Skip to content

Instantly share code, notes, and snippets.

@rygorous

rygorous/dead_store.cpp

Created May 19, 2017 11:18
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
C++ ver of memzero example
Raw
dead_store.cpp
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct SekritKey
{
uint8_t key[32];
};
void totally_secure_delete(SekritKey *key)
{
memset(key, 0, sizeof(*key));
delete key;
}
void dump_key(SekritKey *key)
{
for (size_t i = 0; i < 32; ++i)
printf(" %02x", key->key[i]);
printf("\n");
}
int main(int argc, char **argv)
{
SekritKey *key = new SekritKey;
// dummy dataflow from args to key
key->key[0] = atoi(argv[1]);
for (size_t i = 1; i < 32; ++i)
key->key[i] = 0;
// dummy work
dump_key(key);
// delete it
totally_secure_delete(key);
return 0;
}
Raw
disasm
(just go ahead to <main>; my annotations marked "#***")
[ryg@ryg-horizon dead_store]$ clang++ --version
clang version 3.9.1 (tags/RELEASE_391/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
[ryg@ryg-horizon dead_store]$ clang++ -O2 -flto=thin -o dead_store dead_store.cpp && objdump -dCS dead_store
dead_store: file format elf64-x86-64
Disassembly of section .init:
0000000000400598 <_init>:
400598: 48 83 ec 08 sub $0x8,%rsp
40059c: 48 8b 05 4d 0a 20 00 mov 0x200a4d(%rip),%rax # 600ff0 <_DYNAMIC+0x200>
4005a3: 48 85 c0 test %rax,%rax
4005a6: 74 02 je 4005aa <_init+0x12>
4005a8: ff d0 callq *%rax
4005aa: 48 83 c4 08 add $0x8,%rsp
4005ae: c3 retq
Disassembly of section .plt:
00000000004005b0 <printf@plt-0x10>:
4005b0: ff 35 52 0a 20 00 pushq 0x200a52(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
4005b6: ff 25 54 0a 20 00 jmpq *0x200a54(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
4005bc: 0f 1f 40 00 nopl 0x0(%rax)
00000000004005c0 <printf@plt>:
4005c0: ff 25 52 0a 20 00 jmpq *0x200a52(%rip) # 601018 <_GLOBAL_OFFSET_TABLE_+0x18>
4005c6: 68 00 00 00 00 pushq $0x0
4005cb: e9 e0 ff ff ff jmpq 4005b0 <_init+0x18>
00000000004005d0 <operator delete(void*)@plt>:
4005d0: ff 25 4a 0a 20 00 jmpq *0x200a4a(%rip) # 601020 <_GLOBAL_OFFSET_TABLE_+0x20>
4005d6: 68 01 00 00 00 pushq $0x1
4005db: e9 d0 ff ff ff jmpq 4005b0 <_init+0x18>
00000000004005e0 <putchar@plt>:
4005e0: ff 25 42 0a 20 00 jmpq *0x200a42(%rip) # 601028 <_GLOBAL_OFFSET_TABLE_+0x28>
4005e6: 68 02 00 00 00 pushq $0x2
4005eb: e9 c0 ff ff ff jmpq 4005b0 <_init+0x18>
00000000004005f0 <strtol@plt>:
4005f0: ff 25 3a 0a 20 00 jmpq *0x200a3a(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30>
4005f6: 68 03 00 00 00 pushq $0x3
4005fb: e9 b0 ff ff ff jmpq 4005b0 <_init+0x18>
0000000000400600 <operator new(unsigned long)@plt>:
400600: ff 25 32 0a 20 00 jmpq *0x200a32(%rip) # 601038 <_GLOBAL_OFFSET_TABLE_+0x38>
400606: 68 04 00 00 00 pushq $0x4
40060b: e9 a0 ff ff ff jmpq 4005b0 <_init+0x18>
Disassembly of section .text:
0000000000400610 <_start>:
400610: 31 ed xor %ebp,%ebp
400612: 49 89 d1 mov %rdx,%r9
400615: 5e pop %rsi
400616: 48 89 e2 mov %rsp,%rdx
400619: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
40061d: 50 push %rax
40061e: 54 push %rsp
40061f: 49 c7 c0 00 08 40 00 mov $0x400800,%r8
400626: 48 c7 c1 90 07 40 00 mov $0x400790,%rcx
40062d: 48 c7 c7 10 07 40 00 mov $0x400710,%rdi
400634: ff 15 be 09 20 00 callq *0x2009be(%rip) # 600ff8 <_DYNAMIC+0x208>
40063a: f4 hlt
40063b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0000000000400640 <deregister_tm_clones>:
400640: b8 4f 10 60 00 mov $0x60104f,%eax
400645: 55 push %rbp
400646: 48 2d 48 10 60 00 sub $0x601048,%rax
40064c: 48 83 f8 0e cmp $0xe,%rax
400650: 48 89 e5 mov %rsp,%rbp
400653: 76 1b jbe 400670 <deregister_tm_clones+0x30>
400655: b8 00 00 00 00 mov $0x0,%eax
40065a: 48 85 c0 test %rax,%rax
40065d: 74 11 je 400670 <deregister_tm_clones+0x30>
40065f: 5d pop %rbp
400660: bf 48 10 60 00 mov $0x601048,%edi
400665: ff e0 jmpq *%rax
400667: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
40066e: 00 00
400670: 5d pop %rbp
400671: c3 retq
400672: 0f 1f 40 00 nopl 0x0(%rax)
400676: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
40067d: 00 00 00
0000000000400680 <register_tm_clones>:
400680: be 48 10 60 00 mov $0x601048,%esi
400685: 55 push %rbp
400686: 48 81 ee 48 10 60 00 sub $0x601048,%rsi
40068d: 48 c1 fe 03 sar $0x3,%rsi
400691: 48 89 e5 mov %rsp,%rbp
400694: 48 89 f0 mov %rsi,%rax
400697: 48 c1 e8 3f shr $0x3f,%rax
40069b: 48 01 c6 add %rax,%rsi
40069e: 48 d1 fe sar %rsi
4006a1: 74 15 je 4006b8 <register_tm_clones+0x38>
4006a3: b8 00 00 00 00 mov $0x0,%eax
4006a8: 48 85 c0 test %rax,%rax
4006ab: 74 0b je 4006b8 <register_tm_clones+0x38>
4006ad: 5d pop %rbp
4006ae: bf 48 10 60 00 mov $0x601048,%edi
4006b3: ff e0 jmpq *%rax
4006b5: 0f 1f 00 nopl (%rax)
4006b8: 5d pop %rbp
4006b9: c3 retq
4006ba: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
00000000004006c0 <__do_global_dtors_aux>:
4006c0: 80 3d 7d 09 20 00 00 cmpb $0x0,0x20097d(%rip) # 601044 <_edata>
4006c7: 75 11 jne 4006da <__do_global_dtors_aux+0x1a>
4006c9: 55 push %rbp
4006ca: 48 89 e5 mov %rsp,%rbp
4006cd: e8 6e ff ff ff callq 400640 <deregister_tm_clones>
4006d2: 5d pop %rbp
4006d3: c6 05 6a 09 20 00 01 movb $0x1,0x20096a(%rip) # 601044 <_edata>
4006da: f3 c3 repz retq
4006dc: 0f 1f 40 00 nopl 0x0(%rax)
00000000004006e0 <frame_dummy>:
4006e0: bf e8 0d 60 00 mov $0x600de8,%edi
4006e5: 48 83 3f 00 cmpq $0x0,(%rdi)
4006e9: 75 05 jne 4006f0 <frame_dummy+0x10>
4006eb: eb 93 jmp 400680 <register_tm_clones>
4006ed: 0f 1f 00 nopl (%rax)
4006f0: b8 00 00 00 00 mov $0x0,%eax
4006f5: 48 85 c0 test %rax,%rax
4006f8: 74 f1 je 4006eb <frame_dummy+0xb>
4006fa: 55 push %rbp
4006fb: 48 89 e5 mov %rsp,%rbp
4006fe: ff d0 callq *%rax
400700: 5d pop %rbp
400701: e9 7a ff ff ff jmpq 400680 <register_tm_clones>
400706: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
40070d: 00 00 00
0000000000400710 <main>:
400710: 41 57 push %r15
400712: 41 56 push %r14
400714: 53 push %rbx
400715: 49 89 f6 mov %rsi,%r14
400718: bf 20 00 00 00 mov $0x20,%edi
40071d: e8 de fe ff ff callq 400600 <operator new(unsigned long)@plt> #*** alloc key
400722: 49 89 c7 mov %rax,%r15
400725: 49 8b 7e 08 mov 0x8(%r14),%rdi
400729: 31 f6 xor %esi,%esi
40072b: ba 0a 00 00 00 mov $0xa,%edx
400730: e8 bb fe ff ff callq 4005f0 <strtol@plt> #*** atoi from command line arg
400735: 41 88 07 mov %al,(%r15)
400738: 0f 57 c0 xorps %xmm0,%xmm0
40073b: 41 0f 11 47 10 movups %xmm0,0x10(%r15) #*** clears bytes 16-31 (inclusive)
400740: 41 0f 11 47 01 movups %xmm0,0x1(%r15) #*** clears bytes 1-16 (inclusive)
400745: 31 db xor %ebx,%ebx
400747: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) #*** align start of looop
40074e: 00 00
400750: 41 0f b6 34 1f movzbl (%r15,%rbx,1),%esi #*** loop: print current byte
400755: bf 20 08 40 00 mov $0x400820,%edi
40075a: 31 c0 xor %eax,%eax
40075c: e8 5f fe ff ff callq 4005c0 <printf@plt>
400761: 48 ff c3 inc %rbx
400764: 48 83 fb 20 cmp $0x20,%rbx
400768: 75 e6 jne 400750 <main+0x40> #*** this is the print loop
40076a: bf 0a 00 00 00 mov $0xa,%edi
40076f: e8 6c fe ff ff callq 4005e0 <putchar@plt> #*** print final \n
400774: 4c 89 ff mov %r15,%rdi
400777: e8 54 fe ff ff callq 4005d0 <operator delete(void*)@plt> #*** and delete - note no memset to 0!
40077c: 31 c0 xor %eax,%eax
40077e: 5b pop %rbx
40077f: 41 5e pop %r14
400781: 41 5f pop %r15
400783: c3 retq
400784: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
40078b: 00 00 00
40078e: 66 90 xchg %ax,%ax
0000000000400790 <__libc_csu_init>:
400790: 41 57 push %r15
400792: 41 56 push %r14
400794: 41 89 ff mov %edi,%r15d
400797: 41 55 push %r13
400799: 41 54 push %r12
40079b: 4c 8d 25 36 06 20 00 lea 0x200636(%rip),%r12 # 600dd8 <__frame_dummy_init_array_entry>
4007a2: 55 push %rbp
4007a3: 48 8d 2d 36 06 20 00 lea 0x200636(%rip),%rbp # 600de0 <__init_array_end>
4007aa: 53 push %rbx
4007ab: 49 89 f6 mov %rsi,%r14
4007ae: 49 89 d5 mov %rdx,%r13
4007b1: 4c 29 e5 sub %r12,%rbp
4007b4: 48 83 ec 08 sub $0x8,%rsp
4007b8: 48 c1 fd 03 sar $0x3,%rbp
4007bc: e8 d7 fd ff ff callq 400598 <_init>
4007c1: 48 85 ed test %rbp,%rbp
4007c4: 74 20 je 4007e6 <__libc_csu_init+0x56>
4007c6: 31 db xor %ebx,%ebx
4007c8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
4007cf: 00
4007d0: 4c 89 ea mov %r13,%rdx
4007d3: 4c 89 f6 mov %r14,%rsi
4007d6: 44 89 ff mov %r15d,%edi
4007d9: 41 ff 14 dc callq *(%r12,%rbx,8)
4007dd: 48 83 c3 01 add $0x1,%rbx
4007e1: 48 39 dd cmp %rbx,%rbp
4007e4: 75 ea jne 4007d0 <__libc_csu_init+0x40>
4007e6: 48 83 c4 08 add $0x8,%rsp
4007ea: 5b pop %rbx
4007eb: 5d pop %rbp
4007ec: 41 5c pop %r12
4007ee: 41 5d pop %r13
4007f0: 41 5e pop %r14
4007f2: 41 5f pop %r15
4007f4: c3 retq
4007f5: 90 nop
4007f6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
4007fd: 00 00 00
0000000000400800 <__libc_csu_fini>:
400800: f3 c3 repz retq
Disassembly of section .fini:
0000000000400804 <_fini>:
400804: 48 83 ec 08 sub $0x8,%rsp
400808: 48 83 c4 08 add $0x8,%rsp
40080c: c3 retq
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment