Скачать презентацию Alignment Aligned Data n Primitive data type requires Скачать презентацию Alignment Aligned Data n Primitive data type requires

28802c5060336d4fd7e82f6e12267938.ppt

  • Количество слайдов: 38

Alignment Aligned Data n Primitive data type requires K bytes n Address must be Alignment Aligned Data n Primitive data type requires K bytes n Address must be multiple of K Required on some machines; advised on IA 32 n l treated differently by Linux and Windows! Motivation for Aligning Data n Memory accessed by (aligned) double or quad-words l Inefficient to load or store datum that spans quad word boundaries l Virtual memory very tricky when datum spans 2 pages Compiler n – 1 – Inserts gaps in structure to ensure correct alignment of fields EECS 213, S’ 08

Specific Cases of Alignment Size of Primitive Data Type: n 1 byte (e. g. Specific Cases of Alignment Size of Primitive Data Type: n 1 byte (e. g. , char) l no restrictions on address n 2 bytes (e. g. , short) l lowest 1 bit of address must be 02 n 4 bytes (e. g. , int, float, char *, etc. ) l lowest 2 bits of address must be 002 n 8 bytes (e. g. , double) l Windows (and most other OS’s & instruction sets): » lowest 3 bits of address must be 0002 l Linux: » lowest 2 bits of address must be 002 » i. e. , treated the same as a 4 -byte primitive data type n 12 bytes (long double) l Linux: » lowest 2 bits of address must be 002 » i. e. , treated the same as a 4 -byte primitive data type – 2 – EECS 213, S’ 08

Satisfying Alignment with Structures Offsets Within Structure n Must satisfy element’s alignment requirement Overall Satisfying Alignment with Structures Offsets Within Structure n Must satisfy element’s alignment requirement Overall Structure Placement n Each structure has alignment requirement K l Largest alignment of any element n struct S 1 { char c; int i[2]; double v; } *p; Initial address & structure length must be multiples of K Example (under Windows): n K = 8, due to double element c p+0 i[0] p+4 Multiple of 8 – 3 – i[1] p+8 v p+16 p+24 Multiple of 8 EECS 213, S’ 08

Linux vs. Windows struct S 1 { char c; int i[2]; double v; } Linux vs. Windows struct S 1 { char c; int i[2]; double v; } *p; Windows: n K = 8, due to double element c p+0 i[0] p+4 i[1] v p+8 p+16 Multiple of 4 Multiple of 8 p+24 Multiple of 8 Linux: n K = 4; double treated like a 4 -byte data type c p+0 – 4 – i[0] p+4 Multiple of 4 i[1] p+8 v p+12 Multiple of 4 p+20 Multiple of 4 EECS 213, S’ 08

Overall Alignment Requirement struct S 2 { double x; int i[2]; char c; } Overall Alignment Requirement struct S 2 { double x; int i[2]; char c; } *p; p must be multiple of: 8 for Windows 4 for Linux x i[0] p+0 p+8 struct S 3 { float x[2]; int i[2]; char c; } *p; x[0] p+0 – 5 – p+12 c p+16 Windows: p+24 Linux: p+20 p must be multiple of 4 (in either OS) x[1] p+4 i[1] i[0] p+8 i[1] p+12 c p+16 p+20 EECS 213, S’ 08

Ordering Elements Within Structure struct S 4 { char c 1; double v; char Ordering Elements Within Structure struct S 4 { char c 1; double v; char c 2; int i; } *p; 10 bytes wasted space in Windows c 1 v p+0 p+8 struct S 5 { double v; char c 1; char c 2; int i; } *p; v p+0 – 6 – c 2 p+16 i p+20 p+24 2 bytes wasted space c 1 c 2 p+8 i p+12 p+16 EECS 213, S’ 08

Arrays of Structures Principle n n Allocated by repeating allocation for array type In Arrays of Structures Principle n n Allocated by repeating allocation for array type In general, may nest arrays & structures to arbitrary depth a[1]. i a[1]. v a+12 a+16 a[0] a+0 – 7 – a[1]. j a+20 a[1] a+12 struct S 6 { short i; float v; short j; } a[10]; a+24 • • • a[2] a+24 a+36 EECS 213, S’ 08

Accessing Element within Array n Compute offset to start of structure l Compute 12*i Accessing Element within Array n Compute offset to start of structure l Compute 12*i as 4*(i+2 i) n struct S 6 { short i; float v; short j; } a[10]; Access element according to its offset within structure l Offset by 8 l Assembler gives displacement as a + 8 » Linker must set actual value short get_j(int idx) { return a[idx]. j; } a[0] a+0 a[i]. i a+12 i – 8 – # %eax = idx leal (%eax, 2), %eax # 3*idx movswl a+8(, %eax, 4), %eax • • • a[i] • • • a+12 i a[i]. v a[i]. j a+12 i+8 EECS 213, S’ 08

Satisfying Alignment within Structure Achieving Alignment n Starting address of structure array must be Satisfying Alignment within Structure Achieving Alignment n Starting address of structure array must be multiple of worst-case alignment for any element l a must be multiple of 4 n Offset of element within structure must be multiple of element’s alignment requirement l v’s offset of 4 is a multiple of 4 n Overall size of structure must be multiple of worst-case alignment for any element struct S 6 { short i; float v; short j; } a[10]; l Structure padded with unused space to be 12 bytes a[0] • • • a[i] a+12 i a+0 Multiple of 4 – 9 – a[1]. i a+12 i • • • a[1]. v a[1]. j a+12 i+4 Multiple of 4 EECS 213, S’ 08

Alignment Quiz For each struct, give the offset of each field, total size, and Alignment Quiz For each struct, give the offset of each field, total size, and struct alignment (1, 2 or 4 byte) required in Linux. struct P 1 {int i; char c; int j; char d; }; i: _1_ c: _2_ j: _3_ d: _4_ total: _5_ alignment: _6_ struct P 2 {int i; char c; char d; int j; }; i: _7_ c: _8_ d: _9_ j: _10_ total: _11_ alignment: _12_ struct P 3 {struct P 1 a[2]; struct P 2 *p; }; a: _13_ p: _14_ total: _15_ alignment: _16_ – 10 – EECS 213, S’ 08

Union Allocation Principles n Overlay union elements n Allocate according to largest element Can Union Allocation Principles n Overlay union elements n Allocate according to largest element Can only use one field at a time n struct S 1 { char c; int i[2]; double v; } *sp; c sp+0 – 11 – sp+4 union U 1 { char c; int i[2]; double v; } *up; c i[0] up+0 i[1] v up+4 up+8 (Windows alignment) i[0] sp+8 i[1] v sp+16 sp+24 EECS 213, S’ 08

Using Union to Access Bit Patterns typedef union { float f; unsigned u; } Using Union to Access Bit Patterns typedef union { float f; unsigned u; } bit_float_t; u f 0 n n 4 Get direct access to bit representation of float bit 2 float generates float with given bit pattern float bit 2 float(unsigned u) { bit_float_t arg; arg. u = u; return arg. f; } unsigned float 2 bit(float f) { bit_float_t arg; arg. f = f; return arg. u; } l NOT the same as (float) u n float 2 bit generates bit pattern from float l NOT the same as (unsigned) f – 12 – EECS 213, S’ 08

Byte Ordering Revisited Idea n n n Short/long/quad words stored in memory as 2/4/8 Byte Ordering Revisited Idea n n n Short/long/quad words stored in memory as 2/4/8 consecutive bytes Which is most (least) significant? Can cause problems when exchanging binary data between machines Big Endian n n Most significant byte has lowest address Power. PC, Sparc Little Endian n n – 13 – Least significant byte has lowest address Intel x 86, Alpha EECS 213, S’ 08

Byte Ordering Example union { unsigned char c[8]; unsigned short s[4]; unsigned int i[2]; Byte Ordering Example union { unsigned char c[8]; unsigned short s[4]; unsigned int i[2]; unsigned long l[1]; } dw; c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] s[0] s[1] s[2] s[3] i[0] i[1] l[0] – 14 – EECS 213, S’ 08

Byte Ordering Example (Cont). int j; for (j = 0; j < 8; j++) Byte Ordering Example (Cont). int j; for (j = 0; j < 8; j++) dw. c[j] = 0 xf 0 + j; printf("Characters 0 -7 == [0 x%x, 0 x%x, 0 x%x]n", dw. c[0], dw. c[1], dw. c[2], dw. c[3], dw. c[4], dw. c[5], dw. c[6], dw. c[7]); printf("Shorts 0 -3 == [0 x%x, 0 x%x]n", dw. s[0], dw. s[1], dw. s[2], dw. s[3]); printf("Ints 0 -1 == [0 x%x, 0 x%x]n", dw. i[0], dw. i[1]); printf("Long 0 == [0 x%lx]n", dw. l[0]); – 15 – EECS 213, S’ 08

Byte Ordering on x 86 Little Endian (least significant byte has lowest address) f Byte Ordering on x 86 Little Endian (least significant byte has lowest address) f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] LSB MSB LSB s[0] MSB LSB s[1] LSB s[2] MSB s[3] LSB i[0] LSB MSB i[1] MSB l[0] Print Output on Pentium: Characters 0 -7 == [0 xf 0, 0 xf 1, 0 xf 2, 0 xf 3, 0 xf 4, 0 xf 5, 0 xf 6, 0 xf 7] Shorts 0 -3 == [0 xf 1 f 0, 0 xf 3 f 2, 0 xf 5 f 4, 0 xf 7 f 6] Ints 0 -1 == [0 xf 3 f 2 f 1 f 0, 0 xf 7 f 6 f 5 f 4] Long 0 == [f 3 f 2 f 1 f 0] – 16 – EECS 213, S’ 08

Byte Ordering on Sun Big Endian (most significant byte has lowest address) f 0 Byte Ordering on Sun Big Endian (most significant byte has lowest address) f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] MSB LSB MSB s[0] LSB MSB s[1] MSB s[2] LSB s[3] MSB i[0] MSB LSB i[1] LSB l[0] Print Output on Sun: Characters 0 -7 == [0 xf 0, 0 xf 1, 0 xf 2, 0 xf 3, 0 xf 4, 0 xf 5, 0 xf 6, 0 xf 7] Shorts 0 -3 == [0 xf 0 f 1, 0 xf 2 f 3, 0 xf 4 f 5, 0 xf 6 f 7] Ints 0 -1 == [0 xf 0 f 1 f 2 f 3, 0 xf 4 f 5 f 6 f 7] Long 0 == [0 xf 0 f 1 f 2 f 3] – 17 – EECS 213, S’ 08

Byte Ordering on Alpha Little Endian f 0 f 1 f 2 f 3 Byte Ordering on Alpha Little Endian f 0 f 1 f 2 f 3 f 4 f 5 f 6 f 7 c[0] c[1] c[2] c[3] c[4] c[5] c[6] c[7] LSB MSB LSB s[0] MSB LSB s[1] LSB MSB LSB s[2] MSB s[3] LSB i[0] MSB i[1] LSB MSB l[0] Print Output on Alpha: Characters 0 -7 == [0 xf 0, 0 xf 1, 0 xf 2, 0 xf 3, 0 xf 4, 0 xf 5, 0 xf 6, 0 xf 7] Shorts 0 -3 == [0 xf 1 f 0, 0 xf 3 f 2, 0 xf 5 f 4, 0 xf 7 f 6] Ints 0 -1 == [0 xf 3 f 2 f 1 f 0, 0 xf 7 f 6 f 5 f 4] Long 0 == [0 xf 7 f 6 f 5 f 4 f 3 f 2 f 1 f 0] – 18 – EECS 213, S’ 08

Summary Arrays in C n Contiguous allocation of memory n Pointer to first element Summary Arrays in C n Contiguous allocation of memory n Pointer to first element No bounds checking n Compiler Optimizations n Compiler often turns array code into pointer code (zd 2 int) n Uses addressing modes to scale array indices Lots of tricks to improve array indexing in loops n Structures n n Allocate bytes in order declared Pad in middle and at end to satisfy alignment Unions n – 19 – Overlay declarations EECS 213, S’ 08

EECS 213 Machine-Level Programming V: Miscellaneous Topics Apr 28, 2008 Topics n Buffer Overflow EECS 213 Machine-Level Programming V: Miscellaneous Topics Apr 28, 2008 Topics n Buffer Overflow n Floating Point Code

Internet Worm and IM War November, 1998 n Internet Worm attacks thousands of Internet Internet Worm and IM War November, 1998 n Internet Worm attacks thousands of Internet hosts. n How did it happen? July, 1999 n n Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers AIM client MSN server – 21 – MSN client AIM server AIM client EECS 213, S’ 08

Internet Worm and IM War (cont. ) August 1999 n n Mysteriously, Messenger clients Internet Worm and IM War (cont. ) August 1999 n n Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: l AOL changes server to disallow Messenger clients l Microsoft makes changes to clients to defeat AOL changes. l At least 13 such skirmishes. n How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! l many Unix functions do not check argument sizes. l allows target buffers to overflow. – 22 – EECS 213, S’ 08

String Library Code n Implementation of Unix function gets l No way to specify String Library Code n Implementation of Unix function gets l No way to specify limit on number of characters to read /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != 'n') { *p++ = c; c = getc(); } *p = ''; return dest; } n Similar problems with other Unix functions l strcpy: Copies string of arbitrary length l scanf, fscanf, sscanf, when given %s conversion specification – 23 – EECS 213, S’ 08

Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } int main() { printf("Type a string: "); echo(); return 0; } – 24 – EECS 213, S’ 08

Buffer Overflow Executions unix>. /bufdemo Type a string: 12345 Segmentation Fault unix>. /bufdemo Type Buffer Overflow Executions unix>. /bufdemo Type a string: 12345 Segmentation Fault unix>. /bufdemo Type a string: 12345678 Segmentation Fault – 25 – EECS 213, S’ 08

Buffer Overflow Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame Buffer Overflow Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame for echo – 26 – /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } echo: pushl %ebp movl %esp, %ebp subl $20, %esp pushl %ebx addl $-12, %esp leal -4(%ebp), %ebx pushl %ebx call gets. . . # Save %ebp on stack # Allocate space on stack # Save %ebx # Allocate space on stack # Compute buf as %ebp-4 # Push buf on stack # Call gets EECS 213, S’ 08

Buffer Overflow Stack Example Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Buffer Overflow Stack Example Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame for echo unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0 x 8048583 (gdb) run Breakpoint 1, 0 x 8048583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0 xbffff 8 f 8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0 x 804864 d Stack Frame for main Before call to gets 08 04 86 4 d Return Address bf ff f 8 0 xbffff 8 d 8 Saved %ebp xx xx [3][2][1][0] buf Stack Frame for echo 8048648: call 804857 c 804864 d: mov 0 xffffffe 8(%ebp), %ebx # Return Point – 27 – EECS 213, S’ 08

Buffer Overflow Example #1 Before Call to gets Stack Frame for main Return Address Buffer Overflow Example #1 Before Call to gets Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame for echo Input = “ 123” Stack Frame for main 08 04 86 4 d Return Address bf ff f 8 0 xbffff 8 d 8 Saved %ebp 00 33 32 31 [3][2][1][0] buf Stack Frame for echo No Problem – 28 – EECS 213, S’ 08

Buffer Overflow Stack Example #2 Stack Frame for main Return Address Saved %ebp [3][2][1][0] Buffer Overflow Stack Example #2 Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame for echo 8048592: 8048593: 8048598: 804859 b: 804859 d: 804859 e: – 29 – 08 04 86 4 d Return Address bf ff 00 35 0 xbffff 8 d 8 Saved %ebp [3][2][1][0] buf 34 33 32 31 Stack Frame for echo code: Input = “ 12345” Saved value of %ebp set to 0 xbfff 0035 Bad news when later attempt to restore %ebp push %ebx call 80483 e 4 <_init+0 x 50> # gets mov 0 xffffffe 8(%ebp), %ebx mov %ebp, %esp pop %ebp # %ebp gets set to invalid value ret EECS 213, S’ 08

Buffer Overflow Stack Example #3 Stack Frame for main Return Address Saved %ebp [3][2][1][0] Buffer Overflow Stack Example #3 Stack Frame for main Return Address Saved %ebp [3][2][1][0] buf Stack Frame for echo Stack Frame for main Input = “ 12345678” 08 04 86 00 Return Address 38 37 36 35 0 xbffff 8 d 8 Saved %ebp 34 33 32 31 [3][2][1][0] buf Stack Frame for echo %ebp and return address corrupted Invalid address No longer pointing to desired return point 8048648: call 804857 c 804864 d: mov 0 xffffffe 8(%ebp), %ebx # Return Point – 30 – EECS 213, S’ 08

Malicious Use of Buffer Overflow Stack after call to gets() return address A void Malicious Use of Buffer Overflow Stack after call to gets() return address A void foo(){ bar(); . . . } void bar() { char buf[64]; gets(buf); . . . } n n n – 31 – foo stack frame data written by gets() B B pad exploit code bar stack frame Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit code EECS 213, S’ 08

Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. Internet worm n Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: l finger [email protected] cmu. edu n Worm attacked fingerd server by sending phony argument: l finger “exploit-code padding new-return-address” l exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker. – 32 – EECS 213, S’ 08

Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. IM War n n n – 33 – AOL exploited existing buffer overflow bug in AIM clients exploit code: returned 4 -byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location. EECS 213, S’ 08

Date: Wed, 11 Aug 1999 11: 30: 57 -0700 (PDT) From: Phil Bucking <philbucking@yahoo. Date: Wed, 11 Aug 1999 11: 30: 57 -0700 (PDT) From: Phil Bucking Subject: AOL exploiting buffer overrun bug in their own software! To: [email protected] com Mr. Smith, I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response. I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year. . It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now *exploiting their own buffer overrun bug* to help in its efforts to block MS Instant Messenger. . . Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security. Sincerely, Phil Bucking Founder, Bucking Consulting [email protected] com – 34 – It was later determined that this email originated from within Microsoft! EECS 213, S’ 08

Code Red Worm History n n n June 18, 2001. Microsoft announces buffer overflow Code Red Worm History n n n June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS Internet server July 19, 2001. over 250, 000 machines infected by new virus in 9 hours White house must change its IP address. Pentagon shut down public WWW servers for day When We Set Up CS: APP Web Site n Received strings of form GET /default. ida? NNNNNNNNNNNNNNNNNNNN. . NNNNNNNNNNNNNNNNNNN%u 9090%u 6858%ucbd 3%u 780 1%u 9090%u 6858%ucbd 3%u 7801%u 9090%u 909 0%u 8190%u 00 c 3%u 0003%u 8 b 00%u 531 b%u 53 ff%u 0078%u 0000%u 00=a HTTP/1. 0" 400 325 "-" – 35 – EECS 213, S’ 08

Code Red Exploit Code n n Starts 100 threads running Spread self l Generate Code Red Exploit Code n n Starts 100 threads running Spread self l Generate random IP addresses & send attack string l Between 1 st & 19 th of month n Attack www. whitehouse. gov l Send 98, 304 packets; sleep for 4 -1/2 hours; repeat » Denial of service attack l Between 21 st & 27 th of month n Deface server’s home page l After waiting 2 hours – 36 – EECS 213, S’ 08

Code Red Effects Later Version Even More Malicious n Code Red II n As Code Red Effects Later Version Even More Malicious n Code Red II n As of April, 2002, over 18, 000 machines infected Still spreading n Paved Way for NIMDA n n – 37 – Variety of propagation methods One was to exploit vulnerabilities left behind by Code Red II EECS 213, S’ 08

Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } Use Library Routines that Limit String Lengths n n n – 38 – fgets instead of gets strncpy instead of strcpy Don’t use scanf with %s conversion specification l Use fgets to read the string EECS 213, S’ 08