Carnegie Mellon
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition (slide 1)
Machine-Level Programming V: Advanced Topics (slide 2)
15-213: Introduction to Computer Systems, 9th Lecture, September 26, 2017
Instructor: Randy Bryant
Today (slide 3)
- Memory Layout
- Buffer Overflow
  - Vulnerability
  - Protection
- Unions
x86-64 Linux Memory Layout (slide 4)
- Stack
  - Runtime stack (8 MB limit)
  - E.g., local variables
- Heap
  - Dynamically allocated as needed
  - When call malloc(), calloc(), new()
- Data
  - Statically allocated data
  - E.g., global vars, static vars, string constants
- Text / Shared Libraries
  - Executable machine instructions
  - Read-only

[Figure, not drawn to scale: address space from high to low hex address: Stack (8 MB) at the top just below 00007FFFFFFF..., Shared Libraries near 00007FFFF0000000, then Heap, Data, and Text, with Text starting at hex address 400000]
Memory Allocation Example (slide 5)

    #include <stdlib.h>

    char big_array[1L<<24];   /*  16 MB */
    char huge_array[1L<<31];  /*   2 GB */

    int global = 0;

    int useless() { return 0; }

    int main()
    {
        void *p1, *p2, *p3, *p4;
        int local = 0;
        p1 = malloc(1L << 28);  /* 256 MB */
        p2 = malloc(1L << 8);   /* 256 B  */
        p3 = malloc(1L << 32);  /*   4 GB */
        p4 = malloc(1L << 8);   /* 256 B  */
        /* Some print statements ... */
    }

Where does everything go?

[Figure, not drawn to scale: Stack, Shared Libraries, Heap, Data, Text; top hex address 00007FFFFFFF...]
x86-64 Example Addresses (slide 6)
(address range ~2^47; figure not drawn to scale)

    local        0x00007ffe4d3be87c   Stack
    p1           0x00007f7262a1e010   Shared Libraries
    p3           0x00007f7162a1d010
    p4           0x00008359d120       Heap
    p2           0x00008359d010
    big_array    0x000080601060       Data
    huge_array   (address not recovered from the slide)
    main()       0x000000000040060c   Text
    useless()    0x00000400590
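The program on slide 5 and the address table above can be reproduced on any Linux x86-64 box. The following is an added example (not from the lecture slides): it records where a stack local, a small and a large malloc() block, a global, a string constant and a function land, and checks the top-to-bottom order the slides describe (stack above heap above data above text). The names probe_layout, layout_is_ordered and large_block_is_above_small are this example's own; it assumes a glibc build, where a request above the default mmap threshold (128 KiB) is served from the shared-library/mmap region rather than the brk heap.

```c
/* Added example, not from the slides: classify addresses by memory region. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int global_counter = 0;                  /* Data (.bss): statically allocated */
static const char *msg = "hello";        /* the string constant lives in read-only data */

int helper(void) { return 42; }          /* Text: machine instructions */

struct layout {
    uintptr_t local, small_heap, large_heap, data, rodata, text;
};

/* Record the address of one object per region; the heap blocks are
 * released before returning. */
struct layout probe_layout(void) {
    struct layout L;
    int local = 0;
    void *small = malloc(1L << 8);       /* 256 B: served from the brk heap */
    void *large = malloc(1L << 20);      /* 1 MB: above glibc's mmap threshold (assumption) */
    L.local      = (uintptr_t)&local;
    L.small_heap = (uintptr_t)small;
    L.large_heap = (uintptr_t)large;
    L.data       = (uintptr_t)&global_counter;
    L.rodata     = (uintptr_t)msg;
    L.text       = (uintptr_t)helper;
    free(small);
    free(large);
    return L;
}

/* 1 if the addresses respect the slide's order:
 * stack > heap blocks > data > read-only data > text. */
int layout_is_ordered(const struct layout *L) {
    return L->local > L->small_heap
        && L->local > L->large_heap
        && L->small_heap > L->data
        && L->large_heap > L->data
        && L->data > L->rodata
        && L->rodata > L->text;
}

/* 1 if the large block landed above the small one, i.e. in the mmap
 * region near the shared libraries, as p1/p3 versus p2/p4 do on slide 6. */
int large_block_is_above_small(const struct layout *L) {
    return L->large_heap > L->small_heap;
}

int main(void) {
    struct layout L = probe_layout();
    printf("local       %p  (stack)\n", (void *)L.local);
    printf("large block %p  (mmap / shared-library region)\n", (void *)L.large_heap);
    printf("small block %p  (brk heap)\n", (void *)L.small_heap);
    printf("global      %p  (data)\n", (void *)L.data);
    printf("string      %p  (read-only data)\n", (void *)L.rodata);
    printf("helper()    %p  (text)\n", (void *)L.text);
    printf("ordered as on the slide: %s\n", layout_is_ordered(&L) ? "yes" : "no");
    return 0;
}
```

Run it twice: with ASLR the absolute values move, but the ordering of the regions does not, which is why the slide can draw one picture for every process.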
Runaway Stack Example (slide 7)

    #include <stdio.h>

    int recurse(int x) {
        int a[2<<15];  /* (2<<15) ints * 4 bytes = 256 KiB per frame */
        printf("x = %d.  a at %p\n", x, a);
        a[0] = (2<<13)-1;
        a[a[0]] = x-1;
        if (a[a[0]] == 0)
            return -1;
        return recurse(a[a[0]]) - 1;
    }

- Functions store local data in stack frame
- Recursive functions cause deep nesting of frames

    ./runaway 48
    x = 48.  a at 0x7fffd43e45d0
    x = 47.  a at 0x7fffd43a45c0
    x = 46.  a at 0x7fffd43645b0
    x = 45.  a at 0x7fffd43245a0
    . . .
    x = 4.  a at 0x7fffd38e4310
    x = 3.  a at 0x7fffd38a4300
    x = 2.  a at 0x7fffd38642f0
    Segmentation fault

[Figure, not drawn to scale: Shared Libraries; Stack (8 MB)]
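The printed addresses above drop by a fixed stride per call, and the fault arrives once the frames exceed the stack limit. The following is an added example (not from the slides): it measures that stride for a small cousin of recurse() with a bounded depth, so it never overflows, and divides the soft stack limit from getrlimit() by the stride to estimate how many frames would fit. The names probe_frames, stride_bytes and frames_that_fit are this example's own; it assumes a Linux build with GCC or Clang (for the noinline attribute) and a downward-growing stack.

```c
/* Added example, not from the slides: frame stride and stack-limit budget. */
#include <stdio.h>
#include <stdint.h>
#include <sys/resource.h>

#define PROBE_INTS (1 << 12)     /* 16 KiB array per frame */
#define MAX_PROBE_DEPTH 8        /* bounded recursion: 8 * 16 KiB is far below any limit */

/* Recurse MAX_PROBE_DEPTH times, recording the address of each frame's array. */
__attribute__((noinline))
static void probe_frames(int depth, uintptr_t *addrs) {
    volatile int a[PROBE_INTS];  /* volatile: keep the array in the frame */
    a[0] = depth;
    addrs[depth] = (uintptr_t)a;
    if (depth + 1 < MAX_PROBE_DEPTH)
        probe_frames(depth + 1, addrs);
    a[1] = a[0];                 /* access after the call: no tail-call reuse of the frame */
}

/* Distance between two consecutive frames, in bytes (stack grows downward,
 * so the outer frame has the higher address). */
uintptr_t stride_bytes(void) {
    uintptr_t addrs[MAX_PROBE_DEPTH];
    probe_frames(0, addrs);
    return addrs[0] - addrs[1];
}

/* Frames of the given stride that fit in the soft stack limit (RLIMIT_STACK);
 * 0 if the limit is unlimited or cannot be read. */
long frames_that_fit(uintptr_t stride) {
    struct rlimit rl;
    if (stride == 0 || getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (long)(rl.rlim_cur / stride);
}

int main(void) {
    uintptr_t s = stride_bytes();
    long n = frames_that_fit(s);
    printf("frame stride: %lu bytes (array alone is %lu bytes)\n",
           (unsigned long)s, (unsigned long)(sizeof(int) * PROBE_INTS));
    if (n)
        printf("about %ld such frames fit under the soft stack limit\n", n);
    else
        printf("stack limit is unlimited or unknown\n");
    return 0;
}
```

The stride is a little larger than the array because the frame also holds the return address, saved registers and alignment padding; that overhead is the 0x10 in the 0x40010-byte steps on the slide.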
Today (slide 8)
- Memory Layout
- Buffer Overflow
  - Vulnerability
  - Protection
- Unions
Recall: Memory Referencing Bug Example (slide 9)

    typedef struct {
        int a[2];
        double d;
    } struct_t;

    double fun(int i) {
        volatile struct_t s;
        s.d = 3.14;
        s.a[i] = 1073741824;  /* Possibly out of bounds */
        return s.d;
    }

    fun(0)  ->  3.1400000000
    fun(1)  ->  3.1400000000
    fun(2)  ->  3.1399998665
    fun(3)  ->  2.0000006104
    fun(4)  ->  3.140000
    fun(8)  ->  Segmentation fault

- Result is system specific
Memory Referencing Bug Example (slide 10)

    typedef struct {
        int a[2];
        double d;
    } struct_t;

Explanation: struct_t laid out in 4-byte words, lowest address at the bottom; fun(i) writes word i.

    word  contents
    8+    ?
    7     Critical State
    6     Critical State
    5     Critical State
    4     Critical State
    3     d7 ... d4
    2     d3 ... d0
    1     a[1]
    0     a[0]

Location accessed by fun(i): word i of this layout (the results are those listed on slide 9).
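The table explains the numbers on slide 9: word 2 is the low half of d and word 3 its high half, so writing 1073741824 (0x40000000) there rewrites part of the double. The following is an added example (not from the slides) that reproduces those results without an out-of-bounds write: it models the struct as a byte buffer, overwrites the 4-byte word at index i, and reads d back with memcpy, which is well defined. The names corrupted_d, approx_equal and is_nan are this example's own; it assumes the layout the table shows (a at bytes 0-7, d at bytes 8-15, checked with offsetof) and little-endian word order as on x86-64. Indices 4 and above fall outside the struct and would clobber other stack state (the table's "critical state"); they are not modelled and the function returns NaN for them.

```c
/* Added example, not from the slides: predict d after s.a[i] = 1073741824. */
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    int a[2];
    double d;
} struct_t;

static const int32_t OVERWRITE = 1073741824;   /* 0x40000000, as on the slide */

/* d after "s.a[i] = 1073741824" for a struct_t whose d was 3.14.
 * Indices outside the 16-byte struct are not modelled: NaN. */
double corrupted_d(int i) {
    unsigned char bytes[sizeof(struct_t)];
    double d = 3.14;
    if (i < 0 || (size_t)(i + 1) * sizeof(int32_t) > sizeof bytes)
        return NAN;                 /* write lands beyond the struct (critical state) */
    memset(bytes, 0, sizeof bytes);
    memcpy(bytes + offsetof(struct_t, d), &d, sizeof d);           /* place d */
    memcpy(bytes + (size_t)i * sizeof(int32_t), &OVERWRITE, 4);    /* the stray store */
    memcpy(&d, bytes + offsetof(struct_t, d), sizeof d);           /* read d back */
    return d;
}

/* Tolerance compare without linking libm. */
int approx_equal(double x, double y, double tol) {
    double diff = x - y;
    if (diff < 0) diff = -diff;
    return diff < tol;
}

int is_nan(double x) { return x != x; }
```

Indices 0 and 1 leave d untouched; index 2 replaces the low mantissa bits of 3.14 (0x40091EB851EB851F becomes 0x40091EB840000000, about 3.1399998665); index 3 replaces the sign, exponent and high mantissa bits (0x4000000051EB851F, about 2.0000006104), which is why the value collapses to roughly 2.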
Such problems are a BIG deal (slide 11)
- Generally called a "buffer overflow"
  - when exceeding the memory size allocated for an array
- Why a big deal?
  - It's the #1 technical cause of security vulnerabilities
    - #1 overall cause is social engineering / user ignorance
- Most common form
  - Unchecked lengths on string inputs
  - Particularly for bounded character arrays on the stack
    - sometimes referred to as stack smashing
String Library Code (slide 12)
- Implementation of Unix function gets()

    #include <stdio.h>

    /* Get string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        while (c != EOF && c != '\n') {
            *p++ = c;
            c = getchar();
        }
        *p = '\0';
        return dest;
    }
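The loop above has no way of knowing how large dest is, which is the unchecked-length problem slide 11 describes. The following is an added example (not from the slides): the same read-until-newline loop with a size argument, so it stops storing once size-1 characters are kept, always NUL-terminates, and drains the rest of the line so the next call starts on a fresh line. Input is taken from a caller-supplied character source so the demonstration runs offline on a constructed string. The names read_line_bounded, mem_src, mem_getc and demo_canary_survives are this example's own.

```c
/* Added example, not from the slides: bounded replacement for the gets() loop. */
#include <stdio.h>
#include <string.h>

typedef int (*getc_fn)(void *ctx);    /* returns next byte or EOF, like getchar() */

/* Read one line into dest[0..size-1]. Returns the number of characters
 * stored (excluding the NUL), or -1 if size is 0 or the input is at EOF.
 * *truncated (optional) is set to 1 if part of the line had to be dropped. */
long read_line_bounded(char *dest, size_t size, getc_fn next, void *ctx, int *truncated) {
    size_t n = 0;
    int c;
    if (truncated) *truncated = 0;
    if (size == 0) return -1;
    c = next(ctx);
    if (c == EOF) { dest[0] = '\0'; return -1; }
    while (c != EOF && c != '\n') {
        if (n + 1 < size)
            dest[n++] = (char)c;         /* bounded: never writes past dest[size-2] */
        else if (truncated)
            *truncated = 1;              /* excess input is discarded, not stored */
        c = next(ctx);
    }
    dest[n] = '\0';                      /* room for the NUL is always reserved */
    return (long)n;
}

/* A character source over an in-memory string (stands in for stdin). */
struct mem_src { const char *data; size_t len, pos; };

static int mem_getc(void *ctx) {
    struct mem_src *m = ctx;
    return m->pos < m->len ? (unsigned char)m->data[m->pos++] : EOF;
}

static int stdin_getc(void *ctx) { (void)ctx; return getchar(); }

/* Demonstration: a 16-byte buffer followed by a canary word, fed a line far
 * longer than the buffer. Returns 1 if the canary survived, the buffer holds
 * exactly the first 15 characters, and the next call reads the next line. */
int demo_canary_survives(void) {
    struct { char buf[16]; char canary[8]; } frame;
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nsecond line\n";  /* constructed */
    struct mem_src src = { input, strlen(input), 0 };
    int truncated = 0;
    char next_line[16];
    long n, m;
    memcpy(frame.canary, "CANARY!", 8);
    n = read_line_bounded(frame.buf, sizeof frame.buf, mem_getc, &src, &truncated);
    m = read_line_bounded(next_line, sizeof next_line, mem_getc, &src, NULL);
    return n == 15 && truncated == 1 && strlen(frame.buf) == 15
        && memcmp(frame.canary, "CANARY!", 8) == 0
        && m == 11 && strcmp(next_line, "second line") == 0;
}

int main(void) {
    char line[64];
    printf("canary survived: %s\n", demo_canary_survives() ? "yes" : "no");
    printf("type a line: ");
    if (read_line_bounded(line, sizeof line, stdin_getc, NULL, NULL) >= 0)
        printf("got \"%s\"\n", line);
    return 0;
}
```

The canary in demo_canary_survives plays the role of whatever sits above the buffer in a real frame; with the unbounded loop the 40 A's would run straight over it. Reporting truncation matters too: silently cutting a line is how a later parser ends up working on data it never validated.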