Lecture Slides on Machine-Level Programming V: Wrap-up | CSCE 230, Study notes of Computer Architecture and Organization

Material Type: Notes; Class: Computer Organization; Subject: Computer Science and Engineering ; University: University of Nebraska - Lincoln; Term: Unknown 2000;

Uploaded on 08/30/2009

Slide 1: Machine-Level Programming V: Wrap-up
CSCE 230J, Computer Organization
Dr. Steve Goddard
http://cse.unl.edu/~goddard/Courses/CSCE230J
Slide 2: Giving credit where credit is due
Most of the slides for this lecture are based on slides created by Drs. Bryant and O’Hallaron, Carnegie Mellon University. I have modified them and added new slides.
Slide 3: Topics
- Linux Memory Layout
- Understanding Pointers
- Buffer Overflow
- Floating Point Code
Slide 4: Linux Memory Layout
Stack
- Runtime stack (8MB limit)
Heap
- Dynamically allocated storage
- When call malloc, calloc, new
DLLs
- Dynamically Linked Libraries
- Library routines (e.g., printf, malloc)
- Linked into object code when first executed
Data
- Statically allocated data
- E.g., arrays & strings declared in code
Text
- Executable machine instructions
- Read-only
[Figure: address space labelled by the upper 2 hex digits of the address (Red Hat v. 6.2, ~1920MB memory limit), ticks FF, BF, 7F, 3F, C0, 80, 40, 00: stack just below BF, DLLs at 40 with a heap region above them, then heap, data and text at 08 near the bottom.]
Slide 5: Linux Memory Allocation
[Figure: four snapshots of the address space diagram, Initially (stack, text, data only), Linked (DLLs added at 40), Some Heap and More Heap (heap regions appear above the data and above the DLLs as allocation proceeds).]
Slide 6: Text & Stack Example
    (gdb) break main
    (gdb) run
    Breakpoint 1, 0x804856f in main ()
    (gdb) print $esp
    $3 = (void *) 0xbffffc78
Main
- Address 0x804856f should be read 0x0804856f
Stack
- Address 0xbffffc78
[Figure: "Initially" address space diagram, stack at BF, data and text at 08.]

Slide 7: Dynamic Linking Example
    (gdb) print malloc
    $1 = {} 0x8048454
    (gdb) run
    Program exited normally.
    (gdb) print malloc
    $2 = {void *(unsigned int)} 0x40006240
Initially
- Code in text segment that invokes dynamic linker
- Address 0x8048454 should be read 0x
Final
- Code in DLL region
[Figure: "Linked" address space diagram, stack at BF, DLLs at 40, text and data at 08.]

Slide 8: Memory Allocation Example

    #include <stdlib.h>

    char big_array[1<<24];  /*  16 MB */
    char huge_array[1<<28]; /* 256 MB */

    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28); /* 256 MB */
        p2 = malloc(1 << 8);  /* 256 B  */
        p3 = malloc(1 << 28); /* 256 MB */
        p4 = malloc(1 << 8);  /* 256 B  */
        /* Some print statements ... */
        return 0;
    }

Slide 9: Example Addresses
    $esp            0xbffffc
    p3              0x500b
    p1              0x400b
    Final malloc    0x
    p4              0x1904a
    p2              0x1904a
    beyond          0x1904a
    big_array       0x1804a
    huge_array      0x0804a
    main()          0x0804856f
    useless()       0x
    Initial malloc  0x
[Figure: address space diagram with these addresses placed on it: $esp in the stack below BF, p1 and p3 (the 256 MB blocks) and the final malloc in the DLL/heap region at 40 and above, p2, p4 and beyond in the heap just above the data, big_array and huge_array in the data, main() and useless() in the text at 08.]

Slide 10: C operators

    Operators                                     Associativity
    ()  []  ->  .                                 left to right
    !  ~  ++  --  +  -  *  &  (type)  sizeof      right to left
    *  /  %                                       left to right
    +  -                                          left to right
    <<  >>                                        left to right
    <  <=  >  >=                                  left to right
    ==  !=                                        left to right
    &                                             left to right
    ^                                             left to right
    |                                             left to right
    &&                                            left to right
    ||                                            left to right
    ?:                                            right to left
    =  +=  -=  *=  /=  %=  &=  ^=  |=  <<=  >>=   right to left
    ,                                             left to right

Note: Unary +, -, and * have higher precedence than binary forms

Slide 11: C pointer declarations

    int *p                  p is a pointer to int
    int *p[13]              p is an array[13] of pointer to int
    int *(p[13])            p is an array[13] of pointer to int
    int **p                 p is a pointer to a pointer to an int
    int (*p)[13]            p is a pointer to an array[13] of int
    int *f()                f is a function returning a pointer to int
    int (*f)()              f is a pointer to a function returning int
    int (*(*f())[13])()     f is a function returning ptr to an array[13] of pointers to functions returning int
    int (*(*x[3])())[5]     x is an array[3] of pointers to functions returning pointers to array[5] of ints

Slide 12: Internet Worm and IM War
November, 1988
- Internet Worm attacks thousands of Internet hosts.
- How did it happen?
July, 1999
- Microsoft launches MSN Messenger (instant messaging system).
- Messenger clients can access popular AOL Instant Messaging Service (AIM) servers
[Figure: AIM clients and an MSN client connected to the AIM server; MSN server alongside.]

Slide 19: Buffer Overflow Example #
Before call to gets, Input = “123”: No Problem
[Figure: two views of the stack, each with the stack frame for main above the stack frame for echo. In echo's frame, from higher to lower addresses: Return Address (08 04 86 4d), Saved %ebp (bf ff f8 f), then buf [3][2][1][0] at 0xbffff8d; %ebp points at the saved %ebp slot.]

Slide 20: Buffer Overflow Stack Example #
Input = “12345”
echo code:
    8048592: push %ebx
    8048593: call 80483e4 <init+0x50>   # gets
    8048598: mov 0xffffffe8(%ebp),%ebx
    804859b: mov %ebp,%esp
    804859d: pop %ebp                   # %ebp gets set to invalid value
    804859e: ret
[Figure: same two stack views (stack frame for main above stack frame for echo; Return Address, Saved %ebp, buf [3][2][1][0] at 0xbffff8d). After gets, the Saved %ebp bytes read bf ff 00 35 while the Return Address still reads 08 04 86 4d.]
Saved value of %ebp set to 0xbfff
Bad news when later attempt to restore %ebp

Slide 21: Buffer Overflow Stack Example #
Input = “12345678”
    8048648: call 804857c
    804864d: mov 0xffffffe8(%ebp),%ebx   # Return Point
[Figure: same two stack views (stack frame for main above stack frame for echo; Return Address, Saved %ebp, buf [3][2][1][0] at 0xbffff8d). After gets, both the Saved %ebp and the Return Address slots hold input bytes.]
Invalid address
No longer pointing to desired return point
%ebp and return address corrupted

Slide 22: Malicious Use of Buffer Overflow
- Input string contains byte representation of executable code
- Overwrite return address with address of buffer
- When bar() executes ret, will jump to exploit code

    void bar() {
        char buf[64];
        gets(buf);
        ...
    }

    void foo() {
        bar();
        ...
    }

[Figure: stack after call to gets(): the foo stack frame holds return address A; the bar stack frame holds buf at address B. The data written by gets() fills buf with exploit code and padding and overwrites the return address with B.]

Slide 23: Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines.
Internet worm
- Early versions of the finger server (fingerd) used gets() to read the argument sent by the client:
  - finger [email protected]
- Worm attacked fingerd server by sending phony argument:
  - finger “exploit-code padding new-return-address”
  - exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker.

Slide 24: Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines.
IM War
- AOL exploited existing buffer overflow bug in AIM clients
  - exploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server.
  - When Microsoft changed code to match signature, AOL changed signature location.

Slide 25:
Date: Wed, 11 Aug 1999 11:30:57 -0700 (PDT)
From: Phil Bucking
Subject: AOL exploiting buffer overrun bug in their own software!
To: [email protected]

Mr. Smith,

I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response.

I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year. ... It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now exploiting their own buffer overrun bug to help in its efforts to block MS Instant Messenger. .... Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security.

Sincerely,
Phil Bucking
Founder, Bucking Consulting
[email protected]

It was later determined that this email originated from within Microsoft!

Slide 26: Code Red Worm
History
- June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS Internet server
- July 19, 2001. Over 250,000 machines infected by new virus in 9 hours
- White House must change its IP address. Pentagon shut down public WWW servers for a day
When We Set Up CS:APP Web Site
- Received strings of form
    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN....NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u 1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 325 "-" "-"

Slide 27: Code Red Exploit Code
- Starts 100 threads running
- Spread self
  - Generate random IP addresses & send attack string
  - Between 1st & 19th of month
- Attack www.whitehouse.gov
  - Send 98,304 packets; sleep for 4-1/2 hours; repeat
    » Denial of service attack
  - Between 21st & 27th of month
- Deface server’s home page
  - After waiting 2 hours

Slide 28: Code Red Effects
Later Version Even More Malicious
- Code Red II
- As of April, 2002, over 18,000 machines infected
- Still spreading
Paved Way for NIMDA
- Variety of propagation methods
- One was to exploit vulnerabilities left behind by Code Red II

Slide 29: Avoiding Overflow Vulnerability
Use Library Routines that Limit String Lengths
- fgets instead of gets
- strncpy instead of strcpy
- Don’t use scanf with %s conversion specification
  - Use fgets to read the string

    #include <stdio.h>

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        fgets(buf, 4, stdin);
        puts(buf);
    }
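The bounded echo above never overruns buf, but fgets silently stops after three characters and leaves the rest of an overlong line in stdin for the next read. The following is an added example, not code from the slides: read_line_bounded, echo_nth_line and last_echoed are hypothetical helpers that size the fgets call from the buffer, report whether the line was truncated, and discard the remainder; the inputs are constructed and fed through a tmpfile standing in for stdin.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 4   /* deliberately tiny, like buf[4] in the slides */

/* Read one line into buf with fgets, never writing past n bytes. Returns 1 if
   the whole line fit, 0 if it was longer than the buffer (the excess is
   discarded so the next read starts on a fresh line), -1 if nothing was read.
   Hypothetical helper, not from the slides. */
int read_line_bounded(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* strip newline: the line fit */
        return 1;
    }
    /* No newline: the line had at least n-1 chars; peek to distinguish
       "exactly fit" from "truncated", then drain the rest of the line. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 1;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 0;
}

static char last_line[BUFSZ];                /* most recently echoed line */

/* Feed a constructed input string through the bounded reader (a tmpfile stands
   in for stdin) and stop after the nth line; returns that read's status. */
int echo_nth_line(const char *input, int nth)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    int rc = -1;
    for (int i = 0; i < nth; i++)
        rc = read_line_bounded(last_line, sizeof last_line, in);
    fclose(in);
    return rc;
}

const char *last_echoed(void) { return last_line; }
```

With BUFSZ 4, the inputs "12345" and "12345678" from the overflow slides both come back as "123" with the truncation flag set, and the following line is still read cleanly. strncpy, also recommended above, has its own caveat: it does not NUL-terminate when the source is at least n bytes long, so the destination's last byte must be set to '\0' explicitly.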

Slide 30: IA32 Floating Point
History
- 8086: first computer to implement IEEE FP
  - separate 8087 FPU (floating point unit)
- 486: merged FPU and Integer Unit onto one chip
Summary
- Hardware to add, multiply, and divide
- Floating point data registers
- Various control & status registers
Floating Point Formats
- single precision (C float): 32 bits
- double precision (C double): 64 bits
- extended precision (C long double): 80 bits
[Figure: block diagram of instruction decoder and sequencer feeding the FPU and the Integer Unit, both attached to Memory.]