Docstoc

Introduction to Computer Systems

Document Sample
Introduction to Computer Systems Powered By Docstoc
					    Out-of-Bounds Memory
References and Buffer Overflow




                                 1
Out-of-Bounds Memory References

1 /* Implementation of library function gets() */
2 char *gets(char *s)
3 {
4     int c;
5     char *dest = s;
6     while ((c = getchar()) != ’\n’ && c != EOF)
7              *dest++ = c;
8     *dest++ = ’\0’;         /* Terminate String */
                                                    2
Out-of-Bounds Memory References

9      if (c == EOF)
10           return NULL;
11     return s;
12 }
13




                                  3
Out-of-Bounds Memory References

14 /* Read input line and write it back */
15 void echo()
16 {
17     char buf[4];     /* Way too small ! */
18     gets(buf);
19     puts(buf);
20 }

                                                4
Out-of-Bounds Memory References


           Stack frame
             for caller

          Return address
           Saved %ebp        %ebp
          [3] [2] [1] [0]    buf
           Stack frame
             for echo

                                    5
Out-of-Bounds Memory References


           Stack frame
             for caller

          Return address
          [7] [6] [5] [4]    %ebp
          [3] [2] [1] [0]    buf
           Stack frame
             for echo

                                    6
Out-of-Bounds Memory References


            Stack frame
              for caller

          [11] [10]   [9] [8]
          [7] [6] [5] [4]       %ebp
          [3] [2] [1] [0]       buf
            Stack frame
              for echo

                                       7
 Malicious Use of Buffer Overflow

                                                  Stack
            void foo(){                    after call to gets()
 return       bar();
address       ...
   A        }
                                                              foo stack frame
           void bar() {
             char buf[64];                       B
                                  data
             gets(buf);          written
             ...                   by          pad
  Robert Tappan Morris, (born November 8, 1965), is an professor at MIT.
           }                     gets()
                                                  in 1988.
  He is best known for creating the Morris Wormexploit         bar stack frame
  He is the son of Robert Morris,                  code
                                            B
  the former chief scientist at the National Computer Security Center,
  a division of the National Security Agency (NSA).
                                                                      8
Malicious Use of Buffer Overflow


• Input string contains byte representation of
  executable code
• Overwrite return address with address of
  buffer
• When bar() executes ret, will jump to exploit
  code


                                             9
Putting it Together




                      10
Outline

• Pointer
  – Declaration
  – referencing, deferencing
  – memory allocation, memory free
• Suggested reading
  – Chap 3.11




                                     11
Example

1 struct str { /* Example Structure */
2 int t;
3 char v;
4 };
5
6 union uni { /* Example Union */
7 int t;
8 char v;
9 } u;
10
11 int g = 15;
12
                                         12
   Example

13 void fun(int* xp)
14 {
15      void (*f)(int*) = fun; /* f is a function pointer */
16
17      /* Allocate structure on stack */
18      struct str s = {1,’a’}; /* Initialize structure */
19
20      /* Allocate union from heap */
21      union uni *up = (union uni *) malloc(sizeof(union uni));
22
23      /* Locally declared array */
24      int *ip[2] = {xp, &g};


                                                                   13
Example

26     up->v = s.v+1;
27
28     printf("ip = %p, *ip = %p, **ip = %d\n",
29            ip,     *ip,    **ip);
30     printf("ip+1 = %p, ip[1] = %p, *ip[1] = %d\n",
31                  ip+1,    ip[1],  *ip[1]);
32     printf ("&s.v = %p, s.v = ’%c’\n", &s.v, s.v);
33     printf ("&up->v = %p, up->v = ’%c’\n",
         &up->v,        up->v);
34     printf ("f = %p\n", f);
35     if (--(*xp) > 0)
36                f(xp); /* Recursive call of fun */
37 }
                                                        14
Example

38
39 int test()
40 {
41       int x = 2;
42       fun(&x);
43       return x;
44 }




                      15
Every pointer has a type

• If the object has type T
   – A pointer to this object has type T *
• Special void * type
   – Represents a generic pointer
• malloc returns a generic pointer

 Pointer Type       Object Type        Pointers
 int *              int                xp, ip[0], ip[1]
 union uni *        union uni          up



                                                          16
Every pointer has a value


 xp   ip[0]   ip[1]   up
 &x   &x      &g      Address in heap




                                        17
Pointers are created with the & operator

• Applied to lvalue expression
  – Lvalue expression can appear on the left side of
    assignment
  – &g, &s.v, &u->v, &x




                                                   18
Pointers are dereferenced with the operator *

• The result is a value having the type
  associated with the pointer
• *ip, **ip, *ip[1], *xp
• up->v




                                          19
Arrays and pointers are closed related

• The name of array can be viewed as a pointer
  constant
• ip[0] is equivalent to *ip




                                           20
Pointers can point to functions

•   void (*f)(int *)
•   f is a pointer to function
•   The function taken int * as argument
•   The return type of the function is void
•   Assignment makes f point to func
    – f = func




                                              21
The precedence of the operators

• void *f(int *) declares f is a function
  – (void *)   f(int *)




                                            22
   Example

1 ip = 0xbfffefa8, *ip = 0xbfffefe4, **ip = 2 ip[0] = xp. *xp = x = 2
2 ip+1 = 0xbfffefac, ip[1] = 0x804965c, *ip[1] = 15 ip[1] = &g. g = 15
3 &s.v = 0xbfffefb4, s.v = ’a’          s in stack frame
4 &up->v = 0x8049760, up->v = ’b’       up points to area in heap
5 f = 0x8048414                         f points to code for fun
6 ip = 0xbfffef68, *ip = 0xbfffefe4, **ip = 1 ip in new frame, x = 1
7 ip+1 = 0xbfffef6c, ip[1] = 0x804965c, *ip[1] = 15 ip[1] same as before
8 &s.v = 0xbfffef74, s.v = ’a’          s in new frame
9 &up->v = 0x8049770, up->v = ’b’       up points to new area in heap
10 f = 0x8048414                        f points to code for fun
                                                                    23
Pointer Declaration

•   char     **argv ;
•   int      (*daytab)[13]
•   int      (*comp)()
•   char     (*(*x())[])()
    – Function returning pointer to array[ ] of pointer
      to function returning char
• char       (*(*x[3])())[5]
    – Array[3] of pointer to function returning pointer
      to array[5] of char

                                                     24
Pointer Arithmetic

• Addition and subtraction
  – p+i , p-i (result is a pointer)
  – p-q (result is a int)
• Referencing & dereferencing
  – *p, &E
• Subscription
  – A[i], *(A+i)


                                      25
C operators

Operators                                                  Associativity
()   [] ->     . ++ --                                     left to right
!    ~ ++      -- + - *        &   (type)   sizeof         right to left
*    / %                                                   left to right
+    -                                                     left to right
<<     >>                                                  left to right
<    <= >      >=                                          left to right
==     !=                                                  left to right
&                                                          left to right
^                                                          left to right
|                                                          left to right
&&                                                         left to right
||                                                         left to right
?:                                                         right to left
=    +=   -=    *=   /=   %=    &=   ^=   !=   <<=   >>=   right to left
,                                                          left to right

Note: Unary +, -, and * have higher precedence than binary forms

                                                                           26
Parameter Passing


• Call by value
  – f(xp)

• Call by reference
  – f(&xp)




                      27

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:1
posted:7/25/2013
language:English
pages:27