Sicurezza Informatica - LaSER


Sicurezza Informatica, Lecture 2: Assembler (part II)
A.A. 2013/2014, Sicurezza Informatica, Danilo Bruschi

Figure-only slides (diagrams not transcribed):
- Memory Layout (two slides)
- Stack
- Where is msg stored?
- Why on the stack and not in .data?
- Executable structure

Stack
- Many CPUs have built-in support for a stack.
- A stack is a Last-In First-Out (LIFO) list. The stack is an area of memory that is organized in this fashion. The PUSH instruction adds data to the stack and the POP instruction removes data; the data removed is always the last data added.
- The ESP register contains the address of the data that would be removed from the stack. This data is said to be at the top of the stack.
- The processor references the SS register automatically for all stack operations. The CALL, RET, PUSH, POP, ENTER and LEAVE instructions all perform operations on the current stack.
- Data can only be added in double word units: one cannot push a single byte on the stack.

Stack (figure-only slide; diagram not transcribed)

Runtime Stack
Managed by the CPU, using two registers: SS (stack segment) and ESP (stack pointer; SP in real-address mode).
[Figure: a stack region with offsets 00001000, 00000FFC, 00000FF8, 00000FF4, 00000FF0; ESP points to the entry holding 00000006]

PUSH
The PUSH instruction inserts a double word on the stack by subtracting 4 from ESP and then storing the double word at [ESP]:

    pushl src    ->    subl $4, %esp
                       movl src, (%esp)

The 80x86 also provides a PUSHA instruction that pushes the values of the EAX, EBX, ECX, EDX, ESI, EDI and EBP registers (not in this order).

PUSH Operation (1 of 2)
A 32-bit push operation decrements the stack pointer by 4 and copies a value into the location pointed to by the stack pointer.
[Figure: BEFORE/AFTER views of the stack; after the push, ESP has moved down by 4 and points to the newly stored value]

PUSH Operation (2 of 2)
This is the same stack after pushing two more values.
[Figure: stack entries 00000FF8 = 00000001 and 00000FF4 = 00000002, with 00000FF0 below them and ESP marking the top of the stack]
The stack grows downward. The area below ESP is always available (unless the stack has overflowed).

POP
The POP instruction reads the double word at [ESP] and then adds 4 to ESP:

    popl dest    ->    movl (%esp), dest
                       addl $4, %esp

The POPA instruction recovers the original values of the registers saved by PUSHA.

POP Operation
Copies the value at stack[ESP] into a register or variable, then adds n to ESP, where n is either 2 or 4 depending on the size of the operand receiving the value.
[Figure: ESP pointing at offset 00000FF0]

Exercise
Write an assembler program that reverses the contents of a given string.
Example: given the string "Hello World!", print the string "!dlroW olleH".

Function call
- Calling and returning: how does the caller function jump to the callee function? How does the callee function jump back to the right place in the caller function?
- Passing parameters: how does the caller function pass parameters to the callee function?
- Storing local variables: where does the callee function store its local variables?
- Handling registers: how do caller and callee functions use the same registers without interference?
- Returning a value: how does the callee function send the return value back to the caller function?

Calling and returning
- How does the caller function jump to the callee function? Jump to the address of the callee's first instruction.
- How does the callee function jump back to the right place in the caller function? Jump to the instruction immediately following the most recently executed call instruction.

CALL/RET
The 80x86 provides two instructions that use the stack to make calling subprograms quick and easy. The CALL instruction makes an unconditional jump to a subprogram and pushes the address of the next instruction on the stack. The RET instruction pops off an address and jumps to that address. When using these instructions, it is very important to manage the stack correctly so that the right address is popped off by the RET instruction.

Implementation of call
call subprogram1 becomes (conceptually; EIP cannot be pushed by a software instruction, the CALL instruction does this in hardware):

    pushl %eip
    jmp   subprogram1

[Figure: after the push, ESP -> Saved EIP]

Implementation of ret
ret becomes (conceptually):

    popl %eip

[Figure: the Saved EIP entry is popped; ESP -> the entry above it]

Passing Parameters
How does the caller function pass parameters to the callee function?
- Attempted solution: pass parameters in registers. Problem: this cannot handle nested function calls. Also: how to pass parameters that are longer than 4 bytes?
- The caller pushes the parameters before executing the call instruction. Parameters are pushed in reverse order: push the n-th parameter first and the 1st parameter last.

Parameters
[Figure: stack before the call]

    ESP before call ->  | Parameter 1   |
                        | Parameter ... |
                        | Parameter n   |

[Figure: stack after the call]

    ESP after call  ->  | Saved EIP     |
                        | Parameter 1   |
                        | Parameter ... |
                        | Parameter n   |

The callee addresses the parameters relative to ESP: Param 1 as 4(%esp).

Parameters
After returning to the caller, the caller pops the parameters from the stack:

    # Push parameters
    pushl $5
    pushl $4
    pushl $3
    call  sub
    # Pop parameters
    addl  $12, %esp

    sub:
        movl 4(%esp),  var1    # param 1
        movl 8(%esp),  var2    # param 2
        movl 12(%esp), var3    # param 3
        # (x86 has no memory-to-memory movl: a real assembler needs
        #  a register in between, e.g. movl 4(%esp), %eax ; movl %eax, var1)
        ret

%ebp
As the callee executes, ESP may change (e.g., while preparing to call another function), so it can be very error-prone to use ESP when referencing parameters. To solve this problem, the 80386 supplies another register to use: EBP. This register's only purpose is to reference data on the stack. Use EBP as a fixed reference point to access the parameters.

Using EBP (prolog)
Before overwriting EBP, a subprogram first saves the old value of EBP on the stack and then sets EBP equal to ESP. This allows ESP to change as data is pushed onto or popped off the stack without modifying EBP:

    pushl %ebp
    movl  %esp, %ebp
    (subl $local_bytes, %esp)    # optional: reserve space for local variables

Regardless of ESP, the subprogram can reference param 1 as 8(%ebp), param 2 as 12(%ebp), etc.

Using EBP (epilog)
Before returning, the callee must restore ESP and EBP to their old values by executing the epilog:

    movl %ebp, %esp
    popl %ebp
    ret

Enter/Leave
The ENTER instruction performs the prologue code and LEAVE performs the epilogue. ENTER takes two immediate operands: for the C calling convention, the second operand is always 0, and the first operand is the number of bytes needed by local variables. LEAVE has no operands.

Epilogue, step by step
While the callee is running, the frame looks like this (top of the stack first):

    | ... locals ...  |  <- ESP
    | Old EBP         |  <- EBP
    | Saved EIP       |
    | Parameter 1     |
    | Parameter ...   |
    | Parameter n     |

    movl %ebp, %esp    # step 1: ESP now equals EBP and points to Old EBP; the locals are discarded
    popl %ebp          # step 2: EBP is restored to the caller's frame; ESP now points to Saved EIP
    ret                # step 3: Saved EIP is popped into EIP; ESP now points to Parameter 1

Storing local variables
Where does the callee function store its local variables?
- Local variables are short-lived, so they don't need a permanent location in memory.
- Their size is known in advance, so they don't need to be allocated on the heap.
- The function just uses the top of the stack: the callee's local variables are allocated on the stack by moving the stack pointer:

    subl $8, %esp    # allocate memory for 2 integers

- Local variables are referenced as negative offsets relative to EBP.

Register handling
How do caller and callee functions use the same registers without interference? The callee may use a register that the caller is also using.
Solution: save the registers on the stack.
- Someone must save the old register contents.
- Someone must later restore the register contents.
- Define a convention for who saves and restores which registers.

Register handling
- Caller-save registers: EAX, EBX, ECX (when necessary). The caller saves them on the stack before the call and restores them from the stack after the call.
- Callee-save registers: EAX, EBX, ECX (when necessary). The callee saves them on the stack after the prolog and restores them from the stack before the epilog.

Stack Frame
Any active function has its own stack frame. The stack frame contains:
- Return address (Saved EIP)
- Old EBP
- Saved register values
- Local variables
- Parameters to be passed to the callee function
ESP points to the top (low memory) of the current stack frame; EBP points to the bottom (high memory) of the current stack frame.
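As an added example, not part of the lecture slides: a small C model of the stack operations described in the PUSH/POP, CALL/RET, parameter-passing and prolog/epilog slides above. It replays the slide sequence pushl $5 / pushl $4 / pushl $3 / call sub, with sub running the prolog and epilog, and checks the offsets the slides quote: param 1 at 4(%esp) right after the call, and params 1..3 at 8(%ebp), 12(%ebp), 16(%ebp) after the prolog. The memory size, the addresses 0x100, 0x200 and 0x115, the local value and the function names are all constructed for this example, and it assumes a little-endian host.

```c
/* Added example: a tiny software model of the 32-bit x86 stack as the
 * slides describe it. Not part of the lecture material; the memory size
 * and every address used below are constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x1000                  /* constructed: 4 KiB of "RAM"; the stack starts at its top */
static uint8_t mem[MEM_SIZE];

typedef struct { uint32_t esp, ebp, eip; } cpu_t;

/* 32-bit little-endian load and store (assumes a little-endian host, like x86). */
static uint32_t load32(uint32_t addr) { uint32_t v; memcpy(&v, &mem[addr], 4); return v; }
static void store32(uint32_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }

/* pushl src   ==  subl $4, %esp ; movl src, (%esp) */
static void pushl(cpu_t *c, uint32_t v) { c->esp -= 4; store32(c->esp, v); }

/* popl dest   ==  movl (%esp), dest ; addl $4, %esp */
static uint32_t popl(cpu_t *c) { uint32_t v = load32(c->esp); c->esp += 4; return v; }

/* call target: push the address of the next instruction, then jump */
static void do_call(cpu_t *c, uint32_t target, uint32_t next_eip) { pushl(c, next_eip); c->eip = target; }

/* ret: pop the saved EIP and jump to it */
static void do_ret(cpu_t *c) { c->eip = popl(c); }

/* prolog: pushl %ebp ; movl %esp, %ebp ; subl $local_bytes, %esp */
static void prolog(cpu_t *c, uint32_t local_bytes) { pushl(c, c->ebp); c->ebp = c->esp; c->esp -= local_bytes; }

/* epilog: movl %ebp, %esp ; popl %ebp */
static void epilog(cpu_t *c) { c->esp = c->ebp; c->ebp = popl(c); }

/* n-th parameter (1-based) seen through EBP after the prolog: 8(%ebp), 12(%ebp), ... */
static uint32_t param_ebp(const cpu_t *c, int n) { return load32(c->ebp + 4 + 4 * (uint32_t)n); }

/* n-th parameter seen through ESP right after the call, before the prolog: 4(%esp), 8(%esp), ... */
static uint32_t param_esp(const cpu_t *c, int n) { return load32(c->esp + 4 * (uint32_t)n); }

/* Pushes v, pops it back and returns it (0 if ESP did not return to its start). */
uint32_t push_pop_roundtrip(uint32_t v) {
    cpu_t c = { MEM_SIZE, MEM_SIZE, 0 };
    pushl(&c, v);
    uint32_t back = popl(&c);
    return c.esp == MEM_SIZE ? back : 0;
}

/* Replays  pushl $5; pushl $4; pushl $3; call sub; ... addl $12, %esp
 * with sub running prolog / epilog / ret. Returns 1 if every offset the
 * slides quote holds, 0 otherwise. */
int demo_call_sequence(void) {
    cpu_t c = { MEM_SIZE, MEM_SIZE, 0x100 };     /* constructed initial state */
    uint32_t esp_before = c.esp;

    pushl(&c, 5); pushl(&c, 4); pushl(&c, 3);    /* n-th parameter first, 1st parameter last */
    do_call(&c, 0x200, 0x115);                   /* sub at 0x200; 0x115 = instruction after the call */

    int ok = c.eip == 0x200 && param_esp(&c, 1) == 3;          /* Param 1 as 4(%esp) */

    prolog(&c, 8);                               /* subl $8, %esp: room for 2 local ints */
    ok = ok && param_ebp(&c, 1) == 3 && param_ebp(&c, 2) == 4 && param_ebp(&c, 3) == 5;
    store32(c.ebp - 4, 0x1234);                  /* a local at -4(%ebp); must not disturb the params */
    ok = ok && param_ebp(&c, 1) == 3;

    epilog(&c);
    do_ret(&c);
    ok = ok && c.eip == 0x115 && c.ebp == esp_before && c.esp == esp_before - 12;

    c.esp += 12;                                 /* caller: addl $12, %esp */
    return ok && c.esp == esp_before;
}

int main(void) {
    printf("push/pop round trip: %s\n", push_pop_roundtrip(0xdeadbeefu) == 0xdeadbeefu ? "ok" : "FAIL");
    printf("call sequence offsets: %s\n", demo_call_sequence() ? "ok" : "FAIL");
    return 0;
}
```

The model deliberately keeps each x86 operation as its own two- or three-line function so that the correspondence with the slide pseudo-code (subl/movl for pushl, movl/addl for popl) stays visible; the parameter offsets follow directly from the saved EIP and the old EBP occupying the two double words between ESP/EBP and the first parameter.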

Example: stack.c

    #include <stdio.h>

    int foo(int i);      /* prototypes added so the listing compiles cleanly; */
    int bar(int j);      /* the slide relies on implicit declarations         */

    int main() {
        int x = foo( 10 );
        printf( "the value of x %d\n", x );
        return 0;
    }

    int foo( int i ) {
        int ii = i + i;      /* operator lost in transcription; '+' assumed */
        int iii = bar( ii );
        int iiii = iii;
        return iiii;
    }

    int bar( int j ) {
        int jj = j + j;      /* operator lost in transcription; '+' assumed */
        return jj;
    }

Compile with the command: gcc -S stack.c -o stack.s

The stack we expect

    ESP ->  | jj         |  bar's frame
            | Saved EBP  |
            | Ret. Addr. |  (return into foo)
            | j          |  parameter of bar
            | iiii       |  foo's frame
            | iii        |
            | ii         |
            | Saved EBP  |
            | Ret. Addr. |  (return into main)
            | i          |  parameter of foo
            | x          |  main's frame

Assembler: main

        .file   "stack.c"
        .section        .rodata
    .LC0:
        .string "the value of x %d\n"
        .text
    .globl main
        .type   main, @function
    main:
        leal    4(%esp), %ecx
        andl    $-16, %esp
        pushl   -4(%ecx)
        pushl   %ebp
        movl    %esp, %ebp
        pushl   %ecx
        subl    $36, %esp
        movl    $10, (%esp)
        call    foo
        movl    %eax, -8(%ebp)
        movl    -8(%ebp), %eax
        movl    %eax, 4(%esp)
        movl    $.LC0, (%esp)
        call    printf
        movl    $0, %eax
        addl    $36, %esp
        popl    %ecx
        popl    %ebp
        # (the listing on the slide ends here)

Assembler: foo

    .globl foo
        .type   foo, @function
    foo:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $24, %esp
        movl    8(%ebp), %eax
        addl    %eax, %eax          # mnemonic lost in transcription; addl (ii = i + i) assumed
        movl    %eax, -12(%ebp)
        movl    -12(%ebp), %eax
        movl    %eax, (%esp)
        call    bar
        movl    %eax, -8(%ebp)
        movl    -8(%ebp), %eax
        movl    %eax, -4(%ebp)
        movl    -4(%ebp), %eax
        leave
        ret
        .size   foo, .-foo

Assembler: bar

    .globl bar
        .type   bar, @function
    bar:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $16, %esp
        movl    8(%ebp), %eax
        addl    %eax, %eax          # mnemonic lost in transcription; addl (jj = j + j) assumed
        movl    %eax, -4(%ebp)
        movl    -4(%ebp), %eax
        leave
        ret
        .size   bar, .-bar

Optimized compilation: bar

Non-optimized: the bar listing given above, unchanged.

Optimized:

    .globl bar
        .type   bar, @function
    bar:
        pushl   %ebp
        movl    %esp, %ebp
        movl    8(%ebp), %eax
        addl    %eax, %eax          # mnemonic lost in transcription; addl assumed
        popl    %ebp
        ret

Optimized compilation: foo

Non-optimized: the foo listing given above, unchanged.

Optimized:

    .globl foo
        .type   foo, @function
    foo:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $4, %esp
        movl    8(%ebp), %eax
        addl    %eax, %eax          # mnemonic lost in transcription; addl assumed
        movl    %eax, (%esp)
        call    bar
        # (the listing on the slide ends here)

Exercise
Solve the following exercises and describe the principles on which the adopted solution works.

Exercise 1

    /* stack1-stdin.c                                        *
     * specially crafted to feed your brain by gera          *
     * (InsecureProgramming)                                 */
    #include <stdio.h>

    int main() {
        int cookie;
        char buf[80];

        printf("buf: %08x cookie: %08x\n", &buf, &cookie);
        gets(buf);

        if (cookie == 0x41424344)
            printf("you win!\n");
    }

Exercise 2

    /* stack2-stdin.c                                        *
     * specially crafted to feed your brain by gera          */
    #include <stdio.h>

    int main() {
        int cookie;
        char buf[80];

        printf("buf: %08x cookie: %08x\n", &buf, &cookie);
        gets(buf);

        if (cookie == 0x01020305)
            printf("you win!\n");
    }
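As an added example, not part of gera's exercise code or of the lecture: both exercises read into buf with gets(), which takes no length and therefore stores as many bytes as the input line holds, past the 80-byte array and into whatever the compiler placed next to it (here the cookie); gets() was removed from the C standard in C11. The version below keeps the same shape (a buffer with the cookie beside it) but reads through a bounded routine that stores at most 79 bytes and discards the rest, so the cookie keeps its value even for a 200-byte line. The struct, the sentinel value 0x11111111, the byte-source callback and all helper names are constructed for this example.

```c
/* Added example: the two exercises above, with the unbounded gets() replaced
 * by a bounded line reader. Not part of gera's exercise code or the lecture;
 * the struct layout, the sentinel cookie value, the byte-source callback and
 * all helper names are constructed for this example. */
#include <stdio.h>
#include <string.h>

/* In the exercises, buf and cookie are neighbours in main's stack frame.
 * A struct reproduces that adjacency in a layout the compiler must honour,
 * so the example does not depend on how a particular gcc lays out locals. */
struct frame_like {
    char buf[80];
    int  cookie;
};

/* A byte source: a getc-style callback plus its context, so the same reader
 * can be fed from stdin or from a constructed in-memory line. */
typedef struct {
    int (*next)(void *ctx);     /* returns the next byte, or EOF */
    void *ctx;
} byte_src;

static int stdio_next(void *ctx) { return fgetc((FILE *)ctx); }

typedef struct { const char *data; size_t len, pos; } mem_buf;
static int mem_next(void *ctx) {
    mem_buf *m = ctx;
    return m->pos < m->len ? (unsigned char)m->data[m->pos++] : EOF;
}

typedef struct {
    int status;   /* 1 = whole line stored, 0 = line did not fit (rest discarded), -1 = EOF before any input */
    int len;      /* bytes stored in buf (newline stripped) */
    int cookie;   /* cookie after the read; must still equal the sentinel */
} run_result;

/* Reads one line into buf, storing at most cap-1 bytes plus the NUL.
 * Unlike gets(), it can never write past buf: bytes that do not fit are
 * consumed and dropped, so the next read starts on a fresh line. */
int read_line_bounded(char *buf, size_t cap, byte_src src) {
    if (cap == 0) return -1;
    size_t n = 0;
    int ch, truncated = 0;
    while ((ch = src.next(src.ctx)) != EOF && ch != '\n') {
        if (n < cap - 1) buf[n++] = (char)ch;
        else truncated = 1;
    }
    buf[n] = '\0';
    if (ch == EOF && n == 0 && !truncated) return -1;
    return truncated ? 0 : 1;
}

/* Hardened stack1: same frame shape and same check on the cookie, bounded read. */
run_result hardened_stack1(byte_src src) {
    struct frame_like f;
    run_result r;
    f.cookie = 0x11111111;                       /* constructed sentinel */
    r.status = read_line_bounded(f.buf, sizeof f.buf, src);
    r.len = (int)strlen(f.buf);
    r.cookie = f.cookie;
    if (f.cookie == 0x41424344)
        printf("you win!\n");
    return r;
}

/* Test helper: feeds a constructed line of `count` copies of `ch` (plus a
 * newline) to hardened_stack1 without touching any file. */
run_result run_with_input(char ch, size_t count) {
    static char line[512];
    if (count > sizeof line - 1) count = sizeof line - 1;
    memset(line, ch, count);
    line[count] = '\n';
    mem_buf m = { line, count + 1, 0 };
    byte_src src = { mem_next, &m };
    return hardened_stack1(src);
}

int main(void) {
    byte_src in = { stdio_next, stdin };
    run_result r = hardened_stack1(in);
    printf("status=%d len=%d cookie=%08x\n", r.status, r.len, (unsigned)r.cookie);
    return 0;
}
```

The reader returns a distinct status when the line did not fit, so a caller can reject over-long input instead of silently working on a prefix; draining the rest of the line matters too, otherwise the leftover bytes would be handed to the next read as if they were a new line.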
