Computer Systems CEN591(502) Fall 2011

Size: px

Start display at page:

Download "Computer Systems CEN591(502) Fall 2011"

Maude Wood
5 years ago
Views:

1 Computer Systems CEN591(502) Fall 2011 Sandeep K. S. Gupta Arizona State University 9 th lecture Machine-Level Programming (4) (Slides adapted from CSAPP)

2 Announcements Potentially Makeup Classes on Sat Nov 5 and Sun Nov 13. Midterm 1 Oct 10 Midterm 2 Nov 21 (Tentative)

3 Summary of previous class Procedures and stack frame on IA-32 Recursive procedure calls Register conventions Stack frame on x86-54 Reducing stack overhead by: Using more registers to pass procedure arguments No stack frame pointer This class: Homogenous and heterogeneous data structure in machine Use arrays to reduce programs execution time! Define larger data types in structure first to save space! Buffer overflow Use gcc options to protect your code Do not use some of C library functions such as scanf, gets, use fgets and fscanf instead!

4 Agenda Array One-dimensional Multi-dimensional (nested) Multi-level Structure Alignment principal Union Buffer overflow Avoiding buffer overflow

5 Arrays One-dimensional Multi-dimensional (nested) Multi-level

6 Array Allocation Basic Principle T A[L]; Array of data type T and length L Contiguously allocated region of L * sizeof(t) bytes char string[12]; int val[5]; double a[3]; x x + 12 x x + 4 x + 8 x + 12 x + 16 x + 20 x x + 8 x + 16 x + 24 char *p[3]; IA32 x x + 4 x + 8 x + 12 x x + 8 x + 16 x + 24 x86-64

7 Array Example #define LEN 5 typedef int intarray[len]; intarray X = { 1, 5, 2, 1, 3 ; intarray X; The example array were allocated in successive 20 byte blocks Not guaranteed to happen in general due to alignment requirements as we will see later.

8 Array Accessing Example intarray X; int get_digit (intarray z, int index) { return z[index]; IA32 # %edx = z # %eax = index movl (%edx,%eax,4),%eax # z[index] %edx : array z starting addr. %eax - array index z[index] at 4*%eax + %edx Use memory reference (%edx,%eax,4)

9 Array Loop Example (IA32) void zincr(intarray z) { int i; for (i = 0; i < LEN; i++) z[i]++; # edx = z movl $0, %eax # %eax = i.l4: # loop: addl $1, (%edx,%eax,4) # z[i]++ addl $1, %eax # i++ cmpl $5, %eax # i:5 jne.l4 # if!=, goto loop

10 Multidimensional (Nested) Arrays Declaration T A[R][C]; 2D array of data type T R rows, C columns Type T element requires K bytes Array Size R * C * K bytes Arrangement Row-Major Ordering int A[R][C]; A[0][0] A[R-1][0] A[0][C-1] A[R-1][C-1] A [0] [0] A [0] [C-1] A [1] [0] A [1] [C-1] 4*R*C Bytes A [R-1] [0] A [R-1] [C-1]

11 Nested Array Example #define PCOUNT 4 intarray Y[PCOUNT] = {{1, 5, 2, 0, 6, {1, 5, 2, 1, 3, {1, 5, 2, 1, 7, {1, 5, 2, 2, 1 ; equivalent to int Y[4][5] intarray Y[4]; Each element is an array of 5 int s, allocated contiguously Row-Major ordering of all elements guaranteed

12 Nested Array Row Access Code Example int *get_array(int index) { return Y[index]; #define PCOUNT 4 intarray Y[PCOUNT] = {{1, 5, 2, 0, 6, {1, 5, 2, 1, 3, {1, 5, 2, 1, 7, {1, 5, 2, 2, 1 ; # %eax = index leal (%eax,%eax,4),%eax # 5 * index (number of elements at each row) leal Y(,%eax,4),%eax # Y + (20 * index) Row Vector Y[index] is array of 5 int s Starting address Y+20*index IA32 Code Computes and returns address Compute as Y + 4*(index+4*index)

13 Nested Array Element Access Code Example int get_digit (int index, int dig) { return Y[index][dig]; movl 8(%ebp), %eax leal (%eax,%eax,4), %eax addl 12(%ebp), %eax movl Y(,%eax,4), %eax Array Elements Y[index][dig] is int Address: Y + 20*index + 4*dig = Y + 4*(5*index + dig) # index # 5*index # 5*index+dig # offset 4*(5*index+dig) IA32 Code Computes address Y + 4*((index+4*index)+dig) dig index Return address Old ebp ebp

14 Multi-Level Array Example intarray X = { 1, 5, 2, 1, 3 ; intarray Y = { 0, 2, 1, 3, 9 ; intarray Z = { 9, 4, 7, 2, 0 ; #define UCOUNT 3 int *univ[ucount] = {X, Y, Z; Variable univ denotes array of 3 elements Each element is a pointer 4 bytes Each pointer points to array of int s univ Y Z X

15 Example: Element Access in Multi-Level Array int get_univ_digit (int index, int dig) { return univ[index][dig]; movl 8(%ebp), %eax # index movl univ(,%eax,4), %edx # p = univ[index] movl 12(%ebp), %eax # dig movl (%edx,%eax,4), %eax # p[dig] Computation (IA32) Element access Mem[Mem[univ+4*index]+4*dig] Must do two memory reads First get pointer to row array Then access element within array First memory access Second memory access ebp dig index Return address Old ebp

16 Structure Structure Array structure Union Alignment

17 Structure Allocation struct rec { int a[3]; int i; struct rec *n; ; Memory Layout a i n Offset Concept Contiguously-allocated region of memory Refer to members within structure by names Members may be of different types

18 Structure Access Example struct rec { int a[3]; int i; struct rec *n; ; r r+12 a i n Accessing Structure Member Pointer indicates first byte of structure Access elements with offsets void set_i(struct rec *r, int val) { r->i = val; IA32 Assembly # %edx = val # %eax = r movl %edx, 12(%eax) # Mem[r+12] = val

19 Example: Generating Pointer to Structure Member r r+idx*4 struct rec { int a[3]; int i; struct rec *n; ; a i n Generating Pointer to Array Element Offset of each structure member determined at compile time Arguments Mem[%ebp+8]: r Mem[%ebp+12]: idx int *get_ap (struct rec *r, int idx) { return &r->a[idx]; movl 12(%ebp), %eax # Get idx sall $2, %eax # idx*4 addl 8(%ebp), %eax # r+idx*4

20 Following Linked List example C Code struct rec { int a[3]; int i; struct rec *n; ; void set_val (struct rec *r, int val) { while (r) { int i = r->i; r->a[i] = val; r = r->n; a i n Element i Register %edx %ecx Value r val.l17: # loop: movl 12(%edx), %eax # r->i movl %ecx, (%edx,%eax,4) # r->a[i] = val movl 16(%edx), %edx # r = r->n testl %edx, %edx # Test r jne.l17 # If!= 0 goto loop

21 Union Allocation Allocate according to largest element Can only use one field at a time union U1 { char c; int i[2]; double v; *up; struct S1 { char c; int i[2]; double v; *sp; c i[0] i[1] v up+0 up+4 up+8 c 3 bytes i[0] i[1] 4 bytes v sp+0 sp+4 sp+8 sp+16 sp+24

$bit2float(unsigned u) { bit_float_t arg; arg.$ $unsigned float2bit(float f) { bit_float_t arg; arg.$

22 Using Union to Access Bit Patterns typedef union { float f; unsigned u; bit_float_t; u f 0 4 float bit2float(unsigned u) { bit_float_t arg; arg.u = u; return arg.f; Same as (float) u? No! Bit representation does not change! unsigned float2bit(float f) { bit_float_t arg; arg.f = f; return arg.u; Same as (unsigned) f?

23 Alignment Principles Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32 treated differently by IA32 Linux, x86-64 Linux, and Windows! Motivation for Aligning Data Memory accessed by (aligned) chunks of 4 or 8 bytes (system dependent) Inefficient to load or store datum that spans quad word boundaries Virtual memory very tricky when datum spans 2 pages Compiler Inserts gaps in structure to ensure correct alignment of fields

24 Structures & Alignment example Unaligned Data c i[0] i[1] v p p+1 p+5 p+9 p+17 struct S1 { char c; int i[2]; double v; *p; Aligned Data Primitive data type requires K bytes Address must be multiple of K c 3 bytes i[0] i[1] 4 bytes v p+0 p+4 p+8 p+16 p+24 Multiple of 4 Multiple of 8 Multiple of 8 Multiple of 8

25 Different Alignment Conventions x86-64 or IA32 Windows: K = 8, for double element struct S1 { char c; int i[2]; double v; *p; c 3 bytes i[0] i[1] 4 bytes v p+0 p+4 p+8 p+16 p+24 IA32 Linux K = 4; double treated like a 4-byte data type c 3 bytes i[0] i[1] v p+0 p+4 p+8 p+12 p+20

26 Alignments for Arrays of Structures Overall structure length multiple of K K: largest alignment requirement Satisfy alignment requirement for every element Ex: struct S2 a[10]; struct S2 { double v; int i[2]; char c; a[10]; a[0] a[1] a[2] a+0 a+24 a+48 a+72 v i[0] i[1] c 7 bytes a+24 a+32 a+40 a+48

27 Saving Space through changing the order of declarations Put large data types first struct S4 { char c; int i; char d; *p; struct S5 { int i; char c; char d; *p; Effect (K=4) c 3 bytes i d 3 bytes i c d 2 bytes

28 Summary of homogenous and heterogeneous data Arrays in C Contiguous allocation of memory Aligned to satisfy every element s alignment requirement Pointer to first element No bounds checking Structures Allocate bytes in order declared Pad in middle and at end to satisfy alignment Unions Overlay declarations Way to circumvent type system

29 Memory buffer overflow and protection methods

30 Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines C does not have any array bound checking Both State variables and local variables are stored on stack Example: Internet worm of November 1988 used buffer overflow

31 Understanding buffer overflow bug -String Library Code Implementation of Unix function gets() /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c!= EOF && c!= '\n') { *p++ = c; c = getchar(); *p = '\0'; return dest; // no bound checking // Terminating string No way to specify limit on number of characters to read Similar problems with other library functions strcpy, strcat: Copy strings of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification

32 Vulnerable Buffer Code Example /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); void call_echo() { echo(); unix>./bufdemo Type a string: unix>./bufdemo Type a string: abc Segmentation Fault

33 Buffer Overflow Stack example Before call to gets String length Stack Frame for main Return Address Saved %ebp Saved %ebx [3] [2] [1] [0] Stack Frame for echo 3 ( 0-3) None %ebp buf Additional Corrupted state 7 (0-7) Saved value of ebx 11 (0-11) Saved value of ebp 15 (0-15) Return address 15+ (Saved state in caller) Caller states /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); echo: pushl %ebp movl %esp, %ebp pushl %ebx subl $20, %esp leal -8(%ebp),%ebx movl %ebx, (%esp) call gets... # Save %ebp on stack # Save %ebx # Allocate stack space # Compute buf as %ebp-8 # Push buf on stack # Call gets

34 Malicious Use of Buffer Overflow Example Stack after call to gets() void foo(){ bar();... return address A B foo stack frame int bar() { char buf[64]; gets(buf);... return...; data written by gets() B pad exploit code bar stack frame Input string contains byte representation of executable code Overwrite return address A with address of buffer B When bar() executes ret, will jump to exploit code

35 Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); Use library routines that limit string lengths fgets instead of gets strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string Or use %ns where n is a suitable integer

36 System-Level Protections Randomized stack offsets At start of program, allocate random amount of space on stack Makes it difficult for hacker to predict beginning of inserted code Nonexecutable code segments In traditional x86, can mark region of memory as either read-only or writeable Can execute anything readable X86-64 added explicit execute permission

37 System-Level Protections: Stack Canaries Idea Place special value ( canary ) on stack just beyond buffer Check for corruption before exiting function GCC Implementation -fstack-protector -fstack-protector-all unix>./bufdemo-protected Type a string: unix>./bufdemo-protected Type a string:12345 *** stack smashing detected ***

38 Setting Up Canary Before call to gets Stack Frame for main Return Address Saved %ebp %ebp Saved %ebx Canary [3] [2] [1] [0] buf Stack Frame for echo /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); echo: pushl %ebp # Save %ebp on stack movl %esp, %ebp pushl %ebx # Save %ebx subl $20, %esp # Allocate stack space movl %gs:20, %eax # Get canary movl %eax, -8(%ebp) # Put on stack leal -12(%ebp),%ebx # Compute buf as %ebp-12 movl %ebx, (%esp) # Push buf on stack call gets # Call gets... gs (old inst.): the canary value is read using segmented addressing. The segment can be marked as read only

39 Checking Canary Before call to gets Stack Frame for main Before return to the caller, check whether canary is corrupted! Return Address Saved %ebp %ebp Saved %ebx Canary [3] [2] [1] [0] buf /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); Stack Frame for echo echo:... movl -8(%ebp), %eax # Retrieve from stack xorl %gs:20, %eax # Compare with Canary je.l24 # Same: skip ahead call stack_chk_fail # ERROR.L24:... # normal return

40 What is next? Quiz on Chapter 3 Next Class Memory hierarchy(read chapter 6 of CSAPP)

CSC 252: Computer Organization Spring 2018: Lecture 9

CSC 252: Computer Organization Spring 2018: Lecture 9 Instructor: Yuhao Zhu Department of Computer Science University of Rochester Action Items: Assignment 2 is due tomorrow, midnight Assignment 3 is out