x86 assembly CS449 Fall 2017

Similar documents
x86 assembly CS449 Spring 2016

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Compiler Construction D7011E

CMSC 313 Lecture 12 [draft] How C functions pass parameters

Process Layout and Function Calls

W4118: PC Hardware and x86. Junfeng Yang

CS241 Computer Organization Spring 2015 IA

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

Assembly Language: Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Program Exploitation Intro

Assembly Language: Function Calls" Goals of this Lecture"

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Winter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

CS642: Computer Security

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Machine Programming 3: Procedures

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

Systems I. Machine-Level Programming V: Procedures

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Computer Architecture and Assembly Language. Practical Session 3

Buffer Overflow Attack

The x86 Architecture

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

X86 Stack Calling Function POV

x86 architecture et similia

Intel assembly language using gcc

CS429: Computer Organization and Architecture

Credits and Disclaimers

Stacks and Frames Demystified. CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han

Machine-level Programming (3)

Credits and Disclaimers

CPEG421/621 Tutorial

Digital Forensics Lecture 3 - Reverse Engineering

Assembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall

Instruction Set Architectures

Function Call Convention

Practical Malware Analysis

Reverse Engineering II: The Basics

Buffer Overflows Complete

How Software Executes

ASSEMBLY III: PROCEDURES. Jo, Heeseung

Lecture 4 CIS 341: COMPILERS

Assembly III: Procedures. Jo, Heeseung

CS213. Machine-Level Programming III: Procedures

Lab 10: Introduction to x86 Assembly

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

The course that gives CMU its Zip! Machine-Level Programming III: Procedures Sept. 17, 2002

How Software Executes

x86 Assembly Tutorial COS 318: Fall 2017

Compiler construction. x86 architecture. This lecture. Lecture 6: Code generation for x86. x86: assembly for a real machine.

Computer Systems Lecture 9

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

Assignment 11: functions, calling conventions, and the stack

Instruction Set Architecture

Instruction Set Architecture

Machine Program: Procedure. Zhaoguo Wang

Instruction Set Architecture

You may work with a partner on this quiz; both of you must submit your answers.

CS61 Section Solutions 3

Instruction Set Architectures

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

Assembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012

CPS104 Recitation: Assembly Programming

Sungkyunkwan University

Buffer Overflows Defending against arbitrary code insertion and execution

4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

Stack Discipline Jan. 19, 2018

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CSC 8400: Computer Systems. Using the Stack for Function Calls

Simple C Program. Assembly Ouput. Using GCC to produce Assembly. Assembly produced by GCC is easy to recognize:

IA32 Stack. Stack BoDom. Region of memory managed with stack discipline Grows toward lower addresses. Register %esp contains lowest stack address

Process Layout, Function Calls, and the Heap

Module 3 Instruction Set Architecture (ISA)

Machine and Assembly Language Principles

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

An Experience Like No Other. Stack Discipline Aug. 30, 2006

Transcription:

x86 assembly CS449 Fall 2017

x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS Relatively a few simple instructions Many registers to store intermediate values Example complex x86 instruction: F2XM1 Computes 2 x -1, where value of X must between -1.0 and +1.0. Fast compared to using a combination of simpler instructions But has few use cases and complicates overall design of CPU History has proved RISC to be superior Simple CPU design enabled making the common case fast

Why is x86 Still a CISC? Two words: backwards compatibility By the time Intel realized mistake it was too late Too many programs have already been produced Internally x86 CPUs are designed like RISC Focused on making simple instructions (+,-,*,/) fast Complex instructions supported only for compatibility Internally translated to simple instructions (called micro-ops) Nowadays x86 code looks similar to RISC code Complex instructions (e.g. F2XM1) almost never used You just need to learn a handful of simple instructions!

32-Bit General Purpose Registers EAX : Accumulator EBX : Base ECX : Counter EDX : Data ESI : String Source EDI : String Destination

Other 32-Bit Registers EIP : Instruction Pointer (a.k.a. Program Counter) Keeps track of where in code we are executing ESP : Stack Pointer Points to top of current frame (top of stack) EBP : Base or Frame Pointer Points to base of current frame EFLAGS Flag register Stores flags describing current state of CPU State can be many things. E.g. Result of last comparison instruction (true or false) Whether last add instruction overflowed And more

Register Subfields EAX AH AL AX

Hello World.file.LC0: "asm.c".section.rodata.string "hello world!".text.globl main.type main, @function main: pushl %ebp movl %esp, %ebp subl $8, %esp andl $-16, %esp ;1111 1111 1111 0000 subl $16, %esp movl $.LC0, (%esp) call puts movl $0, %eax leave ret.size main,.-main.section.note.gnu-stack,"",@progbits.ident "GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-8)"

AT&T Syntax gcc and gas use AT&T syntax: Opcode appended by type b byte (8-bit) w word (16-bit) l long (32-bit) q quad (64-bit) First operand is source Second operand is destination Operand can be one of Immediate value: $8, $-16, $.LC0, Register: %ebp, %esp, %eax, Memory dereference: ( %esp ), (%eax), movl $.LC0, (%esp): Move 32-bit value $.LC0 to location pointed to by %esp (top of stack)

Intel Syntax Microsoft (MASM), Intel, NASM Type sizes are spelled out BYTE 1 byte WORD 2 bytes DWORD 4 bytes (double word) QWORD 8 bytes (quad word) First operand is destination Second operand is source Operand can be one of Immediate value: 8, -16,.LC0, Register: $ebp, $esp, $eax, Memory dereference: [ $esp ], [ $eax ],

Intel Hello World main: push $ebp mov $ebp, $esp sub $esp, 8 and $esp, -16 ;1111 1111 1111 0000 sub $esp, 16 mov DWORD PTR [$esp],.lc0 call puts mov $eax, 0 leave ret

Stacks, Frames, and Calling Conventions CS449 Fall 2017

Automatic Variables Live in Stack 0xc0000000 Stack (Automatic variables) Unused memory space brk (program break) 0 Heap (Malloc ed Memory) Data Segment (Static variables) Text Segment ( Function Code) Stack starts at 0 bytes on program launch Stack grows / shrinks as automatic variables enter / exit scope Stack grows downwards

Stack Function Call A jump to a section of code that ends with a return to the point immediately following the call (the return address) Calling Convention Standard a compiler follows to convert function calls in source code to machine code (e.g. CDECL, STDCALL, FASTCALL) Two functions compiled using different compilers can still call each other if same calling convention is followed Stack The portion of memory managed in a last-in, first-out (LIFO) fashion, to store function activation records Activation record is pushed on function call Activation record is popped on function return Structure of activation record is part of calling convention

Activation Records An object containing all the necessary data for a function call, stored on the stack Function parameters Local (automatic) variables Return value Return address (point immediately following call) Temporaries (intermediate values) Also called a Frame Compiler knows exactly how many local variables there are and how many temporaries are needed ècan automatically generate code to allocate frame

Stack Memory Management int main() { foo(); } void foo() { bar(); } void bar() { } Frame for main Frame for foo Frame for bar Stack Grows Downwards

Register Value Preservation Functions have dedicated stack space (the frame) But functions must share only one set of CPU registers: Register values must be saved / restored across function calls int main() { // Save all CPU register values to stack foo(); // foo() modifies CPU registers // Restore all CPU register values from stack } main() is called caller function, foo() is called callee function We are faced with a choice Caller saves / restores all CPU registers Callee saves / restores all CPU registers Caller does half, callee does the other half è best choice

Caller-Saved / Callee-Saved Caller-Saved Registers Set of registers saved / restored by caller function Callee-Saved Registers Set of registers saved / restored by callee function Example int main() { // Save caller-saved registers to stack foo(); // Restore caller-saved registers from stack } void foo() { // Save callee-saved registers to stack // Restore callee-saved registers from stack }

Caller-Saved / Callee-Saved Why is this a good idea? Caller can use callee-saved registers without saving / restoring Callee can use caller-saved registers without saving / restoring Gives opportunity for compiler to minimize saving / restoring Best case scenario int main() { // Use only callee-saved registers foo(); } void foo() { // Use only caller-saved registers } Compiler can get away with no saving / restoring at all!

Caller-Saved / Callee-Saved Calling convention dictates which registers are caller-saved and which registers are callee-saved Both caller and callee must follow the same calling convention Space to store registers is also considered to be part of the activation record of the function

MIPS Calling Convention First 4 arguments $a0-$a3 Remainder put on stack Return values in $v0-$v1 $t0-$t9: caller-saved $s0-$s7: callee-saved

x86 Calling Convention Arguments (usually) passed on the stack Return value in $EAX $EAX, $ECX, $EDX: generally caller-saved $EBP, $EBX, $EDI, $ESI: generally callee-saved

Hello World.file.LC0: "asm.c".section.rodata.string "hello world!".text.globl main.type main, @function main: pushl %ebp movl %esp, %ebp subl $8, %esp andl $-16, %esp ;1111 1111 1111 0000 subl $16, %esp movl $.LC0, (%esp) call puts movl $0, %eax leave ret.size main,.-main.section.note.gnu-stack,"",@progbits.ident "GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-8)"

Hello World Stack $ESP $ESP $ESP $ESP Old $EBP Pointer to string $EBP pushl %ebp ;save old ebp movl %esp, %ebp ;start frame subl $8, %esp ;space for locals andl $-16, %esp subl $16, %esp ;space for args movl $.LC0, (%esp) call puts movl $0, %eax leave leave pops current frame. It translates to two instructions: movl %ebp, %esp ;collapse frame popl %ebp ;restore old ebp

Remember this from Scoping? #include <stdio.h> int* foo() { } int x = 5; return &x; void bar() { int y = 10; } int main() { } int *p = foo(); printf("*p=%d\n", *p); bar(); printf("*p=%d\n", *p); return 0; >> gcc./main.c./main.c: In function foo :./main.c:4: warning: function returns address of local variable >>./a.out *p=5 *p=10 The activation records for foo() and bar() landed on the same stack space 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback