Presentation is loading. Please wait.

Presentation is loading. Please wait.

September 22, 2014 Pengju (Jimmy) Jin Section E

Published byAugustus Osborne Modified over 8 years ago

Similar presentations

Presentation on theme: "September 22, 2014 Pengju (Jimmy) Jin Section E"— Presentation transcript:

1 September 22, 2014 Pengju (Jimmy) Jin Section E
15/ Recitation 5 September 22, 2014 Pengju (Jimmy) Jin Section E

2 Agenda Bomb lab reminder Machine Programming Procedures Demo
Stack Frames Function calls in x86(IA32) and x86-64 (briefly) Demo Buffer lab Preview

3 Reminder In case you didn’t know, bomb lab is due tomorrow.
If you haven’t started it yet, good luck. Buflab comes out tomorrow night.

4 Register Recap Caller saved: %eax, %ecx, %edx
Must be saved before a function call (by the caller) if needed. Callee saved: %ebx, %edi, %esi Must save these (by the callee) before any work if needed in the child function. Base pointer: %ebp (IA32) Stack pointer: %esp Instruction pointer: %eip

5 IA32 Stack “Upside down” stack
Grows downward => new things are pushed to a lower memory address %esp holds the ADDRESS of top of the stack %esp has the lowest address Stack “bottom” 0xffffffff %esp Stack growth Stack “top”

6 Stack Operation - Push pushl src  subl $4, %esp movl src, (%esp)
Frist move the stack pointer to a lower (empty) address Then move the value into the empty address. ... 0x110 0x10c 0x108 0x123 0x104 0x213 ... 0x110 0x10c 0x108 0x123 %esp %esp

7 Stack Operation - pop popl dest  movl (%esp), dest addl $4, %esp
Move the value stored at the top of the stack to dest. The address now becomes empty, move the stack pointer up. ... 0x110 0x10c 0x108 0x123 0x104 0x213 ... 0x110 0x10c 0x108 0x123 0x104 0x213 %esp %esp

8 Stack frames Every function call is given a new stack frame.
Stack frames are in the stack memory region growing down. Things included in the frame: Local variables (scalars, arrays, structs) Scalars: if the compiler couldn’t allocate enough registers Space to save callee saved registers Space to put computations A way to give arguments and call other functions A way to grab arguments %ebp Old %ebp Saved registers + local variables Argument build for function call %esp

9 Function Calls - setup Shifting the stack frame when a function is called. Creating a new stack frame: Parent function: call label (ex: call <add>) Push the return address (the address of next instruction after the call) Child function: push %ebp, move $esp to %ebp, decrease $esp Save the old $ebp to the stack Move the $esp to $ebp, $ebp now points at the $ebp of the parent function. Decrease $esp, creating space for new function.

10 Visualization 804854e: e8 3d 06 00 00 call 8048b90 <main>
: pushl %eax call <main> ... 0x110 0x10c 0x108 0x123 ... 0x110 0x10c 0x108 0x123 0x104 0x %esp %eip 0x804854e %esp 0x108 %eip 0x8048b90 %esp 0x104

11 Function Calls - Return
Child function calls leave then ret leave – two machine operation combined into one move the $ebp to $esp (esp now points at the base of the stack) pops the stack into $ebp (ebp is restored back to the ebp of parent function) ret – pop return address into $eip, the function call is over.

12 Returning 8048591: c3 ret ret ... 0x110 0x10c 0x108 0x123 0x104
%esp %eip 0x %esp 0x104 %eip 0x %esp 0x108

13 Function calls and stack frames
Arguments Return addr Suppose you have sum grabs arguments by reaching up the caller’s stack frame! If we scale up this example, we see that arguments should be pushed in reverse order main int main(void) { int x = 3; return sum(x, 0); } %ebp Old %ebp Saved registers + local variables Argument build %esp sum

14 Demo

15 X86-64 If you understand 32bit machines, 64 bit is easy.
No more frame pointers (%ebp is now a free register) Many arguments are passed in registers Less stack manipulation, more use of registers Overall a lot less stack usage Good for performance You are expected to know how the stack works for 64 bits

16 Buffer lab Overview Hacking the IA32 function call procedure.
Overflows the stack frame memory space and over-writes some important information (return address). A thorough understanding of procedure call is needed.

17 Details on Buffer Lab Disassembling your code using objdump USE GDB
Find out how long to make your inputs. Write exploits to divert program execution

18 Buffer Lab Tricks Canaries NOP sleds Detect overrun buffers
Sit at the end of the buffer If the array overflows, hopefully we can detect this with a change in the canary value NOP sleds The nop instruction means “no operation” Used to “pad” instructions (or exploits)

19 Buffer Lab Tools ./makecookie andrewID ./hex2raw ./bufbomb –t andrewID
Makes a unique “cookie” based on your AndrewID ./hex2raw Use the hex generated from assembly to pass raw strings into bufbomb Use with –n in the last stage ./bufbomb –t andrewID The actual program to attack Always pass in with your AndrewID so you will be graded on autolab

20 How to Input Answer Put your byte code exploit into a text file
Then feed it through hex2raw Later stages: write(corruption) assembly Compiling Gcc –m32 –c example.s Get the byte codes Objdump –d example.o > outfile Feed it thrught hex2raw

21 Read every line of the handout. Good luck have fun
Buffer Lab Hint Read every line of the handout. Good luck have fun

Download ppt "September 22, 2014 Pengju (Jimmy) Jin Section E"

Similar presentations

Machine-Level Programming III: Procedures Feb. 8, 2000 Topics IA32 stack Stack-based languages Stack frames Register saving conventions Creating pointers.

Machine-Level Programming III: Procedures Feb. 8, 2000 Topics IA32 stack Stack-based languages Stack frames Register saving conventions Creating pointers.
Calling sequence ESP.

Calling sequence ESP.
15/18-213: Introduction to Computer Systems

15/18-213: Introduction to Computer Systems
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.

RECITATION - 09/20/2010 BY SSESHADR Buflab. Agenda Reminders  Bomblab should be finished up  Exam 1 is on Tuesday 09/28/2010 Stack Discipline Buflab.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Machine-Level Programming III: Procedures Apr. 17, 2006 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables CS213.

Machine-Level Programming III: Procedures Apr. 17, 2006 Topics IA32 stack discipline Register saving conventions Creating pointers to local variables CS213.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Machine-Level Programming III: Procedures Sept. 17, 2007 IA32 stack discipline Register saving conventions Creating pointers to local variablesx86-64 Argument.

Machine-Level Programming III: Procedures Sept. 17, 2007 IA32 stack discipline Register saving conventions Creating pointers to local variablesx86-64 Argument.
– 1 – 15-213, F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.

– 1 – , F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Machine-Level Programming III: Procedures Jan 30, 2003

Machine-Level Programming III: Procedures Jan 30, 2003
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Machine-Level Programming III: Procedures Sept. 15, 2006 IA32 stack discipline Register saving conventions Creating pointers to local variablesx86-64 Argument.

Machine-Level Programming III: Procedures Sept. 15, 2006 IA32 stack discipline Register saving conventions Creating pointers to local variablesx86-64 Argument.
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.

Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Similar presentations

Ads by Google