Programming Languages CSCI 4430 & CSCI 6969

Programming Languages CSCI 4430, A. Milanova
Lecture Outline
Notion of binding time
Object lifetime and storage management

An aside: Stack Smashing 101
Slides courtesy of RPISEC/MBE
Scoping
Static scoping
Dynamic scoping

Stack Frames
In x86-64, RBP is the frame pointer (fp) and RSP is the stack pointer (sp). Together they delimit the stack frame of the currently executing function, which holds:
its local variables
the saved frame pointer of the caller (pointer to the previous frame)
the return address

Stack Frames: an example

void foo() {
    long long x = 0x1337;
    char str[16];
    strcpy(str, "ABCDEFGH0123456");
}

Frame of foo() while it executes, lower addresses at the top (note: for 64-bit, each 'slot' is 8 bytes):

  RSP ->  0x1337                 <- local var x
          "ABCDEFGH0123456\0"    <- local var str (two slots)
  RBP ->  0x7fff10203040         <- caller frame RBP
          0x400134               <- return address

09/09/2019; slides from RPISEC - 1/23/2019 MBE - Overview

What is corruption?

So what happens if a programmer makes a simple mistake:

char foo[64];
int money = 0;
gets(foo);

Slides from RPISEC - 02/6/2019 Memory

gets()?

DO NOT EVER USE it. The same goes for scanf("%s", ...): neither one bounds the read.
So what happens if we give this program a bunch of A's?
With gets we can give as many A's as we want!

Stack Smashing 101

main() has a stack frame
- Contains local variables
- Pointer to previous frame
- Return address

  Lower memory
  | -                  |  start of char foo[64]
  | -                  |
  | -                  |
  | -                  |
  | -                  |
  | -                  |
  | -                  |
  | -                  |  end of foo
  | 0x00               |  money = 0       (not supposed to touch)
  | 0x7fff01020304     |  base pointer    (not supposed to touch)
  | 0x40051f           |  RETURN ADDRESS  (not supposed to touch)
  Higher memory

As gets() continues to read input, we fill up the 64 bytes allocated for buffer foo:

  Lower memory
  | 0x4141414141414141 |  start of char foo[64]
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |  end of foo
  | 0x00               |  money = 0       (not supposed to touch)
  | 0x7fff01020304     |  base pointer    (not supposed to touch)
  | 0x40051f           |  RETURN ADDRESS  (not supposed to touch)
  Higher memory

Go far enough, and it corrupts important data:

  Lower memory
  | 0x4141414141414141 |  start of char foo[64]
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |  end of foo
  | 0x41               |  money = 0       (not supposed to touch)
  | 0x7fff01020304     |  base pointer    (not supposed to touch)
  | 0x40051f           |  RETURN ADDRESS  (not supposed to touch)
  Higher memory

We can give ourselves money

If we want to set money to 0x1337beef we need to know:
x86 is little endian (the little byte goes first), meaning the byte order for numbers is "backwards" in memory.
0x01020304 would be stored as:

  0x04 0x03 0x02 0x01

Stack Smashing 201

What else can we corrupt?
What happens if you corrupt further?
When does it segfault?
What was that about a return address?

When func() is called, the runtime stores the return address on the stack (i.e., the address of the instruction that immediately follows call func in main):

int func() {
    puts("Hello World");
    return 17;
}

int main() {
    int res = func();
    return 0;
}

Before the call: (stack diagram)
After the call: (stack diagram) the return address points back to where it left off in main.

Returning just takes whatever is on the top of the stack and jumps there; equivalently: pop rip

About to return: (stack diagram)
Returned back to main: (stack diagram)
What if we change this??? ?!?!?!?

Without corruption:
At the end of the function, it returns: 0x40051f is popped off the stack and stored in rip, and control goes to that address. We want to change this.
(diagram: foo filled with 0x4141414141414141, money = 0x00, base pointer 0x7fff01020304, RETURN ADDRESS 0x40051f)

Corrupted:
At the end of the function, it returns: 0x4141414141414141 is popped off the stack and stored in rip. Control goes to that address, but it's invalid memory... Segmentation fault.

  Lower memory
  | 0x4141414141414141 |  start of char foo[64]
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |
  | 0x4141414141414141 |  end of foo
  | 0x4141414141414141 |  money = 0
  | 0x4141414141414141 |  base pointer
  | 0x4141414141414141 |  RETURN ADDRESS
  Higher memory
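The overflow walked through on the Stack Smashing 101 and 201 slides above, as an added, runnable example that is not part of the RPISEC/MBE slides or the course material. It models the four regions of the slide diagram (foo[64], money, the saved base pointer, the return address) as a struct laid out in the order the slides draw them, because the real frame layout is up to the compiler: locals may be reordered and, with stack protection on, a canary sits between the buffer and the saved RBP, so a real foo[64] on the stack need not behave exactly like the picture. The struct, the gets_like/fgets_like helpers and the three scenario functions are this example's own names; the constants 0x7fff01020304 and 0x40051f are the values drawn on the slides, and the inputs (runs of 'A', the 0x1337beef payload) are constructed here. The copy itself is genuinely unbounded, so it reproduces the 65-byte case (money becomes 0x41), the 64 A's plus little-endian value case (money becomes 0x1337beef), and the 88-byte case (the return-address slot becomes 0x4141414141414141), with the bounded fgets-style read beside them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slots of the slide diagram, lower addresses first. Field names are ours. */
struct sim_frame {
    char     foo[64];          /* start of char foo[64] ... end of foo        */
    uint64_t money;            /* int money = 0, drawn as one 8-byte slot      */
    uint64_t saved_rbp;        /* base pointer (the caller's RBP)              */
    uint64_t ret;              /* RETURN ADDRESS                               */
    char     caller_frame[64]; /* higher memory: the caller's frame, so the
                                  model has somewhere to spill into            */
};

#define SIM_SAVED_RBP 0x7fff01020304ULL /* values drawn on the slides */
#define SIM_RET       0x40051fULL

static void sim_frame_init(struct sim_frame *f)
{
    memset(f, 0, sizeof *f);   /* money = 0 */
    f->saved_rbp = SIM_SAVED_RBP;
    f->ret       = SIM_RET;
}

/* What gets(foo) does: copy up to newline/end of input with no bound on dst,
 * then write the terminating NUL. This is the deliberately vulnerable half. */
static void gets_like(char *dst, const unsigned char *in, size_t in_len)
{
    size_t i = 0;
    while (i < in_len && in[i] != '\n') {
        dst[i] = (char)in[i];  /* no check against sizeof foo */
        i++;
    }
    dst[i] = '\0';
}

/* The fix: fgets(foo, sizeof foo, stdin) semantics, at most n-1 bytes kept. */
static void fgets_like(char *dst, size_t n, const unsigned char *in, size_t in_len)
{
    size_t i = 0;
    while (i + 1 < n && i < in_len && in[i] != '\n') {
        dst[i] = (char)in[i];
        i++;
    }
    dst[i] = '\0';
}

/* Little-endian encoding, as on the "0x01020304 -> 04 03 02 01" slide. */
static void put_le32(unsigned char *out, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Scenario 1: n bytes of 'A' through gets(). 65 reaches money; 88 (= 64 + three
 * 8-byte slots) reaches the return address. Input is constructed, max 128 bytes. */
static struct sim_frame overflow_with_as(size_t n)
{
    unsigned char in[128];
    struct sim_frame f;
    if (n > sizeof in) n = sizeof in;
    memset(in, 'A', n);
    sim_frame_init(&f);
    gets_like(f.foo, in, n);
    return f;
}

/* Scenario 2: fill foo exactly, then land `value` in the money slot. On a
 * little-endian machine (x86) money reads back as `value`. */
static struct sim_frame overflow_with_money(uint32_t value)
{
    unsigned char in[68];
    struct sim_frame f;
    memset(in, 'A', 64);
    put_le32(in + 64, value);
    sim_frame_init(&f);
    gets_like(f.foo, in, sizeof in);
    return f;
}

/* Scenario 3: the same run of 'A's through the bounded read; nothing past foo moves. */
static struct sim_frame bounded_with_as(size_t n)
{
    unsigned char in[128];
    struct sim_frame f;
    if (n > sizeof in) n = sizeof in;
    memset(in, 'A', n);
    sim_frame_init(&f);
    fgets_like(f.foo, sizeof f.foo, in, n);
    return f;
}

int main(void)
{
    struct sim_frame f;
    f = overflow_with_as(65);
    printf("65 A's      : money=0x%llx\n", (unsigned long long)f.money);
    f = overflow_with_money(0x1337beef);
    printf("64 A's + LE : money=0x%llx\n", (unsigned long long)f.money);
    f = overflow_with_as(88);
    printf("88 A's      : ret=0x%llx (popped into rip on return -> segfault)\n",
           (unsigned long long)f.ret);
    f = bounded_with_as(88);
    printf("fgets, 88   : money=0x%llx ret=0x%llx\n",
           (unsigned long long)f.money, (unsigned long long)f.ret);
    return 0;
}
```

Build with `cc -std=c99 -Wall stack_smash_model.c` and run it; main() prints each scenario. Because money is read back as a native integer, the 0x1337beef result depends on the host being little endian, which is exactly the point the slide makes about x86; the 0x41 and 0x4141414141414141 results do not depend on byte order.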