Programming Languages CSCI 4430 & CSCI 6969
Programming Languages CSCI 4430, A. Milanova
Lecture Outline
Notion of binding time
Object lifetime and storage management
An aside: Stack Smashing 101
Slides courtesy of RPISEC/MBE
Scoping
Static scoping
Dynamic scoping
Stack Frames
In x86-64, RBP is the frame pointer (fp) and RSP is the stack pointer (sp). Together they delimit the stack frame of the currently executing function, which holds:
- local variables
- pointer to the previous frame
- return address
Stack frame of foo() below (lower addresses at the top; one 8-byte slot per row):
  RSP -> 0x1337            <- local var x
         "ABCDEFGH"        <- local var str (16 bytes, two slots)
         "0123456\0"
  RBP -> 0x7fff10203040    <- caller frame RBP
         0x400134          <- return address
#include <string.h>

void foo() {
    long long x = 0x1337;               /* 8-byte local: one stack slot */
    char str[16];                       /* 16-byte local: two stack slots */
    strcpy(str, "ABCDEFGH0123456");     /* 15 chars plus the NUL exactly fill str */
}
note: for 64-bit, each 'slot' is 8 bytes
09/09/2019
RPISEC - 1/23/2019
MBE - Overview
What is corruption?
So what happens if a programmer makes a simple mistake:

char foo[64];
int money = 0;
gets(foo);      /* reads until newline, with no limit on how many bytes land in foo */
RPISEC - 02/6/2019
Memory
09/09/2019
gets()?
DO NOT EVER USE gets(). The same goes for scanf("%s", ...), which reads without a length limit as well.
So what happens if we give this program a bunch of A's? With gets() we can give as many A's as we want!
Stack Smashing 101
main() has a stack frame
- Contains local variables
- Pointer to previous frame
- Return address

Stack of main() before any input (lower memory at the top, higher memory at the bottom; one 8-byte slot per row):
  -                    <- start of char foo[64]
  -
  -
  -
  -
  -
  -
  -                    <- end of foo
  ---- not supposed to touch ----
  0x00                 <- money = 0
  0x7fff01020304       <- base pointer
  0x40051f             <- RETURN ADDRESS
Stack Smashing 101
As gets() continues to read input, we fill up the 64 bytes allocated for buffer foo

Stack after 64 bytes of 'A' (0x41) (lower memory at the top, higher memory at the bottom; one 8-byte slot per row):
  0x4141414141414141   <- start of char foo[64]
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141   <- end of foo
  ---- not supposed to touch ----
  0x00                 <- money = 0
  0x7fff01020304       <- base pointer
  0x40051f             <- RETURN ADDRESS
Stack Smashing 101
As gets() continues to read input, we fill up the 64 bytes allocated for foo
Go far enough, it corrupts important data!

Stack once the input runs one byte past the end of foo (lower memory at the top, higher memory at the bottom; one 8-byte slot per row):
  0x4141414141414141   <- start of char foo[64]
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141   <- end of foo
  ---- not supposed to touch ----
  0x41                 <- money = 0, low byte now overwritten
  0x7fff01020304       <- base pointer
  0x40051f             <- RETURN ADDRESS
Stack Smashing 101
We can give ourselves money
If we want to set money to 0x1337beef we need to know:
- Most x86 machines are little endian (little byte goes first)
- Meaning the byte order for numbers is "backwards" in memory
- 0x01020304 would be 0x04 0x03 0x02 0x01 in memory
Stack Smashing 201
What else can we corrupt?
What happens if you corrupt further? When does it segfault?
What was that about a return address?
Stack Smashing 201
When func() is called, the runtime stores the return address on the stack (i.e., the address of the instruction that immediately follows call func in main)

#include <stdio.h>

int func() {
    puts("Hello World");
    return 17;            /* returning resumes main at the instruction after 'call func' */
}

int main() {
    int res = func();     /* the return address pushed by this call points just past it */
    return 0;
}
Stack Smashing 201
Before the call: [stack diagram]
Stack Smashing 201
Before the call / after the call: [stack diagrams]
After the call, the return address points back to where it left off in main
Stack Smashing 201
Returning just takes whatever is on the top of the stack and jumps there; equivalently: pop rip
About to return: [stack diagram]
Stack Smashing 201
About to return / returned back to main: [stack diagrams]
Stack Smashing 201
About to return / returned back to main: [stack diagrams]
What if we change this (the return address sitting on the stack)???
?!?!?!?
Stack Smashing 201
Without corruption:
- At the end of the function, it returns
- 0x40051f is popped off the stack and stored in rip
- Control goes to that address
We want to change this

Stack at the return (lower memory at the top, higher memory at the bottom; one 8-byte slot per row):
  0x4141414141414141   <- start of char foo[64]
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141   <- end of foo
  0x00                 <- money = 0
  0x7fff01020304       <- base pointer
  0x40051f             <- RETURN ADDRESS
Stack Smashing 201
Corrupted:
- At the end of the function, it returns
- 0x4141414141414141 is popped off the stack and stored in rip
- Control goes to that address, but it's invalid memory...
- Segmentation fault

Stack at the return after the input has run all the way through (lower memory at the top, higher memory at the bottom; one 8-byte slot per row):
  0x4141414141414141   <- start of char foo[64]
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141
  0x4141414141414141   <- end of foo
  0x4141414141414141   <- money = 0
  0x4141414141414141   <- base pointer
  0x4141414141414141   <- RETURN ADDRESS
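The frame drawn on these slides, modelled as an added example (not code from the lecture or from RPISEC/MBE): a gets()-style write with no length limit beside an fgets()-style bounded write, showing which slots past foo (money, saved RBP, return address) each one reaches, and the little-endian byte order from the "we can give ourselves money" slide. The struct frame, gets_style, fgets_style and slot_after_write names and the 'A' input are constructed for this model; the slot values 0x7fff01020304 and 0x40051f are the ones on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame on the slides, lowest address first;
 * each field after foo is one 8-byte slot, as in the diagram. */
struct frame {
    char     foo[64];    /* the buffer gets() writes into             */
    uint64_t money;      /* int money = 0, drawn as one 8-byte slot   */
    uint64_t saved_rbp;  /* caller's RBP, 0x7fff01020304 on the slide */
    uint64_t ret_addr;   /* return address, 0x40051f on the slide     */
};

/* gets()-style write: all n bytes land from foo[0] onward, into whatever
 * slot follows. Clamped at the model's end only so the simulation itself
 * stays well-defined; a real gets() has no limit at all. */
static void gets_style(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* fgets(foo, sizeof foo, stdin)-style write: at most 63 bytes plus a NUL,
 * so nothing past the end of foo is ever touched. */
static void fgets_style(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->foo - 1) n = sizeof f->foo - 1;
    memcpy(f->foo, in, n);
    f->foo[n] = '\0';
}

/* Feed 64 x 'A' followed by tail_len bytes of tail through one writer and
 * return the slot asked for: 0 = money, 1 = saved_rbp, 2 = ret_addr. */
uint64_t slot_after_write(int bounded, const unsigned char *tail,
                          size_t tail_len, int slot) {
    unsigned char in[sizeof(struct frame)];
    struct frame f = { .saved_rbp = 0x7fff01020304ULL, .ret_addr = 0x40051fULL };
    if (tail_len > sizeof in - 64) tail_len = sizeof in - 64;
    memset(in, 'A', 64);
    memcpy(in + 64, tail, tail_len);
    if (bounded) fgets_style(&f, in, 64 + tail_len);
    else         gets_style(&f, in, 64 + tail_len);
    return slot == 0 ? f.money : slot == 1 ? f.saved_rbp : f.ret_addr;
}

int main(void) {
    unsigned char as[24], le[4] = { 0x04, 0x03, 0x02, 0x01 };  /* 0x01020304 */
    memset(as, 'A', sizeof as);
    printf("gets-style,  88 x 'A': ret_addr = 0x%llx\n", (unsigned long long)slot_after_write(0, as, sizeof as, 2));
    printf("fgets-style, 88 x 'A': ret_addr = 0x%llx\n", (unsigned long long)slot_after_write(1, as, sizeof as, 2));
    printf("64 x 'A' then 04 03 02 01: money = 0x%llx\n", (unsigned long long)slot_after_write(0, le, sizeof le, 0));
    return 0;
}
```

Everything here writes into a struct the model owns, so it runs deterministically; the real gets() call on the slides has no clamp and lands on whatever follows foo in the live stack frame.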