15-213: The course that gives CMU its Zip!
Machine-Level Programming III: Procedures
February 6, 2001

Topics
- IA32 stack discipline
- Register saving conventions
- Creating pointers to local variables
- Stack-buffer overflow exploits (finger, AIM - AOL Instant Messenger)

class07.ppt (CS 213 S'01)

IA32 Stack
- Region of memory managed with stack discipline
- Register %esp indicates lowest allocated position in stack, i.e., address of top element
- Stack grows down: "Stack Bottom" is at increasing addresses, "Stack Top" is the lowest allocated address
- Pushing: pushl Src
  - Fetch operand at Src
  - Decrement %esp by 4
  - Write operand at address given by %esp
- Popping: popl Dest
  - Read operand at address given by %esp
  - Increment %esp by 4
  - Write to Dest

Stack Operation Examples
pushl %eax; popl %edx, starting with %esp = 0x108 (M[0x108] = 123, slots 0x10c and 0x110 above it), %eax = 213, %edx = 555:
- after pushl %eax: M[0x104] = 213, %esp = 0x104; %eax and %edx unchanged
- after popl %edx: %edx = 213, %esp = 0x108 (the word at 0x104 is no longer part of the allocated stack)

Procedure Control Flow
- Use stack to support procedure call and return
- Procedure call: call label
  - Push return address on stack
  - Jump to label
- Return address value: address of instruction beyond call
  Example from disassembly:
    804854e: e8 3d 06 00 00   call 8048b90 <main>
    8048553: 50               pushl %eax
  Return address = 0x8048553
- Procedure return: ret
  - Pop address from stack
  - Jump to address

Procedure Call/Return Example
Before the call: %esp = 0x108 (M[0x108] = 123), %eip = 0x804854e
- call 8048b90: pushes 0x8048553 at 0x104, so %esp = 0x104 and %eip = 0x8048b90
- ret: pops the return address, so %esp = 0x108 and %eip = 0x8048553
(%eip is the program counter)

Stack-Based Languages
- Languages that support recursion (e.g., C, Pascal, Java)
  - Code must be "reentrant": multiple simultaneous instantiations of a single procedure
  - Need some place to store the state of each instantiation: arguments, local variables, return pointer
- Stack discipline
  - State for a given procedure is needed for a limited time: from when it is called to when it returns
  - Callee returns before caller does
- Stack allocated in frames: the state for a single procedure instantiation

Call Chain Example
Code structure: yoo calls who; who calls amI twice; amI is recursive.
Call chain: yoo -> who -> amI -> amI -> amI, then who -> amI again.

IA32 Stack Structure
- Stack growth toward lower addresses
- Stack pointer: address of next available location in stack; use register %esp
- Frame pointer: start of current stack frame; use register %ebp
- Figure: frames for yoo, who, amI, amI, amI stacked from higher to lower addresses; %ebp marks the start of the innermost amI frame and %esp its top

IA32/Linux Stack Frame
- Callee stack frame (top to bottom)
  - Parameters for called functions ("argument build")
  - Local variables (if can't keep in registers)
  - Saved register context
  - Old frame pointer
- Caller stack frame
  - Return address (pushed by call instruction)
  - Arguments for this call
- Figure, from higher to lower addresses: Arguments, Return Addr (caller frame) | Old %ebp (frame pointer %ebp points here), Saved Registers + Local Variables, Argument Build (stack pointer %esp points at the top)

Revisiting swap
    int zip1 = 15213;
    int zip2 = 91125;

    void call_swap()
    {
      swap(&zip1, &zip2);
    }

    void swap(int *xp, int *yp)
    {
      int t0 = *xp;
      int t1 = *yp;
      *xp = t1;
      *yp = t0;
    }
call_swap compiles to:
    call_swap:
      pushl $zip2       # Global Var
      pushl $zip1       # Global Var
      call swap
Resulting stack (top at the bottom): &zip2, &zip1, Rtn adr <- %esp

Revisiting swap: assembly
    swap:
      pushl %ebp            # Set Up
      movl %esp,%ebp
      pushl %ebx

      movl 12(%ebp),%ecx    # Body
      movl 8(%ebp),%edx
      movl (%ecx),%eax
      movl (%edx),%ebx
      movl %eax,(%edx)
      movl %ebx,(%ecx)

      movl -4(%ebp),%ebx    # Finish
      movl %ebp,%esp
      popl %ebp
      ret

swap Setup
Entering stack: &zip2, &zip1, Rtn adr <- %esp. After pushl %ebp; movl %esp,%ebp; pushl %ebx, the frame relative to %ebp is:
    Offset  Contents
      12    yp (&zip2)
       8    xp (&zip1)
       4    Rtn adr
       0    Old %ebp   <- %ebp
      -4    Old %ebx   <- %esp

swap Finish
swap's stack is as above. The finish sequence (movl -4(%ebp),%ebx; movl %ebp,%esp; popl %ebp; ret) restores %ebx and %ebp, deallocates the frame and pops the return address, leaving the exiting stack as &zip2, &zip1 with %esp at the &zip1 slot.
Observation: saved and restored register %ebx; didn't do so for %eax, %ecx, or %edx.

Register Saving Conventions
- When procedure yoo calls who: yoo is the caller, who is the callee
- Can a register be used for temporary storage?
    yoo:
      movl $15213, %edx
      call who
      addl %edx, %eax
      ret

    who:
      movl 8(%ebp), %edx
      addl $91125, %edx
      ret
- Contents of register %edx are overwritten by who
- Conventions
  - "Caller Save": caller saves temporary in its frame before calling
  - "Callee Save": callee saves temporary in its frame before using

IA32/Linux Register Usage
- Integer registers
  - Two have special uses: %ebp, %esp
  - Three managed as callee-save: %ebx, %esi, %edi (old values saved on stack prior to using)
  - Three managed as caller-save: %eax, %edx, %ecx (do what you please, but expect any callee to do so as well)
  - Register %eax also stores the returned value
- Surmised by looking at code examples
    Caller-Save Temporaries:  %eax  %edx  %ecx
    Callee-Save Temporaries:  %ebx  %esi  %edi
    Special:                  %esp  %ebp

Recursive Factorial
    int rfact(int x)
    {
      int rval;
      if (x <= 1)
        return 1;
      rval = rfact(x-1);
      return rval * x;
    }
Complete assembly:
- Assembler directives: lines beginning with "."; not of concern to us
- Labels: .Lxx
- Actual instructions
    .globl rfact
    .type rfact,@function
    rfact:
      pushl %ebp
      movl %esp,%ebp
      pushl %ebx
      movl 8(%ebp),%ebx
      cmpl $1,%ebx
      jle .L78
      leal -1(%ebx),%eax
      pushl %eax
      call rfact
      imull %ebx,%eax
      jmp .L79
      .align 4
    .L78:
      movl $1,%eax
    .L79:
      movl -4(%ebp),%ebx
      movl %ebp,%esp
      popl %ebp
      ret

Rfact Stack Setup
Entering stack (caller's frame): x, Rtn adr <- %esp. After pushl %ebp; movl %esp,%ebp; pushl %ebx:
    Offset  Contents
       8    x          (caller)
       4    Rtn adr    (caller)
       0    Old %ebp   <- %ebp  (callee)
      -4    Old %ebx   <- %esp  (callee)

Rfact Body
    movl 8(%ebp),%ebx     # ebx = x
    cmpl $1,%ebx          # Compare x : 1
    jle .L78              # If <= goto Term
    leal -1(%ebx),%eax    # eax = x-1
    pushl %eax            # Push x-1
    call rfact            # rfact(x-1)
    imull %ebx,%eax       # rval * x
    jmp .L79              # Goto done
    .L78:                 # Term:
    movl $1,%eax          #   return val = 1
    .L79:                 # Done:
Registers:
- %ebx: stored value of x
- %eax: temporary value of x-1; returned value from rfact(x-1); returned value from this call

Rfact Recursion
- leal -1(%ebx),%eax: %eax = x-1, %ebx = x; the stack is x, Rtn adr, Old %ebp <- %ebp, Old %ebx <- %esp
- pushl %eax: pushes x-1 below Old %ebx; %esp now points at x-1
- call rfact: pushes Rtn adr below x-1; %esp points at the new Rtn adr while %ebp still marks this frame's Old %ebp

Rfact Result
Return from call: imull %ebx,%eax (%eax holds the value returned by rfact(x-1), %ebx holds x) …
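The push/pop, call/ret and swap frame mechanics described in these slides, worked through in a small simulator. This is example code added to this page, not the lecture's own; the slide's stack addresses and register values are reused, while &zip1, &zip2, swap's code address and the caller's %ebp/%ebx values are made-up placeholders.

```c
#include <stdint.h>
#include <assert.h>
/* Toy model of the IA32 stack discipline from the slides: example code added here, not part
   of the lecture.  Memory is a small little-endian byte array, registers are plain fields.
   Stack/register values follow the slide figures; &zip1, &zip2 and swap's code address are made up. */
#define MEM_SIZE 0x200
typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint32_t esp, ebp, eip, eax, ebx, edx;   /* stack ptr, frame ptr, PC, data registers */
} cpu_t;
static uint32_t rd32(const cpu_t *c, uint32_t a) {   /* load a 4-byte word at address a */
    assert(a + 4 <= MEM_SIZE);                       /* trap rather than read outside the model */
    return c->mem[a] | c->mem[a+1] << 8 | c->mem[a+2] << 16 | (uint32_t)c->mem[a+3] << 24;
}
static void wr32(cpu_t *c, uint32_t a, uint32_t v) { /* store a 4-byte word at address a */
    assert(a + 4 <= MEM_SIZE);
    for (int i = 0; i < 4; i++) c->mem[a+i] = (uint8_t)(v >> (8*i));
}
/* pushl Src: decrement %esp by 4, then write the operand at the new %esp */
static void pushl(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
/* popl Dest: read the word at %esp, then increment %esp by 4 */
static uint32_t popl(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }
/* call label: push the address of the instruction after the call, then jump to label */
static void call(cpu_t *c, uint32_t ret_addr, uint32_t target) { pushl(c, ret_addr); c->eip = target; }
static void ret(cpu_t *c) { c->eip = popl(c); }      /* ret: pop the return address and jump to it */
/* Slides 3 and 5: pushl %eax; popl %edx; then call 8048b90 (return address 0x8048553) and
   ret, starting from %esp = 0x108 (M[0x108] = 123), %eax = 213, %edx = 555. */
static cpu_t push_pop_call_ret(void) {
    cpu_t c = {0}; c.esp = 0x108; c.eax = 213; c.edx = 555; wr32(&c, 0x108, 123);
    pushl(&c, c.eax);                 /* %esp = 0x104, M[0x104] = 213 */
    c.edx = popl(&c);                 /* %edx = 213, %esp = 0x108 again */
    call(&c, 0x8048553, 0x8048b90);   /* M[0x104] = 0x8048553, %eip = 0x8048b90 */
    ret(&c);                          /* %eip = 0x8048553, %esp = 0x108 */
    return c;
}
/* Slides 10-13: call_swap pushes &zip2 then &zip1 and calls swap; after swap's prologue the
   frame reads 12(%ebp)=yp, 8(%ebp)=xp, 4(%ebp)=Rtn adr, 0(%ebp)=Old %ebp, -4(%ebp)=Old %ebx. */
static cpu_t swap_after_prologue(void) {
    cpu_t c = {0}; c.esp = 0x110; c.ebp = 0x1f0; c.ebx = 0xbeef;   /* caller's state (made up) */
    pushl(&c, 0x24); pushl(&c, 0x20);   /* &zip2 = 0x24, &zip1 = 0x20: made-up addresses */
    call(&c, 0x8048600, 0x8048700);     /* made-up return address and address of swap */
    pushl(&c, c.ebp); c.ebp = c.esp; pushl(&c, c.ebx);   /* pushl %ebp; movl %esp,%ebp; pushl %ebx */
    return c;
}
/* swap's finish: movl -4(%ebp),%ebx; movl %ebp,%esp; popl %ebp; ret */
static cpu_t swap_after_return(void) {
    cpu_t c = swap_after_prologue();
    c.ebx = rd32(&c, c.ebp - 4); c.esp = c.ebp; c.ebp = popl(&c); ret(&c);
    return c;   /* %esp = 0x108 (the &zip1 slot), %ebx and %ebp restored, %eip = 0x8048600 */
}
```

Read the frame back with rd32(&c, c.ebp + 12) and so on to confirm the offsets the swap body uses; the callee-save rule shows up as %ebx coming back unchanged after swap_after_return while %eax, %ecx and %edx would not.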