Machine-Level Programming IX:Miscellaneous TopicsTopicsTopics Memory layout Understanding Pointers Buffer Overflow Floating Point CodeSystems I2Linux Memory LayoutStackStack Runtime stack (8MB limit)HeapHeap Dynamically allocated storage When call malloc, calloc, new More on this in Systems IIDLLsDLLs Dynamically Linked Libraries Library routines (e.g., printf, malloc) Linked into object code when first executedDataData Statically allocated data E.g., arrays & strings declared in codeTextText Executable machine instructions Read-onlyUpper2 hexdigits ofaddressRed Hatv. 6.2~1920MBmemorylimitFFBF7F3FC0804000StackDLLsTextDataHeapHeap083Linux Memory AllocationLinkedBF7F3F804000StackDLLsTextData08SomeHeapBF7F3F804000StackDLLsTextDataHeap08MoreHeapBF7F3F804000StackDLLsTextDataHeapHeap08InitiallyBF7F3F804000StackTextData084Text & Stack Example(gdb) break main(gdb) run Breakpoint 1, 0x804856f in main ()(gdb) print $esp $3 = (void *) 0xbffffc78MainMain Address 0x804856f should be read0x0804856fStackStack Address 0xbffffc78InitiallyBF7F3F804000StackTextData085Dynamic Linking Example(gdb) print malloc $1 = {<text variable, no debug info>} 0x8048454 <malloc>(gdb) run Program exited normally.(gdb) print malloc $2 = {void *(unsigned int)} 0x40006240 <malloc>InitiallyInitially Code in text segment that invokes dynamiclinker Address 0x8048454 should be read0x08048454FinalFinal Code in DLL regionLinkedBF7F3F804000StackDLLsTextData086Memory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){ p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements ... */}7Example Addresses$esp 0xbffffc78p3 0x500b5008p1 0x400b4008Final malloc 0x40006240p4 0x1904a640p2 0x1904a538beyond 0x1904a524big_array 0x1804a520huge_array 0x0804a510main() 0x0804856fuseless() 0x08048560Initial malloc 0x08048454BF7F3F804000StackDLLsTextDataHeapHeap088Overview of C operatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to rightNote: Unary +, -, and * have higher precedence than binary forms9C pointer declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints10Internet Worm and IM WarNovember, 1988November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?July, 1999July, 1999 Microsoft launches MSN Messenger (instant messagingsystem). Messenger clients can access popular AOL InstantMessaging Service (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserver11Internet Worm and IM War (cont.)August 1999August 1999 Mysteriously, Messenger clients can no longer access AIMservers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen?The Internet Worm and AOL/Microsoft War were bothThe Internet Worm and AOL/Microsoft War were bothbased on based on stack buffer overflowstack buffer overflow exploits! exploits! many Unix functions do not check argument sizes. allows target buffers to overflow.12String Library Code Implementation of Unix function gets No way to specify limit on number of characters to read Similar problems with other Unix functions strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification/* Get string from stdin */char *gets(char *dest){ int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest;}13Vulnerable Buffer Codeint main(){ printf("Type a string:"); echo(); return 0;}/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}14Buffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation Fault15Buffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . ./* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo16BufferOverflow StackExampleBefore call to getsunix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d 8048648: call 804857c <echo> 804864d: mov 0xffffffe8(%ebp),%ebx # Return PointReturn AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo0xbffff8d8Return AddressSaved %ebp[3][2][1][0]bufStackFramefor mainStackFramefor echobf ff f8 f808 04 86 4dxx xx xx xx17Buffer Overflow Example #1Before Call to getsInput = “123”No Problem0xbffff8d8Return AddressSaved %ebp[3][2][1][0]bufStackFramefor mainStackFramefor echobf ff f8 f808 04 86 4d00 33 32 31Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo18Buffer Overflow Stack Example #2Input = “12345” 8048592: push %ebx 8048593: call 80483e4 <_init+0x50> # gets 8048598: mov 0xffffffe8(%ebp),%ebx 804859b: mov %ebp,%esp 804859d: pop %ebp # %ebp gets set to invalid value 804859e: retecho code:0xbffff8d8Return AddressSaved %ebp[3][2][1][0]bufStackFramefor mainStackFramefor echobf ff 00 3508 04 86 4d34 33 32
View Full Document