Lecture Outline
• Notion of binding time
• Object lifetime and storage management
• An aside: Stack Smashing 101 (slides courtesy of RPISEC/MBE)
• Scoping
  – Static scoping
  – Dynamic scoping
Programming Languages CSCI 4430, A. Milanova (slide 1)
Stack Frames
– In x86-64, RBP is the frame pointer (fp) and RSP is the stack pointer (sp). Together they delimit the stack frame of the currently executing function, which holds:
  – local variables
  – a pointer to the previous (caller's) frame
  – the return address

  #include <string.h>

  void foo() {
      long long x = 0x1337;
      char str[16];
      strcpy(str, "ABCDEFGH0123456");   /* 15 characters + NUL = 16 bytes, fits exactly */
  }

Note: for 64-bit, each stack 'slot' is 8 bytes.

[Stack diagram for foo(), lower addresses at the top]
  RSP ->  0x1337                 <- local var (x)
          "ABCDEFGH0123456\0"    <- local var (str, two slots)
  RBP ->  0x7fff10203040         <- caller frame RBP (saved frame pointer)
          0x400134               <- return address
RPISEC - 1/23/2019 09/09/2019, MBE - Overview, slide 2
What is corruption?
• So what happens if a programmer makes a simple mistake:

  char foo[64];
  int money = 0;
  gets(foo);

RPISEC - 02/6/2019 09/09/2019, Memory, slide 3
gets()?
– DO NOT EVER USE (it has no way to bound how many bytes it writes into the destination)
  ∘ scanf("%s", ...) as well (no width limit, same problem)
• So what happens if we give this program a bunch of A's? With gets we can give as many A's as we want!
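As an added example (not from the RPISEC slides), here is the bounded replacement for the gets(foo) pattern above: a line reader that never writes past the end of foo, rejects lines that do not fit instead of silently truncating them, and gets the exact-fit case right (a 63-character line plus NUL fills a 64-byte buffer and must be accepted). The account struct, the a_line() input builder and the tmpfile()-based driver are constructed for this demo; the struct simply places money right after foo, as on the slide, so the demo can show that money is never touched.

```c
/* Added example, not from the lecture slides: bounded line input in place
 * of gets(). The struct, a_line() and demo_read() are constructed for the
 * demo so it runs offline on embedded input. */
#include <stdio.h>
#include <string.h>

/* Same two locals as the slide, laid out in one struct so the demo can
 * observe whether a long line ever reaches money. */
struct account {
    char foo[64];
    int  money;
};

static int g_last_status;   /* status of the most recent demo_read() */

/* Read one line into dst (cap bytes). Returns the line length (newline
 * removed), or -1 when the line does not fit: the partial read is discarded,
 * the rest of the line is drained so the next read starts cleanly, and dst is
 * left empty. Unlike gets(), this never writes past dst[cap-1]. */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
        return (int)len;
    }
    /* fgets stopped without a newline: either the line fit exactly
     * (next char is '\n'), the file ended, or the line is too long. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return (int)len;
    while (c != EOF && c != '\n')        /* overlong: drain and reject */
        c = fgetc(in);
    dst[0] = '\0';
    return -1;
}

/* Constructed input: n copies of 'A' followed by a newline (n <= 126),
 * mirroring the "bunch of A's" on the slides. */
const char *a_line(size_t n)
{
    static char buf[128];
    if (n > 126) n = 126;
    memset(buf, 'A', n);
    buf[n] = '\n';
    buf[n + 1] = '\0';
    return buf;
}

/* Feeds a constructed input string through read_line_bounded() into an
 * account whose money starts at 0, and returns money afterwards. With the
 * bounded read it always stays 0; the read status is available via
 * last_status(). Uses a temporary file as the stdin stand-in. */
int demo_read(const char *input)
{
    struct account acct = { .foo = {0}, .money = 0 };
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    g_last_status = read_line_bounded(in, acct.foo, sizeof acct.foo);
    fclose(in);
    return acct.money;
}

int last_status(void) { return g_last_status; }

int main(void)
{
    int money = demo_read("hello\n");
    printf("short line : money=%d status=%d\n", money, last_status());
    money = demo_read(a_line(63));
    printf("63 x 'A'   : money=%d status=%d (exact fit, accepted)\n", money, last_status());
    money = demo_read(a_line(100));
    printf("100 x 'A'  : money=%d status=%d (rejected, nothing overrun)\n", money, last_status());
    return 0;
}
```

The design choice worth noting is the rejection policy: a plain fgets() call already prevents the overrun, but it leaves the tail of an overlong line in the stream, where the next read picks it up as a fresh "line". Draining to the newline and returning an error keeps later reads honest.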
Stack Smashing 101
main() has a stack frame
– Contains local variables
– Pointer to previous frame
– Return address

[Stack diagram for main(), lower addresses at the top]
  Start of char foo[64]:  0x00 ... (64 bytes, all zero)
  End of foo
  ---- Not supposed to touch ----
  money = 0               0x00
  Base pointer            0x7fff01020304
  RETURN ADDRESS          0x40051f
Higher Memory
Stack Smashing 101
As gets() continues to read input, we fill up the 64 bytes allocated for buffer foo

[Stack diagram, lower addresses at the top]
  Start of char foo[64]:  0x4141414141414141  ('A' = 0x41, eight slots)
                          0x4141414141414141
                          ...
                          0x4141414141414141
  End of foo
  ---- Not supposed to touch ----
  money = 0               0x00
  Base pointer            0x7fff01020304
  RETURN ADDRESS          0x40051f
Higher Memory
Stack Smashing 101
As gets() continues to read input, we fill up the 64 bytes allocated for foo
Go far enough, it corrupts important data!

[Stack diagram, lower addresses at the top]
  Start of char foo[64]:  0x4141414141414141  ('A' = 0x41, eight slots)
                          ...
                          0x4141414141414141
  End of foo
  ---- Not supposed to touch ----
  money:                  0x41   <- the 65th 'A' has landed in money
  Base pointer            0x7fff01020304
  RETURN ADDRESS          0x40051f
Higher Memory
Stack Smashing 101
• We can give ourselves money
• If we want to set money to 0x1337beef we need to know:
  – Most x86 machines are little endian (little byte goes first)
  – Meaning the byte order for numbers is "backwards" in memory
  – 0x01020304 would be stored, lowest address first, as:
      0x04
      0x03
      0x02
      0x01
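The byte order on the slide, made explicit as an added example that is not part of the RPISEC deck: store_le32() and load_le32() are constructed helpers that write and read a 32-bit value in little-endian order no matter what the host does, and host_byte_at() shows how the host actually lays the value out, so the two can be compared on an x86 machine and on a big-endian one.

```c
/* Added example, not from the lecture slides: little-endian byte order made
 * explicit. All helpers are constructed for this demo. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Write v at out[0..3] with the least significant byte first, the order the
 * slide shows for 0x01020304 -> 04 03 02 01. Independent of the host. */
void store_le32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Inverse: reassemble the value from four little-endian bytes. */
uint32_t load_le32(const uint8_t in[4])
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Byte i (0 = lowest address) of v after store_le32(). */
int le32_byte(uint32_t v, int i)
{
    uint8_t b[4];
    store_le32(b, v);
    return b[i];
}

/* store followed by load must give the value back unchanged. */
uint32_t le32_roundtrip(uint32_t v)
{
    uint8_t b[4];
    store_le32(b, v);
    return load_le32(b);
}

/* Byte i (0 = lowest address) of v as the host itself lays it out in
 * memory; memcpy is the well-defined way to look at an object's bytes. */
int host_byte_at(uint32_t v, int i)
{
    uint8_t raw[4];
    memcpy(raw, &v, sizeof raw);
    return raw[i];
}

/* 1 on little-endian hosts (x86, x86-64), 0 on big-endian ones. */
int host_is_little_endian(void)
{
    return host_byte_at(0x01020304u, 0) == 0x04;
}

int main(void)
{
    uint8_t b[4];
    store_le32(b, 0x1337beefu);
    printf("0x1337beef, lowest address first: %02x %02x %02x %02x\n",
           b[0], b[1], b[2], b[3]);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

On x86-64 the host bytes and the store_le32() bytes agree (ef be 37 13 for 0x1337beef); on a big-endian machine host_byte_at() would give 13 be ef in the opposite order while store_le32() still produces the slide's order, which is why portable code serialises through shifts rather than by copying raw integers.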
Stack Smashing 201
• What else can we corrupt?
• What happens if you corrupt further? When does it segfault?
  – What was that about a return address?
Stack Smashing 201

  #include <stdio.h>

  int func() {
      puts("Hello World");
      return 17;
  }

  int main() {
      int res = func();
      return 0;
  }

When func() is called, the runtime stores the return address on the stack (i.e., the address of the instruction that immediately follows "call func" in main).
Stack Smashing 201
[Slides 11 to 15 step through the call with stack diagrams that did not survive extraction; their captions did:]
– Before the call
– After the call: the return address points back to where it left off in main
– About to return: returning just takes whatever is on the top of the stack and jumps there, equivalently: pop rip
– Returned back to main
– What if we change this??? ?!?!?!?
Stack Smashing 201
Without corruption:
– At the end of the function, it returns
– 0x40051f is popped off the stack and stored in rip
– Control goes to that address

[Stack diagram, lower addresses at the top]
  Start of char foo[64]:  0x4141414141414141  (eight slots)
                          ...
                          0x4141414141414141
  End of foo
  money = 0               0x00
  Base pointer            0x7fff01020304
  RETURN ADDRESS          0x40051f   <- "We want to change this"
Higher Memory
Stack Smashing 201
Corrupted:
– At the end of the function, it returns
– 0x4141414141414141 is popped off the stack and stored in rip
– Control goes to that address
– but it's invalid memory... Segmentation fault

[Stack diagram, lower addresses at the top]
  Start of char foo[64]:  0x4141414141414141  (eight slots)
                          ...
                          0x4141414141414141
  End of foo
  money:                  0x4141414141414141
  Base pointer:           0x4141414141414141
  RETURN ADDRESS:         0x4141414141414141
Higher Memory
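The segfault above is the lucky outcome; the mitigation a practitioner wants is one that notices the overrun before the corrupted return address is used. As an added example that is not part of the RPISEC slides, the following models how a stack-protector canary does that: the frame layout (foo, a guard word, the saved base pointer and the return address, with the slide's values), the constructed GUARD value, and unbounded_write() are all built for the demo. A real compiler inserts the guard with -fstack-protector and checks it in the epilogue; here the check is an ordinary function so the effect of different input lengths can be asserted.

```c
/* Added example, not from the lecture slides: a model of a stack-protector
 * canary catching the overrun from the previous slides. Frame layout, guard
 * value and writer are constructed for this demo. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum {
    FOO_SIZE   = 64,                    /* char foo[64] from the slides      */
    OFF_FOO    = 0,
    OFF_GUARD  = OFF_FOO + FOO_SIZE,    /* canary sits right above foo       */
    OFF_SAVED  = OFF_GUARD + 8,         /* saved RBP (0x7fff01020304)        */
    OFF_RET    = OFF_SAVED + 8,         /* return address (0x40051f)         */
    FRAME_SIZE = OFF_RET + 8
};

/* Constructed guard value. Real canaries are random per process; on x86-64
 * their lowest byte is 0x00 so C string functions stop at the guard. */
static const uint64_t GUARD = 0xd34dc0de7b0a5e00ull;

static void put64(uint8_t *frame, int off, uint64_t v) { memcpy(frame + off, &v, 8); }
static uint64_t get64(const uint8_t *frame, int off)
{
    uint64_t v;
    memcpy(&v, frame + off, 8);
    return v;
}

/* Prologue: lay out the frame as on the slide, with the guard inserted. */
void frame_init(uint8_t frame[FRAME_SIZE])
{
    memset(frame, 0, FRAME_SIZE);
    put64(frame, OFF_GUARD, GUARD);
    put64(frame, OFF_SAVED, 0x7fff01020304ull);
    put64(frame, OFF_RET,   0x40051full);
}

/* Models an unbounded write such as gets(foo): n input bytes land starting at
 * foo. The frame array itself is the only limit, so the model stays
 * well-defined C while still reaching everything above foo. */
void unbounded_write(uint8_t frame[FRAME_SIZE], const uint8_t *input, size_t n)
{
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame + OFF_FOO, input, n);
}

/* Epilogue check: 1 if the guard is intact and it is safe to pop the return
 * address, 0 if the frame was smashed (a real binary aborts here). */
int guard_intact(const uint8_t frame[FRAME_SIZE])
{
    return get64(frame, OFF_GUARD) == GUARD;
}

uint64_t return_address(const uint8_t frame[FRAME_SIZE]) { return get64(frame, OFF_RET); }

/* Run one call with a constructed input of n 'A' bytes (as on the slides).
 * Returns 1 if the function would return normally, 0 if the guard check
 * would abort first. */
int simulate_call(size_t n)
{
    uint8_t frame[FRAME_SIZE], input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    frame_init(frame);
    unbounded_write(frame, input, n);
    return guard_intact(frame);
}

/* Same run, reporting what the return address slot holds afterwards. */
uint64_t simulate_return_address(size_t n)
{
    uint8_t frame[FRAME_SIZE], input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    frame_init(frame);
    unbounded_write(frame, input, n);
    return return_address(frame);
}

int main(void)
{
    size_t lens[] = { 16, 64, 65, FRAME_SIZE };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu bytes: guard %s, return slot 0x%llx\n", lens[i],
               simulate_call(lens[i]) ? "intact " : "SMASHED",
               (unsigned long long)simulate_return_address(lens[i]));
    return 0;
}
```

Two caveats the model makes visible. First, the guard is only checked at return, so anything below it that the overrun reached is already corrupted by then; this is why gcc's stack protector also reorders locals so that character arrays sit directly beneath the guard and scalars like money are placed below the arrays, out of the overrun's path. Second, the guard detects a write that crosses it; it does not bound the write, so the fix for the gets() call itself is still a bounded read.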