Machine-Level Programming: Advanced Topics
- Linux Memory Layout
- Buffer Overflow
Memory Allocation Example

    #include <stdlib.h>

    char big_array[1 << 24];   /* 16 MB */
    char huge_array[1 << 28];  /* 256 MB */
    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28);  /* 256 MB */
        p2 = malloc(1 << 8);   /* 256 B */
        p3 = malloc(1 << 28);  /* 256 MB */
        p4 = malloc(1 << 8);   /* 256 B */
        /* Some print statements. . . */
        return 0;
    }

– 2 – CMSC 313, F'09
IA32 Example Addresses

(Figure: address range ~2^32, drawn from FF at the top down to 00; stack around 0xC0..., heap around 0x80..., data around 0x08..., text around 0x00...)

    $esp         0xffffbcd0
    p3           0x65586008
    p1           0x55585008
    p4           0x1904a110
    p2           0x1904a008
    &p2          0x18049760
    beyond       0x08049744
    big_array    0x18049780
    huge_array   0x08049760
    main()       0x080483c6
    useless()    0x08049744
    malloc()     dynamically linked
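The table above was produced by printing addresses from one run of the Memory Allocation Example. The program below is an added example (not code from the CMSC 313 slides) that does the reverse: given an address, it names the region of the Linux memory model it falls in, using the linker-provided symbols `etext`, `edata` and `end` (documented in end(3)) and the current program break from `sbrk(0)`. It assumes Linux with glibc (small `malloc()` blocks come from the brk heap just above .bss, large blocks and shared libraries such as `malloc()` itself are mmap'd, the stack sits near the top of the address space) and treats anything within the default 8 MB `ulimit -s` of a caller's local as stack; `region_of`, `layout_self_check`, `initialized_global` and `zero_global` are names chosen here.

```c
/* Added example, not code from the CMSC 313 slides: classify an address into
 * the regions of the Linux memory model (text, data, bss, heap, stack, mmap).
 * Assumes Linux/glibc: the linker provides etext/edata/end (see end(3)),
 * small malloc() blocks come from the brk heap just above .bss (sbrk(0) is its
 * current top), large blocks and shared libraries are mmap'd, and the stack is
 * near the top of the address space. The 8 MB stack window is the default
 * ulimit -s: an assumption, not a guarantee. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void *sbrk(intptr_t increment);  /* unistd.h's prototype, repeated in case a strict -std= hides it */

extern char etext, edata, end;   /* first byte past .text, past .data, past .bss */

int initialized_global = 313;    /* lands in .data (nonzero initializer)    */
int zero_global;                 /* lands in .bss  (zero-filled at load time) */

/* stack_mark is the address of a local in the caller's frame (or NULL);
 * anything within 8 MB of it is reported as stack. */
const char *region_of(const void *p, const void *stack_mark)
{
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)&etext)   return "text";
    if (a < (uintptr_t)&edata)   return "data";   /* .rodata and .data */
    if (a < (uintptr_t)&end)     return "bss";
    if (a < (uintptr_t)sbrk(0))  return "heap";   /* brk heap: [end, program break) */
    if (stack_mark) {
        uintptr_t s = (uintptr_t)stack_mark;
        uintptr_t d = a > s ? a - s : s - a;
        if (d < ((uintptr_t)8 << 20)) return "stack";
    }
    return "mmap";   /* large malloc() blocks, shared libraries */
}

/* Prints a table like the slide's for this process and returns the number of
 * addresses that did NOT land where the memory model predicts (0 = all good). */
int layout_self_check(void)
{
    int local = 0;                         /* stack */
    char *small = malloc(1 << 8);          /* 256 B: brk heap, like p2/p4 */
    char *big   = malloc(1 << 24);         /* 16 MB: mmap'd, as a 256 MB p1/p3 request would be */
    struct { const char *name; const void *addr; const char *want; } rows[] = {
        { "region_of()",        (const void *)region_of, "text"  },
        { "initialized_global", &initialized_global,     "data"  },
        { "zero_global",        &zero_global,            "bss"   },
        { "small malloc",       small,                   "heap"  },
        { "big malloc",         big,                     "mmap"  },
        { "local",              &local,                  "stack" },
    };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        if (!rows[i].addr) continue;       /* allocation failed: skip rather than crash */
        const char *got = region_of(rows[i].addr, &local);
        printf("%-18s %p  %s\n", rows[i].name, rows[i].addr, got);
        if (strcmp(got, rows[i].want) != 0) mismatches++;
    }
    free(small);
    free(big);
    return mismatches;
}

int main(void)
{
    return layout_self_check() == 0 ? 0 : 1;
}
```

Run it a few times: with ASLR on, the stack, mmap and heap addresses move between runs while the classification stays the same, which is the point of the table on the slide. A shared-library address such as `malloc` itself comes out as "mmap", matching the "dynamically linked" note above.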
Linux IA32 Memory Model

(Figure only; no text on this slide.)
Internet Worm and IM War

November, 1988
- Internet Worm attacks thousands of Internet hosts.
- How did it happen?

July, 1999
- Microsoft launches MSN Messenger (instant messaging system).
- Messenger clients can access popular AOL Instant Messaging Service (AIM) servers.

(Diagram: an AIM client and an MSN client, each connected to the AIM server and the MSN server.)
Internet Worm and IM War (cont.)

August 1999
- Mysteriously, Messenger clients can no longer access AIM servers.
- Microsoft and AOL begin the IM war:
  - AOL changes server to disallow Messenger clients.
  - Microsoft makes changes to clients to defeat AOL changes.
  - At least 13 such skirmishes.
- How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits!
  - Many Unix functions do not check argument sizes.
  - This allows target buffers to overflow.
String Library Code
- Implementation of Unix function gets()
  - No way to specify limit on number of characters to read

    #include <stdio.h>

    /* gets() - Get a string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        while (c != EOF && c != '\n') {
            *p++ = c;          /* nothing stops p from running past the end of dest */
            c = getchar();
        }
        *p = '\0';
        return dest;
    }
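The fix for the defect above is a reader that knows the size of `dest`. Below is an added example (not code from the slides) of such a bounded replacement. Instead of `getchar()` it pulls characters from a small replayable source, a constructed stand-in so the behaviour can be checked offline; in a real program `next_char` would simply wrap `fgetc(stdin)`. The names `Source`, `gets_bounded`, `first_line`, `next_line`, `last_line_truncated` and `guard_intact` are chosen here, and the guard byte after the buffer stands in for whatever sits past the end of a real stack buffer.

```c
/* Added example, not code from the slides: a bounded replacement for gets().
 * Characters come from a constructed replayable source instead of stdin so
 * the reader can be exercised offline; a real program would wrap fgetc(stdin). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed character source: replays a fixed string, then reports EOF. */
typedef struct { const char *data; size_t pos; } Source;

static int next_char(Source *src)
{
    unsigned char c = (unsigned char)src->data[src->pos];
    if (c == '\0') return EOF;
    src->pos++;
    return c;
}

/* Like gets(), but never writes more than size bytes (NUL included) into dest.
 * Returns dest, or NULL if EOF was hit before any character was read.
 * Extra characters on an over-long line are consumed and dropped, so the next
 * call starts on the next line; *truncated tells the caller that this happened. */
char *gets_bounded(char *dest, size_t size, Source *src, int *truncated)
{
    size_t n = 0;
    int c;
    if (truncated) *truncated = 0;
    if (size == 0) return NULL;
    c = next_char(src);
    if (c == EOF) { dest[0] = '\0'; return NULL; }
    while (c != EOF && c != '\n') {
        if (n + 1 < size) dest[n++] = (char)c;   /* room for this byte and the NUL */
        else if (truncated) *truncated = 1;      /* no room: discard instead of overflowing */
        c = next_char(src);
    }
    dest[n] = '\0';
    return dest;
}

/* An 8-byte buffer with a guard byte right after it. The unbounded gets()
 * above would overwrite the guard on a long line; gets_bounded() leaves it. */
static struct { char buf[8]; unsigned char guard; } g_frame = { "", 0xA5 };
static Source g_src;
static int g_truncated;

/* Start reading lines from input into the 8-byte buffer; returns the first line. */
const char *first_line(const char *input)
{
    g_src.data = input;
    g_src.pos = 0;
    return gets_bounded(g_frame.buf, sizeof g_frame.buf, &g_src, &g_truncated);
}

/* Next line from the same input, or NULL at EOF. */
const char *next_line(void)
{
    return gets_bounded(g_frame.buf, sizeof g_frame.buf, &g_src, &g_truncated);
}

int last_line_truncated(void) { return g_truncated; }
int guard_intact(void)        { return g_frame.guard == 0xA5; }

int main(void)
{
    const char *line = first_line("hello world\nsecond\n");   /* constructed input */
    while (line) {
        printf("\"%s\"%s\n", line, last_line_truncated() ? " (truncated)" : "");
        line = next_line();
    }
    return guard_intact() ? 0 : 1;
}
```

Reporting truncation matters as much as preventing the overflow: a caller that silently keeps "hello w" for "hello world" has a correctness bug, and the discard-to-end-of-line rule keeps the leftover "orld" from being parsed as the next line's input. `fgets()` from the standard library gives the same size guarantee but leaves the rest of the line in the stream, which is the behaviour this version deliberately changes.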