machine level programming v advanced topics
play

Machine-Level Programming V: Advanced Topics CS140 - Assembly - PowerPoint PPT Presentation

Nov 10, 2023 •452 likes •930 views

Carnegie Mellon Machine-Level Programming V: Advanced Topics CS140 - Assembly Language and Computer Organization March 29, 2016 Slides courtesy of: Randal E. Bryant and David R. OHallaron 1 Bryant and OHallaron, Computer Systems: A

  1. Carnegie Mellon Machine-Level Programming V: Advanced Topics CS140 - Assembly Language and Computer Organization March 29, 2016 Slides courtesy of: Randal E. Bryant and David R. O’Hallaron 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  2. Carnegie Mellon Today  Memory Layout  Buffer Overflow  Vulnerability  Protection  Unions 2 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  3. Carnegie Mellon not drawn to scale x86-64 Linux Memory Layout 00007FFFFFFFFFFF Stack  Stack 8MB  Runtime stack (8MB limit)  E. g., local variables  Heap  Dynamically allocated as needed  When call malloc(), calloc(), new()  Data Shared Libraries  Statically allocated data  E.g., global vars, static vars, string constants  Text / Shared Libraries Heap  Executable machine instructions  Read-only Data Text Hex Address 400000 000000 3 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  4. Carnegie Mellon not drawn to scale Memory Allocation Example Stack char big_array[1L<<24]; /* 16 MB */ char huge_array[1L<<31]; /* 2 GB */ int global = 0; int useless() { return 0; } int main () { Shared void *p1, *p2, *p3, *p4; Libraries int local = 0; p1 = malloc(1L << 28); /* 256 MB */ p2 = malloc(1L << 8); /* 256 B */ p3 = malloc(1L << 32); /* 4 GB */ Heap p4 = malloc(1L << 8); /* 256 B */ /* Some print statements ... */ Data } Text Where does everything go? 4 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  5. Carnegie Mellon not drawn to scale x86-64 Example Addresses 00007F Stack address range ~2 47 Heap local 0x00007ffe4d3be87c p1 0x00007f7262a1e010 p3 0x00007f7162a1d010 p4 0x000000008359d120 p2 0x000000008359d010 big_array 0x0000000080601060 huge_array 0x0000000000601060 main() 0x000000000040060c useless() 0x0000000000400590 Heap Data Text 000000 5 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  6. Carnegie Mellon Today  Memory Layout  Buffer Overflow  Vulnerability  Protection  Unions 6 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  7. Carnegie Mellon Recall: Memory Referencing Bug Example typedef struct { int a[2]; double d; } struct_t; double fun(int i) { volatile struct_t s; s.d = 3.14; s.a[i] = 1073741824; /* Possibly out of bounds */ return s.d; } fun(0)  3.14 fun(1)  3.14 fun(2)  3.1399998664856 fun(3)  2.00000061035156 fun(4)  3.14 fun(6)  Segmentation fault  Result is system specific 7 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  8. Carnegie Mellon Memory Referencing Bug Example fun(0)  typedef struct { 3.14 fun(1)  int a[2]; 3.14 double d; fun(2)  3.1399998664856 } struct_t; fun(3)  2.00000061035156 fun(4)  3.14  Segmentation fault fun(6) Explanation: Critical State 6 ? 5 ? 4 Location accessed by 3 d7 ... d4 fun(i) 2 d3 ... d0 struct_t 1 a[1] 0 a[0] 8 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  9. Carnegie Mellon Such problems are a BIG deal  Generally called a “buffer overflow”  when exceeding the memory size allocated for an array  Why a big deal?  It’s the #1 technical cause of security vulnerabilities  #1 overall cause is social engineering / user ignorance  Most common form  Unchecked lengths on string inputs  Particularly for bounded character arrays on the stack  sometimes referred to as stack smashing 9 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  10. Carnegie Mellon String Library Code  Implementation of Unix function gets() /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; }  No way to specify limit on number of characters to read  Similar problems with other library functions  strcpy , strcat : Copy strings of arbitrary length  scanf , fscanf , sscanf , when given %s conversion specification 10 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  11. Carnegie Mellon Vulnerable Buffer Code /* Echo Line */ void echo() {  btw, how big char buf[4]; /* Way too small! */ gets(buf); is big enough? puts(buf); } void call_echo() { echo(); } unix> ./bufdemo-nsp Type a string: 012345678901234567890123 012345678901234567890123 unix>./bufdemo-nsp Type a string: 0123456789012345678901234 Segmentation Fault 11 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  12. Carnegie Mellon Buffer Overflow Disassembly echo: 00000000004006cf <echo>: 4006cf: 48 83 ec 18 sub $0x18,%rsp 4006d3: 48 89 e7 mov %rsp,%rdi 4006d6: e8 a5 ff ff ff callq 400680 <gets> 4006db: 48 89 e7 mov %rsp,%rdi 4006de: e8 3d fe ff ff callq 400520 <puts@plt> 4006e3: 48 83 c4 18 add $0x18,%rsp 4006e7: c3 retq call_echo: 4006e8: 48 83 ec 08 sub $0x8,%rsp 4006ec: b8 00 00 00 00 mov $0x0,%eax 4006f1: e8 d9 ff ff ff callq 4006cf <echo> 4006f6: 48 83 c4 08 add $0x8,%rsp 4006fa: c3 retq 12 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  13. Carnegie Mellon Buffer Overflow Stack Before call to gets Stack Frame for call_echo /* Echo Line */ Return Address void echo() (8 bytes) { char buf[4]; /* Way too small! */ gets(buf); puts(buf); 20 bytes unused } [3] [2] [1] [0] buf %rsp echo: subq $24, %rsp movq %rsp, %rdi call gets . . . 13 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  14. Carnegie Mellon Buffer Overflow Stack Example Before call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 f6 call_echo: . . . 20 bytes unused 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp . . . [3] [2] [1] [0] buf %rsp 14 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  15. Carnegie Mellon Buffer Overflow Stack Example #1 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 f6 call_echo: 00 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 01234567890123456789012 01234567890123456789012 Overflowed buffer, but did not corrupt state 15 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  16. Carnegie Mellon Buffer Overflow Stack Example #2 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address 00 40 00 34 (8 bytes) call_echo: 33 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 0123456789012345678901234 Segmentation Fault Overflowed buffer and corrupted return pointer 16 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  17. Carnegie Mellon Buffer Overflow Stack Example #3 After call to gets void echo() echo: Stack Frame { subq $24, %rsp for call_echo char buf[4]; movq %rsp, %rdi gets(buf); call gets . . . . . . } 00 00 00 00 Return Address (8 bytes) 00 40 06 00 call_echo: 33 32 31 30 39 38 37 36 . . . 35 34 33 32 20 bytes unused 4006f1: callq 4006cf <echo> 31 30 39 38 4006f6: add $0x8,%rsp . . . 37 36 35 34 33 32 31 30 buf %rsp unix> ./bufdemo-nsp Type a string: 012345678901234567890123 012345678901234567890123 Overflowed buffer, corrupted return pointer, but program seems to work! 17 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

  18. Carnegie Mellon Buffer Overflow Stack Example #3 Explained After call to gets Stack Frame register_tm_clones: for call_echo . . . 400600: mov %rsp,%rbp 400603: mov %rax,%rdx 00 00 00 00 Return Address 400606: shr $0x3f,%rdx (8 bytes) 00 40 06 00 40060a: add %rdx,%rax 33 32 31 30 40060d: sar %rax 39 38 37 36 400610: jne 400614 35 34 33 32 20 bytes unused 400612: pop %rbp 31 30 39 38 400613: retq 37 36 35 34 33 32 31 30 buf %rsp “Returns” to unrelated code Lots of things happen, without modifying critical state Eventually executes retq back to main 18 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition

Recommend

Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &amp;

738 views • 53 slides
1 Union Allocation Using Union to Access Bit Patterns Allocate according to largest element

1 Union Allocation Using Union to Access Bit Patterns Allocate according to largest element

Today Memory Layout Machine-Level Programming V: Unions Buffer Overflow Advanced Topics Vulnerability Protection CSci 2021: Machine Architecture and Organization March 6th, 2020 Your instructor: Stephen McCamant Based on

754 views • 8 slides
1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

1 x86 Clones: Advanced Micro Devices Intels 64-Bit History (AMD) 2001: Intel Attempts

Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Machine-Level Programming I: Basics Assembly Basics: Registers, operands, move Arithmetic &amp; logical operations CSci

320 views • 8 slides
Machine-Level Programming I: Basics 15-213/18-213:

Machine-Level Programming I: Basics 15-213/18-213:

Carnegie Mellon Machine-Level Programming I: Basics 15-213/18-213: Introducon to Computer Systems 5 th Lecture, Sep. 15, 2015 Instructors: Randal

721 views • 44 slides
CSSE132 Introduc0on to Computer Systems 13 : Machine level

CSSE132 Introduc0on to Computer Systems 13 : Machine level

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 13 : Machine level programming March 25, 2013 1 Today: Machine Level Programming Review

449 views • 41 slides
Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming I: Basics CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides adapted from Bryant &amp; OHallarons slides 1 Today: Machine Programming I: Basics History of Intel processors and

606 views • 45 slides
Machine-Level Programming IV: Data 15-213: Introduc;on to

Machine-Level Programming IV: Data 15-213: Introduc;on to

Carnegie Mellon Machine-Level Programming IV: Data 15-213: Introduc;on to Computer Systems 8 th Lecture, Sep. 24, 2015 Instructors: Randal E. Bryant and

607 views • 46 slides
Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional

Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional

Today Arrays One-dimensional Machine-Level Programming IV: Data Multi-dimensional (nested) Multi-level Structures CSci 2021: Machine Architecture and Organization Allocation March 2nd-4th, 2020 Access Your instructor:

224 views • 6 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks ACE Programming Model and SDK 11/13/03 Tilman Wolf 1 Overview Overview Programming Model Active Computing Element (ACE)

558 views • 32 slides
COMP 204: Python programming for life sciences Introduction to machine learning Mathieu

COMP 204: Python programming for life sciences Introduction to machine learning Mathieu

COMP 204: Python programming for life sciences Introduction to machine learning Mathieu Blanchette, based on material from Yue Li, Christopher Cameron, and Carlos Gonzales 1 / 22 Remaining of this course: Advanced topics The rest of the

741 views • 22 slides
Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma

Machine-Level Programming II: Control CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGN Slides adapted from Bryant &amp; OHallarons slides 1 Today Control: Condition codes Conditional branches Loops

1.01k views • 49 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics Bayes Nets: Inference Marginals, MPE, MAP Variable Elimination Readings: KF 9.1,9.2; Barber 5.1 Dhruv Batra Virginia Tech

667 views • 22 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks Microengine Programming I 11/18/03 Tilman Wolf 1 Overview Overview Lab 2: IP forwarding on IXP1200 Any problems with Part I?

791 views • 24 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics Bayes Nets (Finish) Structure Learning Readings: KF 18.4; Barber 9.5, 10.4 Dhruv Batra Virginia Tech Administrativia HW1

596 views • 30 slides
CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming

CIS 218 Advanced UNIX (g)awk CIS 218 Advanced UNIX 1 Overview awk is a programming language Awk uses syntax based on grep and sed for handling numbers and text awk provides field level addressability. And within a field (word)

662 views • 40 slides
Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C

Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C

Welcome to C CSCI 112: Programming in C C is a high-level, imperative programming language C code maps to machine instructions very efficientlyits What is C? lightweight and has wide applications Originally developed in 10973 at

772 views • 20 slides
Concurrent and parallel programming Seminars in Advanced Topics in Computer Science Engineering

Concurrent and parallel programming Seminars in Advanced Topics in Computer Science Engineering

Concurrent and parallel programming Seminars in Advanced Topics in Computer Science Engineering 2019/2020 Romolo Marotta Trend in processor technology Concurrent and parallel programming 2 Blocking synchronization SHARED RESOURCE

1.31k views • 74 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics: Bayes Nets: Representation/Semantics v-structures Probabilistic influence, Active Trails Readings: Barber 3.3; KF

322 views • 16 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics Bayes Nets (Finish) Parameter Learning Structure Learning Readings: KF 18.1, 18.3; Barber 9.5, 10.4 Dhruv Batra Virginia

351 views • 32 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Topics: Bayes Nets: Representation/Semantics d-separation, Local Markov Assumption Markov Blanket I-equivalence, (Minimal)

569 views • 28 slides
ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale

ECE 6504: Advanced Topics in Machine Learning Probabilistic Graphical Models and Large-Scale Learning Dhruv Batra Virginia Tech What is this class about? Some of the most exciting developments in Machine Learning, AI, Statistics &amp;

925 views • 61 slides
Kernels CS678 Advanced Topics in Machine Learning Thorsten Joachims Spring

Kernels CS678 Advanced Topics in Machine Learning Thorsten Joachims Spring

Non-Linear Problems Kernels CS678 Advanced Topics in Machine Learning Thorsten Joachims Spring 2003 ==&gt; Outline: A representation of the hyperplane in terms of the

219 views • 4 slides
Machine-Level Programming Introduction Today Assembly programmers exec model

Machine-Level Programming Introduction Today Assembly programmers exec model

Machine-Level Programming Introduction Today Assembly programmers exec model Accessing information Arithmetic operations Next time More of the same Fabin E. Bustamante, Spring 2007 Monday, October 10, 2011 IA32

815 views • 40 slides
1 How gates work NOT ( ) NAND ( ) o Transistors can be made to

1 How gates work NOT ( ) NAND ( ) o Transistors can be made to

The digital logic level Bits and Gates ... The digital logic level Level 2 Conventional Machine Level Level 1 Micro Programming Level Computer Science Ground Floor Digitial Logic Level CS240 Computer Organization Department of Computer

83 views • 6 slides

More recommend