
C++ [ebp+10] Parameter 3 [ebp+0C] Parameter 2 [ebp+08] Parameter 1 [ebp+04] Return address [ebp+00] Old ebp [ebp -04]



Presentation on theme: "C++ [ebp+10] Parameter 3 [ebp+0C] Parameter 2 [ebp+08] Parameter 1 [ebp+04] Return address [ebp+00] Old ebp [ebp -04]"— Presentation transcript:


8 C++


20 [ebp+10] Parameter 3 [ebp+0C] Parameter 2 [ebp+08] Parameter 1 [ebp+04] Return address [ebp+00] Old ebp [ebp -04] Local 1 // w [ebp -08] Local 2 // x [ebp -0C] Local 3 // z or y

21 Stack Packing ?Bind_DeterminePinned@CBase@@UAEXXZ: 638643E0: 8B FF mov edi,edi 638643E2: 53 push ebx 638643E3: 56 push esi 638643E4: 8B F1 mov esi,ecx 638643E6: 8B 5E 18 mov ebx,dword ptr[esi+18h] 638643E9: 8B 46 04 mov eax,dword ptr [esi+4] 638643EC: F6 C3 01 test bl,1 638643EF: 74 08 je 638643F9 638643F1: 3B 46 08 cmp eax,dword ptr [esi+8] 638643F4: 76 1E jbe 63864414 638643F6: 5E pop esi 638643F7: 5B pop ebx 638643F8: C3 ret MORE COLD CODE No Stack Packing (R1 – R5 reasons for bad code) ?Bind_DeterminePinned@CBase@@UAEXXZ: 639E2840: 8B FF mov edi,edi 639E2842: 55 push ebp  #R1 639E2843: 8B EC mov ebp,esp 639E2845: 51 push ecx  #R2 639E2846: 53 push ebx 639E2847: 56 push esi 639E2848: 8B F1 mov esi,ecx 639E284A: 57 push edi  #R3 639E284B: 8B 5E 18 mov ebx,dword ptr [esi+18h] 639E284E: 8B 46 04 mov eax,dword ptr [esi+4] 639E2851: F6 C3 01 test bl,1 639E2854: 74 0C je 639E2862 639E2856: 3B 46 08 cmp eax,dword ptr [esi+8] 639E2859: 76 3F jbe 639E289A 639E285B: 5F pop edi  #R4 639E285C: 5E pop esi 639E285D: 5B pop ebx 639E285E: 8B E5 mov esp,ebp  #R5 639E2860: 5D pop ebp 639E2861: C3 ret MORE COLD CODE


29 Vector - all loads before all stores B[0] B[1] B[2] B[3] A[0] A[1] A[2] A[3] A[0] + B[0] A[1] + B[1] A[2] + B[2] A[3] + B[3] xmm0 “addps xmm1, xmm0 “ xmm1 +

30 for (i = 0; i < 1000/4; i++){ movps xmm0, [ecx] movps xmm1, [eax] addps xmm0, xmm1 movps [edx], xmm0 } for (i = 0; i < 1000; i++) A[i] = B[i] + C[i]; Compiler looks across loop iterations !


32 A(3) = ?

33 ALL loads before ALL stores A (2:5) = A (1:4) + A (3:7) VR1 = LOAD(A(1:5)) VR2 = LOAD(A(3:7)) VR3 = VR1 + VR2 // A(3) = F (A(2) A(4)) STORE(A(2:5)) = VR3

34 Instead - load store load store... Instead - load store load store... FOR ( j = 2; j <= 257; j++) A( j ) = A( j-1 ) + A( j+1 ) A(2) = A(1) + A(3) A(3) = A(2) + A(4) // A(3) = F ( A(1)A(2)A(3)A(4) ) A(4) = A(3) + A(5) A(5) = A(4) + A(6) … …

35 A ( a1 * I + c1 ) ?= A ( a2 * I’ + c2)

36 Complex C++ Not just arrays!

37 void foo(int n, float *a, float *b, float *c) { for (int j=0; j<n; j++) { *a++ = *b++ + *c++; } Legal ? Where’s the base of the array?

38 void transform1(int * first1, int * last1, int * first2, int * result) { while (first1 != last1) { *result++ = *first1++ + *first2++; } …and where’s the IV? A ( a1 * I + c1 ) ?= A ( a2 * I’ + c2)


40 int synthetic_i; int synthetic_upper = (last1 – first1 + 4)/4; for (synthetic_i = 0; synthetic_i < synthetic_upper; synthetic_i++) { result[synthetic_i] = first1[synthetic_i] + first2[synthetic_i]; } while (first1 != last1) { *result++ = *first1++ + *first2++; }


46 HRESULT CDocManager::IsValidWMToolsStream(bool* pfValid) { long cbSize; if(FAILED(hr = ExtractDataSize(strPath, &cbSize))) return S_OK; CSmartPtr pBuffer = new BYTE[cbSize]; ExtractData(strPath, pBuffer, cbSize); long dwCheckSum = DwChecksumFromLpvCb(0, pBuffer, cbSize); long dwStreamCnt = GetStreamCount(m_pVisitedTree); if(FAILED(hr = ExtractDataSize(kszCheckSumStream, &cbSize))) { return S_OK; } //ExtractData(kszCheckSumStream, pBuffer, cbSize); for(int i=0; i<cbSize; i++) { *pBuffer++ = *kszCheckSumStream++; } 1. cbSize assigned 4470 2. allocate buffer with 4470 bytes 3. cbSize re-assigned 4496 Heap Overflow! Leads to Hijack. The copy loop is bounded by the second cbSize (4496) while pBuffer was allocated with the first (4470), so the loop writes past the end of the allocation.

47 var e1; function f1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp").innerHTML = ""; window.setInterval(f2, 50); } function f2(){ var t = e1.srcElement; } var e1; function f1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp").innerHTML = ""; window.setInterval(f2, 50); } function f2(){ var t = e1.srcElement; } 1. Pass onload event (evt) to f1 2. Copy evt, but fail to AddRef on CTreeNode! 3. Destroy img tag in span leading to a free when evt falls out of scope 4. Call f2 async so evt goes out of scope Hijack! Vtable call via freed CTreeNode Red is C++ called from javascript

48 pointer heap vtable function_1 function_2 Vulnerability: “use after free” attack code attack data

49 Example for : Hardware + Language + Compiler co-design


52 for (k=1;k<=nn;k++){ if (yy[k] > y) { xx[k] > x ? ++na : ++nb; } else{ xx[k] > x ? ++nd : ++nc; }


55 G[0:3] = bit_mask(a[i] == b[i] ) 27 13 2029 55 27 125 7 55 0xffffffff 0x00000000 0xffffffff xmm0 “pcmpeq xmm1, xmm0 “ xmm1 ==

56 (Lhs[0:3] & ! G[0:3]) 0xffffffff 0x00000000 0xffffffff Lhs[0] Lhs[1] Lhs[2] Lhs[3] 0x0000000 Lhs[1] Lhs[2] 0x0000000 xmm0 “pandn xmm1, xmm0 “ xmm1 &!

57 (Rhs[0:3] & G[0:3]) 0xffffffff 0x00000000 0xffffffff Rhs[0] Rhs[1] Rhs[2] Rhs[3] Rhs[0] 0x0000000 Rhs[3] xmm2 “pandn xmm1, xmm0 “ xmm3 &

58 = (Lhs[0:3] & ! G[0:3]) | (Rhs[0:3] & G[0:3]) Rhs[0] 0x00000000 Rhs[2] 0x00000000 Lhs[1] Lhs[2] 0x00000000 Rhs[0] Lhs[1] Lhs[2] Rhs[3] xmm1 “por xmm1, xmm3 “ xmm3 or

59 STORE Rhs[0] Lhs[1] Lhs[2] Rhs[3] “movups [esi], xmm3 “ xmm3

60 New Fact of Life The system must never invent a write to a variable that wouldn’t be written to in a sequentially consistent (SC) execution. Q: Why? If you, the programmer, can’t see all the variables that get written to, you can’t possibly know what locks to take.


68 *x = new Base

69 // Need alias “q is now made type-of (r)” // De-virtualizing this call depends on type-of (q)


73 32nm 22nm 22nm 14nm 10nm 256 bit AVX(2)256 bit AVX 128 bit SSE You are here (3D tri-state transistors)


