Part 2: Diablo Data Structures
|
|
- Arlene Jackson
- 5 years ago
- Views:
Transcription
1 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 1 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
2 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 2 Structures: Goal Easy to manipulate CFG SSA Reliable model control flow conservatively precise = not too conservative Retargetable abstract architecture specific details Extensible easy to augment basic data structures with extra data
3 Transition in small steps Input Structures Link Graph Coarse-grained graph,enables linking and unused section removal Direct Control Flow and Relocatable Address Graph Fine-grained graph, enables unreachable code and data removal Augmented Whole Program Control Flow Graph = DCFRAG + special edges Enables (flow)analysis of the program Interprocedural Control Flow Graph Makes analysis of the program more easy PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 3
4 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 4 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
5 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 5 Linker Structures: our input Most are simply an abstract representation of data used by a linker: archives (containers of relocatable objects) relocatable objects (container of sections) section (containers of data) Interesting structures for Diablo: relocs (relocation information) symbols
6 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 6 Relocatable objects Represent every entity that can need relocating have an address and a size can be used in symbols and relocs can be changed by relocs e.g. sections are relocatable objects
7 labeled address expression use the value of relocatable objects to calculate an address example: Symbols symbol offset_between_section_a_and_b_plus_10 code = R01 R00 A00 +$ section a offset in a section b offset in b 10 used during symbol resolution order > means it overwrites other symbols can create data (e.g. bss) PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 7
8 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 8 Relocations use the address of relocatable objects and symbols to compute an address put it in the desired encoding write it somewhere in a relocatable object checks if relocation was successful (no overflow)
9 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 9 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ COMPUTE ENCODE CHECK (not used)
10 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 10 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $
11 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 11 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $
12 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 12 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $
13 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 13 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $
14 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 14 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $
15 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 15 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ MARKERS
16 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ section a offset in a symbol 42 section c offset in c section b offset in b TO FROM PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 16
17 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1; v1 code = R00.text 0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 17 v2 code = R00.text 20 1
18 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1;.text code = R00.text 0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } PLDI 06 Tutorial - Binary Rewriting with Diablo - part
19 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1;.text code = R00.text 0x0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } RELOCATIONS & SYMBOLS SHOULD NOT BE RELAXED PLDI 06 Tutorial - Binary Rewriting with Diablo - part
20 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 20 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
21 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 21 Object file b Object files Code Symbol _start: Symbol a: order 0 to undefined to sym aptr S00\l*w\s000$ Symbol b: from data to sym a S00\l*w\s000$ Symbol aptr:
22 Graph representation Object file b to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Symbol b: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 22
23 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 23 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
24 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 24 Reading information Entry EXE MAP
25 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 25 Reading information Entry.text 0x x5e4d40 EXE.text 0x x24 /usr/lib/crt1.o 0x _start.text 0x x22 /usr/lib/crti.o *fill* 0x text 0x xc4 /usr/lib/crtbegint.o *fill* 0x text 0x x56f app_procs.o 0x app_run 0x80482a0 app_abort 0x80482e0 app_exit 0x app_libs_init *fill* 0x80487af.text 0x80487b0 0xf33 main.o 0x80487b0 main MAP
26 Reading information Entry Object file b to sym aptr S00\l*w\s000$ EXE Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Object file a Code to sym array S00\l*w\s000$ MAP Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 26
27 Reading information Entry Object file b to sym aptr S00\l*w\s000$ EXE Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Object file a Code to sym array S00\l*w\s000$ MAP Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 27
28 Reading information Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 28
29 Symbol Resolution Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 29
30 Symbol Resolution Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 30
31 Linkgraph Entry Symbol _start: Symbol aptr: from data Code Code Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 31
32 Linkgraph Entry Symbol _start: from data Code Code Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 32
33 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 33 Uses of the linkgraph Linking (placing sections, relocating) Apply linker optimizations (remove unused sections) fine-grained transformations Need for a more fine-grained graph: DCFRAG Direct Control Flow and Relocatable Addresses
34 Linkgraph Entry Symbol _start: from data Code Code Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 34
35 Disassembler Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 35
36 Disassembler Disassemble Instruction Architecture independent - instruction type (jump, cmp,...) - conditional? - register lists (used, defined) Architecture dependent - backend decides - opcode - regs Architecture independent analyses and optimizations work on architecture independent part or use callbacks PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 36
37 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 37 Detect basic blocks Disassemble Split sections into basic blocks Basic Block Linked list of instructions Type (for special block)
38 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 38
39 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 39
40 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 40
41 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 41
42 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 42
43 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 43
44 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 44 Add edges Disassemble Split sections into basic blocks Targets direct jumps + successors conditional jumps To's of relocs analyze switches (computed) to find switch targets Add direct control flow edges and switch edges Edge Connector for two basic blocks Type (jump, ft, call, return,...)
45 Add edges Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 45
46 Add edges: direct jumps Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 46
47 Add edges: fall-through paths Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 47
48 Add edges: system calls Entry Symbol _start: from data Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 48
49 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 49 Partition the code into functions Function - Name - list of basic blocks - register lists (used, defined,...)
50 Partition the code into functions Entry Symbol _start: from data Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 50
51 Partition the code into functions Function program_entry Entry Function _start Symbol _start: Function a from data Function b Return Return Function syscall hell Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 51
52 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 52 Function Calls Function caller Function callee Return Return
53 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 53 Interprocedural Goto's Function caller Function callee Return Return
54 DCFRAG Function program_entry Entry Function _start Symbol _start: Function a from data Function b Return Return Function syscall hell Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 54
55 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 55 DCFRAG Function program_entry Entry Function _start Function a from data Function b Return Return Function syscall hell Sys
56 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 56 Uses of the DCFRAG Fine grained removal of unused code and data flow We need a graph for data flow analyses (ICFG)
57 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 57 DCFRAG Function program_entry Entry Function _start Function a from data Function b Return Return Function syscall hell Sys
58 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 58 Augmented Whole-Program CFG Function program_entry Entry Function _start Function hell Hell Return Function a from data Function b Return Return Function syscall hell Sys
59 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 59 ICFG Function program_entry Entry Function _start Function hell Hell Return Function a Function b Return Return Function syscall hell Sys
60 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 60 Uses of the ICFG Good for analysis and transformations Bad for writing out the program Use the combined ICFG + DCFRAG = AWPCFG
61 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 61 AWPCFG Function program_entry Entry Function _start Function hell Hell Return Function a from data Function b Return Return Function syscall hell Sys
62 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 62 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
63 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 63 Concrete Structures t_reloc_table t_reloc t_reloc_ref t_i386_ins t_ppc_ins t_arm_ins t_relocatable t_object t_symbol_table t_symbol t_symbol_ref t_ins t_bbl t_function t_cfg_edge t_section t_cfg
64 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 64 Accessing fields With getters and setters t_bbl * head = CFG_EDGE_HEAD(cfg_edge) ARM_INS_SET_REGA(arm_ins, reg) Reason: Dynamic Members
65 Iterating the ICFG t_cfg * cfg; t_function * fun; t_bbl * bbl; t_ins * ins; t_cfg_edge * edge; CFG_FOREACH_FUNCTION(cfg, fun) FUNCTION_FOREACH_BBL(fun, bbl) CFG_FOREACH_BBL(cfg, bbl) BBL_FOREACH_INS(bbl, ins) BBL_FOREACH_SUCC_EDGE(bbl, edge) BBL_FOREACH_PRED_EDGE(bbl, edge) PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 65
66 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 66 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
67 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 67 Primitive Transformations Relocations Add: RelocTableAddRelocToRelocatable Remove: RelocTableRemoveReloc Modify: RelocSetFrom, RelocSetToRelocatable Sections Create: SectionCreateForObject Functions Create: FunctionMake Remove: FunctionKill
68 Primitive Transformations Basic blocks Create: New Remove: Kill Duplicate: Dup Split: SplitBlock ICFG edges Create: CfgEdgeCreate Remove: CfgEdgeKill Instructions Create: InsNewFor Remove: InsKill PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 68
69 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 69 On the DCFRAG SECTION_REFED_BY(sec) SECTION_REFERS_TO(sec) BBL_REFED_BY(bbl) BBL_REFED_BY_SYM(bbl) INS_REFERS_TO(ins)
70 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 70 Consistency of the AWPCFG Manipulate one view, what happens on other? Diablo tries to keep things consistent Kill reloc, and its ICFG-edge is also killed Kill ins, and to-relocs are also killed Remove a section, and all to-relocs are also killed Makes sure that you do the proper thing Try to kill an object with refers_to relocs, and it fatals
71 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 71 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members
72 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 72 Dynamic Members Diablo needs to be extensible Many analyses compute different kinds of information on very large data sets We cannot include all of them in the main libraries, or even store all information together Dynamic members augment basic data structures with members that can be allocated on the fly
73 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 73 Dynamic Members Example: member for reachability t_bool BBL_REACHABLE(t_bbl) BBL_SET_REACHABLE(t_bbl, t_bool) InitReachable(t_cfg *) Allocates space for this field and calls init callback for each bbl FiniReachable(t_cfg *) Calls fini callback and deallocates space
74 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 74 To instantiate the member: Dynamic Members DYNAMIC_MEMBER( bbl, /* data structure to extend */ t_cfg *, /* manager type */ bbl_reachable_array, /* array to hold members */ t_bool, /* the type of the member */ reachable, /* lowercase name */ REACHABLE, /* UPPERCASE name */ Reachable, /* CamelCase name*/ CFG_FOREACH_BBL, /* iterator */ ReachableInitCb, /* init callback*/ ReachableFiniCb, /* fini callback */ ReachableDupCb, /* dup callback */ );
DIABLO: a reliable, retargetable and extensible link-time rewriting framework
DIABLO: a reliable, retargetable and extensible link-time rewriting framework (Invited Paper) Ludo Van Put, Dominique Chanet, Bruno De Bus, Bjorn De Sutter and Koen De Bosschere Ghent University Sint-Pietersnieuwstraat
More informationSystems I. Machine-Level Programming V: Procedures
Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp
More informationStack Tutorial. Young W. Lim Sat. Young W. Lim Stack Tutorial Sat 1 / 15
Stack Tutorial Young W. Lim 2016-10-15 Sat Young W. Lim Stack Tutorial 2016-10-15 Sat 1 / 15 Outline 1 Introduction References Stack Background Transferring Control Young W. Lim Stack Tutorial 2016-10-15
More informationCSC258: Computer Organization. Functions and the Compiler Tool Chain
CSC258: Computer Organization Functions and the Compiler Tool Chain 1 A Note about This Week s Quiz There were very few exercises this week, except for writing substantial pieces of code. Instead, I provided
More informationMIPS Instruction Set Architecture (2)
MIPS Instruction Set Architecture (2) Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu EEE3050: Theory on Computer Architectures, Spring 2017, Jinkyu
More informationCSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization
Spring 2013 CSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization Kitty Reeves TWRF 8:00-8:55am 1 Compiler Drivers = GCC When you invoke GCC, it normally does preprocessing,
More informationCS 33. Linkers. CS33 Intro to Computer Systems XXV 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.
CS 33 Linkers CS33 Intro to Computer Systems XXV 1 Copyright 2017 Thomas W. Doeppner. All rights reserved. gcc Steps 1) Compile to start here, supply.c file to stop here: gcc -S (produces.s file) if not
More informationLink-Time Compaction and Optimization of ARM Executables
Link-Time Compaction and Optimization of ARM Executables BJORN DE SUTTER, LUDO VAN PUT, DOMINIQUE CHANET, BRUNO DE BUS, and KOEN DE BOSSCHERE Ghent University The overhead in terms of code size, power
More informationLink-Time Optimization of ARM Binaries
Link-Time Optimization of ARM Binaries Bruno De Bus bdebus@elis.ugent.be Bjorn De Sutter brdsutte@elis.ugent.be Ludo Van Put lvanput@elis.ugent.be Dominique Chanet dchanet@elis.ugent.be Koen De Bosschere
More informationunsigned char memory[] STACK ¼ 0x xC of address space globals function KERNEL code local variables
Graded assignment 0 will be handed out in section Assignment 1 Not that bad Check your work (run it through the compiler) Factorial Program Prints out ENTERING, LEAVING, and other pointers unsigned char
More informationLinking. Explain what ELF format is. Explain what an executable is and how it got that way. With huge thanks to Steve Chong for his notes from CS61.
Linking Topics How do you transform a collection of object files into an executable? How is an executable structured? Why is an executable structured as it is? Learning Objectives: Explain what ELF format
More informationprimitive arrays v. vectors (1)
Arrays 1 primitive arrays v. vectors (1) 2 int a[10]; allocate new, 10 elements vector v(10); // or: vector v; v.resize(10); primitive arrays v. vectors (1) 2 int a[10]; allocate new, 10 elements
More informationWhen you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to.
Refresher When you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to. i.e. char *ptr1 = malloc(1); ptr1 + 1; // adds 1 to pointer
More informationmalloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which
Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains
More informationStack overflow exploitation
Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationVirtual Machine Tutorial
Virtual Machine Tutorial CSA2201 Compiler Techniques Gordon Mangion Virtual Machine A software implementation of a computing environment in which an operating system or program can be installed and run.
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationAn Experience Like No Other. Stack Discipline Aug. 30, 2006
15-410 An Experience Like No Other Discipline Aug. 30, 2006 Bruce Maggs Dave Eckhardt Slides originally stolen from 15-213 15-410, F 06 Synchronization Registration If you're here but not registered, please
More informationCSE 351: The Hardware/Software Interface. Section 2 Integer representations, two s complement, and bitwise operators
CSE 351: The Hardware/Software Interface Section 2 Integer representations, two s complement, and bitwise operators Integer representations In addition to decimal notation, it s important to be able to
More informationLink 7. Static Linking
Link 7. Static Linking Young W. Lim 2018-12-21 Fri Young W. Lim Link 7. Static Linking 2018-12-21 Fri 1 / 41 Outline 1 Linking - 7. Static Linking Based on Static Library Examples Linking with Static Libraries
More informationSeparate compilation. Topic 6: Runtime Environments p.1/21. CS 526 Topic 6: Runtime Environments The linkage convention
Runtime Environment The Procedure Abstraction and Separate Compilation Topics we will cover The procedure abstraction and linkage conventions Runtime storage convention Non-local data access (brief) These
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationMachine Language Instructions Introduction. Instructions Words of a language understood by machine. Instruction set Vocabulary of the machine
Machine Language Instructions Introduction Instructions Words of a language understood by machine Instruction set Vocabulary of the machine Current goal: to relate a high level language to instruction
More informationDepartment of Computer Science and Engineering Yonghong Yan
Appendix A and Chapter 2.12: Compiler, Assembler, Linker and Program Execution CSCE 212 Introduction to Computer Architecture, Spring 2019 https://passlab.github.io/csce212/ Department of Computer Science
More informationCS 241 Data Organization Binary
CS 241 Data Organization Binary Brooke Chenoweth University of New Mexico Fall 2017 Combinations and Permutations In English we use the word combination loosely, without thinking if the order of things
More informationCMPS 105 Systems Programming. Prof. Darrell Long E2.371
+ CMPS 105 Systems Programming Prof. Darrell Long E2.371 darrell@ucsc.edu + Chapter 7: The Environment of a UNIX process + Introduction + The main() fuction n int main(int argc, char* argv[]); n argc =
More informationEN164: Design of Computing Systems Lecture 11: Processor / ISA 4
EN164: Design of Computing Systems Lecture 11: Processor / ISA 4 Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering Brown University
More informationA Bad Name. CS 2210: Optimization. Register Allocation. Optimization. Reaching Definitions. Dataflow Analyses 4/10/2013
A Bad Name Optimization is the process by which we turn a program into a better one, for some definition of better. CS 2210: Optimization This is impossible in the general case. For instance, a fully optimizing
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationMachine-level Programming (3)
Machine-level Programming (3) Procedures A: call A call A return Two issues How to return to the correct position? How to pass arguments and return values between callee to caller? 2 Procedure Control
More informationPROGRAMMAZIONE I A.A. 2017/2018
PROGRAMMAZIONE I A.A. 2017/2018 FUNCTIONS INTRODUCTION AND MAIN All the instructions of a C program are contained in functions. üc is a procedural language üeach function performs a certain task A special
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationReview of Activation Frames. FP of caller Y X Return value A B C
Review of Activation Frames In general, activation frames are organized like this: HI LO Bookkeeping/preserved registers I/O parameters Locals and temps RA of caller FP of caller Y X Return value A B C
More informationOverview (1A) Young Won Lim 9/14/17
Overview (1A) Copyright (c) 2009-2017 Young W. Lim. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later
More informationStack Discipline Jan. 19, 2018
15-410 An Experience Like No Other Discipline Jan. 19, 2018 Dave Eckhardt Brian Railing Slides originally stolen from 15-213 1 15-410, S 18 Synchronization Registration The wait list will probably be done
More informationProcedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29
Procedure Calls Young W. Lim 2017-08-21 Mon Young W. Lim Procedure Calls 2017-08-21 Mon 1 / 29 Outline 1 Introduction Based on Stack Background Transferring Control Register Usage Conventions Procedure
More informationCompiling Techniques
Lecture 10: Introduction to 10 November 2015 Coursework: Block and Procedure Table of contents Introduction 1 Introduction Overview Java Virtual Machine Frames and Function Call 2 JVM Types and Mnemonics
More informationOverview (1A) Young Won Lim 9/9/17
Overview (1A) Copyright (c) 2009-2017 Young W. Lim. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later
More informationDo You Trust a Mutated Binary? Drew Bernat Correct Relocation
Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat bernat@cs.wisc.edu April 30, 2007 Correct Relocation Binary Manipulation We want to: Insert new code Modify or delete code These operations
More informationFinal Exam. 12 December 2018, 120 minutes, 26 questions, 100 points
Name: CS520 Final Exam 12 December 2018, 120 minutes, 26 questions, 100 points The exam is closed book and notes. Please keep all electronic devices turned off and out of reach. Note that a question may
More informationThe Software Stack: From Assembly Language to Machine Code
COMP 506 Rice University Spring 2018 The Software Stack: From Assembly Language to Machine Code source code IR Front End Optimizer Back End IR target code Somewhere Out Here Copyright 2018, Keith D. Cooper
More information11/10/2016. Review the Problem to Be Solved. ECE 120: Introduction to Computing. What Shall We Keep in the Registers? Where Are the Pieces in Memory?
University of Illinois at Urbana-Champaign Dept. of Electrical and Computer Engineering ECE 120: Introduction to Computing Letter Frequency Coding Review the Problem to Be Solved The task: given an ASCII
More informationQ1: /20 Q2: /30 Q3: /24 Q4: /26. Total: /100
ECE 2035(B) Programming for Hardware/Software Systems Fall 2013 Exam Two October 22 nd 2013 Name: Q1: /20 Q2: /30 Q3: /24 Q4: /26 Total: /100 1/6 For functional call related questions, let s assume the
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationCSCI565 Compiler Design
CSCI565 Compiler Design Spring 2011 Homework 4 Solution Due Date: April 6, 2011 in class Problem 1: Activation Records and Stack Layout [50 points] Consider the following C source program shown below.
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationOverview (1A) Young Won Lim 9/25/17
Overview (1A) Copyright (c) 2009-2017 Young W. Lim. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later
More informationTHEORY OF COMPILATION
Lecture 10 Activation Records THEORY OF COMPILATION EranYahav www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec10.pptx Reference: Dragon 7.1,7.2. MCD 6.3,6.4.2 1 You are here Compiler txt Source Lexical
More informationWin API hooking by using DBI: log me, baby!
2009 ZARAGOZA Win API hooking by using DBI: log me, baby! Ricardo J. Rodríguez rjrodriguez@unizar.es All wrongs reversed CENTRO UNIVERSITARIO DE LA DEFENSA DOCENDI DISCENDI ANIMVS NOSVNIT NcN 2017 NoConName
More informationArchitecture II. Computer Systems Laboratory Sungkyunkwan University
MIPS Instruction ti Set Architecture II Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Making Decisions (1) Conditional operations Branch to a
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Professors Weatherspoon, Bala, Bracy, McKee, and Sirer. See P&H 2.8 and 2.12, and
More informationCS C Primer. Tyler Szepesi. January 16, 2013
January 16, 2013 Topics 1 Why C? 2 Data Types 3 Memory 4 Files 5 Endianness 6 Resources Why C? C is exteremely flexible and gives control to the programmer Allows users to break rigid rules, which are
More informationThe Beast We Call A3. CS 161: Lecture 10 3/7/17
The Beast We Call A3 CS 161: Lecture 10 3/7/17 But first... Unconfusing Three Confusions Where does the kernel live? Does every kind of processor use a twolevel page table? Does everything have an address?
More informationTDDB68 Concurrent Programming and Operating Systems. Lecture 2: Introduction to C programming
TDDB68 Concurrent Programming and Operating Systems Lecture 2: Introduction to C programming Mikael Asplund, Senior Lecturer Real-time Systems Laboratory Department of Computer and Information Science
More informationAbstract Data Types. Lecture 05 Summary. Abstract Data Types Structures in C 1/26/2009. Slides by Mark Hancock (adapted from notes by Craig Schock)
Abstract Data Types 1 Lecture 05 Summary Abstract Data Types Structures in C 2 1 By the end of this lecture, you will be able to describe the main components of an abstract data type. You will also be
More informationComputer Architecture and System Software Lecture 06: Assembly Language Programming
Computer Architecture and System Software Lecture 06: Assembly Language Programming Instructor: Rob Bergen Applied Computer Science University of Winnipeg Announcements Assignment 3 due thursday Midterm
More informationComputer Architecture I: Outline and Instruction Set Architecture. CENG331 - Computer Organization. Murat Manguoglu
Computer Architecture I: Outline and Instruction Set Architecture CENG331 - Computer Organization Murat Manguoglu Adapted from slides of the textbook: http://csapp.cs.cmu.edu/ Outline Background Instruction
More informationCommon Misunderstandings from Exam 1 Material
Common Misunderstandings from Exam 1 Material Kyle Dewey Stack and Heap Allocation with Pointers char c = c ; char* p1 = malloc(sizeof(char)); char** p2 = &p1; Where is c allocated? Where is p1 itself
More informationC programming for beginners
C programming for beginners Lesson 2 December 10, 2008 (Medical Physics Group, UNED) C basics Lesson 2 1 / 11 Main task What are the values of c that hold bounded? x n+1 = x n2 + c (x ; c C) (Medical Physics
More informationCS213. Machine-Level Programming III: Procedures
CS213 Machine-Level Programming III: Procedures Topics IA32 stack discipline Register saving conventions Creating pointers to local variables IA32 Region of memory managed with stack discipline Grows toward
More informationCMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
More informationENGN1640: Design of Computing Systems Topic 03: Instruction Set Architecture Design
ENGN1640: Design of Computing Systems Topic 03: Instruction Set Architecture Design Professor Sherief Reda http://scale.engin.brown.edu School of Engineering Brown University Spring 2014 Sources: Computer
More information[07] SEGMENTATION 1. 1
[07] SEGMENTATION 1. 1 OUTLINE Segmentation An Alternative to Paging Implementing Segments Segment Table Lookup Algorithm Protection and Sharing Sharing Subtleties External Fragmentation Segmentation vs
More informationECE 473 Computer Architecture and Organization Lab 4: MIPS Assembly Programming Due: Wednesday, Oct. 19, 2011 (30 points)
ECE 473 Computer Architecture and Organization Lab 4: MIPS Assembly Programming Due: Wednesday, Oct. 19, 2011 (30 points) Objectives: Get familiar with MIPS instructions Assemble, execute and debug MIPS
More informationCS 223: Data Structures and Programming Techniques. Exam 2
CS 223: Data Structures and Programming Techniques. Exam 2 Instructor: Jim Aspnes Work alone. Do not use any notes or books. You have approximately 75 minutes to complete this exam. Please write your answers
More informationLink 3. Symbols. Young W. Lim Mon. Young W. Lim Link 3. Symbols Mon 1 / 42
Link 3. Symbols Young W. Lim 2017-09-11 Mon Young W. Lim Link 3. Symbols 2017-09-11 Mon 1 / 42 Outline 1 Linking - 3. Symbols Based on Symbols Symbol Tables Symbol Table Examples main.o s symbol table
More informationSystems Programming and Computer Architecture ( )
Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 1 4: Pointers Computer Architecture and Systems Programming
More informationLink Edits and Relocatable Code
Link Edits and Relocatable Code Computer Systems Chapter 7.4-7.7 gcc g o ttt ttt.c ttt.c gcc ttt Pre-Processor Linker Compiler Assembler ttt.s ttt.o gcc g o ttt ttt.c main.c gcc cmd util.c Pre-Processor
More informationMIPS Functions and Instruction Formats
MIPS Functions and Instruction Formats 1 The Contract: The MIPS Calling Convention You write functions, your compiler writes functions, other compilers write functions And all your functions call other
More informationMidterm Exam Review Slides
Midterm Exam Review Slides Original slides from Gregory Byrd, North Carolina State University Modified slides by Chris Wilcox, Colorado State University Review Topics Number Representation Base Conversion
More informationBranch Addressing. Jump Addressing. Target Addressing Example. The University of Adelaide, School of Computer Science 28 September 2015
Branch Addressing Branch instructions specify Opcode, two registers, target address Most branch targets are near branch Forward or backward op rs rt constant or address 6 bits 5 bits 5 bits 16 bits PC-relative
More informationResearch opportuni/es with me
Research opportuni/es with me Independent study for credit - Build PL tools (parsers, editors) e.g., JDial - Build educa/on tools (e.g., Automata Tutor) - Automata theory problems e.g., AutomatArk - Research
More informationGDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32
GDB Tutorial Young W. Lim 2017-02-14 Tue Young W. Lim GDB Tutorial 2017-02-14 Tue 1 / 32 Outline 1 Introduction Young W. Lim GDB Tutorial 2017-02-14 Tue 2 / 32 Based on "Self-service Linux: Mastering the
More informationWawrzynek & Weaver CS 61C. Sp 2018 Great Ideas in Computer Architecture MT 1. Print your name:,
Wawrzynek & Weaver CS 61C Sp 2018 Great Ideas in Computer Architecture MT 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic
More informationsecubt Hacking the Hackers with User Space Virtualization
secubt Hacking the Hackers with User Space Virtualization Mathias Payer Mathias Payer: secubt User Space Virtualization 1 Motivation Virtualizing and encapsulating running programs
More informationSoftware Protection: How to Crack Programs, and Defend Against Cracking Lecture 3: Program Analysis Moscow State University, Spring 2014
Software Protection: How to Crack Programs, and Defend Against Cracking Lecture 3: Program Analysis Moscow State University, Spring 2014 Christian Collberg University of Arizona www.cs.arizona.edu/ collberg
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationCS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G
CS 33: Week 3 Discussion x86 Assembly (v1.0) Section 1G Announcements - HW2 due Sunday - MT1 this Thursday! - Lab2 out Info Name: Eric Kim (Section 1G, 2-4 PM, BH 5419) Office Hours (Boelter 2432) - Wed
More informationECE264 Fall 2013 Exam 1, September 24, 2013
ECE264 Fall 2013 Exam 1, September 24, 2013 In signing this statement, I hereby certify that the work on this exam is my own and that I have not copied the work of any other student while completing it.
More informationSystem calls and assembler
System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's
More informationWawrzynek & Weaver CS 61C. Sp 2018 Great Ideas in Computer Architecture MT 1. Print your name:,
Wawrzynek & Weaver CS 61C Sp 2018 Great Ideas in Computer Architecture MT 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationECE260: Fundamentals of Computer Engineering
Accessing and Addressing Memory James Moscola Dept. of Engineering & Computer Science York College of Pennsylvania Based on Computer Organization and Design, 5th Edition by Patterson & Hennessy American
More informationComputer System Architecture Midterm Examination Spring 2002
Computer System Architecture 6.823 Midterm Examination Spring 2002 Name: This is an open book, open notes exam. 110 Minutes 1 Pages Notes: Not all questions are of equal difficulty, so look over the entire
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationASSEMBLY III: PROCEDURES. Jo, Heeseung
ASSEMBLY III: PROCEDURES Jo, Heeseung IA-32 STACK (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationCS61, Fall 2012 Section 2 Notes
CS61, Fall 2012 Section 2 Notes (Week of 9/24-9/28) 0. Get source code for section [optional] 1: Variable Duration 2: Memory Errors Common Errors with memory and pointers Valgrind + GDB Common Memory Errors
More informationAssembly III: Procedures. Jo, Heeseung
Assembly III: Procedures Jo, Heeseung IA-32 Stack (1) Characteristics Region of memory managed with stack discipline Grows toward lower addresses Register indicates lowest stack address - address of top
More informationSample slides and handout
www.securecodingacademy.com Join the Secure Coding Academy group on LinkedIn and stay informed about our courses! [FOOTER] Sample slides and handout 2016 SCADEMY Secure Coding Academy Confidential. These
More informationLecture V Toy Hardware and Operating System
2. THE Machine Lecture V Page 1 Lecture V Toy Hardware and Operating System 1. Introduction For use in our OS projects, we introduce THE Machine where THE is an acronym 1 for Toy HardwarE. We also introduce
More informationLowering and Backend in libfirm
1 Lowering and Backend in libfirm Saarland University 20. Januar 2012 2 Necessary Preparations for the Backend No unreachable code No Bad nodes Create vtables Lower Sels to address calculations/vtable
More informationTI2725-C, C programming lab, course
Valgrind tutorial Valgrind is a tool which can find memory leaks in your programs, such as buffer overflows and bad memory management. This document will show per example how Valgrind responds to buggy
More informationWe can express this in dataflow equations using gen and kill sets, where the sets are now sets of expressions.
Available expressions Suppose we want to do common-subexpression elimination; that is, given a program that computes x y more than once, can we eliminate one of the duplicate computations? To find places
More informationGenerating Programs and Linking. Professor Rick Han Department of Computer Science University of Colorado at Boulder
Generating Programs and Linking Professor Rick Han Department of Computer Science University of Colorado at Boulder CSCI 3753 Announcements Moodle - posted last Thursday s lecture Programming shell assignment
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationCOMPSCI 313 S Computer Organization. 7 MIPS Instruction Set
COMPSCI 313 S2 2018 Computer Organization 7 MIPS Instruction Set Agenda & Reading MIPS instruction set MIPS I-format instructions MIPS R-format instructions 2 7.1 MIPS Instruction Set MIPS Instruction
More information