Machine Language V:Miscellaneous TopicsSept. 25, 2001Topics• Linux Memory Layout• Understanding Pointers• Buffer Overflow• Floating Point Codeclass09.ppt15-213“The course that gives CMU its Zip!”CS 213 F’01– 2 –class09.pptLinux Memory LayoutStack• Runtime stack (8MB limit)Heap• Dynamically allocated storage• When call malloc, calloc, newDLLs• Dynamically Linked Libraries• Library routines (e.g., printf, malloc)• Linked into object code when first executedData• Statically allocated data• E.g., arrays & strings declared in codeText• Executable machine instructions• Read-onlyUpper2 hexdigits ofaddressRed Hatv. 6.2~1920MBmemorylimitFFBF7F3FC0804000StackDLLsTextDataHeapHeap08CS 213 F’01– 3 –class09.pptLinux Memory AllocationInitiallyBF7F3F804000StackTextDataLinkedBF7F3F804000StackDLLsTextDataSomeHeapBF7F3F804000StackDLLsTextDataHeapMoreHeapBF7F3F804000StackDLLsTextDataHeapHeap08 08 08 08CS 213 F’01– 4 –class09.pptMemory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){ p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements ... */}CS 213 F’01– 5 –class09.pptDynamic Linking Example(gdb) print malloc $1 = {<text variable, no debug info>} 0x8048454 <malloc>(gdb) run Program exited normally.(gdb) print malloc $2 = {void *(unsigned int)} 0x40006240 <malloc>Initially• Code in text segment that invokes dynamic linker• Address 0x8048454 should be read 0x08048454Final• Code in DLL regionCS 213 F’01– 6 –class09.pptBreakpointing Example(gdb) break main(gdb) run Breakpoint 1, 0x804856f in main ()(gdb) print $esp $3 = (void *) 0xbffffc78Main• Address 0x804856f should be read 0x0804856fStack• Address 0xbffffc78CS 213 F’01– 7 –class09.pptExample Addresses$esp 0xbffffc78p3 0x500b5008p1 0x400b4008Final malloc 0x40006240p4 0x1904a640p2 0x1904a538beyond 0x1904a524big_array 0x1804a520huge_array 0x0804a510main() 0x0804856fuseless() 0x08048560Initial malloc 0x08048454BF7F3F804000StackDLLsTextData08501819CS 213 F’01– 8 –class09.pptC operatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to rightNote: Unary +, -, and * have higher precedence than binary formsCS 213 F’01– 9 –class09.pptC pointer declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of intsCS 213 F’01– 10 –class09.pptInternet Worm and IM WarNovember, 1988• Internet Worm attacks thousands of Internet hosts.• How did it happen?July, 1999• Microsoft launches MSN Messenger (instant messaging system).• Messenger clients can access popular AOL Instant MessagingService (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserverCS 213 F’01– 11 –class09.pptInternet Worm and IM War (cont.)August 1999• Mysteriously, Messenger clients can no longer access AIM servers.• Microsoft and AOL begin the IM war:–AOL changes server to disallow Messenger clients–Microsoft makes changes to clients to defeat AOL changes.–At least 13 such skirmishes.• How did it happen?The Internet Worm and AOL/Microsoft War were bothbased on stack buffer overflow exploits!–many Unix functions, such as gets() and strcpy(), do not checkargument sizes.–allows target buffers to overflow.CS 213 F’01– 12 –class09.pptVulnerable Buffer Codeint main(){ printf("Type a string:"); echo(); return 0;}/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}CS 213 F’01– 13 –class09.pptBuffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation FaultCS 213 F’01– 14 –class09.pptBuffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . ./* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor echoStackFramefor mainCS 213 F’01– 15 –class09.pptBufferOverflow StackExampleReturn AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor echoStackFramefor mainbf ff f8 f808 04 86 4dxx xx xx xxStackFramefor echoStackFramefor mainBefore Call to getsunix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d 8048648: call 804857c <echo> 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point0xbffff8d8CS 213 F’01– 16 –class09.pptBuffer Overflow Stack Example #1Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor echoStackFramefor mainbf ff f8 f808 04 86 4dxx xx xx xxStackFramefor echoStackFramefor mainBefore Call to getsInput = “123”No Problembf ff f8 f808 04 86 4d00 33 32 31StackFramefor echoStackFramefor mainCS 213 F’01– 17 –class09.pptBuffer Overflow Stack Example #2Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor echoStackFramefor mainInput = “12345”Saved value of %ebp setto 0xbfff0035bf ff 00 3508 04 86 4d34 33 32 31StackFramefor echoStackFramefor main 8048592: push %ebx 8048593: call 80483e4 <_init+0x50> 8048598: mov 0xffffffe8(%ebp),%ebx 804859b: mov %ebp,%esp 804859d: pop %ebp # %ebp gets set to invalid value 804859e: ret0xbffff8d8echo code:CS 213 F’01– 18 –class09.pptBuffer Overflow Stack ExampleReturn AddressSaved
View Full Document
Unlocking...