Monday, March 13, 2017

Transcription

1 Monday, March 13, 2017 Topics for today Arrays and Indexed Addressing Global arrays Local arrays Buffer exploit attacks Arrays and indexed addressing (section 6.4) So far we have looked at scalars (int, char, bool) but no composite types. We look next at arrays and see why there is a need for some of the addressing modes we have not yet seen. The table on page 336 is a useful summary of all 8 of the addressing modes in Pep/9. So far we have seen Immediate Direct Stack-relative Stack-relative deferred. We will introduce the other 4 modes as needed Global arrays Declarations: translations of global array declarations are not complicated; we just need to determine how many bytes the array occupies and possibly initialize memory locations. Here are some examples. High-level Language Pep/9 int A[4]; A:.block 8 char B[12]; B:.block 12 int C[]={2,4,1} C:.word 2.word 4.word 1 Accessing elements: In order to access elements of global arrays we need to use a new addressing mode Indexed addressing,x Comp 162 Notes Page 1 of 11 March 13, 2017

2 Consider the following loop that uses one of the example arrays above. High-level language for (i=0; i<12; i++) input(b[i]); // read 12 characters into array Pep/9 ldwx 0,i ; index is initially zero top: cpwx 12,i ; more to read? brge next ; branch if no more ldba charin,d ; get next character stba B,x ; mode specifies a base address (B) and byte offset addx 1,i ; increment index br top next: In index mode (,x) the operand is memory[operand + Register X] (This is why register A and register X, otherwise interchangeable, are not equivalent.) In the code above we read characters into locations B, B+1, B+2 and so on When we are dealing with arrays in which each element is one byte long (as in the char array B) the byte-offset of an array element (its distance from the beginning of the array in memory) is the same as the index of the element. So B[5] is 5 bytes from the beginning of the array, B[11] is 11 bytes from the beginning of the array and so on. However, if each element of the array is larger than one byte then we have to distinguish between the array index (the high-level language view) and the byte-offset (used in calculating the address at the machine level). Generally if each element occupies k bytes then the offset for array element i is k*i bytes from the beginning of the array. In the case of arrays of integers where we allocate 2 bytes for each element (see example arrays A and C) we have to double the index to get the appropriate byte offset. Compare the following diagrams of arrays B and A. Comp 162 Notes Page 2 of 11 March 13, 2017

3 B[0] B[1] B[2] B[3] B[4] B[5] B A[0] A[1] A[2] C B[6] B[7] B[8] B[9] B[10] B[12} A[3] The following example shows the consequences of this in coding a loop to read integers into array A. High-level language for (j=0; j<4; j++) input(a[j]) // read 4 integers into array Pep/9 (version 1) ldwx 0,i top: cpwx 4,i ; more to read? brge done ; branch if no more aslx ; turn index into byte offset double it deci A,x ; for use in accessing the array asrx ; and then back into index halve it addx 1,i br top done: Comp 162 Notes Page 3 of 11 March 13, 2017

4 Here is another way we could translate the same loop Pep/9 (version 2) Ldwx 0,i top: cpwx 8,i ; Reg x will contain byte offset 0,2,4,6 brge done ; so if 8 or greater, we are finished deci A,x ; access the array addx 2,i ; offset is incremented by 2 br top Another self-modifying program Before indexing and index registers were invented, self modifying programs were one way to process an array. Consider the following self-modifying program to output the contents of a 5- element array, ldwx 5,i top: deco table,d subx 1,i breq done ldwa 4,d adda 2,i stwa 4,d br top done: stop table:.word 2.word 3.word 5.word 7.word 11 ; count of array elements is in register X ; branch if no more to output ; this three instruction ; sequence modifies bytes 4 and 5 which contain the ; operand of deco There is no need for such tricks with indexing. Our two examples illustrated sequential processing through an array. Random access to an array is also accomplished using indexing. In the following, a user selects elements of array vector to output. input(j) while (j >= 0) { output(vector[j]) input(j) } Comp 162 Notes Page 4 of 11 March 13, 2017

5 In Pep/9 this could be deci j,d brlt quit top: ldwx j,d aslx deco vector,x deci j,d brge top quit: ; index entered by user ; turned into byte offset ; access array ; get another j value ; repeat if not negative Processing order in a loop Sometimes it might be faster to process an array from the last element back to the first. Consider the following two loops each of which sums in register A the contents of the 36-element integer array T. The byte offset of the last element is 70. The one on the left sums T[35]+T[34]+ +T[0], the one on the right sums T[0]+T[1]+...+T[35]. ldwa 0,i ldwa 0,i ldwx 70,i ldwx 0,i L: adda T,x L: cpwx 70,i subx 2,i brge L end: brgt end adda T,x addx 2,i br L Because we have a built-in way to check when a register reaches zero, the loop on the left is shorter. Local arrays Consider function example with local array table. int example(int A, char B) { int counter; int table[3];.. } If this function is called as in T = example(v,'*'); Comp 162 Notes Page 5 of 11 March 13, 2017

6 then after the subprogram allocates the 8 bytes of local space (2 for counter and 6 for table), the stack might be depicted as follows counter (2 bytes) table (6 bytes) The asterisk Return Address * V (2 bytes) Space for returned value (2 bytes) How do we access the elements of table? Suppose the complete example function is int example(int A, char B) { int counter; int table[3]; } /* fill table from input */ for (counter=0; counter<3; counter++) input(table[counter]); A Pep/9 translation of example is: example: subsp 8,i ; for locals ldwx 0,i stwx 0,s ; counter=0 loop: cpwx 3,i ; counter < 3? brge done ; branch if input loop finished aslx ; make counter into byte offset deci 2,sx ; new mode - stack indexing ldwx 0,s addx 1,i stwx 0,s ; increment the loop variable br loop done: addsp 8,i ; deallocate locals ret Comp 162 Notes Page 6 of 11 March 13, 2017

7 The new mode (,sx) is stack-relative indexing. The operand is memory[operand + SP + register X] This is a natural combination of the,s and,x modes we have already seen. Thus, in the case of deci 2,sx we are accessing the array that starts 2 bytes down from the top of the stack and using register X to select a particular element within the array, that is memory[2 + SP + register X] A buffer exploit in Pep/9 We can exploit the lack of array bound checking to cause Pep/9 to execute arbitrary code. One way to do this is to overflow a local array on the stack and overwrite the return address. On returning from the subroutine, control can be transferred to a section of memory above the SP that still contains our input. Source Code call x ; first call: regular input call x ; second call: to demonstrate exploit stop ; ; ; Subroutine x reads a zero-terminated sequence of integers into ; a local array then outputs them in reverse order ; ; because there is no bound checking, the number sequence can overwrite ; the return address which is next to it on the stack. ; Our input can be executable instructions stored in ; the array. We overwrite the return address with the address of the start of ; sequence so that when the RETn instruction executes, control is ; transferred to the instruction sequence we input. ; ; x: subsp 12,i ; for local temp and 5-element array AR ldwx 0,i loop: deci 0,s breq output ; see if number input into temp is terminator ldwa 0,s stwa 2,sx ; non-terminator stored in array addx 2,i br loop output: subx 2,i ; outputting array in reverse order loop2: deco 2,sx ldba '\n',i ; newline stba charout,d ; is output after each number subx 2,i brge loop2 ; branch if more to output addsp 12,i ret.end Comp 162 Notes Page 7 of 11 March 13, 2017

8 Program run Where does the 777 come from?? The stack during a call of X can be depicted temp AR Return address Comp 162 Notes Page 8 of 11 March 13, 2017

9 Stack during first call of X Stack during second call of X temp AR ?? 38???? 07?? Return FB Address 83 In the second call of X, the numbers input by the user is the translation of deco 7,i ; deco 7,i ; deco 7,i ; stop ; <value of SP+2> ; FB83 0 ; terminator for input We overwrite the return address with the address of our exploit code on the stack Now we have seen 6 of the 8 addressing modes: i, d, x, s, sf, sx. Only two more to go! Reading Global and local arrays are discussed on pages 336 through 344. Comp 162 Notes Page 9 of 11 March 13, 2017

10 Review Questions 1. How many bytes does the Pep/9 version of int M[8][8] occupy? 2. Translate the following into Pep/9 assembly code char days [7][4] = { Sat, Sun, Mon, Tue, Wed, Thu, Fri }; 3. The Pep/9 equivalent of int RAIN [365] contains the rainfall in Camarillo for each day in (a) Write assembly code that processes the array forwards and leaves the total rainfall in total. (b) Write assembly code that processes the array backwards and leaves the total rainfall in total. (c) Determine for each of your answers to (a) and (b), the number of bytes the code occupies and the number of instructions executed when it runs 4. Consider the two local variables in function X below Void X() { Int one[5], int two[5] } Assuming that these are the only local variables in X, write code that copies the values in one to the corresponding elements in two. 5. A global character array S (30 bytes) contains a null-terminated string. The string may be shorter than 30 characters but will contain at least one non-null character. Function Y has a local character array void Y() { char copy[30]; } Write code for Y that copies the string in S (including the null byte) to local variable copy. 6. An array can be added from first element to last or from last element to first. Is it possible for one to fail and the other succeed? Comp 162 Notes Page 10 of 11 March 13, 2017

11 Review Answers bytes 8*8*2 2. days:.ascii Sat\x.ascii Sun\x.ascii Mon\x.ascii Tue\x.ascii Wed\x.ascii Thu\x.ascii Fri\x 3. (a) ldwa 0,i 1 ldwx 0,i 1 loop: adda RAIN,x 365 cpwx 728,I 365 breq done 365 addx 2,i 364 br loop 364 done: sta total,d 1 Space: 24 bytes Instructions: 1825 (b) ldwa 0,i 1 ldwx 728,i 1 loop: adda RAIN,x 365 subx 2,I 365 brge loop 365 stwa total,d 1 Space 18 bytes Instructions: ldwx 8,i loop: ldwa 2,sx stwa 12,sx subx 2,i brge loop 5. ldwa 0,i ldwx 0,i loop: ldba S,x stba 2,sx breq done addx 1,i br loop done: ; read from the global ; write to the local ; finished if just copied the null byte 6. Yes. Suppose contents are { 3, 3, -3 } one overflows, the other doesn t. Comp 162 Notes Page 11 of 11 March 13, 2017