machine level programming v advanced topics
play

Machine-Level Programming V: Advanced Topics CS140 - Assembly - PowerPoint PPT Presentation

Nov 10, 2023 •452 likes •930 views

Carnegie Mellon Machine-Level Programming V: Advanced Topics CS140 - Assembly Language and Computer Organization March 29, 2016 Slides courtesy of: Randal E. Bryant and David R. OHallaron 1 Bryant and OHallaron, Computer Systems: A

  1. Carnegie Mellon Machine-Level Programming V: Advanced Topics CS140 - Assembly Language and Computer Organization March 29, 2016 Slides courtesy of: Randal E. Bryant and David R. O’Hallaron 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  2. Carnegie Mellon Today  Memory Layout  Buffer Overflow  Vulnerability  Protection  Unions 2 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  3. Carnegie Mellon not drawn to scale x86-64 Linux Memory Layout 00007FFFFFFFFFFF Stack  Stack 8MB  Runtime stack (8MB limit)  E. g., local variables  Heap  Dynamically allocated as needed  When call malloc(), calloc(), new()  Data Shared Libraries  Statically allocated data  E.g., global vars, static vars, string constants  Text / Shared Libraries Heap  Executable machine instructions  Read-only Data Text Hex Address 400000 000000 3 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  4. Carnegie Mellon not drawn to scale Memory Allocation Example Stack char big_array[1L<<24]; /* 16 MB */ char huge_array[1L<<31]; /* 2 GB */ int global = 0; int useless() { return 0; } int main () { Shared void *p1, *p2, *p3, *p4; Libraries int local = 0; p1 = malloc(1L << 28); /* 256 MB */ p2 = malloc(1L << 8); /* 256 B */ p3 = malloc(1L << 32); /* 4 GB */ Heap p4 = malloc(1L << 8); /* 256 B */ /* Some print statements ... */ Data } Text Where does everything go? 4 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  5. Carnegie Mellon not drawn to scale x86-64 Example Addresses 00007F Stack address range ~2 47 Heap local 0x00007ffe4d3be87c p1 0x00007f7262a1e010 p3 0x00007f7162a1d010 p4 0x000000008359d120 p2 0x000000008359d010 big_array 0x0000000080601060 huge_array 0x0000000000601060 main() 0x000000000040060c useless() 0x0000000000400590 Heap Data Text 000000 5 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  6. Carnegie Mellon Today  Memory Layout  Buffer Overflow  Vulnerability  Protection  Unions 6 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  7. Carnegie Mellon Recall: Memory Referencing Bug Example typedef struct { int a[2]; double d; } struct_t; double fun(int i) { volatile struct_t s; s.d = 3.14; s.a[i] = 1073741824; /* Possibly out of bounds */ return s.d; } fun(0)  3.14 fun(1)  3.14 fun(2)  3.1399998664856 fun(3)  2.00000061035156 fun(4)  3.14 fun(6)  Segmentation fault  Result is system specific 7 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  8. Carnegie Mellon Memory Referencing Bug Example fun(0)  typedef struct { 3.14 fun(1)  int a[2]; 3.14 double d; fun(2)  3.1399998664856 } struct_t; fun(3)  2.00000061035156 fun(4)  3.14  Segmentation fault fun(6) Explanation: Critical State 6 ? 5 ? 4 Location accessed by 3 d7 ... d4 fun(i) 2 d3 ... d0 struct_t 1 a[1] 0 a[0] 8 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  9. Carnegie Mellon Such problems are a BIG deal  Generally called a “buffer overflow”  when exceeding the memory size allocated for an array  Why a big deal?  It’s the #1 technical cause of security vulnerabilities  #1 overall cause is social engineering / user ignorance  Most common form  Unchecked lengths on string inputs  Particularly for bounded character arrays on the stack  sometimes referred to as stack smashing 9 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  10. Carnegie Mellon String Library Code  Implementation of Unix function gets() /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; }  No way to specify limit on number of characters to read  Similar problems with other library functions  strcpy , strcat : Copy strings of arbitrary length  scanf , fscanf , sscanf , when given %s conversion specification 10 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  11. Carnegie Mellon Vulnerable Buffer Code /* Echo Line */ void echo() {  btw, how big char buf[4]; /* Way too small! */ gets(buf); is big enough? puts(buf); } void call_echo() { echo(); } unix> ./bufdemo-nsp Type a string: 012345678901234567890123 012345678901234567890123 unix>./bufdemo-nsp Type a string: 0123456789012345678901234 Segmentation Fault 11 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  12. Carnegie Mellon Buffer Overflow Disassembly echo: 00000000004006cf <echo>: 4006cf: 48 83 ec 18 sub $0x18,%rsp 4006d3: 48 89 e7 mov %rsp,%rdi 4006d6: e8 a5 ff ff ff callq 400680 <gets> 4006db: 48 89 e7 mov %rsp,%rdi 4006de: e8 3d fe ff ff callq 400520 <puts@plt> 4006e3: 48 83 c4 18 add $0x18,%rsp 4006e7: c3 retq call_echo: 4006e8: 48 83 ec 08 sub $0x8,%rsp 4006ec: b8 00 00 00 00 mov $0x0,%eax 4006f1: e8 d9 ff ff ff callq 4006cf <echo> 4006f6: 48 83 c4 08 add $0x8,%rsp 4006fa: c3 retq 12 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  13. Carnegie Mellon Buffer Overflow Stack Before call to gets Stack Frame for call_echo /* Echo Line */ Return Address void echo() (8 bytes) { char buf[4]; /* Way too small! */ gets(buf); puts(buf); 20 bytes unused } [3] [2] [1] [0] buf %rsp echo: subq $24, %rsp movq %rsp, %rdi call gets . . . 13 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  14. Carnegie Mellon Buffer Overflow Stack Example Before call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 f6 call_echo: . . . 20 bytes unused 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp . . . [3] [2] [1] [0] buf %rsp 14 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  15. Carnegie Mellon Buffer Overflow Stack Example #1 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 f6 call_echo: 00 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 01234567890123456789012 01234567890123456789012 Overflowed buffer, but did not corrupt state 15 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  16. Carnegie Mellon Buffer Overflow Stack Example #2 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address 00 40 00 34 (8 bytes) call_echo: 33 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 0123456789012345678901234 Segmentation Fault Overflowed buffer and corrupted return pointer 16 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  17. Carnegie Mellon Buffer Overflow Stack Example #3 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 00 call_echo: 33 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 012345678901234567890123 012345678901234567890123 Overflowed buffer, corrupted return pointer, but program seems to work! 17 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  18. Carnegie Mellon Buffer Overflow Stack Example #3 Explained After call to gets Stack Frame register_tm_clones: for call_echo . . . 400600: mov %rsp,%rbp 400603: mov %rax,%rdx 00 00 00 00 Return Address 400606: shr $0x3f,%rdx (8 bytes) 00 40 06 00 40060a: add %rdx,%rax 33 32 31 30 40060d: sar %rax 39 38 37 36 400610: jne 400614 35 34 33 32 20 bytes unused 400612: pop %rbp 31 30 39 38 400613: retq 37 36 35 34 33 32 31 30 buf %rsp “Returns” to unrelated code Lots of things happen, without modifying critical state Eventually executes retq back to main 18 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &amp;

738 views • 53 slides
1 Union Allocation Using Union to Access Bit Patterns Allocate according to largest element

1 Union Allocation Using Union to Access Bit Patterns Allocate according to largest element

Today Memory Layout Machine-Level Programming V: Unions Buffer Overflow Advanced Topics Vulnerability Protection CSci 2021: Machine Architecture and Organization March 6th, 2020 Your instructor: Stephen McCamant Based on

754 views • 8 slides
1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Machine-Level Programming I: Basics Assembly Basics: Registers, operands, move Arithmetic &amp; logical operations CSci

320 views • 8 slides
Machine-Level Programming I: Basics 15-213/18-213:

Machine-Level Programming I: Basics 15-213/18-213:

Carnegie Mellon Machine-Level Programming I: Basics 15-213/18-213: Introducon to Computer Systems 5 th Lecture, Sep. 15, 2015 Instructors: Randal

721 views • 44 slides
CSSE132 Introduc0on to Computer Systems 13 : Machine level

CSSE132 Introduc0on to Computer Systems 13 : Machine level

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 13 : Machine level programming March 25, 2013 1 Today: Machine Level Programming Review

449 views • 41 slides
Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides adapted from Bryant &amp; OHallarons slides 1 Today: Machine Programming I: Basics History of Intel processors and

606 views • 45 slides
Machine-Level Programming IV: Data 15-213: Introduc;on to

Machine-Level Programming IV: Data 15-213: Introduc;on to

Carnegie Mellon Machine-Level Programming IV: Data 15-213: Introduc;on to Computer Systems 8 th Lecture, Sep. 24, 2015 Instructors: Randal E. Bryant and

607 views • 46 slides
Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional

Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional

Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional (nested) Multi-level Structures CSci 2021: Machine Architecture and Organization Allocation March 2nd-4th, 2020 Access Your instructor:

224 views • 6 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks ACE Programming Model and SDK 11/13/03 Tilman Wolf 1 Overview Overview Programming Model Active Computing Element (ACE)

558 views • 32 slides
COMP 204: Python programming for life sciences Introduction to machine learning Mathieu

COMP 204: Python programming for life sciences Introduction to machine learning Mathieu

COMP 204: Python programming for life sciences Introduction to machine learning Mathieu Blanchette, based on material from Yue Li, Christopher Cameron, and Carlos Gonzales 1 / 22 Remaining of this course: Advanced topics The rest of the

741 views • 22 slides
Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides adapted from Bryant &amp; OHallarons slides 1 Today Control: Condition codes Conditional branches Loops

1.01k views • 49 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics Bayes Nets: Inference Marginals, MPE, MAP Variable Elimination Readings: KF 9.1,9.2; Barber 5.1 Dhruv Batra Virginia Tech

667 views • 22 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks Microengine Programming I 11/18/03 Tilman Wolf 1 Overview Overview Lab 2: IP forwarding on IXP1200 Any problems with Part I?

791 views • 24 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics Bayes Nets (Finish) Structure Learning Readings: KF 18.4; Barber 9.5, 10.4 Dhruv Batra Virginia Tech Administrativia HW1

596 views • 30 slides
CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming language Awk uses syntax based on grep and sed for handling numbers and text awk provides field level addressability. And within a field (word)

662 views • 40 slides
Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C

Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C

Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C code maps to machine instructions very efficientlyits What is C? lightweight and has wide applications Originally developed in 10973 at

772 views • 20 slides
Su ffi x trees Ben Langmead You are free to use these slides. If you do, please sign the

Su ffi x trees Ben Langmead You are free to use these slides. If you do, please sign the

Su ffi x trees Ben Langmead You are free to use these slides. If you do, please sign the guestbook (www.langmead-lab.org/teaching-materials), or email me (ben.langmead@gmail.com) and tell me brie fl y how youre using them. For original

545 views • 26 slides
Network Application Performance Carey Williamson Department of Computer Science University of

Network Application Performance Carey Williamson Department of Computer Science University of

Things That Go Bump in the Net: The Many Challenges of Debugging Network Application Performance Carey Williamson Department of Computer Science University of Calgary Introduction Network traffic measurement requires hardware or software

886 views • 73 slides
Page 1 Example: Branch Stall Impact Example: Calculating CPI bottom up Run benchmark and collect

Page 1 Example: Branch Stall Impact Example: Calculating CPI bottom up Run benchmark and collect

Review, #1 CS252 Technology is changing rapidly: Graduate Computer Architecture Capacity Speed Lecture 2 Logic 2x in 3 years 2x in 3 years DRAM 4x in 3 years 2x in 10 years Review of Instruction Sets, Pipelines, and Disk 4x

496 views • 13 slides
How to Write a 6.033 Design Report Mya Poe 1 and Keith Winstein 2 1 MIT Program in Writing and

How to Write a 6.033 Design Report Mya Poe 1 and Keith Winstein 2 1 MIT Program in Writing and

How to Write a 6.033 Design Report Mya Poe 1 and Keith Winstein 2 1 MIT Program in Writing and Humanistic Studies 2 CSAIL March 2006 Why are you here today? Proposal report 1. Show you how a computer designer thinks 2. through a

464 views • 31 slides
and Observational Science The Convergence of Data-Intensive and Compute-Intensive Infrastructure

and Observational Science The Convergence of Data-Intensive and Compute-Intensive Infrastructure

The Revolution in Experimental and Observational Science The Convergence of Data-Intensive and Compute-Intensive Infrastructure Professor Tony Hey Chief Data Scientist STFC tony.hey@stfc.ac.uk The Background X-Info The evolution of

826 views • 60 slides
Gr obner Bases a short introduction Elena Dimitrova AIMS, 2019 Elena Dimitrova Gr

Gr obner Bases a short introduction Elena Dimitrova AIMS, 2019 Elena Dimitrova Gr

Gr obner Bases a short introduction Elena Dimitrova AIMS, 2019 Elena Dimitrova Gr obner Bases a short introduction AIMS, 2019 1 / 11 Polynomial rings Let k be a field. Let R be the set of all polynomials in variables x 1 , . . .

355 views • 11 slides
Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the

Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the

F ORMALIZING G ROUP B LIND S IGNATURES AND P RACTICAL C ONSTRUCTIONS WITHOUT R ANDOM O RACLES Essam Ghadafi ghadafi@cs.bris.ac.uk University of Bristol ACISP 2013 F ORMALIZING G ROUP B LIND S IGNATURES . . . O UTLINE B ACKGROUND 1 S ECURITY M

566 views • 42 slides
Using R for time series analysis and spatial-temporal distribution of global burnt surface

Using R for time series analysis and spatial-temporal distribution of global burnt surface

Outline Problem R vs GIS Methods Further works Using R for time series analysis and spatial-temporal distribution of global burnt surface multi-year product Jedrzej Bojanowski* C esar Carmona-Moreno European Commission - Joint Research

682 views • 29 slides

More recommend