
Lecture Outline
• Notion of binding time
• Object lifetime and storage management
• An aside: Stack Smashing 101
  – Slides courtesy of RPISEC/MBE
• Scoping
  – Static scoping
  – Dynamic scoping

Programming Languages CSCI 4430, A. Milanova

Stack Frames
– In x86-64, RBP is the frame pointer (fp) and RSP is the stack pointer (sp). Together they define the stack frame of the currently executing function:
  – local variables
  – pointer to previous frame
  – return address

#include <string.h>

void foo() {
    long long x = 0x1337;
    char str[16];
    /* 15 characters plus the terminating '\0' exactly fill str[16] */
    strcpy(str, "ABCDEFGH0123456");
}

Note: for 64-bit, each 'slot' is 8 bytes.
RSP ->  0x1337              <- local var
        "ABCDEFGH"          <- local var
        "0123456\0"
RBP ->  0x7fff10203040      <- caller frame RBP
        0x400134            <- return address

RPISEC - 1/23/2019 09/09/2019 MBE - Overview

What is corruption?
• So what happens if a programmer makes a simple mistake:

char foo[64];
int money = 0;
gets(foo);

RPISEC - 02/6/2019 09/09/2019 Memory

gets()?
– DO NOT EVER USE
  ∘ scanf("%s", ...) as well
• So what happens if we give this program a bunch of A’s? With gets we can give as many A’s as we want!

Stack Smashing 101
main() has a stack frame
- Contains local variables
- Pointer to previous frame
- Return address

Lower Memory
    -                     <- Start of char foo[64]
    -
    -
    -
    -
    -
    -
    -                     <- End of foo
    0x00                  <- money = 0          \
    0x7fff01020304        <- Base pointer        } Not supposed to touch
    0x40051f              <- RETURN ADDRESS     /
Higher Memory

As gets() continues to read input, we fill up the 64 bytes allocated for buffer foo.

Lower Memory
    0x4141414141414141    <- Start of char foo[64]
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141    <- End of foo
    0x00                  <- money = 0          \
    0x7fff01020304        <- Base pointer        } Not supposed to touch
    0x40051f              <- RETURN ADDRESS     /
Higher Memory

Go far enough, it corrupts important data!

Lower Memory
    0x4141414141414141    <- Start of char foo[64]
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141    <- End of foo
    0x41                  <- money = 0          \
    0x7fff01020304        <- Base pointer        } Not supposed to touch
    0x40051f              <- RETURN ADDRESS     /
Higher Memory

• We can give ourselves money
• If we want to set money to 0x1337beef we need to know:
  – Most x86 machines are little endian (little byte goes first)
  – Meaning the byte order for numbers is "backwards" in memory
  – 0x01020304 would be 0x04 0x03 0x02 0x01

Stack Smashing 201
• What else can we corrupt?
• What happens if you corrupt further? When does it segfault?
  - What was that about a return address?

#include <stdio.h>

int func() {
    puts("Hello World");
    return 17;
}

int main() {
    int res = func();
    return 0;
}

When func() is called, the runtime stores the return address on the stack (i.e., the address of the instruction that immediately follows call func in main).

[Figures: the stack before the call and after the call. After the call, the return address points back to where it left off in main.]

Returning just takes whatever is on the top of the stack and jumps there; equivalently: pop rip

[Figures: the stack when about to return, and after returning back to main.]

What if we change this??? ?!?!?!?

Without corruption:
– At the end of the function, it returns
– 0x40051f is popped off the stack and stored in rip
– Control goes to that address

Lower Memory
    0x4141414141414141    <- Start of char foo[64]
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141    <- End of foo
    0x00                  <- money = 0
    0x7fff01020304        <- Base pointer
    0x40051f              <- RETURN ADDRESS (we want to change this)
Higher Memory

Corrupted:
– At the end of the function, it returns
– 0x4141414141414141 is popped off the stack and stored in rip
– Control goes to that address, but it's invalid memory...

Segmentation fault

Lower Memory
    0x4141414141414141    <- Start of char foo[64]
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141
    0x4141414141414141    <- End of foo
    0x4141414141414141    <- money = 0
    0x4141414141414141    <- Base pointer
    0x4141414141414141    <- RETURN ADDRESS
Higher Memory
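
The foo[64] / money overflow from the Stack Smashing 101 slides, as an added example that is not part of the original slides: a constructed struct stands in for the stack frame, and the same input is fed to a gets()-style unbounded read and to an fgets()-style bounded read. The names struct frame, read_unbounded, read_bounded and money_after are hypothetical, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slides' frame: foo[64] with money right after it. */
struct frame {
    char    foo[64];
    int32_t money;
};

/* gets()-like read: copies every input byte and never consults sizeof(foo).
 * The copy goes through the struct's byte view and is clamped to the model,
 * so the demonstration itself stays well defined. */
static int32_t read_unbounded(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
    return f->money;
}

/* fgets()-like read: at most sizeof(foo) - 1 bytes, then a terminating NUL. */
static int32_t read_bounded(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof f->foo - 1) n = sizeof f->foo - 1;
    memcpy(f->foo, in, n);
    f->foo[n] = '\0';
    return f->money;
}

/* Feed the same constructed input (64 'A's + 0x1337beef, low byte first)
 * to either reader and return the resulting value of money. */
int32_t money_after(int bounded)
{
    struct frame f = { .money = 0 };
    unsigned char in[68];
    const uint32_t v = 0x1337beef;
    memset(in, 'A', 64);
    for (int i = 0; i < 4; i++)
        in[64 + i] = (unsigned char)(v >> (8 * i));   /* ef be 37 13 */
    return bounded ? read_bounded(&f, in, sizeof in)
                   : read_unbounded(&f, in, sizeof in);
}

int main(void)
{
    printf("unbounded: money = 0x%x\n", (unsigned)money_after(0));
    printf("bounded:   money = 0x%x\n", (unsigned)money_after(1));
    return 0;
}
```

The bounded reader truncates the input at 63 bytes, so money keeps its initial value; the unbounded one lets the four trailing bytes land in money in little-endian order.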