Machine-Level Programming V: Miscellaneous TopicsLinux Memory LayoutLinux Memory AllocationText & Stack ExampleDynamic Linking ExampleMemory Allocation ExampleExample AddressesC OperatorsC Pointer DeclarationsInternet Worm and IM WarInternet Worm and IM War (cont.)String Library CodeVulnerable Buffer CodeBuffer Overflow ExecutionsBuffer Overflow StackBuffer Overflow Stack ExampleBuffer Overflow Example #1Buffer Overflow Stack Example #2Buffer Overflow Stack Example #3Malicious Use of Buffer OverflowExploits Based on Buffer OverflowsSlide 22Slide 23Avoiding Overflow VulnerabilityIA32 Floating PointFPU Data Register StackFPU instructionsFinal ObservationsMachine-Level Programming V:Miscellaneous TopicsMachine-Level Programming V:Miscellaneous TopicsTopicsTopicsLinux Memory LayoutUnderstanding PointersBuffer OverflowFloating Point CodeX86.5a.ppt CS 105Tour of Black Holes of Computing– 2 –105Linux Memory LayoutLinux Memory LayoutStackStackRuntime stackHeapHeapDynamically allocated storageWhen call malloc, calloc, realloc, newDLLsDLLsDynamically Linked (Shared) LibrariesLibrary routines (e.g., printf, malloc)Linked into object code when first executedDataDataStatically allocated dataE.g., arrays & strings declared in codeTextTextExecutable machine instructionsRead-onlyUpper 2 hex digits of addressFFBF7F3FC0804000StackDLLsTextDataHeapHeap08(Stack)– 3 –105Linux Memory AllocationLinux Memory AllocationLinkedBF7F3F804000StackDLLsTextData08Some HeapBF7F3F804000StackDLLsTextDataHeap08MoreHeapBF7F3F804000StackDLLsTextDataHeapHeap08InitiallyBF7F3F804000StackTextData08– 4 –105Text & Stack ExampleText & Stack Example(gdb) break main(gdb) run Breakpoint 1, 0x804856f in main ()(gdb) print $esp $3 = (void *) 0xbffffc78MainMainAddress 0x804856f should be read 0x0804856fStackStackAddress 0xbffffc78InitiallyBF7F3F804000StackTextData08– 5 –105Dynamic Linking ExampleDynamic Linking Example(gdb) print malloc $1 = {<text variable, no debug info>} 0x8048454 <malloc>(gdb) run Program exited normally.(gdb) print malloc $2 = {void *(unsigned int)} 0x40006240 <malloc>InitiallyInitiallyCode in text segment that invokes dynamic linkerAddress 0x8048454 should be read 0x08048454FinalFinalCode in DLL regionLinkedBF7F3F804000StackDLLsTextData08– 6 –105Memory Allocation ExampleMemory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){ p1 = malloc(1 << 28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 << 28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements ... */}– 7 –105Example AddressesExample Addresses$esp 0xbffffc78p3 0x500b5008p1 0x400b4008Final malloc 0x40006240p4 0x1904a640 p2 0x1904a538beyond 0x1904a524big_array 0x1804a520huge_array 0x0804a510main() 0x0804856fuseless() 0x08048560Initial malloc 0x08048454BF7F3F804000StackDLLsTextDataHeapHeap08– 8 –105C OperatorsC OperatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to rightNote: Unary +, -, and * have higher precedence than binary forms– 9 –105C Pointer DeclarationsC Pointer Declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints– 10 –105Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988Internet Worm attacks thousands of Internet hosts.How did it happen?July, 1999July, 1999Microsoft launches MSN Messenger (instant messaging system).Messenger clients can access popular AOL Instant Messaging Service (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserver– 11 –105Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999Mysteriously, Messenger clients can no longer access AIM servers.Microsoft and AOL begin the IM war:AOL changes server to disallow Messenger clientsMicrosoft makes changes to clients to defeat AOL changes.At least 13 such skirmishes.How did it happen?The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflow exploits! exploits!Many Unix functions do not check argument sizes.Allows target buffers to overflow.– 12 –105String Library CodeString Library CodeImplementation of Unix function getsNo way to specify limit on number of characters to readSimilar problems with other Unix functionsstrcpy: Copies string of arbitrary lengthscanf, fscanf, sscanf, when given %s conversion specification/* Get string from stdin */char *gets(char *dest){ int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest;}– 13 –105Vulnerable Buffer CodeVulnerable Buffer Codeint main(){ printf("Type a string: "); echo(); return 0;}/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}– 14 –105Buffer Overflow ExecutionsBuffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation Fault– 15 –105Buffer Overflow StackBuffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . ./* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo– 16 –105Buffer Overflow Stack
View Full Document