Linux this presentation talks about basic commands, vi editor, shell scripting and advanced commands
This PPT discusses the concept of Dynamic Linker as in Linux and its porting to Solaris ARM platform. It starts from the very basics of linking process
Agenda:
In this session, Shmulik Ladkani discusses the kernel's net_device abstraction, its interfaces, and how net-devices interact with the network stack. The talk covers many of the software network devices that exist in the Linux kernel, the functionalities they provide and some interesting use cases.
Speaker:
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Shuah Khan, Linux kernel power management developer and Senior Linux Engineer from the Samsung OSG discusses how to use the DMA Debug API in Linux to find data corruptions and memory leaks.
The presentation given at MSBTE sponsored content updating program on 'PC Maintenance and Troubleshooting' for Diploma Engineering teachers of Maharashtra. Venue: Government Polytechnic, Nashik Date: 17/01/2011 Session-2: Computer Organization and Architecture.
* What are Embedded Systems?
* C for Embedded Systems vs. Embedded C.
* Code Compilation process.
* Error types.
* Code Compilation using command line.
Linux Kernel Booting Process (2) - For NLKBshimosawa
Describes the bootstrapping part in Linux, and related architectural mechanisms and technologies.
This is the part two of the slides, and the succeeding slides may contain the errata for this slide.
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
Bpftrace is a relatively new eBPF-based open source tracer for modern Linux versions (kernels 5.x.y) that is useful for analyzing production performance problems and troubleshooting software. Basic usage of the tool, as well as bpftrace one liners and advanced scripts useful for MariaDB DBAs are presented. Problems of MariaDB Server dynamic tracing with bpftrace and some possible solutions and alternative tracing tools are discussed.
Often called as the Swiss Army Knife of Embedded Linux, BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It is written with size-optimization
and limited resources in mind. Here is a presentation that details about BusyBox.
Getting started with setting up embedded platform requires audience to understand some of the key aspects of Linux. Starting with basics of Linux this presentation talks about basic commands, vi editor, shell scripting and advanced commands
What really happens when your Java program runs? After the transformation from Java source through bytecode and machine code to microcode, and the various optimizations that take place along the way, the instructions that are actually executed may be very different from what you imagined when you wrote the program. This session shows what a simple program actually looks like when it really hits the hardware.
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...Faisal Akber
Presented at PGCon 2014 in Ottawa.
Program crashes are a fact of life and occasionally unavoidable. If there are core dumps that get generated then understanding what happened becomes easier.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
Secrets of building a debuggable runtime: Learn how language implementors sol...Dev_Events
Bjørn Vårdal, J9VM Software Developer, IBM, @bvaardal
New language runtimes appear all the time, but most of them die young. Failure can be attributed to
different reasons, but an important factor is that lack of support can limit the community’s and
industry’s willingness to adopt the new language.
Quicker development and improved serviceability allows emerging languages to overcome this obstacle.
By building on the proven technology available in Eclipse OMR, language developers can get more than
performance and stability; you also get tools that help you quickly debug your language runtime,
allowing you to provide competitive serviceability.
From this presentation, you will learn how to enable Eclipse OMR’s mature debugging features in your
language runtime, and also how Eclipse OMR can assist with development and debugging
Presentation about bytecode and what is going on at the JVM at AndroidMakers conference Paris. Fine-tuned information from my presentation at 360|AnDev Denver.
For over two decades, working as an cybersecurity entrepreneur, researcher and instructor, I have heard over and over again that attacks and defense are two sides of the same coin. But what does it really mean in application? What happens when sophisticated attacks collide with sophisticated defenses? Who wins?
This is talk is aimed at a wide audience in cybersecurity – from the strategists to the practitioners. We will discuss Evolution, Attacks, Defense and PEBKAC. What factors shall affect the posture of trustworthiness and safety in the digital world in the next two years to come depend largely on the road we have followed over the past two decades. This talk looks above and beyond, albeit optimistically, about realigning some of the conventional approaches, slowly but strategically shifting mindsets of stakeholders and consumers alike, to bring about a more proactive approach to security.
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
The EMUX IoT Firmware Emulation Framework currently provides near native userland emulation for ARM and MIPS IoT devices. EMUX is actively used Saumil's popular ARM IoT Exploit Laboratory training for over 5 years.
The Debugging with EMUX workshop shall be in two parts:
Part 1 (30 minutes) - Setting up EMUX in 7 minutes - A tour of EMUX internals - EMUX utilities - Tracing userland processes within EMUX
Part 2 (90 minutes) - Debugging an ARM IoT target in EMUX - Debugging a MIPS IoT Target in EMUX - Crash dump analysis
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
After 4 years, ARMX is changing its call sign. EMUX now features both ARM and MIPS device emulation, in a unified framework! Join us as we unveil EMUX and take you into the inner workings of emulating both ARM and MIPS IoT devices. We will be releasing a new Docker image featuring a MIPS CTF challenge to test your MIPS exploit development skills.
Slides from my workshop at Ringzer0's December 2021 Workshop Advent Calendar.
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
A webinar on what it takes to conduct an effective webinar! Understand how to prepare your story for an invisible audience, keep them engaged and anticipate "in-flight turbulence". Enjoy!
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The Road To Defendable Systems - Emirates NBDSaumil Shah
"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape.
This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
My talk on creating ARM/Thumb Polyglot shellcode for obfuscation, signature evasion and downright novelty of approach! Presented at Hack in the Box Amsterdam 2019
Slides from my lectures on Photography As An Art Form. Follow me on facebook at https://www.facebook.com/my.spectral.lines and on Instagram at @therealsaumil.
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
3. # who am i Saumil Shah CEO Net-square. Hacker, Speaker, Trainer, Author. M.S. Computer Science Purdue University. Google: "saumil" LinkedIn: saumilshah
7. What is a debugger? A program used for debugging other programs or process. It provides...
8. What is a debugger? A program used for debugging other programs or process. It provides... Fine grained control over process execution Inspection of CPU state Inspection of process memory
16. What does crash1.c do? crash1 takes the first command line argument and converts it to an integer
17. What does crash1.c do? crash1 takes the first command line argument and converts it to an integer It then assigns a pointer to this integer... ...and passes it to a function - printnum()
18. What does crash1.c do? crash1 takes the first command line argument and converts it to an integer It then assigns a pointer to this integer... ...and passes it to a function - printnum() There are TWO bugs in this program Can you spot them?
25. Compile crash1.c and load it using gdb $ gcc crash1.c -o crash1 $ gdb crash1 GNU gdb (GDB) 7.2 Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/user0/crash1...done. (gdb)
28. Now run it... ...with no command line arguments. (gdb) run Starting program: /home/user0/crash1 Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6
29. Now run it... ...with no command line arguments. (gdb) run Starting program: /home/user0/crash1 Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 The program crashes.
30. Now run it... ...with no command line arguments. (gdb) run Starting program: /home/user0/crash1 Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 The program crashes. Where in the code did it crash?
31. Now run it... ...with no command line arguments. (gdb) run Starting program: /home/user0/crash1 Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 The program crashes. Where in the code did it crash? Let us find out where exactly it has crashed.
33. Use gdb command "backtrace" It tries to reconstruct frames on the stack. We can find out the sequence of function calls at the time of the crash.
34. Use gdb command "backtrace" It tries to reconstruct frames on the stack. We can find out the sequence of function calls at the time of the crash. (gdb) backtrace #0 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 #1 0x40042579 in atoi () from /lib/i686/libc.so.6 #2 0x0804838c in main ()
35. Use gdb command "backtrace" It tries to reconstruct frames on the stack. We can find out the sequence of function calls at the time of the crash. (gdb) backtrace #0 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 #1 0x40042579 in atoi () from /lib/i686/libc.so.6 #2 0x0804838c in main () Looks like it crashed after calling atoi().
36. Use gdb command "backtrace" It tries to reconstruct frames on the stack. We can find out the sequence of function calls at the time of the crash. (gdb) backtrace #0 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 #1 0x40042579 in atoi () from /lib/i686/libc.so.6 #2 0x0804838c in main () Looks like it crashed after calling atoi(). That's right. Let us check out the instructions in the code where it has crashed. EIP points to the last instruction executed.
38. "x" to examine memory (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] 0x40044c31: mov eax,DWORD PTR [esi] 0x40044c33: movsx edx,cl 0x40044c36: movzx eax,WORD PTR [eax+edx*2] 0x40044c3a: and eax,0x2000 0x40044c3f: test ax,ax
39. "x" to examine memory (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] 0x40044c31: mov eax,DWORD PTR [esi] 0x40044c33: movsx edx,cl 0x40044c36: movzx eax,WORD PTR [eax+edx*2] 0x40044c3a: and eax,0x2000 0x40044c3f: test ax,ax So what is x/10i ?
40. "x" to examine memory (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] 0x40044c31: mov eax,DWORD PTR [esi] 0x40044c33: movsx edx,cl 0x40044c36: movzx eax,WORD PTR [eax+edx*2] 0x40044c3a: and eax,0x2000 0x40044c3f: test ax,ax So what is x/10i ? "x" displays memory contents in various formats. "i" is for instructions (disassembly). 10 is the count of instructions to disassemble. Here are some more options for "x"
43. Where did the fault occur? Let us see the faulting instruction again.
44. Where did the fault occur? Let us see the faulting instruction again. (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi]
45. Where did the fault occur? Let us see the faulting instruction again. (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] movzx ecx, byte ptr [edi] takes the byte at memory address stored within EDI and copies it into the ECX register.
46. Where did the fault occur? Let us see the faulting instruction again. (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] movzx ecx, byte ptr [edi] takes the byte at memory address stored within EDI and copies it into the ECX register. I see no apparent error here.
47. Where did the fault occur? Let us see the faulting instruction again. (gdb) x/10i $eip => 0x40044c2e: movzx ecx,BYTE PTR [edi] movzx ecx, byte ptr [edi] takes the byte at memory address stored within EDI and copies it into the ECX register. I see no apparent error here. It depends on where EDI points to. Let us inspect the registers.
49. Use the "info registers" command. (gdb) info registers eax 0x40136660 0x40136660 ecx 0x0 0x0 edx 0x0 0x0 ebx 0x40148f50 0x40148f50 esp 0xbffff8d0 0xbffff8d0 ebp 0xbffff928 0xbffff928 esi 0x4014b8b8 0x4014b8b8 edi 0x0 0x0 eip 0x40044c2e 0x40044c2e <__strtol_internal+142> eflags 0x10206 [ PF IF RF ]
50. Use the "info registers" command. (gdb) info registers eax 0x40136660 0x40136660 ecx 0x0 0x0 edx 0x0 0x0 ebx 0x40148f50 0x40148f50 esp 0xbffff8d0 0xbffff8d0 ebp 0xbffff928 0xbffff928 esi 0x4014b8b8 0x4014b8b8 edi 0x0 0x0 eip 0x40044c2e 0x40044c2e <__strtol_internal+142> eflags 0x10206 [ PF IF RF ] I see that EDI is 0.
51. Use the "info registers" command. (gdb) info registers eax 0x40136660 0x40136660 ecx 0x0 0x0 edx 0x0 0x0 ebx 0x40148f50 0x40148f50 esp 0xbffff8d0 0xbffff8d0 ebp 0xbffff928 0xbffff928 esi 0x4014b8b8 0x4014b8b8 edi 0x0 0x0 eip 0x40044c2e 0x40044c2e <__strtol_internal+142> eflags 0x10206 [ PF IF RF ] I see that EDI is 0. EDI is a NULL pointer. It points to non-existent memory. Hence the crash.
52. Let us try and inspect local variables and arguments, if any.
53. Let us try and inspect local variables and arguments, if any. Use the "info locals" and "info args" commands.
54. Let us try and inspect local variables and arguments, if any. Use the "info locals" and "info args" commands. (gdb) info locals No symbol table info available. (gdb) info args No symbol table info available.
55. Let us try and inspect local variables and arguments, if any. Use the "info locals" and "info args" commands. (gdb) info locals No symbol table info available. (gdb) info args No symbol table info available. What does this mean?
56. Let us try and inspect local variables and arguments, if any. Use the "info locals" and "info args" commands. (gdb) info locals No symbol table info available. (gdb) info args No symbol table info available. What does this mean? The compiled binary does not contain debugging information to resolve symbols.
57. Let us try and inspect local variables and arguments, if any. Use the "info locals" and "info args" commands. (gdb) info locals No symbol table info available. (gdb) info args No symbol table info available. What does this mean? The compiled binary does not contain debugging information to resolve symbols. We need to compile the binary again, this time with proper debugging information.
59. Quit the debugger (gdb) q Recompile with debugging information enabled. $ gcc -g crash1.c -o crash1
60. Quit the debugger (gdb) q Recompile with debugging information enabled. $ gcc -g crash1.c -o crash1 The "-g" flag tells the compiler to include symbolic debugging information in the compiled binary.
62. Load crash1 in gdb again $ gdb crash1 GNU gdb (GDB) 7.2 Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/user0/crash1...done. (gdb)
63. Load crash1 in gdb again $ gdb crash1 GNU gdb (GDB) 7.2 Copyright (C) 2010 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /home/user0/crash1...done. (gdb) Let us look at the program listing, which is now available from the debugging information.
65. Use gdb's "list" command (gdb) list 1 #include <stdio.h> 2 3 void printnum(int *x); 4 5 int main(int argc, char *argv[]) 6 { 7 int number; 8 int *pointer; 9 10 number = atoi(argv[1]);
66. Use gdb's "list" command (gdb) list 1 #include <stdio.h> 2 3 void printnum(int *x); 4 5 int main(int argc, char *argv[]) 6 { 7 int number; 8 int *pointer; 9 10 number = atoi(argv[1]); But there are more than 10 lines in this program.
67. Use gdb's "list" command (gdb) list 1 #include <stdio.h> 2 3 void printnum(int *x); 4 5 int main(int argc, char *argv[]) 6 { 7 int number; 8 int *pointer; 9 10 number = atoi(argv[1]); But there are more than 10 lines in this program. Press Enter on a blank gdb prompt to get another screenful of program listing.
68. Recap We know that the program crashed when executing atoi(argv[1]).
69. Recap We know that the program crashed when executing atoi(argv[1]). We shall now set a breakpoint at the statement where atoi() is called.
70. Recap We know that the program crashed when executing atoi(argv[1]). We shall now set a breakpoint at the statement where atoi() is called. atoi() is called in line #10: 7 int number; 8 int *pointer; 9 10 number = atoi(argv[1]);
72. Use gdb's "break" command to set a breakpoint. (gdb) break 10 Breakpoint 1 at 0x804837c: file crash1.c, line 10.
73. Use gdb's "break" command to set a breakpoint. (gdb) break 10 Breakpoint 1 at 0x804837c: file crash1.c, line 10. Now let us run the program.
74. Use gdb's "break" command to set a breakpoint. (gdb) break 10 Breakpoint 1 at 0x804837c: file crash1.c, line 10. Now let us run the program. (gdb) run Starting program: /home/user0/crash1 Breakpoint 1, main (argc=0x1, argv=0xbffff9b4) at crash1.c:10 10 number = atoi(argv[1]);
75. Use gdb's "break" command to set a breakpoint. (gdb) break 10 Breakpoint 1 at 0x804837c: file crash1.c, line 10. Now let us run the program. (gdb) run Starting program: /home/user0/crash1 Breakpoint 1, main (argc=0x1, argv=0xbffff9b4) at crash1.c:10 10 number = atoi(argv[1]); Process execution is suspended when it reaches the breakpoint. Control is transferred to gdb.
76. Use gdb's "break" command to set a breakpoint. (gdb) break 10 Breakpoint 1 at 0x804837c: file crash1.c, line 10. Now let us run the program. (gdb) run Starting program: /home/user0/crash1 Breakpoint 1, main (argc=0x1, argv=0xbffff9b4) at crash1.c:10 10 number = atoi(argv[1]); Process execution is suspended when it reaches the breakpoint. Control is transferred to gdb. Let us now look at argv[1]. gdb will now allow us to inspect variables symbolically.
79. gdb's "print" command lets us inspect variables. (gdb) print argv[1] $1 = 0x0 argv[1] is the culprit NULL pointer! This is what gets loaded into the EDI register (remember?)
80. gdb's "print" command lets us inspect variables. (gdb) print argv[1] $1 = 0x0 argv[1] is the culprit NULL pointer! This is what gets loaded into the EDI register (remember?) Let us continue with the process execution.
81. gdb's "print" command lets us inspect variables. (gdb) print argv[1] $1 = 0x0 argv[1] is the culprit NULL pointer! This is what gets loaded into the EDI register (remember?) Let us continue with the process execution. (gdb) continue Continuing. Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6
82. gdb's "print" command lets us inspect variables. (gdb) print argv[1] $1 = 0x0 argv[1] is the culprit NULL pointer! This is what gets loaded into the EDI register (remember?) Let us continue with the process execution. (gdb) continue Continuing. Program received signal SIGSEGV, Segmentation fault. 0x40044c2e in __strtol_internal () from /lib/i686/libc.so.6 As expected, here's the segmentation fault. Verify the value of EDI using "info registers" and the disassembly of the crash using "x/10i $eip"
83. Bug #1 - Null pointer To fix this problem the programmer needs to check the number of command line arguments before using argv[1] in the program.
84. Bug #1 - Null pointer To fix this problem the programmer needs to check the number of command line arguments before using argv[1] in the program. For now, we shall run the program with a valid argv[1] supplied.
85. Bug #1 - Null pointer To fix this problem the programmer needs to check the number of command line arguments before using argv[1] in the program. For now, we shall run the program with a valid argv[1] supplied. On to bug #2. Quit gdb and load crash1 again.
86. Load crash1 in gdb again. $ gdb crash1 GNU gdb (GDB) 7.2 ... Reading symbols from /home/user0/crash1...done. (gdb)
87. Load crash1 in gdb again. $ gdb crash1 GNU gdb (GDB) 7.2 ... Reading symbols from /home/user0/crash1...done. (gdb) Run it with argument 1 as 255 (or any number) (gdb) run 255 Starting program: /home/user0/crash1 255 Program received signal SIGSEGV, Segmentation fault. 0x080483b4 in printnum (x=0xff) at crash1.c:17 17 printf("The number supplied is %d", *x);
88. Load crash1 in gdb again. $ gdb crash1 GNU gdb (GDB) 7.2 ... Reading symbols from /home/user0/crash1...done. (gdb) Run it with argument 1 as 255 (or any number) (gdb) run 255 Starting program: /home/user0/crash1 255 Program received signal SIGSEGV, Segmentation fault. 0x080483b4 in printnum (x=0xff) at crash1.c:17 17 printf("The number supplied is %d", *x); Another segmentation fault. Another crash.
90. What do we do now? I thought I asked the questions!
91. What do we do now? I thought I asked the questions! We see where we crashed by examining frames from the stack. The "backtrace" command. (gdb) backtrace #0 0x080483b4 in printnum (x=0xff) at crash1.c:17 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12
92. What do we do now? I thought I asked the questions! We see where we crashed by examining frames from the stack. The "backtrace" command. (gdb) backtrace #0 0x080483b4 in printnum (x=0xff) at crash1.c:17 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 We crashed inside printnum(). Let us inspect the arguments passed to printnum().
93. What do we do now? I thought I asked the questions! We see where we crashed by examining frames from the stack. The "backtrace" command. (gdb) backtrace #0 0x080483b4 in printnum (x=0xff) at crash1.c:17 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 We crashed inside printnum(). Let us inspect the arguments passed to printnum(). (gdb) info args x = 0xff
94. What do we do now? I thought I asked the questions! We see where we crashed by examining frames from the stack. The "backtrace" command. (gdb) backtrace #0 0x080483b4 in printnum (x=0xff) at crash1.c:17 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 We crashed inside printnum(). Let us inspect the arguments passed to printnum(). (gdb) info args x = 0xff Isn't x a pointer to an integer (int *x)?
96. That's right. x is an integer pointer, set to 0xff. So it points to memory address 0x000000ff?
97. That's right. x is an integer pointer, set to 0xff. So it points to memory address 0x000000ff? Yes. This memory cannot be referenced. Fetching its contents (*x) results in an error.
98. That's right. x is an integer pointer, set to 0xff. So it points to memory address 0x000000ff? Yes. This memory cannot be referenced. Fetching its contents (*x) results in an error. How did x get set to 0x000000ff?
99. That's right. x is an integer pointer, set to 0xff. So it points to memory address 0x000000ff? Yes. This memory cannot be referenced. Fetching its contents (*x) results in an error. How did x get set to 0x000000ff? The answer lies in how printnum() was called.
100. That's right. x is an integer pointer, set to 0xff. So it points to memory address 0x000000ff? Yes. This memory cannot be referenced. Fetching its contents (*x) results in an error. How did x get set to 0x000000ff? The answer lies in how printnum() was called. Let us switch to its calling frame - frame 1 - and inspect frame 1's local variables.
102. gdb's "frame <n>" command lets you switch context to other frames. (gdb) frame 1 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 12 printnum(pointer);
103. gdb's "frame <n>" command lets you switch context to other frames. (gdb) frame 1 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 12 printnum(pointer); Inspect frame 1's local variables.
104. gdb's "frame <n>" command lets you switch context to other frames. (gdb) frame 1 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 12 printnum(pointer); Inspect frame 1's local variables. (gdb) info locals number = 0xff pointer = 0xff
105. gdb's "frame <n>" command lets you switch context to other frames. (gdb) frame 1 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 12 printnum(pointer); Inspect frame 1's local variables. (gdb) info locals number = 0xff pointer = 0xff Do you see the second bug now?
106. gdb's "frame <n>" command lets you switch context to other frames. (gdb) frame 1 #1 0x080483a3 in main (argc=0x2, argv=0xbffff9b4) at crash1.c:12 12 printnum(pointer); Inspect frame 1's local variables. (gdb) info locals number = 0xff pointer = 0xff Do you see the second bug now? We are reading the number 255 (0xff) and assigning it to the pointer directly.
109. Absolutely correct. What should we do instead? Make the pointer POINT to the number. Set the pointer's value to be the ADDRESS of the number and not its value.
110. Bug #2 - Pointer mess-up The faulting statement is: pointer = number;
111. Bug #2 - Pointer mess-up The faulting statement is: pointer = number; Instead it should be: pointer = &number; //address of number
112. Bug #2 - Pointer mess-up The faulting statement is: pointer = number; Instead it should be: pointer = &number; //address of number Let us see what happens at assembly level. Dump instructions at EIP and inspect the registers.
116. (gdb) frame 0 (gdb) x/10i $eip => 0x80483b4 <printnum+12>: push DWORD PTR [eax] 0x80483b6 <printnum+14>: push 0x8048488 0x80483bb <printnum+19>: call 0x804828c <printf@plt> 0x80483c0 <printnum+24>: add esp,0x10 0x80483c3 <printnum+27>: leave 0x80483c4 <printnum+28>: ret (gdb) info registers eax 0xff 0xff ecx 0x0 0x0 edx 0x0 0x0 ebx 0x40148f50 0x40148f50 esp 0xbffff938 0xbffff938 ebp 0xbffff948 0xbffff948 esi 0x40012780 0x40012780 edi 0xbffff9b4 0xbffff9b4 eip 0x80483b4 0x80483b4 <printnum+12> eflags 0x10292 [ AF SF IF RF ] We are trying to push a value whose address is stored in EAX. This address is 0x000000ff.
117. There are two PUSHes. The first pushes the contents at address EAX onto the stack.
118. There are two PUSHes. The first pushes the contents at address EAX onto the stack. EAX stores the address of the pointer x.
119. There are two PUSHes. The first pushes the contents at address EAX onto the stack. EAX stores the address of the pointer x. DWORD PTR [EAX] implies *x (contents at addr x)
120. There are two PUSHes. The first pushes the contents at address EAX onto the stack. EAX stores the address of the pointer x. DWORD PTR [EAX] implies *x (contents at addr x) What does the second PUSH do? push 0x08048488
121. There are two PUSHes. The first pushes the contents at address EAX onto the stack. EAX stores the address of the pointer x. DWORD PTR [EAX] implies *x (contents at addr x) What does the second PUSH do? push 0x08048488 0x08048488 looks like a memory address. Notice that the next instruction is a CALL to printf. => 0x80483b4 <printnum+12>: push DWORD PTR [eax] 0x80483b6 <printnum+14>: push 0x8048488 0x80483bb <printnum+19>: call 0x804828c <printf@plt>
122. There are two PUSHes. The first pushes the contents at address EAX onto the stack. EAX stores the address of the pointer x. DWORD PTR [EAX] implies *x (contents at addr x) What does the second PUSH do? push 0x08048488 0x08048488 looks like a memory address. Notice that the next instruction is a CALL to printf. => 0x80483b4 <printnum+12>: push DWORD PTR [eax] 0x80483b6 <printnum+14>: push 0x8048488 0x80483bb <printnum+19>: call 0x804828c <printf@plt> The two PUSHes set up the parameters passed to printf().
129. So where does address 0x08048488 point to? It should point to the string: "The number supplied is %d"
130. So where does address 0x08048488 point to? It should point to the string: "The number supplied is %d" Let us use the "x" command and find out. We shall use "x/s" to display the output as a string.
131. So where does address 0x08048488 point to? It should point to the string: "The number supplied is %d" Let us use the "x" command and find out. We shall use "x/s" to display the output as a string. (gdb) x/s 0x08048488 0x8048488: "The number supplied is %d"
132. Disassembling printnum() To wrap this up, let us dive into the assembly code of function printnum(). We shall map out the concepts discussed in "HOW FUNCTIONS WORK".
134. Use the "disassemble" command (gdb) disassemble printnum Dump of assembler code for function printnum: 0x080483a8 <+0>: push ebp 0x080483a9 <+1>: mov ebp,esp 0x080483ab <+3>: sub esp,0x8 0x080483ae <+6>: sub esp,0x8 0x080483b1 <+9>: mov eax,DWORD PTR [ebp+0x8] => 0x080483b4 <+12>: push DWORD PTR [eax] 0x080483b6 <+14>: push 0x8048488 0x080483bb <+19>: call 0x804828c <printf@plt> 0x080483c0 <+24>: add esp,0x10 0x080483c3 <+27>: leave 0x080483c4 <+28>: ret End of assembler dump.
135. Use the "disassemble" command (gdb) disassemble printnum Dump of assembler code for function printnum: 0x080483a8 <+0>: push ebp 0x080483a9 <+1>: mov ebp,esp 0x080483ab <+3>: sub esp,0x8 0x080483ae <+6>: sub esp,0x8 0x080483b1 <+9>: mov eax,DWORD PTR [ebp+0x8] => 0x080483b4 <+12>: push DWORD PTR [eax] 0x080483b6 <+14>: push 0x8048488 0x080483bb <+19>: call 0x804828c <printf@plt> 0x080483c0 <+24>: add esp,0x10 0x080483c3 <+27>: leave 0x080483c4 <+28>: ret End of assembler dump. Let us map this disassembly to the various components of a function.
136. printnum() disassembly Prologue push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Body Epilogue Return
137. printnum() disassembly Prologue push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] > push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Body Epilogue Return Crash occurs at "push dword ptr [eax]".
138. printnum() disassembly Prologue push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] > push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Body Epilogue Return Crash occurs at "push dword ptr [eax]". Let us see how the stack is built up.
139. Before printnum() is called push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Pointer x is pushed on the stack... 0x000000ff ESP ... EBP
140. Before printnum() is called > push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret ...and printnum is CALLed. Saved EIP ESP 0x000000ff param 1 ... EBP
141. Prologue push ebp > mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Old EBP ESP Save the old frame pointer. Saved EIP 0x000000ff param 1 ... EBP
142. Prologue push ebp mov ebp,esp > sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret Old EBP EBP ESP Set the EBP to the current frame. Saved EIP 0x000000ff param 1 ...
143. Prologue push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 > mov eax,DWORD PTR [ebp+0x8] push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret ... ESP ... ... ... Old EBP EBP Leave some space on the stack (16 bytes) Saved EIP 0x000000ff param 1 ...
144. Body push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] > push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret ... ESP ... ... ... Old EBP EBP EAX = 0x000000ff Saved EIP 0x000000ff param 1 ...
145. Segmentation Fault! push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] >push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret ... ESP ... ... ... Old EBP EBP Memory at 0x000000ff cannot be referenced. Saved EIP 0x000000ff param 1 ...
146. Segmentation Fault! push ebp mov ebp,esp sub esp,0x8 sub esp,0x8 mov eax,DWORD PTR [ebp+0x8] >push DWORD PTR [eax] push 0x8048488 call 0x804828c <printf@plt> add esp,0x10 leave ret ... ESP ... ... ... Old EBP EBP Memory at 0x000000ff cannot be referenced. Saved EIP 0x000000ff param 1 What will stack memory contain at this moment? ...