cs356 unit 7
play

CS356 Unit 7 Data Layout & Intermediate Stack Frames 7.2 - PowerPoint PPT Presentation

Jul 24, 2023 •265 likes •604 views

7.1 CS356 Unit 7 Data Layout & Intermediate Stack Frames 7.2 Structs CS:APP 3.9.1 Structs are just collections of heterogeneous data Each member is laid out in consecutive memory locations, with some padding inserted to ensure

  1. 7.1 CS356 Unit 7 Data Layout & Intermediate Stack Frames

  2. 7.2 Structs CS:APP 3.9.1 • Structs are just collections of heterogeneous data • Each member is laid out in consecutive memory locations, with some padding inserted to ensure alignment – Intel machines don't require alignment but perform better when it is used – Reordering can reduce size! www.catb.org/esr/structure-packing – “Each type aligned at a multiple of its size” struct Data1 { 4 0 offset: int x; x y Data1 char y; }; 2 0 offset: struct Data2 { Data2 w p (w/o padding) short w; char *p; 2 0 8 offset: }; Data2 w padding p (w/ padding) struct Data3 { struct Data1 f; 4 5 8 offset: 0 int g; Data3 f.x f.y padding g };

  3. 7.3 Structs: Offsets in assembly struct record_t { Assume 4-byte int / float , char a[2]; int b; 8-byte long / double . long c; int d[3]; Can you figure out the short e; }; offsets for %rdi ? void initialize(struct record_t *x) { x->a[1] = 1; x->b = 2; initialize: x->c = 3; movb $1, 1 (%rdi) x->d[1] = 4; movl $2, 4 (%rdi) x->e = 5; movq $3, 8 (%rdi) } movl $4, 20 (%rdi) movw $5, 28 (%rdi) ret a a b b b b c c c c c c c c d0 d0 d0 d0 d1 d1 d1 d1 d2 d2 d2 d2 e e

  4. 7.4 struct B { // this struct must start/end at a multiple of 4, because that's required by 'y' char x; // 1 byte int y; // 4 bytes (needs 3 bytes of padding before to start at a multiple of 4) char z; // 1 byte (needs 3 bytes of padding after to end at a multiple of 4) }; struct A { char a; // 1 byte struct B b; // has 4-byte alignment: 3 bytes of padding before 'b' char c; // also 3 bytes of padding before 'c', so that 'b' ends at a multiple of 4 }; void init(struct A *a) { a x a->a = 1; y y y y z a->b.x = 2; a->b.y = 3; c a->b.z = 4; a->c = 5; } $ gcc -fomit-frame-pointer -mno-red-zone -Og -S align.c; cat align.s | grep mov movb $1, (%rdi) We still want each member of the nested struct to start at a multiple of its movb $2, 4(%rdi) size, but where should the nested struct itself start? movl $3, 8(%rdi) movb $4, 12(%rdi) Its start/end should have the largest alignment required by its members. movb $5, 16(%rdi)

  5. 7.5 Unions CS:APP 3.9.2 • Unions allow you to read/write the same memory region as variables with different types – All elements start at offset 0 – The size of the union is simply the size of the biggest member – Elements must be POD (plain old data) or at least default-constructible union Data1 { int x; 0 offset: char y; x Data1 y }; union Data2 { 2 0 offset: short w; Data2 p w char *p; (w/o padding) }; 0 1 2 3 offset: int main() { Recall x86 uses 56 03 00 00 union Data1 item; item little-endian item.x = 0x356; item 61 03 00 00 item.y = 'a'; }

  6. 7.6 Unions: Revealing Endianness #include <stdio.h> • 4-byte union • union int_bytes { x reads/writes an int int x; • bytes reads/writes char bytes[4]; }; 4 consecutive char int main() { union int_bytes ib; ib.x = 256; Note that bytes are printf("%08X is %02X %02X %02X %02X\n", ib.x, ib.bytes[3], ib.bytes[2], stored in reversed order ib.bytes[1], ib.bytes[0]); } // prints: // 00000100 is 00 00 01 00

  7. 7.7 Unions: hex encoding of a float #include <stdio.h> • 4-byte union • union float_int { i reads/writes an int float f; • f reads/writes a float int i; }; int main() { Endianness not noticeable: union float_int fi; fi.f = 1.0; members have same size. printf("%.2f is %08X\n", fi.f, fi.i); } // prints: // 1.00 is 3F800000

  8. 7.8 Buffer "overrun"/"overflow" attacks EXPLOITS VIA THE STACK AND THEIR PREVENTION

  9. 7.9 Arrays Bounds: Java, Python, C class Bounds { $ javac Bounds.java public static void main (String[] args) { $ java Bounds int [] x = new int [ 10 ]; Exception in thread "main" for ( int i = 0 ; i <= x.length; i++) { java.lang.ArrayIndexOutOfBoundsException: 10 x[i] = i; at Bounds.main(Bounds.java:7) } } } x = [ 0 ] * 10 $ python3 bounds.py Traceback (most recent call last): # not pythonic! but still... File "bounds.py", line 5, in <module> for i in range(len(x) + 1 ): x[i] = i x[i] = i IndexError: list assignment index out of range #include <stdio.h> $ gcc bounds.c -o bounds int main () { $ ./bounds int x[ 10 ]; $ for ( int i = 0 ; i <= 10 ; i++) { x[i] = i; No failure! Why? } }

  10. 7.10 Arrays and Bounds Check CS:APP 3.10.3 • Many functions, especially those related to strings, may not check the bounds of an array • User or other input may overflow a fixed size array – Suppose the user types or passes "Tommy" to greet() or func1() – Note: gets() receives input from ' stdin ' until the user enters ' \n ' and places the string in the given array (no bound checks!) void greet() { void func1(char *str) { char name[10]; char copy[10]; gets (name); strcpy (copy, str); ... ... } } 0 5 0x7fffffa80: 5 0 9 0x7fffffef0: str 'T' 'o''m''m''y' 00 'T' 'o''m''m''y' 00 ... name 5 0x7fffffef0: 0 9 "Tommy" = 54 6f 6d 6d 79 00 copy 'T' 'o''m''m''y' 00 ...

  11. 7.11 Arrays and Bounds Check • Many functions, especially those related to strings, may not check the bounds of an array • User or other input may overflow a fixed size array – Suppose the user types or passes "Tommy" to greet() or func1() – Now suppose the user types or passes "Bartholomew" void greet() { void func1(char *str) { char name[10]; char copy[10]; gets (name); strcpy (copy, str); ... ... } } 0 0x7fffffa80: 11 5 0 9 0x7fffffef0: 'B''a''r''t''h' 'o' ... 'e''w' 00 str 'B' 'a''r''t''h''o' ... 'e' 'w' 00 name 0x7fffffef0: 0 9 What are we overwriting? copy ...

  12. 7.12 Buffer Overflow • Now recall these local arrays are stored on the stack where the return address is also stored • gets() will copy as much as the user types (until they enter the '\n' = 0x0a), overwriting anything on the stack Memory / RAM void greet() { ... 0xfffffffc char name[12]; "Tommy" = 54 6f 6d 6d 79 00 gets(name); 0000 0000 printf("Hello %s\n", name); Return } Address 0004 a048 0x7ffff0f8 0000 0000 0x7ffff0f4 greet: 0000 0000 0x7ffff0f0 subq $24, %rsp 0x7ffff0ec 0000 0000 movq %rsp, %rdi Processor movl $0, %eax 0x7ffff0e8 0000 0000 call gets rip 0000 0000 0004 d8c4 0000 0079 0x7ffff0e4 movl $.LC0, %esi movl $1, %edi 6d6d 6f54 0x7ffff0e0 rsp 0000 0000 7fff f0e0 movl $0, %eax name call __printf_chk rdi 0000 0000 0000 0000 addq $24, %rsp 0x0 ret

  13. 7.13 Overwriting the Return Address • An intelligent user could carefully craft a "long" input array and overwrite the return address with a desired value • How could this be exploited? Memory / RAM void greet() { ... 0xfffffffc User string: char name[12]; 54 6f 6d 6d 79 1e ac 5f 47 80 81 gets(name); 62 37 48 31 92 54 93 61 72 39 72 Overwritten 4314 9268 printf("Hello %s\n", name); 41 20 e8 73 32 3c 68 92 14 43 Return } 3c32 73e8 0x7ffff0f8 Address 2041 7239 0x7ffff0f4 greet: 7261 9354 0x7ffff0f0 subq $24, %rsp 0000 0x7ffff0ec 9231 4837 movq %rsp, %rdi Processor movl $0, %eax 0x7ffff0e8 6281 8047 call gets rip 0000 0000 0004 d8c4 5fac 1e79 0x7ffff0e4 movl $.LC0, %esi movl $1, %edi 6d6d 6f54 0x7ffff0e0 rsp 0000 0000 7fff f0e0 movl $0, %eax name call __printf_chk rdi 0000 0000 0000 0000 addq $24, %rsp 0x0 ret

  14. 7.14 Executing Code CS:APP 3.10.4 • We could determine the desired machine code for some sequence we want to execute on the machine and enter that as our string • We can then craft a return address to go to the starting location of our code Memory / RAM void greet() { ... 0xfffffffc User string: char name[12]; 54 6f 6d 6d 79 1e ac 5f 47 80 81 gets(name); Overwritten 62 37 48 31 92 54 93 61 72 39 72 0000 0000 printf("Hello %s\n", name); Return 41 20 e8 f0 ff 7f 00 00 00 00 } 7fff f0e8 0x7ffff0f8 Address 2041 7239 0x7ffff0f4 greet: 7261 9354 0x7ffff0f0 subq $24, %rsp 0000 0x7ffff0ec 9231 4837 movq %rsp, %rdi Processor movl $0, %eax 0x7ffff0e8 6281 8047 call gets rip 0000 0000 0004 d8c4 5fac 1e79 0x7ffff0e4 movl $.LC0, %esi movl $1, %edi 6d6d 6f54 0x7ffff0e0 rsp 0000 0000 7fff f0e0 movl $0, %eax name call __printf_chk rdi 0000 0000 0000 0000 addq $24, %rsp 0x0 ret

  15. 7.15 Exploits • Common code that we try to inject on the stack would start a shell so that we can now type any other commands • We can enter specific binary codes when a program prompts for a Typing: "\x54\x6f\x5d..." allows you enter the hex string by entering it in hex representation as a string using the \x prefix

  16. 7.16 Methods of Prevention • Various methods have been devised to prevent or make it harder to exploit this code – Better libraries that do not allow an overrun strcpy (char* dest, char* src) strncpy(char* dest, char* src, size_t len ) – Add a stack protector (e.g., canary values) – Address space layout randomization (ASLR) techniques – Privilege/access control bits

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS356 Unit 11 Linking 11.2 In complex C projects... We would like to: Split source into

CS356 Unit 11 Linking 11.2 In complex C projects... We would like to: Split source into

11.1 CS356 Unit 11 Linking 11.2 In complex C projects... We would like to: Split source into multiple .h / .c Should .c include .h? Before or after system libraries? Compile these .h / .c units separately as .o files But only

1k views • 51 slides
CS356 Unit 4 Intro to x86 Instruction Set 4.2 Why Learn Assembly To understand something of

CS356 Unit 4 Intro to x86 Instruction Set 4.2 Why Learn Assembly To understand something of

4.1 CS356 Unit 4 Intro to x86 Instruction Set 4.2 Why Learn Assembly To understand something of the limitation of the HW we are running on Helpful to understand performance To utilize certain HW options that high-level languages

954 views • 81 slides
CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

4.1 CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations Understand performance Use HW options that high-level languages don't allow (e.g., operating systems, utilizing special HW features, etc.)

1.11k views • 94 slides
CS356 Unit 9 Virtual Memory &amp; Address Translation 9.2 Indirection Indirection means

CS356 Unit 9 Virtual Memory &amp; Address Translation 9.2 Indirection Indirection means

9.1 CS356 Unit 9 Virtual Memory &amp; Address Translation 9.2 Indirection Indirection means using one entity to refer to another Examples: A variable name vs. it's physical memory address Phone number vs. cell tower

844 views • 53 slides
CS356 Unit 15 Review 15.2 Final Jeopardy Binary Instruction Random Riddles Memory Processor

CS356 Unit 15 Review 15.2 Final Jeopardy Binary Instruction Random Riddles Memory Processor

15.1 CS356 Unit 15 Review 15.2 Final Jeopardy Binary Instruction Random Riddles Memory Processor Programming Brainteasers Inquiry Madness Predicaments Pickles 100 100 100 100 100 100 200 200 200 200 200 200 300 300 300

468 views • 36 slides
CS356 Unit 10 Memory Allocation &amp; Heap Management 10.2 BASIC OS CONCEPTS &amp; TERMINOLOGY

CS356 Unit 10 Memory Allocation &amp; Heap Management 10.2 BASIC OS CONCEPTS &amp; TERMINOLOGY

10.1 CS356 Unit 10 Memory Allocation &amp; Heap Management 10.2 BASIC OS CONCEPTS &amp; TERMINOLOGY 10.3 User vs. Kernel Mode Kernel mode is a special processor mode for executing trusted (OS) code Certain features/privileges (such

936 views • 38 slides
CS356 Unit 10 Memory Allocation &amp; Heap Management BASIC OS CONCEPTS &amp; TERMINOLOGY 10.3

CS356 Unit 10 Memory Allocation &amp; Heap Management BASIC OS CONCEPTS &amp; TERMINOLOGY 10.3

10.1 10.2 CS356 Unit 10 Memory Allocation &amp; Heap Management BASIC OS CONCEPTS &amp; TERMINOLOGY 10.3 10.4 User vs. Kernel Mode Processes Program/Process Kernel mode is a special mode of the processor for executing __________

147 views • 10 slides
Introduction to CS356 CS356 Object-Oriented Design and Programming http://cs356.yusun.io

Introduction to CS356 CS356 Object-Oriented Design and Programming http://cs356.yusun.io

Introduction to CS356 CS356 Object-Oriented Design and Programming http://cs356.yusun.io September 26, 2014 Yu Sun, Ph.D. http://yusun.io yusun@csupomona.edu About Myself PhD in Software Engineering Ph.D. Research in Software Engineering

588 views • 30 slides
CS356 Unit 12 Processor Hardware Organization Pipelining 12.2 From combinational to sequential

CS356 Unit 12 Processor Hardware Organization Pipelining 12.2 From combinational to sequential

12.1 CS356 Unit 12 Processor Hardware Organization Pipelining 12.2 From combinational to sequential logic BASIC HW 12.3 Logic Circuits Combinational Combinational Logic Logic Outputs Inputs Performs a specific function (Usually

709 views • 57 slides
CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches

CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches

5.1 CS356 Unit 5 x86 Control Flow 5.2 JUMP/BRANCHING OVERVIEW 5.3 Concept of Jumps/Branches Assembly is executed in sequential movq addq order by default ---- Jump instruction (aka &quot;branches&quot;) ---- ---- cause execution

649 views • 32 slides
Goals Understand the terms and ideas used in a modern, high-performance processor CS356 Unit

Goals Understand the terms and ideas used in a modern, high-performance processor CS356 Unit

12b.1 12b.2 Goals Understand the terms and ideas used in a modern, high-performance processor CS356 Unit 12b Various systems have different kinds of processors and you should understand the pros and cons of each kind of processor

588 views • 16 slides
SOLID: Principles of OOD CS356 Object-Oriented Design and Programming http://cs356.yusun.io

SOLID: Principles of OOD CS356 Object-Oriented Design and Programming http://cs356.yusun.io

SOLID: Principles of OOD CS356 Object-Oriented Design and Programming http://cs356.yusun.io October 17, 2014 Yu Sun, Ph.D. http://yusun.io yusun@csupomona.edu Part of the presentation comes from Martin, Robert Cecil. Agile software

805 views • 65 slides
CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

6.1 CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer) PC/IP is used to fetch an instruction PC/IP contains the address of the next instruction The value in the PC/IP is placed on the

1.5k views • 33 slides
CS356 Unit 12a Processor Hardware Organization BASIC HW Pipelining 12a.3 12a.4 Logic Circuits

CS356 Unit 12a Processor Hardware Organization BASIC HW Pipelining 12a.3 12a.4 Logic Circuits

12a.1 12a.2 CS356 Unit 12a Processor Hardware Organization BASIC HW Pipelining 12a.3 12a.4 Logic Circuits Combinational Logic Gates Combinational ________________ logic Main Idea: Circuits called &quot;gates&quot; perform Logic

465 views • 15 slides
CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (IP register)

CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (IP register)

6.1 CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (IP register) PC/IP is used to fetch an instruction PC/IP contains the address of the next instruction The value in the PC/IP is placed on the address

580 views • 34 slides
CS356 : Discussion #4 Assembly Instructions &amp; Debugging with GDB Last week: Operand Forms

CS356 : Discussion #4 Assembly Instructions &amp; Debugging with GDB Last week: Operand Forms

CS356 : Discussion #4 Assembly Instructions &amp; Debugging with GDB Last week: Operand Forms Different ways to specify source values and output location. Immediate: $ imm to use a constant input value, e.g., $0xFF . Register: % reg to use the

302 views • 29 slides
- ~ ~ ~ ~ ~ ~ ~ ~ ~ ~~~~~D - :Z C) bj =~~~~c = c:. ._ . . . S*+ 11111111XL 2z 896

- ~ ~ ~ ~ ~ ~ ~ ~ ~ ~~~~~D - :Z C) bj =~~~~c = c:. ._ . . . S*+ 11111111XL 2z 896

tz tz s z ?- oc z t~- - &quot;t C c( --Cl C] &quot;t c H~~~~~~~~~~ 0~~~~~~~~~~~~~ 02 X n 2C)1 ZcCC ~~~t H E .-~ = D (7 X t- 0 z~~~~000 z (r~~~~~ -~~~~~~~~~~~~~~~~~~~~~C Cl - t- oc o_ r-o c 0 &lt; &gt;XX Cl2 . -SrC

474 views • 6 slides
Neutron electric dipole moment from lattice QCD with the theta term Jian Liang1, Terrence

Neutron electric dipole moment from lattice QCD with the theta term Jian Liang1, Terrence

Neutron electric dipole moment from lattice QCD with the theta term Jian Liang1, Terrence Draper1, Keh-Fei Liu1 and Yi-Bo Yang2 1 Department of Physics and Astronomy, University of Kentucky 2 Michigan State University 04/27/2017 USQCD ALL-HANDS

398 views • 11 slides
Equilibrium and Balayage A mini-tutorial A. Martnez-Finkelshtein (U. Almera) Optimal

Equilibrium and Balayage A mini-tutorial A. Martnez-Finkelshtein (U. Almera) Optimal

Equilibrium and Balayage A mini-tutorial A. Martnez-Finkelshtein (U. Almera) Optimal point configurations and orthogonal polynomials CIEM Castro Urdiales April 19, 2017 Equilibrium and Balayage A mini-tutorial A.

553 views • 34 slides
Class 37: Charging and Discharging RL Circuits Course Evaluation: 1. Starts Wednesday, ends Dec 10

Class 37: Charging and Discharging RL Circuits Course Evaluation: 1. Starts Wednesday, ends Dec 10

Class 37: Charging and Discharging RL Circuits Course Evaluation: 1. Starts Wednesday, ends Dec 10 th . 2. Go to http://pa.as.uky.edu/ 3. Click at UNDERGRADUATES in the top menu and then choose the first item: Physics &amp; Astronomy Course

221 views • 10 slides
Barry R Weingast Barry R. Weingast Stanford University (with Margaret Levi Tania Melo Frances

Barry R Weingast Barry R. Weingast Stanford University (with Margaret Levi Tania Melo Frances

Barry R Weingast Barry R. Weingast Stanford University (with Margaret Levi Tania Melo Frances Zlotnick ) Treasury Seminar 21 April, 2015 p , 0 5 1 Open access to organizations. Necessary condition for both economic and political Necessary

344 views • 33 slides
Who we are Introduction to Statistical Machine Chris = PhD student at University of

Who we are Introduction to Statistical Machine Chris = PhD student at University of

Who we are Introduction to Statistical Machine Chris = PhD student at University of Translation Edinburgh, co-founder of Linear B Ltd, a startup company that builds SMT systems ESSLLI 2005 Philipp = Lecturer at U of Edinburgh,

381 views • 14 slides
Materials for GSA Outreach October 2019 GSP Topics &amp; Project Schedule GSP Topics GSP

Materials for GSA Outreach October 2019 GSP Topics &amp; Project Schedule GSP Topics GSP

Materials for GSA Outreach October 2019 GSP Topics &amp; Project Schedule GSP Topics GSP Finalization Elements 2 Announcements &amp; Reminders Changes to Regular Meeting Schedule: The October 9 meeting has been rescheduled to Thursday,

440 views • 17 slides
Int Inter erdep epend endenc ence b e between een Fi Fiscal cal an and d Mo Monetar

Int Inter erdep epend endenc ence b e between een Fi Fiscal cal an and d Mo Monetar

Int Inter erdep epend endenc ence b e between een Fi Fiscal cal an and d Mo Monetar ary Poli licy cy: th the case se for or Costa Costa Rica Valerie Lankester Catalina Sandoval CEMLA XXV Meeting of the Central Bank

491 views • 26 slides

More recommend