Harvey Mudd CS 105 - Machine-Level Programming V: Miscellaneous Topics - D692899

Home> Schools> Harvey Mudd College> (CS) > CS 105> Machine-Level Programming V: Miscellaneous Topics

DOC PREVIEW

Harvey Mudd CS 105 - Machine-Level Programming V: Miscellaneous Topics

School name Harvey Mudd College

Course Cs 105- Computer Systems

Pages 27

This preview shows page 1-2-3-25-26-27 out of 27 pages.

Save

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

View full document

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

Premium Document

Do you want full access? Go Premium and unlock all 27 pages.

Access to all documents

Download any document

Ad free experience

Subscribe for instant access Get instant access

Unformatted text preview:

Machine-Level Programming V: Miscellaneous TopicsLinux Memory LayoutLinux Memory AllocationText & Stack ExampleDynamic Linking ExampleMemory Allocation ExampleExample AddressesC OperatorsC Pointer DeclarationsInternet Worm and IM WarInternet Worm and IM War (cont.)String Library CodeVulnerable Buffer CodeBuffer Overflow ExecutionsBuffer Overflow StackBuffer Overflow Stack ExampleBuffer Overflow Example #1Buffer Overflow Stack Example #2Buffer Overflow Stack Example #3Malicious Use of Buffer OverflowExploits Based on Buffer OverflowsSlide 22Avoiding Overflow VulnerabilityIA32 Floating PointFPU Data Register StackFPU instructionsFinal ObservationsMachine-Level Programming V:Miscellaneous TopicsMachine-Level Programming V:Miscellaneous TopicsTopicsTopicsLinux Memory LayoutUnderstanding PointersBuffer OverflowFloating-Point Code CS 105Tour of Black Holes of Computing– 2 –105Linux Memory LayoutLinux Memory LayoutStackStackRuntime stackHeapHeapDynamically allocated storageWhen call malloc, calloc, realloc, newDLLsDLLsDynamically Linked (Shared) LibrariesLibrary routines (e.g., printf, malloc)Linked into object code when first executedDataDataStatically allocated dataE.g., arrays & strings declared in codeTextTextExecutable machine instructionsRead-onlyUpper 2 hex digits of addressFFBF7F3FC0804000StackDLLsTextDataHeapHeap08(Stack)– 3 –105Linux Memory AllocationLinux Memory AllocationLinkedBF7F3F804000StackDLLsTextData08Some HeapBF7F3F804000StackDLLsTextDataHeap08MoreHeapBF7F3F804000StackDLLsTextDataHeapHeap08InitiallyBF7F3F804000StackTextData08– 4 –105Text & Stack ExampleText & Stack Example(gdb) break main(gdb) run Breakpoint 1, 0x804856f in main ()(gdb) print $esp $3 = (void *) 0xbffffc78MainMainAddress 0x804856f should be read 0x0804856fStackStackAddress 0xbffffc78InitiallyBF7F3F804000StackTextData08– 5 –105Dynamic Linking ExampleDynamic Linking Example(gdb) print malloc $1 = {<text variable, no debug info>} 0x8048454 <malloc>(gdb) run Program exited normally.(gdb) print malloc $2 = {void *(unsigned int)} 0x40006240 <malloc>InitiallyInitiallyCode in text segment that invokes dynamic linkerAddress 0x8048454 should be read 0x08048454FinalFinalCode in DLL regionLinkedBF7F3F804000StackDLLsTextData08– 6 –105Memory Allocation ExampleMemory Allocation Examplechar big_array[1<<24]; /* 16 MB */char huge_array[1<<28]; /* 256 MB */int beyond;char *p1, *p2, *p3, *p4;int useless() { return 0; }int main(){ p1 = malloc(1 << 28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 << 28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements ... */}– 7 –105Example AddressesExample Addresses$esp 0xbffffc78p3 0x500b5008p1 0x400b4008Final malloc 0x40006240p4 0x1904a640 p2 0x1904a538beyond 0x1904a524big_array 0x1804a520huge_array 0x0804a510main() 0x0804856fuseless() 0x08048560Initial malloc 0x08048454BF7F3F804000StackDLLsTextDataHeapHeap08– 8 –105C OperatorsC OperatorsOperators Associativity() [] -> . left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to rightNote: Unary +, -, and * have higher precedence than binary forms– 9 –105C Pointer DeclarationsC Pointer Declarationsint *p p is a pointer to intint *p[13] p is an array[13] of pointer to intint *(p[13]) p is an array[13] of pointer to intint **p p is a pointer to a pointer to an intint (*p)[13] p is a pointer to an array[13] of intint *f() f is a function returning a pointer to intint (*f)() f is a pointer to a function returning intint (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning intint (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints– 10 –105Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988Internet Worm attacks thousands of Internet hosts.How did it happen?July, 1999July, 1999Microsoft launches MSN Messenger (instant messaging system).Messenger clients can access popular AOL Instant Messaging Service (AIM) serversAIMserverAIMclientAIMclientMSNclientMSNserver– 11 –105Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999Mysteriously, Messenger clients can no longer access AIM servers.Microsoft and AOL begin the IM war:AOL changes server to disallow Messenger clientsMicrosoft makes changes to clients to defeat AOL changes.At least 13 such skirmishes.How did it happen?The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflow exploits! exploits!Many Unix functions do not check argument sizes.Allows target buffers to overflow.– 12 –105String Library CodeString Library CodeImplementation of Unix function getsNo way to specify limit on number of characters to readSimilar problems with other Unix functionsstrcpy: Copies string of arbitrary lengthscanf, fscanf, sscanf, when given %s conversion specification/* Get string from stdin */char *gets(char *dest){ int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest;}– 13 –105Vulnerable Buffer CodeVulnerable Buffer Codeint main(){ printf("Type a string: "); echo(); return 0;}/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}– 14 –105Buffer Overflow ExecutionsBuffer Overflow Executionsunix>./bufdemoType a string:123123unix>./bufdemoType a string:12345Segmentation Faultunix>./bufdemoType a string:12345678Segmentation Fault– 15 –105Buffer Overflow StackBuffer Overflow Stackecho:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . ./* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}Return AddressSaved %ebp[3][2][1][0]buf%ebpStackFramefor mainStackFramefor echo– 16 –105Buffer Overflow Stack ExampleBuffer

View Full Document