Wednesday, March 12, 2014

Transcription

1 Wednesday, March 12, 2014 Topics for today Solutions to HW #3 Arrays and Indexed Addressing Global arrays Local arrays Buffer exploit attacks Solutions to Homework #3 1. deci N,d < (a) N not defined lda N,d < (a) N not defined top: breq stop deci number,d ldx number,d anda 1,d < (b) andx 1,i brne skip < (b) breq ldx number,d addx total,d storx total < (a) storx invalid no mode br top < (b) delete this skip: suba 1,i brlt top < (b) should be brgt stop: deci total < (a) no mode (b) deco stop total:.word 0 number:.block 2.end ?? ?? Comp 162 Notes Page 1 of 11 March 12, 2014

2 3. deci base,d lda base,d anda 1,i breq stop exit if base is even lda base,d adda 1,i asra sta Height,d Height = (Base + 1) /2 suba 1,i sta Space,d Space = Height -1 lda 1,i sta Star,d Star = 1 while: lda Space,d brlt endwhile while ( Space >=0) ldx Space,d output Space spaces breq loop2 loop1: charo ' ',i subx 1,i brgt loop1 loop2: ldx Star,d output Star stars breq newline loop3: charo '*',i subx 1,i brgt loop3 newline: charo '\n',i lda Star,d adda 2,i sta Star,d Star +=2 lda Space,d suba 1,i sta Space,d Space -- br while endwhile: nop0 stop: stop base:.block 2 Height:.block 2 Space:.block 2 Star:.block 2.end Comp 162 Notes Page 2 of 11 March 12, 2014

3 4. #include <stdio.h> int main { int N, A=0, B=0, C=0 scanf( %d,&n) while (N>=0) { if (N%4==1) A++ if (N%4==2) B++ if (N%4==3) C++ } scanf( %d,&n) } printf ( %d %d %d\n,a,b,c) Arrays and indexed addressing (section 6.4) So far we have looked at scalars (int, char, bool) but no composite types. Look next at arrays and see why there is a need for some of the addressing modes we have not yet seen. The table on page 283 is a useful summary of all 8 of the addressing modes in Pep/8. We have seen Immediate Direct Stack-relative Stack-relative deferred. We will introduce the other 4 modes as needed Comp 162 Notes Page 3 of 11 March 12, 2014

4 Global arrays Translations of global array declarations are not complicated. Here are some examples. High-level Language Pep/8 int A[4] A:.block 8 char B[12] B:.block 12 int C[]={2,4,1} C:.word 2.word 4.word 1 Accessing elements of global arrays uses indexing mode (,x). Consider the following loop that uses one of the example arrays above. High-level language for (i=0 i<12 i++) input(b[i]) // read 12 characters into array Pep/8 ldx 0,i index is initially zero top: cpx 12,i more to read? brge next branch if no chari B,x mode specifies a base address (B) and byte offset addx 1,i increment index br top next: In index mode (,x) the operand is memory[operand + Register X] (This is why register A and register X, otherwise interchangeable, are not equivalent.) When we are dealing with arrays in which each element is one byte long (as in the char array B) the byte-offset of an array element (its distance from the beginning of the array in memory) is the same as the index of the element. So B[5] is 5 bytes from the beginning of the array, B[11] is 11 bytes from the beginning of the array and so on. Comp 162 Notes Page 4 of 11 March 12, 2014

5 However, if each element of the array is larger than one byte then we have to distinguish between the array index (the high-level language view) and the byte-offset (used in calculating the address at the machine level). Generally if each element occupies k bytes then the offset for array element i is k*i bytes from the beginning of the array. In the case of arrays of integers where we allocate 2 bytes for each element (see example arrays A and C) we have to double the index to get the appropriate byte offset. B[0] B[1] B[2] B[3] B[4] B[5] B A[0] A[1] A[2] C B[6] B[7] B[8] B[9] B[10] B[12} A[3] The consequences of this in programming is illustrated in the following example. High-level language for (j=0 j<4 j++) input(a[j]) // read 4 integers into array Pep/8 (version 1) ldx 0,i top: cpx 4,i more to read? brge done branch if no aslx turn index into byte offset double it deci A,x for use in accessing the array asrx and then back into index halve it addx 1,i br top Comp 162 Notes Page 5 of 11 March 12, 2014

6 Here is another way we could translate the loop Pep/8 (version 2) ldx 0,i top: cpx 8,i Reg x will contain byte offset 0,2,4,6 brge done so if 8 or greater, we are finished deci A,x access the array addx 2,i offset is incremented by 2 br top Another self-modifying program Before indexing and index registers were invented, self modifying programs were one way to process an array. Consider the following self-modifying program to output the contents of a 5- element array, ldx 5,i top: deco table,d subx 1,i breq done lda 4,d adda 2,i sta 4,d br top done: stop table:.word 2.word 3.word 5.word 7.word 11 count of array elements is in register X branch if no more to output this three instruction sequence modifies bytes 4 and 5 which is the operand of deco There is no need for such tricks with indexing. Our two examples show sequential processing through an array. Random access to an array is done in the same way. Assume some integer array "vector" exists and we let the user output selected elements of it to output as in: input(j) while (j >= 0) { output(vector[j]) input(j) } Comp 162 Notes Page 6 of 11 March 12, 2014

7 In Pep/8 this would be deci j,d brlt quit top: ldx j,d index aslx turned into byte offset deco vector,x access array deci j,d get another j value brge top quit: Local arrays Consider int example(int A, char B) { int counter int table[3].. } If this function is called as in T = example(v,'*') then after the subprogram allocates the 8 bytes of local space (2 for counter and 6 for table), the stack might be depicted as follows Comp 162 Notes Page 7 of 11 March 12, 2014

8 counter (2 bytes) table (6 bytes) The asterisk Return Address * V (2 bytes) Space for returned value (2 bytes) How do we access the elements of table? Suppose the complete example function is int example(int A, char B) { int counter int table[3] } /* fill table from input */ for (counter=0 counter<3 counter++) input(table[counter]) /* output table in reverse order */ for (counter=2 counter >=0 counter--) output(table[counter]) A Pep/8 translation of the first part of example is: example: subsp 8,i for locals ldx 0,i stx 0,s counter=0 loop: cpx 3,i brge done branch if input loop finished aslx make into byte offset deci 2,sx new mode - stack indexing ldx 0,s addx 1,i stx 0,s increment the loop variable br loop done: output loop that follows is similar Comp 162 Notes Page 8 of 11 March 12, 2014

9 The new mode (,sx) is stack-relative indexing. The operand is Thus, in the case of memory[operand + SP + register X] deci 2,sx We are accessing the array that starts 2 bytes down from the top of the stack and using register X to select a particular element within the array, that is memory[2 + SP + register X] A buffer exploit in Pep/8 We can exploit the lack of array bound checking to cause Pep/8 to execute arbitrary code. We overflow a local array on the stack and overwrite the return address. On returning from the subroutine, control is transferred to a section of memory above the SP that still contains our input. Source Code call x for regular input call x to show exploit stop Subroutine x reads a zero-terminated sequence of integers into a local array then outputs them in reverse order because there is no bound checking, the number sequence can overwrite the return address which is next to it on the stack. Our input can be executable instructions stored in the array. We overwrite the return address with the address of the start of sequence so that when the RETn instruction executes, control is transferred to the instruction sequence we input. x: subsp 12,i for local temp and 5-element array AR ldx 0,i loop: deci 0,s breq output see if number input into temp is terminator lda 0,s sta 2,sx non-terminator stored in array addx 2,i br loop output: subx 2,i outputting array in reverse order loop2: deco 2,sx charo '\n',i newline after each number subx 2,i brge loop2 branch if more to output addsp 12,i ret0.end Comp 162 Notes Page 9 of 11 March 12, 2014

10 Program run Hi! Where does the Hi! come from?? The stack during a call of X can be depicted temp AR Return address Comp 162 Notes Page 10 of 11 March 12, 2014

11 Stack during first call of X Stack during second call of X temp AR ?? 50???? 21?? Return FB Address C3 In the second call of X, the input is the translation of charo H,I chari i,i charo!, stop <value of SP+2> FBC3 0 terminator for input We overwrite the return address with the address of our exploit code on the stack Now we have seen 6 of the 8 addressing modes: i, d, x, s, sf, sx. Only two more to go! Reading We are up to about p. 291 in the book and will follow the book order for a while so you can read ahead if you wish. Comp 162 Notes Page 11 of 11 March 12, 2014