UT CS 429H - Machine-Level Programming IX- Miscellaneous Topics

Machine-Level Programming IX: Miscellaneous Topics

Topics
- Memory layout
- Understanding pointers
- Buffer overflow
- Floating point code

Systems I

Linux Memory Layout
- Stack: runtime stack (8 MB limit).
- Heap: dynamically allocated storage, obtained when you call malloc, calloc, new. More on this in Systems II.
- DLLs: dynamically linked libraries. Library routines (e.g., printf, malloc), linked into the object code when first executed.
- Data: statically allocated data, e.g., arrays and strings declared in code.
- Text: executable machine instructions, read-only.

Figure: address-space map keyed by the upper 2 hex digits of the address (Red Hat v. 6.2, ~1920 MB memory limit). Stack near the top of the map at BF..., DLLs at 40..., and Text, Data and Heap growing upward from 08....

Linux Memory Allocation
Figure: four snapshots of the same map. Initially: Stack, Text, Data. Linked: DLLs added at 40.... Some Heap: a Heap region appears above Data. More Heap: the Heap region grows.

Text & Stack Example
    (gdb) break main
    (gdb) run
    Breakpoint 1, 0x804856f in main ()
    (gdb) print $esp
    $3 = (void *) 0xbffffc78
- main: address 0x804856f should be read as 0x0804856f (Text region).
- Stack: address 0xbffffc78.

Dynamic Linking Example
    (gdb) print malloc
    $1 = {<text variable, no debug info>} 0x8048454 <malloc>
    (gdb) run
    Program exited normally.
    (gdb) print malloc
    $2 = {void *(unsigned int)} 0x40006240 <malloc>
- Initially: code in the text segment that invokes the dynamic linker. Address 0x8048454 should be read as 0x08048454.
- Final: code in the DLL region.

Memory Allocation Example
    #include <stdlib.h>

    char big_array[1<<24];   /* 16 MB */
    char huge_array[1<<28];  /* 256 MB */
    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28);  /* 256 MB */
        p2 = malloc(1 << 8);   /* 256 B */
        p3 = malloc(1 << 28);  /* 256 MB */
        p4 = malloc(1 << 8);   /* 256 B */
        /* Some print statements ... */
    }

Example Addresses
    $esp            0xbffffc78
    p3              0x500b5008
    p1              0x400b4008
    Final malloc    0x40006240
    p4              0x1904a640
    p2              0x1904a538
    beyond          0x1904a524
    big_array       0x1804a520
    huge_array      0x0804a510
    main()          0x0804856f
    useless()       0x08048560
    Initial malloc  0x08048454

Overview of C Operators
    Operators                                      Associativity
    ()  []  ->  .                                  left to right
    !  ~  ++  --  +  -  *  &  (type)  sizeof       right to left
    *  /  %                                        left to right
    +  -                                           left to right
    <<  >>                                         left to right
    <  <=  >  >=                                   left to right
    ==  !=                                         left to right
    &                                              left to right
    ^                                              left to right
    |                                              left to right
    &&                                             left to right
    ||                                             left to right
    ?:                                             right to left
    =  +=  -=  *=  /=  %=  &=  ^=  |=  <<=  >>=    right to left
    ,                                              left to right
Note: unary +, -, and * have higher precedence than the binary forms.

C Pointer Declarations
    int *p                  p is a pointer to int
    int *p[13]              p is an array[13] of pointers to int
    int *(p[13])            p is an array[13] of pointers to int
    int **p                 p is a pointer to a pointer to an int
    int (*p)[13]            p is a pointer to an array[13] of int
    int *f()                f is a function returning a pointer to int
    int (*f)()              f is a pointer to a function returning int
    int (*(*f())[13])()     f is a function returning a pointer to an array[13] of pointers to functions returning int
    int (*(*x[3])())[5]     x is an array[3] of pointers to functions returning pointers to an array[5] of ints

Internet Worm and IM War
- November, 1988: the Internet Worm attacks thousands of Internet hosts. How did it happen?
- July, 1999: Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access the popular AOL Instant Messaging Service (AIM) servers.
Figure: AIM server serving AIM clients and an MSN client; separate MSN server.

Internet Worm and IM War (cont.)
- August 1999: mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes its server to disallow Messenger clients; Microsoft changes its clients to defeat AOL's changes. At least 13 such skirmishes. How did it happen?
- The Internet Worm and the AOL/Microsoft war were both based on stack buffer overflow exploits! Many Unix functions do not check argument sizes, which allows target buffers to overflow.

String Library Code
- Implementation of the Unix function gets: there is no way to specify a limit on the number of characters to read.
- Similar problems with other Unix functions: strcpy copies a string of arbitrary length; scanf, fscanf and sscanf, when given a %s conversion specification.
    /* Get string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        while (c != EOF && c != '\n') {
            *p++ = c;          /* p is never compared against the end of dest */
            c = getchar();
        }
        *p = '\0';
        return dest;
    }

Vulnerable Buffer Code
    void echo(void);

    int main()
    {
        printf("Type a string:");
        echo();
        return 0;
    }

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        gets(buf);
        puts(buf);
    }

Buffer Overflow Executions
    unix> ./bufdemo
    Type a string: 123
    123
    unix> ./bufdemo
    Type a string: 12345
    Segmentation Fault
    unix> ./bufdemo
    Type a string: 12345678
    Segmentation Fault

Buffer Overflow Stack
    echo:
        pushl %ebp            # Save %ebp on stack
        movl %esp,%ebp
        subl $20,%esp         # Allocate space on stack
        pushl %ebx            # Save %ebx
        addl $-12,%esp        # Allocate space on stack
        leal -4(%ebp),%ebx    # Compute buf as %ebp-4
        pushl %ebx            # Push buf on stack
        call gets             # Call gets
        . . .
    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        gets(buf);
        puts(buf);
    }
Figure: stack frame for echo, highest address at the top. Above it is the stack frame for main.
    Return Address
    Saved %ebp            <- %ebp
    buf  [3][2][1][0]     <- %ebp-4

Buffer Overflow Stack Example (before the call to gets)
    unix> gdb bufdemo
    (gdb) break echo
    Breakpoint 1 at 0x8048583
    (gdb) run
    Breakpoint 1, 0x8048583 in echo ()
    (gdb) print /x *(unsigned *)$ebp
    $1 = 0xbffff8f8
    (gdb) print /x *((unsigned *)$ebp + 1)
    $3 = 0x804864d
    8048648:  call 804857c <echo>
    804864d:  mov 0xffffffe8(%ebp),%ebx    # Return Point
Figure: frame contents, bytes shown from the highest address down (echo's %ebp is 0xbffff8d8):
    Return Address        08 04 86 4d
    Saved %ebp            bf ff f8 f8
    buf  [3][2][1][0]     xx xx xx xx

Buffer Overflow Example #1: input = "123", no problem
    Return Address        08 04 86 4d
    Saved %ebp            bf ff f8 f8
    buf  [3][2][1][0]     00 33 32 31     ("123" plus the terminating NUL fits in 4 bytes)

Buffer Overflow Stack Example #2: input = "12345"
    echo code:
    8048592:  push %ebx
    8048593:  call 80483e4 <_init+0x50>    # gets
    8048598:  mov 0xffffffe8(%ebp),%ebx
    804859b:  mov %ebp,%esp
    804859d:  pop %ebp                     # %ebp gets set to invalid value
    804859e:  ret
    Return Address        08 04 86 4d
    Saved %ebp            bf ff 00 35     (the '5' and the terminating NUL land in the two low bytes of the saved %ebp)
    buf  [3][2][1][0]     34 33 32 31     ("1234")
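To make the pointer-declaration table above something you can run rather than just read, here is an added example (not part of the original slides) that gives each of the harder declarations a concrete definition and calls through it. The names row_a, row_b, x_lookup, seven, f_ptr, h, g, fn_table, call_both, call_via_g and the sizeof_* helpers are all invented here; the slide's `int (*(*f())[13])()` is spelled `g` below so it does not collide with the function-pointer `f`.

```c
#include <stddef.h>
#include <stdio.h>

/* Concrete definitions behind the declarations on the slide, so each one can
 * be called or measured.  Every name here is an assumption of this example. */

/* int (*f())[5]: a function returning a pointer to an array[5] of int */
static int row0[5] = { 1, 2, 3, 4, 5 };
static int row1[5] = { 10, 20, 30, 40, 50 };
int (*row_a(void))[5] { return &row0; }
int (*row_b(void))[5] { return &row1; }

/* int (*(*x[3])())[5]: x is an array[3] of pointers to functions returning
 * pointers to an array[5] of int.  Use it inside-out: x[k] is a function
 * pointer, (*x[k])() yields an int (*)[5], and (*that)[i] is an int. */
int (*(*x[3])(void))[5] = { row_a, row_b, row_a };

int x_lookup(int k, int i)
{
    return (*(*x[k])())[i];
}

/* int (*f)(): f is a pointer to a function returning int.
 * int *h():   h is a function returning a pointer to int. */
static int counter = 42;
int seven(void) { return 7; }
int (*f_ptr)(void) = seven;
int *h(void) { return &counter; }

int call_both(void)
{
    return (*f_ptr)() + *h();          /* 7 + 42 */
}

/* int (*(*g())[13])(): g is a function returning a pointer to an array[13]
 * of pointers to functions returning int. */
static int (*fn_table[13])(void) = { seven, seven };   /* slots 2..12 stay NULL */
int (*(*g(void))[13])(void) { return &fn_table; }

int call_via_g(int i)
{
    int (*fn)(void) = (*g())[i];
    return fn ? fn() : -1;             /* -1 marks an empty slot */
}

/* int *p[13] versus int (*p)[13]: the first is 13 pointer-sized slots, the
 * second a single pointer whose pointee is 13 ints.  sizeof does not evaluate
 * its operand, so the initialised-but-unused locals cost nothing. */
size_t sizeof_array_of_pointers(void) { int *p[13] = { 0 };  return sizeof p; }
size_t sizeof_pointer_to_array(void)  { int (*p)[13] = NULL; return sizeof p; }
size_t sizeof_pointed_to_array(void)  { int (*p)[13] = NULL; return sizeof *p; }

int main(void)
{
    printf("x_lookup(1, 2) = %d\n", x_lookup(1, 2));
    printf("call_both()    = %d\n", call_both());
    printf("call_via_g(0)  = %d, call_via_g(12) = %d\n", call_via_g(0), call_via_g(12));
    printf("int *p[13] is %zu bytes, int (*p)[13] is %zu bytes pointing at %zu bytes\n",
           sizeof_array_of_pointers(), sizeof_pointer_to_array(), sizeof_pointed_to_array());
    return 0;
}
```

The sizeof trio is the one to remember when auditing code: `int *p[13]` and `int (*p)[13]` differ only by parentheses, but one is a 13-element table and the other is a single pointer, so a memcpy or bounds check written for one is wrong for the other.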
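The three bufdemo runs and the two stack diagrams above can be reproduced deterministically without touching a real stack. The added example below (not from the slides) models echo's frame as a single 12-byte array laid out exactly as the diagram shows (buf, then the saved %ebp 0xbffff8f8, then the return address 0x0804864d from the gdb session), feeds it the slide's inputs through an unbounded copy with the semantics of the slide's gets, and then through a bounded fgets-style replacement. The names frame_t, frame_before_gets, unsafe_gets, bounded_gets, saved_ebp and return_addr are invented here, and the inputs are the constructed strings "123", "12345" and "12345678".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-for-byte model of the echo() frame from the slides, lowest address first:
 *   bytes 0..3   buf[4]
 *   bytes 4..7   saved %ebp      (0xbffff8f8 in the gdb session)
 *   bytes 8..11  return address  (0x0804864d in the gdb session)
 * Keeping the whole frame in one array means "writing past buf" is ordinary,
 * well-defined indexing into the same array, so the overwrite can be
 * observed without corrupting a real stack.  (Names are this example's own.) */
#define FRAME_SIZE 12
#define BUF_SIZE   4

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The frame as gdb showed it just before echo() calls gets(): buf not yet
 * written (zeroed here), saved %ebp and return address from the slide. */
frame_t frame_before_gets(void)
{
    frame_t f;
    memset(f.bytes, 0, sizeof f.bytes);
    store_le32(f.bytes + 4, 0xbffff8f8u);
    store_le32(f.bytes + 8, 0x0804864du);
    return f;
}

uint32_t saved_ebp(const frame_t *f)   { return load_le32(f->bytes + 4); }
uint32_t return_addr(const frame_t *f) { return load_le32(f->bytes + 8); }

/* The slide's gets(): copy until newline/end of input with no bound at all.
 * 'input' (a constructed string) stands in for stdin.  Returns the number of
 * bytes written, NUL included, or -1 if the line would run off the end of the
 * modelled 12-byte frame (a guard for this demo only; the real gets has none). */
int unsafe_gets(frame_t *f, const char *input)
{
    size_t n = 0;
    unsigned char *p = f->bytes;                /* buf sits at the bottom of the frame */
    while (input[n] != '\0' && input[n] != '\n') {
        if (n >= FRAME_SIZE) return -1;
        p[n] = (unsigned char)input[n];         /* n >= 4 clobbers the saved %ebp, n >= 8 the return address */
        n++;
    }
    if (n >= FRAME_SIZE) return -1;
    p[n] = '\0';                                /* the terminating NUL is one more byte of overflow */
    return (int)(n + 1);
}

/* Bounded replacement with fgets() semantics: at most BUF_SIZE-1 characters,
 * always NUL-terminated, never touches bytes 4..11.  Returns 1 if truncated. */
int bounded_gets(frame_t *f, const char *input)
{
    size_t n = 0;
    while (n < BUF_SIZE - 1 && input[n] != '\0' && input[n] != '\n') {
        f->bytes[n] = (unsigned char)input[n];
        n++;
    }
    f->bytes[n] = '\0';
    return (input[n] != '\0' && input[n] != '\n') ? 1 : 0;
}

int main(void)
{
    const char *inputs[] = { "123", "12345", "12345678" };   /* the three runs on the slide */
    for (size_t i = 0; i < 3; i++) {
        frame_t f = frame_before_gets();
        unsafe_gets(&f, inputs[i]);
        printf("%-9s saved %%ebp=0x%08x ret=0x%08x\n", inputs[i], saved_ebp(&f), return_addr(&f));
    }
    return 0;
}
```

With "123" nothing outside buf changes. With "12345" the saved %ebp becomes 0xbfff0035, matching the "bf ff 00 35" in the diagram, and echo's `pop %ebp` restores garbage into main's frame pointer, which is why the slide's run faults after echo returns. With "12345678" the saved %ebp is entirely overwritten and the NUL lands in the low byte of the return address, so `ret` jumps to 0x08048600 instead of 0x0804864d. The bounded version leaves bytes 4..11 untouched for every input and reports truncation instead.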

