CS 15-213 / ECE 18-243, Spring 2010 Exam 1

Andrew login ID:
Full Name:
Recitation Section:

Version 1100101 Tuesday, March 2nd, 2010

Instructions:
• Make sure that your exam is not missing any sheets, then write your full name, Andrew login ID, and recitation section (A–J) on the front. Read all instructions and sign the statement below.
• Write your answers in the space provided for the problem. If you make a mess, clearly indicate your final answer.
• The exam has a maximum score of 100 points.
• The problems are of varying difficulty. The point value of each problem is indicated (instructors reserve the right to change these values). Pile up the easy points quickly and then come back to the harder problems.
• You may not use any books or notes on this exam. Reference material is located at the end of this exam. No calculators or other electronic devices are allowed.
• Good luck!
I understand the CMU policy on cheating applies in full to this exam.
Page 1 of 14

1- Multiple Choice (14):
2- Peephole (16):
3- Floating Point (14):
4- Structs (14):
5- Stacks (15):
6- Buffer Overflow (17):
7- Assembly (10):
TOTAL (100):

Problem 1. (14 points):
1. Which of the following lines of C code performs the same operation as the assembly statement lea 0xffffffff(%esi),%eax?
(a) *(esi-1) = eax
(b) esi = eax + 0xffffffff
(c) eax = esi - 1
(d) eax = *(esi-1)
2. test %eax, %eax
   jne 3d
Which of the following values of %eax would cause the jump to be taken?
(c) Any value of %eax
(d) No value of %eax would cause the jump to be taken.
3. Which of the following are legitimate advantages of x86-64 over IA32? (Circle 0-3)
(a) x86-64 is able to make use of a larger address space than IA32
(b) x86-64 is able to make use of more registers than IA32
(c) x86-64 is able to make use of larger registers than IA32
4. T/F: Any sequence of IA32 instructions can be executed on an x86-64 processor?
(a) True (b) False
5. What sequence of operations does the leave instruction execute?
(a) mov %ebp,%esp
(b) pop %ebp
mov %ebp,%esp
(c) pop %esp
mov %ebp,%esp
(d) push %ebp
mov %esp,%ebp

6. What is the difference between the %rbx and the %ebx register on an x86-64 machine?
(a) nothing, they are the same register
(b) %ebx refers to only the low order 32 bits of the %rbx register
(c) they are totally different registers
(d) %ebx refers to only the high order 32 bits of the %rbx register
7. On IA32 systems, where is the value of old %ebp saved in relation to the current value of %ebp?
(a) there is no relation between where the current base pointer and old base pointer are saved.
(b) old %ebp is stored at (%ebp - 4)
(c) old %ebp is stored at (%ebp + 4)
(d) old %ebp is stored at (%ebp)

Problem 2. (16 points):
Consider the following assembly code:
08048334 <mystery>:
 8048334:  55                      push   %ebp
 8048335:  89 e5                   mov    %esp,%ebp
 8048337:  83 ec 0c                sub    $0xc,%esp
 804833a:  8b 45 08                mov    0x8(%ebp),%eax
 804833d:  c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
 8048344:  3b 45 fc                cmp    0xfffffffc(%ebp),%eax
 8048347:  75 09                   jne    8048352
 8048349:  c7 45 f8 00 00 00 00    movl   $0x0,0xfffffff8(%ebp)
 8048350:  eb 12                   jmp    8048364
 8048352:  8b 45 08                mov    0x8(%ebp),%eax
 8048355:  48                      dec    %eax
 8048356:  89 04 24                mov    %eax,(%esp)
 8048359:  e8 d6 ff ff ff          call   8048334 <mystery>
 804835e:  03 45 08                add    0x8(%ebp),%eax
 8048361:  89 45 f8                mov    %eax,0xfffffff8(%ebp)
 8048364:  8b 45 f8                mov    0xfffffff8(%ebp),%eax
 8048367:  c9                      leave
 8048368:  c3                      ret
1. Fill in the blanks of the corresponding C function:
int mystery(int i)
{
    if (______________) return ______________________;
    return _____________________;
}

2. Peephole optimizations are a kind of optimization which looks at a small number of assembly instructions and tries to optimize those instructions. Care must be taken to not affect the behavior of the rest of the program. Write an optimized version of the assembly instructions at addresses 0x804833d and 0x8048344.
3. If we look at the addresses 0x8048361 and 0x8048364 it seems like we can eliminate both instructions or replace the instructions with nops. Explain why we can't implement this peephole optimization without affecting the behavior of the rest of the function.

Problem 3. (14 points):
Your friend, . Bovik, encounters a function named mystery when running gdb on a 32-bit binary that was compiled on the fish machines. Use the gdb output below and the function prototype for mystery to complete this question.
int mystery(float arg1, float arg2, float arg3, float arg4);
Breakpoint 1, 0x08048366 in mystery ()
(gdb) x/20 $esp
0xffd3d1e0:     0xf7f3e204      0xf7f3fff4      0xffd3d208      0x080483cd
0xffd3d1f0:     0x3de00000      0x41700000      0x7f800010      0x00000001
0xffd3d200:     0xffd3d220      0x7f7fffff      0xffd3d278      0xf7e13e9c
0xffd3d210:     0x080483f0      0xf7f5fca0      0xffd3d278      0xf7e13e9c
0xffd3d220:     0xffd3d2a4      0x00000001      0xffd3d2ac      0xf7f60810
(gdb) print $ebp
$1 = (void *) 0xffd3d1e8
1. What is on the stack where %ebp is pointing (in hex)?
2. What is the return address of the function mystery?
Fill in the table below. Hexadecimal may be used in the address column. The value column may not contain any binary. Instead of calculating large powers of two you may use exponentials in the value column, but your answer must fit within the table boundaries.

        Address             Value
arg1
arg2
arg3
arg4
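Problem 3 turns on two things: how an IA32 caller leaves float arguments on the stack, and how a raw 32-bit word decodes under IEEE-754 single precision (including the denormalized and NaN cases the exam hints at by allowing exponentials). The following C is an added example (my code, not the exam's or any course-provided code): decode_f32 splits a word into sign, biased exponent and fraction and classifies it, f32_from_bits cross-checks the hand decoding by type-punning through memcpy, and stack_arg fetches argument k from a word dump using the cdecl rule that argument k sits at %ebp + 8 + 4(k-1). The frame words, esp and ebp below are constructed sample values, not the dump from the exam.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <math.h>

/* Classification of a 32-bit IEEE-754 word. */
enum f32_class { F32_ZERO, F32_DENORMAL, F32_NORMAL, F32_INF, F32_NAN };

struct f32_parts {
    int sign;            /* bit 31 */
    int exp_field;       /* bits 30..23, biased by 127 */
    uint32_t frac;       /* bits 22..0 */
    int exponent;        /* unbiased E: value = (-1)^s * M * 2^E */
    double value;        /* exact value (every float fits in a double) */
    enum f32_class cls;
};

/* 2^e by repeated scaling: exact in double for the range used here, and
   avoids needing libm's ldexp(). */
static double pow2(int e) {
    double r = 1.0;
    while (e > 0) { r *= 2.0; e--; }
    while (e < 0) { r *= 0.5; e++; }
    return r;
}

/* Split a raw word into its fields and classify it as IEEE-754 does. */
struct f32_parts decode_f32(uint32_t bits) {
    struct f32_parts p;
    p.sign = (int)(bits >> 31);
    p.exp_field = (int)((bits >> 23) & 0xff);
    p.frac = bits & 0x7fffffu;
    if (p.exp_field == 0xff) {                    /* special: inf or NaN */
        p.cls = p.frac ? F32_NAN : F32_INF;
        p.exponent = 0;
        p.value = p.frac ? NAN : (p.sign ? -INFINITY : INFINITY);
    } else if (p.exp_field == 0) {                /* denormalized: E = 1 - 127 */
        p.cls = p.frac ? F32_DENORMAL : F32_ZERO;
        p.exponent = -126;
        p.value = (double)p.frac * pow2(-149);    /* frac * 2^-23 * 2^-126 */
        if (p.sign) p.value = -p.value;
    } else {                                      /* normalized: implied leading 1 */
        p.cls = F32_NORMAL;
        p.exponent = p.exp_field - 127;
        p.value = (double)(p.frac | 0x800000u) * pow2(p.exponent - 23);
        if (p.sign) p.value = -p.value;
    }
    return p;
}

/* Cross-check: reinterpret the same bits as a float via memcpy, the
   portable way to type-pun, so the hand decoder can be verified. */
double f32_from_bits(uint32_t bits) {
    float f;
    memcpy(&f, &bits, sizeof f);
    return (double)f;
}

/* IA32 cdecl: after the prologue, argument k (1-based) of the current
   function lives at %ebp + 8 + 4*(k-1). Given the words gdb printed
   starting at %esp, return that argument's raw word (0 if out of range). */
uint32_t stack_arg(const uint32_t *words, size_t nwords,
                   uint32_t esp, uint32_t ebp, int k) {
    uint32_t addr = ebp + 8 + 4u * (uint32_t)(k - 1);
    size_t idx = (size_t)(addr - esp) / 4;
    return idx < nwords ? words[idx] : 0;
}

/* Constructed sample frame (not the exam's dump): esp = 0x1000, ebp = 0x1008,
   so the saved %ebp is words[2], the return address words[3], args from words[4]. */
static const uint32_t SAMPLE_ESP = 0x1000, SAMPLE_EBP = 0x1008;
static const uint32_t SAMPLE_WORDS[12] = {
    0x00000000, 0x00000000, 0x00001020, 0x08048400,  /* locals, saved ebp, ret */
    0x3fc00000,   /* 1.5 */
    0x00000001,   /* smallest denormal, 2^-149 */
    0x7fc00000,   /* quiet NaN */
    0xff800000,   /* -inf */
    0xc2280000, 0x3f800000, 0x00000000, 0x7f7fffff };

int main(void) {
    for (int k = 1; k <= 4; k++) {
        uint32_t w = stack_arg(SAMPLE_WORDS, 12, SAMPLE_ESP, SAMPLE_EBP, k);
        struct f32_parts p = decode_f32(w);
        printf("arg%d @0x%08x = 0x%08x  s=%d e=%3d frac=0x%06x cls=%d value=%g\n",
               k, (unsigned)(SAMPLE_EBP + 8 + 4 * (k - 1)), (unsigned)w,
               p.sign, p.exp_field, (unsigned)p.frac, (int)p.cls, p.value);
    }
    return 0;
}
```

The value column of the exam's table is exactly what decode_f32 computes: for a normalized word it is M * 2^E with M = 1 + frac/2^23, for a denormalized word it is frac * 2^-149, which is why the exam permits writing an exponential instead of expanding it.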

Problem 4. (14 points):
Take the struct below compiled on Linux 32-bit:
struct my_struct {
char c[5];
long long a;
1. Please lay out the struct in memory below (each cell is 1 byte). Please shade in boxes used for padding.
+----+----+----+----+----+----+----+----+
|    |    |    |    |    |    |    |    |
+----+----+----+----+----+----+----+----+
+----+----+----+----+----+----+----+----+
|    |    |    |    |    |    |    |    |
+----+----+----+----+----+----+----+----+
+----+----+----+----+----+----+----+----+
|    |    |    |    |    |    |    |    |
+----+----+----+----+----+----+----+----+
+----+----+----+----+----+----+----+----+
|    |    |    |    |    |    |    |    |
+----+----+----+----+----+----+----+----+
+----+----+----+----+----+----+----+----+
|    |    |    |    |    |    |    |    |
+----+----+----+----+----+----+----+----+

Given the following gdb interaction (where ms is a struct my_struct):
(gdb) x/40b &ms
0xffffcde0: 0xbb 0x00 0x86 0x47 0xf9 0xd9 0x01 0x00
0xffffcde8: 0x6d 0x3b 0xff 0xff 0xbe 0xba 0xef 0xbe
0xffffcdf0: 0x68 0x6c 0x70 0x6d 0x65 0x00 0x00 0x00
0xffffcdf8: 0x1e 0xab 0xdf 0x1e 0xff 0xe1 0xaf 0xde
0xffffce00: 0x21 0x00 0x00 0x00 0xf4 0x7f 0x86 0x47
2. Label the fields above and fill in the values below.
• ms.b = 0x
• ms.c = , , , ,
• ms.a = 0x
3. Define a struct with the same elements that has a total size of less than 30 bytes.
struct my_compressed_struct {
4. What is the size of my_compressed_struct that you wrote above?
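Problem 4 is an exercise in the compiler's alignment rule: each field starts at the next multiple of its own alignment, and the struct's size is rounded up to a multiple of its largest alignment so that array elements stay aligned. The C below is an added example (mine, not the exam's) that implements that rule generally, reports the padding it introduces, and shows the usual way to shrink a struct: reorder fields by decreasing alignment. The struct it uses, struct s { char c[5]; long long a; char b; }, is hypothetical: the exam's struct does have fields c, a and b, but the type of b is not shown, so char is assumed here. On IA32 Linux a long long is 4-byte aligned inside a struct, while on x86-64 it is 8-byte aligned, so the same declaration is laid out under both rule sets.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_FIELDS 8

struct field  { const char *name; size_t size; size_t align; };
struct layout { size_t offset[MAX_FIELDS]; size_t padding; size_t size; };

static size_t round_up(size_t x, size_t a) { return (x + a - 1) / a * a; }

/* Standard C layout rule: a field starts at the next multiple of its
   alignment; the whole struct is padded to a multiple of the largest
   alignment seen. Returns every offset plus total padding and size. */
struct layout lay_out(const struct field *f, size_t n) {
    struct layout L = { {0}, 0, 0 };
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n && i < MAX_FIELDS; i++) {
        size_t start = round_up(off, f[i].align);
        L.padding += start - off;        /* internal padding before field i */
        L.offset[i] = start;
        off = start + f[i].size;
        if (f[i].align > max_align) max_align = f[i].align;
    }
    L.size = round_up(off, max_align);
    L.padding += L.size - off;           /* trailing padding */
    return L;
}

/* Reorder fields by decreasing alignment (stable insertion sort). Widest
   fields first means no field ever needs internal padding before it. */
void sort_by_align(struct field *f, size_t n) {
    for (size_t i = 1; i < n; i++) {
        struct field key = f[i];
        size_t j = i;
        while (j > 0 && f[j - 1].align < key.align) { f[j] = f[j - 1]; j--; }
        f[j] = key;
    }
}

/* Alignment of long long inside a struct on the two ABIs discussed. */
#define LL_ALIGN_IA32   4
#define LL_ALIGN_X86_64 8

/* Hypothetical struct s { char c[5]; long long a; char b; } as declared. */
struct layout declared_layout(size_t ll_align) {
    struct field f[3] = { {"c", 5, 1}, {"a", 8, ll_align}, {"b", 1, 1} };
    return lay_out(f, 3);
}

size_t size_as_declared(size_t ll_align) { return declared_layout(ll_align).size; }

/* Same members after reordering by alignment: a, then c, then b. */
size_t size_after_reorder(size_t ll_align) {
    struct field f[3] = { {"c", 5, 1}, {"a", 8, ll_align}, {"b", 1, 1} };
    sort_by_align(f, 3);
    return lay_out(f, 3).size;
}

/* The same two declarations, so the host compiler can be compared against
   the calculator (which rule set applies depends on how this is compiled). */
struct s_decl  { char c[5]; long long a; char b; };
struct s_reord { long long a; char c[5]; char b; };

int main(void) {
    printf("IA32 rules:   declared %zu bytes (%zu padding), reordered %zu bytes\n",
           size_as_declared(LL_ALIGN_IA32), declared_layout(LL_ALIGN_IA32).padding,
           size_after_reorder(LL_ALIGN_IA32));
    printf("x86-64 rules: declared %zu bytes (%zu padding), reordered %zu bytes\n",
           size_as_declared(LL_ALIGN_X86_64), declared_layout(LL_ALIGN_X86_64).padding,
           size_after_reorder(LL_ALIGN_X86_64));
    printf("this compiler: sizeof(s_decl)=%zu offsetof(a)=%zu sizeof(s_reord)=%zu\n",
           sizeof(struct s_decl), offsetof(struct s_decl, a), sizeof(struct s_reord));
    return 0;
}
```

Compile it with -m32 and without to see the host numbers move between the IA32 and x86-64 rule sets while the calculator's answers for each rule set stay fixed.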

Problem 5. (15 points):
Below is the C code and assembly code for a simple function.
000000af <doSomething>:
int doSomething(int a, int b, int c){
    if (a == 0){ return 1;}
    d=a/2;
    c = doSomething(d,a,c);
    return c;
}
af: push
bd: test
d9: call
0x8(%ebp),%ecx
de
$0x1f,%edx
(%ecx,%edx,1),%edx
0x10(%ebp),%eax
%eax,0x8(%esp)
%ecx,0x4(%esp)
%edx,(%esp)
da
Please draw a detailed stack diagram for this function in Figure 1 on the next page, starting with a function that calls this function and continuing for 2 recursive calls of this function. (That is, at least two stack frames that belong to this function). Please label everything you can.
[Figure 1: page left blank for the stack diagram]

Problem 6. (17 points):
As a security engineer for a software company it is your job to perform attacks against your company’s software and try to break it. One of your developers, . Bovik, has written a password validator that he thinks is unbreakable! Below is the front-end to his system:
#include <stdio.h>
#include <stdlib.h>

int main(){
    char buffer[20];
    printf("Enter your password >");
    scanf("%s",buffer);
    if(validate(buffer)){
        getOnTheBoat();
        exit(0);
    }
    printf("Sorry, you do not have access :(\n");
    return 0;
}
Step 0: Briefly explain how you could attack this program with a buffer overflow. (25 words or less).
Harry then mentions that you actually cannot perform that attack because he runs this on a special system where the stack is non-executable. This means that it is impossible to execute any code on the stack, making the typical attack you performed in buffer-lab impossible.
You can still do this though! You are going to perform a RETURN TO LIBC attack! This attack relies on pre-existing code in the program that will allow you to execute arbitrary instructions. There are a few important things you need to know about first:
The C function system(char * command) will execute the string command as if you had typed it into a shell prompt.
Using GDB you discover:
(gdb) print system
$1 = {<text variable, no debug info>} 0xf7e263a0 <system>
In every program executable, your environment variables are loaded at runtime. And part of your environment variables is your current SHELL:
(gdb) print (char *) 0xff89d957
$2 = 0xff89d957 "SHELL=/bin/bash"

Using this information, you can successfully launch a shell from Harry's program, proving that you can execute arbitrary code with his program's privilege level!
• What is the address of the system() function?
• What is the address of the string "/bin/bash"?
Step 2: Design your exploit string (keep in mind where arguments go for IA32). We're looking for a drawing of what you can pass as input to this program causing it to launch a shell. Don't worry about exact sizes/lengths.
Step 3: Explain how your exploit string will allow you to execute a shell on Harry's program. This combined with your answer to Step 2 should be enough to prove Harry wrong. (This will be graded independently of your Step 2).
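The defect the whole problem builds on is a single call: scanf("%s", buffer) copies an input token of any length into a 20-byte array, so a non-executable stack only changes which attack works, not whether the overflow exists. The C below is an added example (my code, not the exam's and not Bovik's) of the fix a reviewer would ask for: read_token_bounded copies the first whitespace-delimited token into a caller-sized buffer and refuses anything that does not fit, and read_password feeds it from a line read with fgets, rejecting a line longer than the staging buffer rather than letting the remainder be consumed as a second attempt. The 20-byte buffer is kept from the exam; the 256-byte staging line is an assumption. The equivalent one-line change in the original would be scanf("%19s", buffer), which bounds the write but silently truncates instead of rejecting.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_CAP 20   /* same 20-byte buffer as the exam's main() */

/* Copy the first whitespace-delimited token of `line` into buf, which holds
   cap bytes including the terminating NUL. Returns the token length, or -1
   (with buf left empty) when there is no token or it would not fit. Unlike
   scanf("%s", buf) this can never write past buf[cap-1]. */
int read_token_bounded(const char *line, char *buf, size_t cap) {
    size_t i = 0;
    if (cap == 0) return -1;
    while (line[i] && isspace((unsigned char)line[i])) i++;   /* skip leading ws */
    size_t start = i;
    while (line[i] && !isspace((unsigned char)line[i])) i++;  /* scan the token */
    size_t len = i - start;
    if (len == 0 || len >= cap) { buf[0] = '\0'; return -1; }
    memcpy(buf, line + start, len);
    buf[len] = '\0';
    return (int)len;
}

/* Read one line from `in` into a fixed staging buffer and extract the token.
   A line longer than the staging buffer is discarded and rejected rather than
   split across two reads, so over-long input cannot pose as two attempts. */
int read_password(FILE *in, char *buf, size_t cap) {
    char line[256];                       /* assumed staging size */
    if (!fgets(line, sizeof line, in)) return -1;
    if (!strchr(line, '\n') && !feof(in)) {
        int ch;
        while ((ch = getc(in)) != EOF && ch != '\n') { }   /* drain the rest */
        buf[0] = '\0';
        return -1;
    }
    return read_token_bounded(line, buf, cap);
}

int main(void) {
    char buffer[PASSWORD_CAP];
    printf("Enter your password >");
    if (read_password(stdin, buffer, sizeof buffer) < 0) {
        printf("Sorry, input was empty or too long.\n");
        return 1;
    }
    /* validate(buffer) would be called here, exactly as in the exam's main() */
    printf("Read %zu characters.\n", strlen(buffer));
    return 0;
}
```

Stack protectors, NX and ASLR raise the cost of exploiting this front end, but none of them removes the bug; the bound on the copy does.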

Problem 7. (10 points):
Use the x86-64 assembly to fill in the C function below.
0x0000000000400498:  push   %r13
0x000000000040049a:  push   %r12
0x000000000040049c:  push   %rbp
0x000000000040049d:  push   %rbx
0x000000000040049e:  sub    $0x8,%rsp
0x00000000004004a2:  mov    %rdi,%r13
0x00000000004004a5:  mov    %edx,%r12d
0x00000000004004a8:  test   %edx,%edx
0x00000000004004aa:  jle    0x4004c7
0x00000000004004ac:  mov    %rsi,%rbx
0x00000000004004af:  mov    $0x0,%ebp
0x00000000004004b4:  mov    (%rbx),%edi
0x00000000004004b6:  callq  *%r13
0x00000000004004b9:  mov    %eax,(%rbx)
0x00000000004004bb:  add    $0x1,%ebp
0x00000000004004be:  add    $0x4,%rbx
0x00000000004004c2:  cmp    %r12d,%ebp
0x00000000004004c5:  jne    0x4004b4
0x00000000004004c7:  add    $0x8,%rsp
0x00000000004004cb:  pop    %rbx
0x00000000004004cc:  pop    %rbp
0x00000000004004cd:  pop    %r12
0x00000000004004cf:  pop    %r13
0x00000000004004d1:  retq
void mystery(int (*funcP)(int), int a[], int n) {

}
