Machine-Level Programming: Advanced Topics
- Slides: 27
Machine-Level Programming: Advanced Topics

Topics:
- Linux Memory Layout
- Understanding Pointers
- Buffer Overflow
Memory Allocation Example

    #include <stdio.h>
    #include <stdlib.h>

    char big_array[1 << 24];  /* 16 MB */
    char huge_array[1 << 28]; /* 256 MB */
    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28); /* 256 MB */
        p2 = malloc(1 << 8);  /* 256 B */
        p3 = malloc(1 << 28); /* 256 MB */
        p4 = malloc(1 << 8);  /* 256 B */
        /* Some print statements ... */
        return 0;
    }

CMSC 313, F'09
IA32 Example Addresses

    Symbol        Address
    $esp          0xffffbcd0
    p3            0x65586008
    p1            0x55585008
    p4            0x1904a110
    p2            0x1904a008
    &p2           0x18049760
    beyond        0x08049744
    big_array     0x18049780
    huge_array    0x08049760
    main()        0x080483c6
    useless()     0x08049744

[Diagram: address range ~2^32, shown from high to low addresses with region prefixes FF (Stack), 80 (Heap), 08 (Data), 00 (Text)]
C Operators

    Operators                                     Associativity
    ()  []  ->  .                                 left to right
    !  ~  ++  --  +  -  *  &  (type)  sizeof      right to left
    *  /  %                                       left to right
    +  -                                          left to right
    <<  >>                                        left to right
    <  <=  >  >=                                  left to right
    ==  !=                                        left to right
    &                                             left to right
    ^                                             left to right
    |                                             left to right
    &&                                            left to right
    ||                                            left to right
    ?:                                            right to left
    =  +=  -=  *=  /=  %=  &=  ^=  |=  <<=  >>=   right to left
    ,                                             left to right

- -> has very high precedence
- () has very high precedence
- monadic * is just below
C Pointer Declarations

    int *p                  p is a pointer to int
    int *p[13]              p is an array[13] of pointers to int
    int *(p[13])            p is an array[13] of pointers to int
    int **p                 p is a pointer to a pointer to an int
    int (*p)[13]            p is a pointer to an array[13] of int
    int *f()                f is a function returning a pointer to int
    int (*f)()              f is a pointer to a function returning int
    int (*(*f())[13])()     f is a function returning a pointer to an array[13] of pointers to functions returning int
    int (*(*x[3])())[5]     x is an array[3] of pointers to functions returning pointers to array[5] of ints
Avoiding Complex Declarations

Something simpler: use typedef to build up the declaration. Instead of

    int (*(*x[3])())[5];

write

    typedef int fiveints[5];
    typedef fiveints *p5i;
    typedef p5i (*f_of_p5is)();
    f_of_p5is x[3];

x is an array of 3 elements, each of which is a pointer to a function returning a pointer to an array of 5 ints.
Internet Worm and IM War

November, 1988
- Internet Worm attacks thousands of Internet hosts.
- How did it happen?

July, 1999
- Microsoft launches MSN Messenger (instant messaging system).
- Messenger clients can access popular AOL Instant Messaging Service (AIM) servers.

[Diagram of the clients and servers involved: AIM client, MSN server, MSN client, AIM server, AIM client]
Internet Worm and IM War (cont.)

August 1999
- Mysteriously, Messenger clients can no longer access AIM servers.
- Microsoft and AOL begin the IM war:
  - AOL changes server to disallow Messenger clients.
  - Microsoft makes changes to clients to defeat AOL changes.
  - At least 13 such skirmishes.
- How did it happen?
  - The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits!
  - Many Unix functions do not check argument sizes.
  - This allows target buffers to overflow.
String Library Code

- Implementation of Unix function gets()
  - No way to specify limit on number of characters to read

    #include <stdio.h>

    /* gets() - Get a string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        /* copies until EOF or end of line; nothing bounds how far p runs past dest */
        while (c != EOF && c != '\n') {
            *p++ = c;
            c = getchar();
        }
        *p = '\0';
        return dest;
    }
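A bounded counterpart to the gets() above, added here as an example and not code from the lecture slides: it keeps the same read loop but takes a destination size, always terminates the string, and drains the rest of an over-long line. The character-source callback and the names bounded_gets, getc_string and getc_stdin are this example's own so the routine can be exercised on constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Character source abstraction: the same routine reads from stdin (getc_stdin)
 * or from an in-memory string (getc_string, constructed input for testing). */
typedef int (*next_char_fn)(void *ctx);

struct string_src { const char *s; size_t pos; };

static int getc_string(void *ctx)
{
    struct string_src *src = ctx;
    unsigned char c = (unsigned char)src->s[src->pos];
    if (c == '\0') return EOF;      /* end of the constructed input */
    src->pos++;
    return c;
}

static int getc_stdin(void *ctx) { (void)ctx; return getchar(); }

/* Bounded gets(): stores at most n-1 characters in dest, always NUL-terminates,
 * and discards the rest of an over-long line so the next call starts on a fresh
 * line (fgets would leave the tail in the stream). Returns the number of
 * characters discarded, or -1 if EOF was reached before any character. */
long bounded_gets(char *dest, size_t n, next_char_fn next, void *ctx)
{
    size_t len = 0;
    long dropped = 0;
    int c;
    if (n == 0) return -1;          /* no room even for the terminator */
    c = next(ctx);
    if (c == EOF) { dest[0] = '\0'; return -1; }
    while (c != EOF && c != '\n') {
        if (len < n - 1) dest[len++] = (char)c;
        else dropped++;             /* overflow bytes are counted, never written */
        c = next(ctx);
    }
    dest[len] = '\0';
    return dropped;
}

int main(void)
{
    char buf[16];                   /* the bounded destination */
    long dropped = bounded_gets(buf, sizeof buf, getc_stdin, NULL);
    if (dropped >= 0)
        printf("read \"%s\" (%ld byte(s) dropped)\n", buf, dropped);
    return 0;
}
```

The dropped count lets a caller detect that input was truncated instead of silently accepting a partial line.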