



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Material Type: Notes; Class: Computer Organization; Subject: Computer Science and Engineering ; University: University of Nebraska - Lincoln; Term: Unknown 2000;
Typology: Study notes
1 / 6
This page cannot be seen from the preview
Don't miss anything!




2
3
4
Runtime stack (8MB limit)
Dynamically allocated storage When call malloc , calloc , new
Dynamically Linked Libraries Library routines (e.g., printf , malloc ) Linked into object code when first executed
Statically allocated data E.g., arrays & strings declared in code
Executable machine instructions Read-only
Upper 2 hex digits of address
Red Hat v. 6. ~1920MB memory limit
5
Stack
DLLs
Text
Data 08
Stack
DLLs
Text
Data
Heap
Stack
DLLs
Text
Data
Heap
Heap
Stack
Text
Data
08
6
Stack
Text
Data 08
7
Dynamic Linking Example
Initially
Final
Linked BF
Stack
DLLs
Text
Data 08
8
Memory Allocation Example
char big_array[1<<24]; /* 16 MB / char huge_array[1<<28]; / 256 MB */
int beyond; char *p1, *p2, *p3, *p4;
int useless() { return 0; }
int main() { p1 = malloc(1 <<28); /* 256 MB / p2 = malloc(1 << 8); / 256 B / p3 = malloc(1 <<28); / 256 MB / p4 = malloc(1 << 8); / 256 B / / Some print statements ... */ }
9
Example Addresses
$esp 0xbffffc p3 0x500b p1 0x400b Final malloc 0x p4 0x1904a p2 0x1904a beyond 0x1904a big_array 0x1804a huge_array 0x0804a main() 0x0804856f useless() 0x Initial malloc 0x
Stack
DLLs
Text
Data
Heap
Heap
10
C operators
Operators Associativity () [] ->. left to right ! ~ ++ -- + - * & (type) sizeof right to left
11
C pointer declarations
int *p p is a pointer to int
int *p[13] p is an array[13] of pointer to int
int *(p[13]) p is an array[13] of pointer to int
int **p p is a pointer to a pointer to an int
int (*p)[13] p is a pointer to an array[13] of int
int *f() f is a function returning a pointer to int
int (*f)() f is a pointer to a function returning int
int ((f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning int
int ((x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints
12
Internet Worm and IM War
November, 1988
July, 1999
server
client
client
client
server
19
Buffer Overflow Example #
Before Call to gets (^) Input = “123”
No Problem
0xbffff8d
Return Address Saved %ebp [3][2][1][0] buf
Stack Frame for main
Stack Frame for echo
bf ff f8 f
08 04 86 4d
Return Address Saved %ebp [3][2][1][0] buf
%ebp
Stack Frame for main
Stack Frame for echo
20
Buffer Overflow Stack Example #
Input = “12345”
8048592: push %ebx 8048593: call 80483e4 <init+0x50> # gets 8048598: mov 0xffffffe8(%ebp),%ebx 804859b: mov %ebp,%esp 804859d: pop %ebp **# %ebp gets set to invalid value_** 804859e: ret
echo code:
0xbffff8d
Return Address Saved %ebp [3][2][1][0] buf
Stack Frame for main
Stack Frame for echo
bf ff 00 35
08 04 86 4d
Return Address Saved %ebp [3][2][1][0] buf
%ebp
Stack Frame for main
Stack Frame for echo
Saved value of %ebp set to 0xbfff
Bad news when later attempt to restore %ebp
21
Buffer Overflow Stack Example #
Input = “12345678”
Return Address Saved %ebp [3][2][1][0] buf
%ebp
Stack Frame for main
Stack Frame for echo
8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point
0xbffff8d
Return Address Saved %ebp [3][2][1][0] buf
Stack Frame for main
Stack Frame for echo
Invalid address
No longer pointing to desired return point
%ebp and return address corrupted
22
Malicious Use of Buffer Overflow
Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret , will jump to exploit code
void bar() { char buf[64]; gets(buf); ... }
void foo(){ bar(); ... }
Stack after call to gets()
return address A
foo stack frame
bar stack frame
B
exploit code
pad
data written by gets()
23
Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to execute
arbitrary code on victim machines.
Internet worm
finger [email protected]
finger “exploit-code padding new-return-address” exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker.
24
Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines.
IM War
25
Date: Wed, 11 Aug 1999 11:30:57 -0700 (PDT) From: Phil Bucking Subject: AOL exploiting buffer overrun bug in their own software! To: [email protected]
Mr. Smith,
I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response.
I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year. ... It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now exploiting their own buffer overrun bug to help in its efforts to block MS Instant Messenger. .... Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security.
Sincerely, Phil Bucking Founder, Bucking Consulting [email protected]
It was later determined that this email originated from within Microsoft!
26
Code Red Worm
History
When We Set Up CS:APP Web Site
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN....NNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u 1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u 0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 325 "-" "-"
27
Code Red Exploit Code
Generate random IP addresses & send attack string Between 1st & 19th of month
Send 98,304 packets; sleep for 4-1/2 hours; repeat » Denial of service attack Between 21st & 27th of month
After waiting 2 hours
28
Code Red Effects
Later Version Even More Malicious
Paved Way for NIMDA
29
Avoiding Overflow Vulnerability
Use Library Routines that Limit String Lengths
/* Echo Line / void echo() { char buf[4]; / Way too small! */ fgets(buf, 4, stdin); puts(buf); }
30
IA32 Floating Point
History
separate 8087 FPU (floating point unit)
Summary
Floating Point Formats
Instruction decoder and sequencer
Integer Unit
Memory