Andrew login ID:Full Name:CS 15-213, Spring 2003Exam 1February 27, 2003Instructions:• Make sure that your exam is not missing any sheets, then write your full name and Andrew login IDon the front.• Write your answers in the space provided below the problem. If you make a mess, clearly indicateyour final answer.• The exam has a maximum score of 60 points.• The problems are of varying difficulty. The point value of each problem is indicated. Pile up the easypoints quickly and then come back to the harder problems.• This exam is OPEN BOOK. You may use any books or notes you like. No electronic devices areallowed. Good luck!1 (1):2 (9):3 (8):4 (4):5 (8):6 (12):7 (10):8 (8):TOTAL (60):Page 1 of 11Problem 1. (1 points):The correct answer to this problem is worth 1 point. An incorrect answer is worth -2 points. No answer willbe scored as 0 points. Note: The answer to this question was given in lecture.The correct answer to this problem is:Page 2 of 11Problem 2. (9 points):Assume we are running code on an 8-bit machine using two’s complement arithmetic for signed integers.Short integers are encoded using 4 bits. Sign extension is performed whenever a short is casted to an int.For this problem, assume that all shift operations are arithmetic. Fill in the empty boxes in the table below.int i = -11;unsigned ui = i;short s = -2;unsigned short us = s;Note: You need not fill in entries marked with ”–”. TMax denotes the largest positive two’s complementnumber and TMin denotes the minimum negative two’s complement number. Finally, you may use hexidec-imal notation for your answers in the “Binary Representation” column.Expression Decimal Representation Binary RepresentationZero 0– −3ii >> 4ui(int) s(int)(s ˆ 7)(int) usTMaxTMinPage 3 of 11Problem 3. (8 points):Consider the following 7-bit floating point representation based on the IEEE floating point format:• There is a sign bit in the most significant bit.• The next 3 bits are the exponent. The exponent bias is 3.• The last 3 bits are the fraction.• The representation encodes numbers of the form: V = (−1)s× M × 2E, where M is the significandand E the integer value of the exponent.Please fill in the table below. You do not have to fill in boxes with ”——” in them. If a number is NANor infinity, you may disregard the M , E, and V fields below. However, fill the Description and Binaryfields with valid data.Here are some guidelines for each field:• Description - A verbal description if the number has a special meaning• Binary - Binary representation of the number• M - Significand (same as the M in the formula above)• E - Exponent (same as the E in 2E)• V - Fractional Value representedPlease fill the M , E, and V fields below with rational numbers (fractions) rather than decimals orbinary decimalsDescription Binary M E V—— 0 010 0102381 111 000Most Negative NormalizedSmallest Positive DenormalizedPage 4 of 11Problem 4. (4 points):Consider the following assembly instructions and C functions:080483b4 <funcX>:80483b4: 55 push %ebp80483b5: 89 e5 mov %esp,%ebp80483b7: 8b 45 08 mov 0x8(%ebp),%eax80483ba: 8d 04 80 lea (%eax,%eax,4),%eax80483bd: 8d 04 85 f6 ff ff ff lea 0xfffffff6(,%eax,4),%eax80483c4: 89 ec mov %ebp,%esp80483c6: 5d pop %ebp80483c7: c3 retCircle the C function below that generates the above assembly instructions:int func1(int n) {return n * 20 - 10;}int func2(int n) {return n * 24 + 6;}int func3(int n) {return n * 16 - 4;}Page 5 of 11Problem 5. (8 points):Consider the following pairs of C functions and assembly code. Draw a line connecting each C function withthe block(s) of assembly code that implements it. There is not necessarily a one-to-one correspondence.Draw an X through any C and/or assembly code fragments that don’t have a match.int scooby(int *a){return a[4];}pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxsall $2, %eaxpopl %ebpretint dooby(int a){return a*4;}pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxmovsbl 4(%eax),%eaxpopl %ebpretint doo(int a){return a<<4;}pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxsall $4, %eaxpopl %ebpretchar scrappy(char *a){return a[4];}pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxleal 0(,%eax,4), %eaxpopl %ebpretPage 6 of 11Problem 6. (12 points):Recently, Microsoft’s SQL Server was hit by the SQL Slammer worm, which exploits a known bufferoverflow in the SQL Resolution Service. Today, we’ll be writing our own 213 Slammer that exploits thevulnerability introduced in bufbomb, the executable used in your Lab 3 assignment. And as such, Getshas the same functionality as in Lab 3 except that it strips off the newline character before storing the inputstring.Consider the following exploit code, which runs the program into an infinite loop:infinite.o: file format elf32-i386Disassembly of section .text:00000000 <.text>:0: 68 fc b2 ff bf push $0xbfffb2fc5: c3 ret6: 89 f6 mov %esi,%esiHere is a disassembled version of the getbuf function in bufbomb, along with the values of the relevantregisters and a printout of the stack before the call to Gets().(gdb) disasDump of assembler code for function getbuf:0x8048a44 <getbuf>: push %ebp0x8048a45 <getbuf+1>: mov %esp,%ebp0x8048a47 <getbuf+3>: sub $0x18,%esp0x8048a4a <getbuf+6>: add $0xfffffff4,%esp0x8048a4d <getbuf+9>: lea 0xfffffff4(%ebp),%eax0x8048a50 <getbuf+12>: push %eax0x8048a51 <getbuf+13>: call 0x8048b50 <Gets>0x8048a56 <getbuf+18>: mov $0x1,%eax0x8048a5b <getbuf+23>: mov %ebp,%esp0x8048a5d <getbuf+25>: pop %ebp0x8048a5e <getbuf+26>: ret0x8048a5f <getbuf+27>: nopEnd of assembler dump.(gdb) info registerseax 0xbfffb2fc ecx 0xffffffffedx 0x0 ebx 0x0esp 0xbfffb2e0 ebp 0xbfffb308esi 0xffffffff edi 0x804b820(gdb) x/20xb $ebp-120xbfffb2fc: 0xf0 0x17 0x02 0x40 0x18 0xb3 0xff 0xbf0xbfffb304: 0x50 0x80 0x06 0x40 0x28 0xb3 0xff 0xbf0xbfffb30c: 0xee 0x89 0x04 0x08 0x24 0xb3 0xff 0xbfPage 7 of 11Here are the questions:1. Write down the address of the location on the stack which contains the return address where getbufis supposed to return to:0x____________________2. Using the exploit code illustrated above, fill in the the following blanks on the stack after the call toGets(). All the numbers must be in a two character hexadecimal representation of a byte. We’vealready filled in the terminating \0 (0x00) character for you.(gdb) x/20xb $ebp-120xbfffb2fc: 0x___ 0x___ 0x___ 0x___ 0x___ 0x___ 0x___ 0x___0xbfffb304: 0x___ 0x___ 0x___ 0x___ 0x___ 0x___ 0x___ 0x___0xbfffb30c: 0x___ 0x___ 0x___ 0x___ 0x00 0xb3 0xff
View Full Document