 
CSci 2021: Review Lecture 2
Stephen McCamant
University of Minnesota, Computer Science & Engineering

Midterm 2 topics (in one slide)
- Machine-level code representation
  - Instructions, operands, flags
  - Branches, conditions, and loops
  - Procedures and calling conventions
  - Arrays, structs, unions
  - Buffer overflow attacks
- CPU architecture
  - Y86 instructions
  - Control logic and HCL
  - Sequential Y86-64
  - Pipelined Y86-64

Outline
- Topics in machine code
- Announcements break
- Topics in CPU architecture
- Review questions

Instructions and operands
- Assembly language ≈ machine code
- Sequence of instructions, encoded in bytes
- An instruction reads from or writes to operands
  - x86: usually at most one memory operand
  - AT&T: destination is last operand
  - AT&T shows operand size with b/w/l/q suffix

Addressing modes
- General form: disp(base,index,scale)
  - Displacement is any constant, scale is 1, 2, 4 or 8
  - Base and index are registers
- Formula: mem[disp + base + index * scale]
- All but base are optional
  - Missing displacement or index: 0
  - Missing scale: 1
  - Drop trailing (but not leading) commas
- Do same computation, just put address in register: lea

Flags and branches
- Flags (aka condition codes) are set based on results of arithmetic
  - ZF: result is zero
  - SF: result is negative (highest bit set)
  - OF: signed overflow occurred
  - CF: unsigned overflow ("carry") occurred
- Used for condition in:
  - setCC: store 1 or 0
  - cmovCC: copy or don't copy
  - jCC: jump or don't jump
- Just for setting flags: cmp (like sub), test (like and)
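As an added worked example (not part of the lecture slides), the C model below computes the four flags the way a 64-bit cmp does (dst - src, keeping only the flags) and then expresses the setCC/jCC conditions in terms of them. The interesting case is INT64_MIN compared with 1: the subtraction overflows, so "signed less than" has to be read as SF != OF rather than SF alone, while the unsigned comparison reads CF instead. The function names are this example's own.

```c
/* Added example: how cmpq sets ZF, SF, OF and CF, and how conditions read them.
 * AT&T "cmpq src, dst" computes dst - src and discards the result. */
#include <stdint.h>
#include <stdio.h>

struct flags { int zf, sf, of, cf; };

/* Model "cmpq src, dst": subtract modulo 2^64 like the ALU, derive the flags. */
struct flags cmpq(uint64_t dst, uint64_t src) {
    uint64_t res = dst - src;                 /* wraps, as the hardware does */
    struct flags f;
    f.zf = (res == 0);
    f.sf = (res >> 63) & 1;                   /* highest bit set: negative as signed */
    /* Signed overflow: operands had different signs and the result's sign
     * differs from dst's sign. */
    f.of = (((dst ^ src) & (dst ^ res)) >> 63) & 1;
    /* Unsigned overflow: the subtraction needed a borrow. */
    f.cf = (dst < src);
    return f;
}

/* Conditions used by setCC / cmovCC / jCC, in terms of the flags. */
int cond_e (struct flags f) { return f.zf; }
int cond_ne(struct flags f) { return !f.zf; }
int cond_l (struct flags f) { return f.sf != f.of; }            /* signed <  */
int cond_le(struct flags f) { return f.zf || (f.sf != f.of); }  /* signed <= */
int cond_g (struct flags f) { return !f.zf && (f.sf == f.of); } /* signed >  */
int cond_b (struct flags f) { return f.cf; }                    /* unsigned < */
int cond_a (struct flags f) { return !f.cf && !f.zf; }          /* unsigned > */

/* "dst < src" decided purely from the flags, signed and unsigned. */
int signed_less(int64_t dst, int64_t src) {
    return cond_l(cmpq((uint64_t)dst, (uint64_t)src));
}
int unsigned_less(uint64_t dst, uint64_t src) {
    return cond_b(cmpq(dst, src));
}

int main(void) {
    /* INT64_MIN - 1 overflows to a positive value: SF is 0 but OF is 1,
     * so SF != OF correctly says INT64_MIN < 1 as signed numbers. */
    printf("signed   INT64_MIN < 1: %d\n", signed_less(INT64_MIN, 1));
    printf("unsigned INT64_MIN < 1: %d\n", unsigned_less((uint64_t)INT64_MIN, 1));
    printf("signed   -1 < 0:        %d\n", signed_less(-1, 0));
    printf("unsigned -1 < 0:        %d\n", unsigned_less(UINT64_MAX, 0));
    return 0;
}
```

The same bit patterns give opposite answers under the signed and unsigned conditions, which is exactly why the suffix on jl vs jb matters even though both follow the same cmp.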
Loops
- Simplest structure: conditional jump "at the bottom", like a C do-while
- C while also checks at beginning ("top")
- C for e.g. initializes a variable and updates it on each iteration
- Assembly most like C with goto

Stack and frames
- "The" stack is used for data with a function lifetime
- %rsp points at the most recent in-use element
- Convenient instructions: push and pop
- Section for one run of a function: stack frame

Calling conventions
- Function arguments go in %rdi, %rsi, %rdx, %rcx, %r8, and %r9
- Return value is in %rax
- Handle that both caller and callee want to use registers
  - Caller-saved: callee might modify, caller must save if using
    - %rax, %rdi, ..., %r10, %r11, flags
  - Callee-saved: caller might be using, callee must save before using
    - %rbx, %r12, ..., %rbp, (%rsp)

Arrays
- Sequence of values of same size and type, next to each other
- Numbered starting from 0 in C
- To find location: start with base, add index times size
- C's pointer arithmetic is basically the same operation
- Multi-dimensional array
  - Needs more multiplying
- Array of pointers to arrays
  - Different, more flexible layout
  - Each access needs more loads

Structs and unions
- Struct groups objects of different types and sizes, in order
- Fields often accessed using displacement from a pointer
- Alignment requirements → padding
  - Primitive values aligned to their size
  - Pad between elements, when next needs more alignment
  - Pad at end, to round off total size
- Unions: "like structs where every offset is 0"
  - Used to save space if only one needed at a time
  - Can also reveal storage details

Buffer overflows
- Local arrays stored on the stack
- C compilers usually do not check limits of array accesses
- Too much buffer data can overwrite a return address
  - Changes what code will execute
  - Various nefarious uses
- Various partial defenses:
  - Randomize stack location
  - Non-executable stack
  - Stack canary checking
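To make the three padding rules on the structs slide concrete, here is an added example (not from the slides) that computes a struct's layout from just those rules and checks the result against what the compiler actually did, using offsetof and sizeof. The two structs and the helper names are constructed for this example; the "alignment equals size" rule holds for the primitive types used here.

```c
/* Added example: struct layout from the padding rules vs. the compiler's layout. */
#include <stddef.h>
#include <stdio.h>

#define MAX_FIELDS 8

/* Layout computed from the rules: a primitive is aligned to its own size,
 * padding goes between elements when the next one needs more alignment, and
 * padding goes at the end so the total is a multiple of the largest alignment. */
typedef struct {
    size_t offsets[MAX_FIELDS];
    size_t size;    /* total size including end padding */
    size_t align;   /* largest field alignment */
} layout_t;

layout_t compute_layout(const size_t *sizes, int n) {
    layout_t L = { {0}, 0, 1 };
    size_t off = 0;
    for (int i = 0; i < n && i < MAX_FIELDS; i++) {
        size_t a = sizes[i];                    /* primitive: alignment == size */
        if (off % a != 0) off += a - off % a;    /* pad between elements */
        L.offsets[i] = off;
        off += sizes[i];
        if (a > L.align) L.align = a;
    }
    if (off % L.align != 0) off += L.align - off % L.align;   /* pad at end */
    L.size = off;
    return L;
}

/* Two constructed structs with the same fields in different orders. */
struct scattered { char c; long l; int i; };   /* padding before l and after i */
struct sorted    { long l; int i; char c; };   /* only padding at the end */

/* Bytes of padding the compiler inserted: sizeof minus the fields' own sizes. */
size_t padding_scattered(void) {
    return sizeof(struct scattered) - (sizeof(char) + sizeof(long) + sizeof(int));
}
size_t padding_sorted(void) {
    return sizeof(struct sorted) - (sizeof(char) + sizeof(long) + sizeof(int));
}

/* 1 if the rule-based layout of `scattered` matches what the compiler did. */
int rules_match_compiler(void) {
    size_t sizes[3] = { sizeof(char), sizeof(long), sizeof(int) };
    layout_t L = compute_layout(sizes, 3);
    return L.offsets[0] == offsetof(struct scattered, c)
        && L.offsets[1] == offsetof(struct scattered, l)
        && L.offsets[2] == offsetof(struct scattered, i)
        && L.size == sizeof(struct scattered);
}

int main(void) {
    printf("scattered: size %zu, padding %zu bytes\n",
           sizeof(struct scattered), padding_scattered());
    printf("sorted:    size %zu, padding %zu bytes\n",
           sizeof(struct sorted), padding_sorted());
    printf("rules reproduce the compiler's layout: %d\n", rules_match_compiler());
    return 0;
}
```

On x86-64 Linux (char 1, int 4, long 8) the rules give offsets 0, 8, 16 and a total of 24 for `scattered`, against 16 for `sorted`: reordering fields from largest to smallest removes the interior padding without changing the data.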
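The buffer-overflow slide says that unchecked writes past a local array reach whatever the compiler placed next in the frame, and lists stack canaries as a partial defense. The added example below (not from the slides) models one frame as a struct so the effect can be shown deterministically and portably: an unchecked copy of 32 constructed bytes into a 16-byte buffer overwrites the canary and the saved return address, the canary check in the epilogue detects that, and a length-checked copy refuses the input outright. The frame layout, canary constant and return-address value are constructed placeholders, not real program data.

```c
/* Added example: unchecked vs. checked copy into a stack buffer, and the
 * canary check that catches the unchecked one. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Model of one stack frame, in the order compilers typically lay it out
 * (the buffer sits below the canary, which sits below the return address).
 * A real frame is just bytes on the stack; a struct keeps this deterministic. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t canary;
    uint64_t return_addr;
};

#define CANARY_VALUE 0x3f2c1a9b5e7d6c4bULL   /* constructed; real ones are random */
#define RETURN_ADDR  0x0000000000401136ULL   /* constructed placeholder address */

static void init_frame(struct frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->canary = CANARY_VALUE;
    f->return_addr = RETURN_ADDR;
}

/* Unchecked copy: writes n bytes starting at buf with no comparison against
 * BUF_SIZE, so bytes beyond 16 spill into the rest of the frame. */
static void unchecked_copy(struct frame *f, const char *data, size_t n) {
    memcpy(f, data, n);   /* n is bounded by sizeof(*f) by the callers here */
}

/* Checked copy: rejects input that does not fit and leaves the frame intact. */
static int checked_copy(struct frame *f, const char *data, size_t n) {
    if (n > BUF_SIZE) return -1;
    memcpy(f->buf, data, n);
    return 0;
}

/* The epilogue check of a canary-protected function: 1 if intact, 0 if not. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* 1 if 32 bytes through the unchecked copy changed the return address and
 * the canary check caught it. */
int overflow_detected_by_canary(void) {
    char input[32];
    memset(input, 'A', sizeof input);   /* constructed oversized input */
    struct frame f;
    init_frame(&f);
    unchecked_copy(&f, input, sizeof input);
    return f.return_addr != RETURN_ADDR && !canary_intact(&f);
}

/* 1 if the same input through the checked copy was rejected with the frame
 * untouched. */
int overflow_prevented_by_check(void) {
    char input[32];
    memset(input, 'A', sizeof input);
    struct frame f;
    init_frame(&f);
    int rc = checked_copy(&f, input, sizeof input);
    return rc == -1 && f.return_addr == RETURN_ADDR && canary_intact(&f);
}

int main(void) {
    printf("unchecked copy: corrupted and caught by canary = %d\n",
           overflow_detected_by_canary());
    printf("checked copy:   rejected, frame intact          = %d\n",
           overflow_prevented_by_check());
    return 0;
}
```

The canary only detects the corruption after it has happened, which is why the slide calls it a partial defense; the length check is what prevents it.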
Outline
- Topics in machine code
- Announcements break
- Topics in CPU architecture
- Review questions

Online midterm: hardware
- You should be virtually present on Zoom while doing the test on Canvas
- First choice: a computer with a webcam
- Second choice: a computer, and the Zoom app running on a smartphone
- If you won't be able to do either of these, please contact me in advance

Online midterm: rules
- You need to take the midterm live, starting at 3:35pm.
- The midterm ends at 4:25pm, even if you started late
- Still paper resources only
  - Open (paper) book, open (paper) notes, printouts
  - No electronics, calculators, communicating with other students
- If possible, stay at your computer for the whole exam
  - Check with the TA if you need to get up
- If you finish early, check with the TA after submitting but before leaving Zoom

Outline
- Topics in machine code
- Announcements break
- Topics in CPU architecture
- Review questions

Y86-64 instructions
- Simplified subset of x86-64, simpler encoding
- 64-bit only, 15 registers
- Four kinds of moves, only one addressing mode
- Add, subtract, bitwise and, bitwise xor
- Conditional jump and move based on equality and signed comparison
- Call, return, push, pop
- Halt and two fatal errors, no exceptions

Logic design for control
- Combinational circuits:
  - Compute a function of bits, no memory
  - Acyclic network of AND, OR, and NOT gates
  - Also includes word-sized comparison, multiplexors, and ALU
- Stateful elements:
  - (Clocked) registers
  - Random-access memory
  - State updates occur on rising clock edge only
Hardware design in HCL
- Simple language for specifying control circuits
- Two types: Boolean and word
- Comparison and logic operators (no side-effects or "short circuiting")
- Core construct: sequential conditional
  [ C1 : V1 ; C2 : V2 ; ... ; 1 : Vn ]
- "Else" case written 1

Sequential Y86-64
- Whole state update function is one big combinational circuit
- Express behavior of each instruction using smaller computations
- Processing split into stages for organization: Fetch, decode, execute, memory, write back, PC update
- Simplest, but requires long cycle time (slow)

Pipelining basics
- Split processing into stages, and work on multiple instructions at once
- Reduces cycle time and increases hardware utilization
- Pipeline registers hold data between stages
- Performance concerns: balanced stages, and not too many
- Correctness concerns: must have same final behavior

Pipelining techniques
- Hazards: dependencies introduce danger of incorrect results
- Branch prediction: guesses result of conditional jumps
- Stalling: hold up instructions until data ready
  - Simple, but introduces a lot of delay
  - Used for return instruction in Y86-64
- Cancelling: kill incorrect instructions
  - Must happen before they have side-effects
  - Used for branch mis-predictions
- Forwarding: copy data to a different stage right as needed

Outline
- Topics in machine code
- Announcements break
- Topics in CPU architecture
- Review questions

Calling conventions (review question)
According to the standard x86-64 calling convention, which of these registers would your function need to save before modifying it?
A. %rdi
B. %rsi
C. %r10
D. %rbx
E. %rax
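To show what the HCL sequential conditional means and how the sequential Y86-64 design uses it to "express the behavior of each instruction using smaller computations", here is an added example (not from the slides) that models `[ C1 : V1 ; ... ; 1 : Vn ]` in C and then writes two decode-stage selectors in that style: which register is read on port A, and which register port E writes. Every condition is evaluated up front, as in combinational logic, and the first true one selects the output. The instruction and register codes follow the CS:APP Y86-64 SEQ design, which the slides do not list; treat them as an assumption.

```c
/* Added example: HCL's sequential conditional and two SEQ decode selectors. */
#include <stdio.h>

/* Y86-64 instruction codes and the register numbers the decode logic needs
 * (assumed values from the CS:APP SEQ design). */
enum icode { IHALT = 0, INOP, IRRMOVQ, IIRMOVQ, IRMMOVQ, IMRMOVQ,
             IOPQ, IJXX, ICALL, IRET, IPUSHQ, IPOPQ };
enum { RRSP = 4, RNONE = 0xF };

struct hcl_case { int cond; int value; };

/* HCL [ C1 : V1; C2 : V2; ...; 1 : Vn ]: all conditions are already computed
 * (no short-circuiting, no side effects); the first true one picks the value. */
int hcl_select(const struct hcl_case *cases, int n) {
    for (int i = 0; i < n; i++)
        if (cases[i].cond) return cases[i].value;
    return RNONE;   /* not reached when the last case is the "1 :" default */
}

/* HCL's "icode in { ... }" set membership test. */
int in_set(int x, const int *set, int n) {
    for (int i = 0; i < n; i++)
        if (set[i] == x) return 1;
    return 0;
}

/* Decode stage, register file read port A:
 *   word srcA = [ icode in { IRRMOVQ, IRMMOVQ, IOPQ, IPUSHQ } : rA;
 *                 icode in { IPOPQ, IRET } : RRSP;
 *                 1 : RNONE ]; */
int seq_srcA(int icode, int rA) {
    const int uses_rA[]  = { IRRMOVQ, IRMMOVQ, IOPQ, IPUSHQ };
    const int uses_rsp[] = { IPOPQ, IRET };
    struct hcl_case cases[] = {
        { in_set(icode, uses_rA, 4),  rA    },
        { in_set(icode, uses_rsp, 2), RRSP  },
        { 1,                          RNONE },   /* "else", written 1 in HCL */
    };
    return hcl_select(cases, 3);
}

/* Write-back stage, write port E (destination of ALU results):
 *   word dstE = [ icode in { IRRMOVQ } && Cnd : rB;
 *                 icode in { IIRMOVQ, IOPQ } : rB;
 *                 icode in { IPUSHQ, IPOPQ, ICALL, IRET } : RRSP;
 *                 1 : RNONE ]; */
int seq_dstE(int icode, int rB, int cnd) {
    const int writes_rB[] = { IIRMOVQ, IOPQ };
    const int moves_rsp[] = { IPUSHQ, IPOPQ, ICALL, IRET };
    struct hcl_case cases[] = {
        { icode == IRRMOVQ && cnd,     rB    },   /* cmovXX only writes if Cnd */
        { in_set(icode, writes_rB, 2), rB    },
        { in_set(icode, moves_rsp, 4), RRSP  },
        { 1,                           RNONE },
    };
    return hcl_select(cases, 4);
}

int main(void) {
    printf("popq reads port A from register %d (%%rsp)\n", seq_srcA(IPOPQ, 0));
    printf("cmovXX with Cnd = 0 writes register %d (none)\n", seq_dstE(IRRMOVQ, 3, 0));
    printf("cmovXX with Cnd = 1 writes register %d (rB)\n", seq_dstE(IRRMOVQ, 3, 1));
    return 0;
}
```

The order of the cases matters only where two conditions can be true at once; here they are disjoint except for the final `1 :` default, which is why HCL can write the "else" branch as a constant-true condition.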
x86-64 instructions (review question)
Which two instructions can be used to compare %rax to zero?
A. cmp $0, %rax and test $0, %rax
B. cmp $0, %rax and test %rax, %rax
C. cmp %rax, %rax and test $0, %rax
D. cmp %rax, %rax and test %rax, %rax

for loops (review question)
Which of these while loop patterns is equivalent to the loop for (A; B; C) { D; } ?
A. A; while (B && C) { D; }
B. B; while (A) { D; C }
C. A; while (B) { C; D }
D. A; while (B) { C; D; C }
E. A; while (B) { D; C }

Y86-64 instructions (review question)
Which of these Y86-64 instructions is an indirect jump?
A. call
B. ret
C. jmp
D. jle
E. jne

Structure padding (review question)
Because of padding, which of these structs would not be the same size as the others?
A. struct { short s; long l; }
B. struct { float f; double d; }
C. struct { char c; long l; }
D. struct { long l1; long l2; }
E. struct { int i1; int i2; }