Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002Linux Memory LayoutLinux Memory AllocationText & Stack ExampleDynamic Linking ExampleMemory Allocation ExampleExample AddressesC operatorsC pointer declarationsInternet Worm and IM WarInternet Worm and IM War (cont.)String Library CodeVulnerable Buffer CodeBuffer Overflow ExecutionsBuffer Overflow StackBuffer Overflow Stack ExampleBuffer Overflow Example #1Buffer Overflow Stack Example #2Buffer Overflow Stack Example #3Malicious Use of Buffer OverflowExploits Based on Buffer OverflowsSlide 22PowerPoint PresentationCode Red WormCode Red Exploit CodeCode Red EffectsAvoiding Overflow VulnerabilityIA32 Floating PointFPU Data Register StackFPU instructionsFloating Point Code ExampleInner Product Stack TraceFinal ObservationsMachine-Level Programming V:Miscellaneous TopicsSept. 24, 2002Machine-Level Programming V:Miscellaneous TopicsSept. 24, 2002TopicsTopicsLinux Memory LayoutUnderstanding PointersBuffer OverflowFloating Point Codeclass09.ppt15-213“The course that gives CMU its Zip!”– 2 –15-213, F’02Linux Memory LayoutLinux Memory LayoutStackStackRuntime stack (8MB limit)HeapHeapDynamically allocated storageWhen call malloc, calloc, newDLLsDLLsDynamically Linked LibrariesLibrary routines (e.g., printf, malloc)Linked into object code when first executedDataDataStatically allocated dataE.g., arrays & strings declared in codeTextTextExecutable machine instructionsRead-onlyUpper 2 hex digits of addressRed Hatv. 6.2~1920MBmemorylimitFFBF7F3FC0804000StackDLLsTextDataHeapHeap08– 3 –15-213, F’02Linux Memory AllocationLinux Memory AllocationLinkedBF7F3F804000StackDLLsTextData08Some HeapBF7F3F804000StackDLLsTextDataHeap08MoreHeapBF7F3F804000StackDLLsTextDataHeapHeap08InitiallyBF7F3F804000StackTextData08– 4 –15-213, F’02Text & Stack ExampleText & Stack Example(gdb) break main(gdb) run Breakpoint 1, 0x804856f in main ()(gdb) print $esp $3 = (void *) 0xbffffc78MainMainAddress 0x804856f should be read 0x0804856fStackStackAddress 0xbffffc78InitiallyBF7F3F804000StackTextData08– 5 –15-213, F’02Dynamic Linking ExampleDynamic Linking Example(gdb) print malloc $1 = {<text variable, no debug info>} 0x8048454 <malloc>(gdb) run Program exited normally.(gdb) print malloc $2 = {void *(unsigned int)} 0x40006240 <malloc>InitiallyInitiallyCode in text segment that invokes dynamic linkerAddress 0x8048454 should be read 0x08048454FinalFinalCode in DLL regionLinkedBF7F3F804000StackDLLsTextData08– 6 –15-213, F’02Memory Allocation ExampleMemory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){ p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements ... */}– 7 –15-213, F’02Example AddressesExample Addresses$esp 0xbffffc78p3 0x500b5008p1 0x400b4008Final malloc 0x40006240p4 0x1904a640 p2 0x1904a538beyond 0x1904a524big_array 0x1804a520huge_array 0x0804a510main() 0x0804856fuseless() 0x08048560Initial malloc 0x08048454BF7F3F804000StackDLLsTextDataHeapHeap08– 8 –15-213, F’02C operatorsC operatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to rightNote: Unary +, -, and * have higher precedence than binary forms– 9 –15-213, F’02C pointer declarationsC pointer declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints– 10 –15-213, F’02Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988Internet Worm attacks thousands of Internet hosts.How did it happen?July, 1999July, 1999Microsoft launches MSN Messenger (instant messaging system).Messenger clients can access popular AOL Instant Messaging Service (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserver– 11 –15-213, F’02Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999Mysteriously, Messenger clients can no longer access AIM servers.Microsoft and AOL begin the IM war:AOL changes server to disallow Messenger clientsMicrosoft makes changes to clients to defeat AOL changes.At least 13 such skirmishes.How did it happen?The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflow exploits! exploits!many Unix functions do not check argument sizes.allows target buffers to overflow.– 12 –15-213, F’02String Library CodeString Library CodeImplementation of Unix function getsNo way to specify limit on number of characters to readSimilar problems with other Unix functionsstrcpy: Copies string of arbitrary lengthscanf, fscanf, sscanf, when given %s conversion specification/* Get string from stdin */char *gets(char *dest){ int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest;}– 13 –15-213, F’02Vulnerable Buffer CodeVulnerable Buffer Codeint main(){ printf("Type a string:"); echo(); return 0;}/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}– 14 –15-213, F’02Buffer Overflow ExecutionsBuffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation Fault– 15 –15-213, F’02Buffer Overflow StackBuffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl
View Full Document
Unlocking...