Lecture 13 - CIS 450 Computer Architecture and Organization: Buffer Overflow. Mitch Neilsen, [email protected]

CIS 450 Computer Architecture and Organization
Lecture 13: Buffer Overflow
Mitch Neilsen, [email protected], 219D Nichols Hall

– 2 – Topics

Structured Data
- Structs
- Unions
- Alignment

Data/Control
- Buffer overflow
- Exploits

– 3 – Structures

Concept
- Contiguously-allocated region of memory
- Refer to members within structure by names
- Members may be of different types

    struct rec {
        int i;
        int a[3];
        int *p;
    };

Memory layout (figure): i | a | p, with member boundaries at byte offsets 4, 16 and 20.

Accessing Structure Member

    void set_i(struct rec *r, int val) {
        r->i = val;
    }

IA32 Assembly

    # %eax = val
    # %edx = r
    movl %eax,(%edx)        # Mem[r] = val

– 4 – Generating Pointer to Struct. Member / Generating Pointer to Array Element

    int *find_a(struct rec *r, int idx) {
        return &r->a[idx];
    }

    # %ecx = idx
    # %edx = r
    leal 0(,%ecx,4),%eax    # 4*idx
    leal 4(%eax,%edx),%eax  # r+4*idx+4

- Offset of each structure member determined at compile time

Figure: r points at the start of the struct; r + 4 + 4*idx points at a[idx].

– 5 – Structure Referencing (Cont.)

C Code

    void set_p(struct rec *r) {
        r->p = &r->a[r->i];
    }

    # %edx = r
    movl (%edx),%ecx        # r->i
    leal 0(,%ecx,4),%eax    # 4*(r->i)
    leal 4(%edx,%eax),%eax  # r+4+4*(r->i)
    movl %eax,16(%edx)      # Update r->p

Figure: after set_p, p points at element i of a.

– 6 – Alignment

Aligned Data
- Primitive data type requires K bytes
- Address must be multiple of K
- Required on some machines; advised on IA32
  - treated differently by IA32 Linux, x86-64 Linux, and Windows!
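The slides show the compiler turning each member access into a fixed offset from r plus 4 bytes per array index, with nothing in the generated code that looks at the index value. The program below is an added example, not code from the lecture: it compiles the three slide functions, reports the offsets offsetof gives for struct rec, computes the byte offset find_a would use for any idx (so that idx == 3 lands exactly on p), and adds a bounds-checked accessor find_a_checked, set_p_target and checked_rejects, all of which are names chosen here and not part of the slides.

```c
#include <stddef.h>   /* offsetof, size_t, NULL */
#include <stdio.h>

/* The structure from the slides. */
struct rec {
    int i;
    int a[3];
    int *p;
};

/* The three slide functions, in C. */
void set_i(struct rec *r, int val) { r->i = val; }

int *find_a(struct rec *r, int idx) { return &r->a[idx]; }

void set_p(struct rec *r) { r->p = &r->a[r->i]; }

/* Byte offset of the element find_a() returns, computed the way the compiled
 * code does it: offset of a (4) plus 4 bytes per index. Nothing checks idx. */
size_t find_a_offset(int idx) {
    return offsetof(struct rec, a) + sizeof(int) * (size_t)idx;
}

/* Added accessor (not on the slides): the same lookup with a bounds check.
 * The slide's leal sequence forms r+4+4*idx for any idx; with idx == 3 that
 * is the address of p, and larger values leave the struct entirely. */
int *find_a_checked(struct rec *r, int idx) {
    size_t len = sizeof r->a / sizeof r->a[0];   /* 3 */
    if (idx < 0 || (size_t)idx >= len) return NULL;
    return &r->a[idx];
}

/* Store idx with set_i(), run set_p(), and report which element p points at. */
long set_p_target(int idx) {
    struct rec r = {0};
    set_i(&r, idx);
    set_p(&r);
    return (long)(r.p - r.a);
}

/* 1 if the checked accessor rejects idx, 0 if it hands back a pointer. */
int checked_rejects(int idx) {
    struct rec r = {0};
    return find_a_checked(&r, idx) == NULL;
}

int main(void) {
    printf("offsets: i=%zu a=%zu p=%zu, sizeof(struct rec)=%zu\n",
           offsetof(struct rec, i), offsetof(struct rec, a),
           offsetof(struct rec, p), sizeof(struct rec));
    printf("set_p with i=2 points p at a[%ld]\n", set_p_target(2));
    printf("find_a(r, 3) would use byte offset %zu, the offset of p\n",
           find_a_offset(3));
    printf("find_a_checked(r, 3) rejects: %d\n", checked_rejects(3));
    return 0;
}
```

The offsets of i and a are 0 and 4 on both IA32 and x86-64; p sits at 16 on both as well, but sizeof(struct rec) is 20 on IA32 and 24 on x86-64 because the pointer member is 8 bytes there. The point for the buffer-overflow half of the lecture is that the address arithmetic the compiler emits is the same for an in-range and an out-of-range index, so any bounds check has to be written explicitly, as find_a_checked does.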
Motivation for Aligning Data
- Memory accessed by (aligned) chunks of 4 or 8 bytes (system dependent)
  - Inefficient to load or store datum that spans quad word boundaries
  - Virtual memory very tricky when datum spans 2 pages

Compiler
- Inserts gaps in structure to ensure correct alignment of fields

– 7 – Specific Cases of Alignment (IA32)

Size of Primitive Data Type:
- 1 byte (e.g., char)
  - no restrictions on address
- 2 bytes (e.g., short)
  - lowest 1 bit of address must be 0 (binary)
- 4 bytes (e.g., int, float, char *, etc.)
  - lowest 2 bits of address must be 00 (binary)
- 8 bytes (e.g., double)
  - Windows (and most other OS's & instruction sets): lowest 3 bits of address must be 000 (binary)
  - Linux: lowest 2 bits of address must be 00 (binary), i.e., treated the same as a 4-byte primitive data type
- 12 bytes (long double)
  - Windows, Linux: lowest 2 bits of address must be 00 (binary), i.e., treated the same as a 4-byte primitive data type

– 8 – Specific Cases of Alignment (x86-64)

Size of Primitive Data Type:
- 1 byte (e.g., char)
  - no restrictions on address...
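The alignment rule on the slides ("lowest k bits of the address must be zero") and the compiler's gap insertion are easy to observe directly. The program below is an added example, not part of the lecture: is_aligned implements the low-bits test, and the four structs (char_int, char_double, padded, reordered, all names chosen here) show the padding the compiler inserts, that the placement of a double follows the target ABI rather than a fixed rule, and that declaring members in a different order changes how much padding a struct carries.

```c
#include <stddef.h>   /* offsetof */
#include <stdint.h>   /* uintptr_t */
#include <stdio.h>

/* The slide's rule: a K-byte primitive must sit at an address whose lowest
 * log2(K) bits are zero, which is the same test as addr & (K-1) == 0.
 * K must be a power of two (1, 2, 4, 8, ...). */
int is_aligned(uintptr_t addr, size_t k) {
    return (addr & (k - 1)) == 0;
}

/* Compiler-inserted gap: i must start at a multiple of 4, so three padding
 * bytes follow c and the struct is 8 bytes, not 5. */
struct char_int {
    char c;
    int i;
};

/* Where d lands is ABI-dependent, as the slides warn: offset 8 on x86-64
 * Linux and on Windows, offset 4 on IA32 Linux. Either way it equals the
 * alignment the compiler assigns to double on that target. */
struct char_double {
    char c;
    double d;
};

/* Same three members in two orders. The compiler never reorders members,
 * so declaration order decides how much padding the struct carries. */
struct padded {
    char c;   /* offset 0, then 3 gap bytes */
    int i;    /* offset 4 */
    char d;   /* offset 8, then 3 trailing gap bytes so arrays keep i aligned */
};
struct reordered {
    int i;    /* offset 0 */
    char c;   /* offset 4 */
    char d;   /* offset 5, then 2 trailing gap bytes */
};

int main(void) {
    printf("char_int:    i at %zu, sizeof %zu\n",
           offsetof(struct char_int, i), sizeof(struct char_int));
    printf("char_double: d at %zu (alignof double = %zu), sizeof %zu\n",
           offsetof(struct char_double, d), _Alignof(double),
           sizeof(struct char_double));
    printf("padded %zu bytes vs reordered %zu bytes\n",
           sizeof(struct padded), sizeof(struct reordered));
    printf("0x1004 aligned to 4: %d, to 8: %d\n",
           is_aligned(0x1004, 4), is_aligned(0x1004, 8));
    return 0;
}
```

One consequence worth keeping in mind: the gap bytes the compiler inserts are ordinary memory that member-wise assignment never writes, so a struct that is copied to a file, a socket or another process should be cleared with memset before its members are filled in, or the padding carries whatever the stack or heap held before.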
This note was uploaded on 04/09/2008 for the course CIS 450, taught by Professor Mitch Neilsen during the Spring '08 term at Kansas State University.
