1
play

1 Union Allocation Using Union to Access Bit Patterns Allocate - PDF document

Nov 24, 2022 •656 likes •754 views

Today Memory Layout Machine-Level Programming V: Unions Buffer Overflow Advanced Topics Vulnerability Protection CSci 2021: Machine Architecture and Organization March 6th, 2020 Your instructor: Stephen McCamant Based on

  1. Today  Memory Layout Machine-Level Programming V:  Unions  Buffer Overflow Advanced Topics  Vulnerability  Protection CSci 2021: Machine Architecture and Organization March 6th, 2020 Your instructor: Stephen McCamant Based on slides originally by: Randy Bryant, Dave O’Hallaron 1 2 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition not drawn to scale not drawn to scale x86-64 Linux Memory Layout Memory Allocation Example 00007FFFFFFFFFFF Stack Stack  Stack 8MB char big_array[1L<<24]; /* 16 MB */  Runtime stack (default 8MB soft limit) char huge_array[1L<<31]; /* 2 GB */  E. g., local variables int global = 0;  Heap int useless() { return 0; }  Dynamically allocated as needed  When you call malloc(), calloc(), C++ new int main () {  Data Shared Shared void *p1, *p2, *p3, *p4; Libraries Libraries  Statically (compiler-)allocated data int local = 0;  E.g., global vars, static vars, string constants p1 = malloc(1L << 28); /* 256 MB */ p2 = malloc(1L << 8); /* 256 B */  Text / Shared Libraries p3 = malloc(1L << 32); /* 4 GB */  Executable machine instructions Heap Heap p4 = malloc(1L << 8); /* 256 B */ /* Some print statements ... */  Read-only Data Data } Text Text Hex Address 400000 Where does everything go? 000000 3 4 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition not drawn to scale x86-64 Example Addresses Today 00007F Stack address range ~2 47  Memory Layout Heap  Unions local 0x00007ffe4d3be87c  Buffer Overflow p1 0x00007f7262a1e010 p3 0x00007f7162a1d010  Vulnerability p4 0x000000008359d120  Protection p2 0x000000008359d010 big_array 0x0000000080601060 huge_array 0x0000000000601060 main() 0x000000000040060c useless() 0x0000000000400590 Heap Data Text 000000 5 6 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition 1

  2. Union Allocation Using Union to Access Bit Patterns  Allocate according to largest element typedef union { u  Can only use one field at a time float f; f unsigned u; union U1 { 0 4 } bit_float_t; char c; c int i[2]; double v; i[0] i[1] float bit2float(unsigned u) unsigned float2bit(float f) } *up; v { { up+0 up+4 up+8 bit_float_t arg; bit_float_t arg; struct S1 { arg.u = u; arg.f = f; char c; return arg.f; return arg.u; int i[2]; } } double v; } *sp; Same as (float) u ? Same as (unsigned) f ? c i[0] i[1] v 3 bytes 4 bytes sp+0 sp+4 sp+8 sp+16 sp+24 7 8 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Byte Ordering Revisited Byte Ordering Example union { unsigned char c[8];  Idea unsigned short s[4];  Short/long/quad words stored in memory as 2/4/8 consecutive bytes unsigned int i[2];  Which byte is most (least) significant? unsigned long l[1]; } dw;  Can cause problems when exchanging binary data between machines  Big Endian  Most significant byte has lowest address c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] 32-bit  Sparc s[0] s[1] s[2] s[3]  Little Endian i[0] i[1]  Least significant byte has lowest address l[0]  Intel x86, ARM Android and IOS c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] 64-bit  Bi Endian s[0] s[1] s[2] s[3]  Can be configured either way i[0] i[1]  ARM l[0] 9 10 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Byte Ordering on IA32 Byte Ordering Example (Cont). int j; Little Endian for (j = 0; j < 8; j++) dw.c[j] = 0xf0 + j; f0 f1 f2 f3 f4 f5 f6 f7 printf("Characters 0-7 == c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] [0x%x,0x%x,0x%x,0x%x,0x%x,0x%x,0x%x,0x%x]\n", dw.c[0], dw.c[1], dw.c[2], dw.c[3], s[0] s[1] s[2] s[3] dw.c[4], dw.c[5], dw.c[6], dw.c[7]); i[0] i[1] l[0] printf("Shorts 0-3 == [0x%x,0x%x,0x%x,0x%x]\n", dw.s[0], dw.s[1], dw.s[2], dw.s[3]); LSB MSB LSB MSB Print printf("Ints 0-1 == [0x%x,0x%x]\n", Output: dw.i[0], dw.i[1]); Characters 0-7 == [0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7] printf("Long 0 == [0x%lx]\n", Shorts 0-3 == [0xf1f0,0xf3f2,0xf5f4,0xf7f6] dw.l[0]); Ints 0-1 == [0xf3f2f1f0,0xf7f6f5f4] Long 0 == [0xf3f2f1f0] 11 12 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition 2

  3. Byte Ordering on Sun Byte Ordering on x86-64 Little Endian Big Endian f0 f1 f2 f3 f4 f5 f6 f7 f0 f1 f2 f3 f4 f5 f6 f7 c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] s[0] s[1] s[2] s[3] s[0] s[1] s[2] s[3] i[0] i[1] i[0] i[1] l[0] l[0] MSB LSB MSB LSB LSB MSB Print Print Output on x86-64: Output on Sun: Characters 0-7 == [0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7] Characters 0-7 == [0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7] Shorts 0-3 == [0xf1f0,0xf3f2,0xf5f4,0xf7f6] Shorts 0-3 == [0xf0f1,0xf2f3,0xf4f5,0xf6f7] Ints 0-1 == [0xf3f2f1f0,0xf7f6f5f4] Ints 0-1 == [0xf0f1f2f3,0xf4f5f6f7] Long 0 == [0xf7f6f5f4f3f2f1f0] Long 0 == [0xf0f1f2f3] 13 14 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Summary of Compound Types in C Today  Arrays  Memory Layout  Contiguous allocation of memory  Unions  Aligned to satisfy every element’s alignment requirement  Buffer Overflow  Pointer to first element  Vulnerability  No bounds checking  Protection  Structures  Allocate bytes in order declared  Pad in middle and at end to satisfy alignment  Unions  Overlay declarations  Way to circumvent type system 15 16 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Recall: Memory Referencing Bug Example Memory Referencing Bug Example typedef struct { typedef struct { fun(0) → 3.14 int a[2]; int a[2]; fun(1) → 3.14 double d; double d; fun(2) → 3.1399998664856 } struct_t; } struct_t; fun(3) → 2.00000061035156 fun(4) → 3.14 double fun(int i) { fun(6) → Segmentation fault volatile struct_t s; s.d = 3.14; Explanation: s.a[i] = 1073741824; /* Possibly out of bounds */ return s.d; } Critical State 6 ? 5 fun(0) → 3.14 fun(1) → 3.14 ? 4 fun(2) → 3.1399998664856 Location accessed by d7 ... d4 3 fun(3) → 2.00000061035156 fun(i) d3 ... d0 2 fun(4) → 3.14 struct_t fun(6) → Segmentation fault a[1] 1 a[0]  0 Result is system specific 17 18 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition 3

Recommend

More recommend