Machine-Level Programming V:Advanced TopicsFebruary 7, 2008Machine-Level Programming V:Advanced TopicsFebruary 7, 2008TopicsTopics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Codeclass08.ppt15-213“The course that gives CMU its Zip!”– 2 –15-213, S’08IA32 Linux Memory LayoutIA32 Linux Memory LayoutStackStack Runtime stack (8MB limit)HeapHeap Dynamically allocated storage When call malloc(), calloc(), new()DataData Statically allocated data E.g., arrays & strings declared in codeTextText Executable machine instructions Read-onlyUpper 2 hex digits of addressFF00StackTextDataHeap08– 3 –15-213, S’08Memory Allocation ExampleMemory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){p1 = malloc(1 <<28); /* 256 MB */p2 = malloc(1 << 8); /* 256 B */p3 = malloc(1 <<28); /* 256 MB */p4 = malloc(1 << 8); /* 256 B *//* Some print statements ... */}– 4 –15-213, S’08IA32 Example AddressesIA32 Example Addresses$esp 0xffffbcd0p3 0x65586008p1 0x55585008p4 0x1904a110p2 0x1904a008beyond 0x08049744big_array 0x18049780huge_array 0x08049760main() 0x080483c6useless() 0x08049744final malloc() 0x006be166FF8000StackTextDataHeap08&p20x18049760address range ~232– 5 –15-213, S’08x86-64 Example Addressesx86-64 Example Addresses$rsp 0x7ffffff8d1f8p3 0x2aaabaadd010p1 0x2aaaaaadc010p4 0x000011501120p2 0x000011501010beyond 0x000000500a44big_array 0x000010500a80huge_array 0x000000500a50main() 0x000000400510useless() 0x000000400500final malloc() 0x00386ae6a1707F3000StackTextDataHeap08&p20x000010500a60address range ~247– 6 –15-213, S’08C operatorsC operatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to right -> has very high precedence () has very high precedence monadic * just below– 7 –15-213, S’08C pointer declarationsC pointer declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13]of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints– 8 –15-213, S’08Avoiding Complex DeclarationsAvoiding Complex DeclarationsUse Use typedeftypedefto build up the declarationto build up the declarationInstead of Instead of intint(*(*x[3])())[5](*(*x[3])())[5]::typedeftypedefintintfiveints[5];fiveints[5];typedeftypedeffiveintsfiveints* p5i;* p5i;typedeftypedefp5i (*f_of_p5is)();p5i (*f_of_p5is)();f_of_p5is x[3];f_of_p5is x[3];xxis an array of 3 elements, each of which is a pointer to is an array of 3 elements, each of which is a pointer to a function returning an array of 5 a function returning an array of 5 intsints..– 9 –15-213, S’08Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?July, 1999July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserver– 10 –15-213, S’08Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war:z AOL changes server to disallow Messenger clientsz Microsoft makes changes to clients to defeat AOL changes.z At least 13 such skirmishes. How did it happen?The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflowexploits!exploits!z many Unix functions do not check argument sizes.z allows target buffers to overflow.– 11 –15-213, S’08String Library CodeString Library Code Implementation of Unix function gets()z No way to specify limit on number of characters to read Similar problems with other Unix functionsz strcpy: Copies string of arbitrary lengthz scanf, fscanf, sscanf, when given %s conversion specification/* Get string from stdin */char *gets(char *dest){int c = getchar();char *p = dest;while (c != EOF && c != '\n') {*p++ = c;c = getchar();}*p = '\0';return dest;}– 12 –15-213, S’08Vulnerable Buffer CodeVulnerable Buffer Codeint main(){printf("Type a string:");echo();return 0;}/* Echo Line */void echo(){char buf[4]; /* Way too small! */gets(buf);puts(buf);}– 13 –15-213, S’08Buffer Overflow ExecutionsBuffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation Fault– 14 –15-213, S’08Buffer Overflow StackBuffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate stack spacepushl %ebx # Save %ebxaddl $-12,%esp # Allocate stack spaceleal -4(%ebp),%ebx# Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . ./* Echo Line */void echo(){char buf[4]; /* Way too small! */gets(buf);puts(buf);}Return AddressSaved %ebp[3] [2] [1] [0]buf%ebpStackFramefor mainStackFramefor echo– 15 –15-213, S’08Buffer Overflow Stack ExampleBuffer Overflow Stack ExampleBefore call to getsunix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d8048648: call 804857c <echo>804864d: mov 0xffffffe8(%ebp),%ebx # Return PointReturn AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo0xbffff8f8Return AddressSaved %ebp[3][2][1][0]bufStackFramefor mainStackFramefor echobf ff f8 f808 04 86 4dxx xx xx xx– 16 –15-213, S’08Buffer Overflow Example #1Buffer Overflow Example #1Before Call to getsInput = “123”No Problem0xbffff8d8Return
View Full Document