Post on 12-Jan-2016
description
1
Practice: Week6
2
Problem 1
3
Byte Ordering
Implement a function is_little_endian(), which returns 1 if it is running on little-endian machine and 0 if it is running on big-endian machine. (This function should be able to run on any machine regardless of difference of word size.)
4
Byte Ordering
Implement a function is_little_endian(), which returns 1 if it is running on little-endian machine and 0 if it is running on big-endian machine. (This function should be able to run on any machine regardless of difference of word size.)
int is_little_endian()
{
int x=1;
return (int)(*(char *)&x);
}
5
Problem 2
Conversions Between Signed and UnsignedWe are running programs on a machine where values of type int are 32 bits. They are represented in two’s complement, and they are right shifted arithmetically. Values of type unsigned are also 32 bits.
We generate arbitrary values x and y, and convert them to unsigned values as follows:
/* Create some arbitrary values */
int x = random();
int y = random();
/* Convert to unsigned */
unsigned ux = (unsigned)x;
unsigned uy = (unsigned)y;
Conversions Between Signed and UnsignedFor each of the following C expressions, you are to indicate whether or not the expression always yields 1. If it always yields 1, describe the underlying mathematical principles. Otherwise, give an example of arguments that make it yield 0.
A. (x>y) == (-x<-y)
B. ((x+y)<<5) + x-y == 31*y+33*x
C. ~x + ~y == ~(x+y)
D. (int) (ux-uy) == -(y-x)
E. ((x >> 1) << 1) <= x
Conversions Between Signed and UnsignedA. (x>y) == (-x<-y). No
Let x = TMin32, y = 0.
Conversions Between Signed and UnsignedA. (x>y) == (-x<-y). No
Let x = TMin32, y = 0.
B. ((x+y)<<5) + x-y == 31*y+33*x. Yes
from the ring properties of two’s complement arithmetic.
Conversions Between Signed and UnsignedA. (x>y) == (-x<-y). No
Let x = TMin32, y = 0.
B. ((x+y)<<5) + x-y == 31*y+33*x. Yes
from the ring properties of two’s complement arithmetic.
C. ~x + ~y == ~(x+y). No
let x= 0,y= 0.
Conversions Between Signed and UnsignedA. (x>y) == (-x<-y). No
Let x = TMin32, y = 0.
B. ((x+y)<<5) + x-y == 31*y+33*x. Yes
from the ring properties of two’s complement arithmetic.
C. ~x + ~y == ~(x+y). No
let x= 0,y= 0.
D. (int) (ux-uy) == -(y-x). Yes
Due to the isomorphism between two’s complement and unsigned arithmetic.
Conversions Between Signed and UnsignedA. (x>y) == (-x<-y). No
Let x = TMin32, y = 0.
B. ((x+y)<<5) + x-y == 31*y+33*x. Yes
from the ring properties of two’s complement arithmetic.
C. ~x + ~y == ~(x+y). No
let x= 0,y= 0.
D. (int) (ux-uy) == -(y-x). Yes
Due to the isomorphism between two’s complement and unsigned arithmetic.
E. ((x >> 1) << 1) <= x. Yes
Right shift rounds toward minus infinity.
13
Problem 3
Bit Operations
14
/* [absValue]
* – Calculate the absolute value of x
*
* Example: absValue(5) = 5, absValue(-29) = 29
* Legal ops: ~ & ^ | - << >>
*/
int absValue(int x) {
/* Please fill your code*/
return ret;
}
Bit Operations
15
/* [absValue]
* – Calculate the absolute value of x
*
* Example: absValue(5) = 5, absValue(-29) = 29
* Legal ops: ~ & ^ | - << >>
*/
int absValue(int x) {
/* Please fill your code*/
int mask = X >> 31
return (x ^ mask) – mask;
}
16
Problem 4
17
Operation Dest Value
subl (%ebx),%eax
incl 4(%eax)
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4321
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x8765 4421
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
18
Operation Dest Value
subl (%ebx),%eax
incl 4(%eax)
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4321
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x8765 4421
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
19
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax)
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4321
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x8765 4421
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
20
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax)
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4321
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
21
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4321
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
22
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
23
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0002
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
24
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4)
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
25
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0002
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
26
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx)
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
27
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0x0000 0001
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
28
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0xFFFF FFFE
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
29
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax %eax 0x00000100
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0xFFFF FFFE
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
30
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax %eax 0x00000100
leal 9(%eax,%ecx,2),%edx
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0xFFFF FFFE
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
31
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax %eax 0x00000100
leal 9(%eax,%ecx,2),%edx %edx 0x10B
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0xFFFF FFFE
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 0008
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
32
Operation Dest Value
subl (%ebx),%eax %eax 0x00000100
incl 4(%eax) 0x104 0x87654322
decl %ecx %ecx 0x00000001
imull $4,0x100(%edx,%ecx,4) 0x10C 0x00000008
notl (%eax, %edx) 0x108 0xFFFFFFFE
andl (%eax,%ecx,8),%eax %eax 0x00000100
leal 9(%eax,%ecx,2),%edx %edx 0x10B
Address value
0x100 0xFFFF FFFF
0x104 0x8765 4322
0x108 0xFFFF FFFE
0x10C 0x0000 0008
0x110 0x2234 7688
0x114 0x1234 5678
register value
%eax 0x0000 0100
%ebx 0x0000 0104
%ecx 0x0000 0001
%edx 0x0000 010B
1. 32-bit little endian machine2. 4 byte size and hex3. Each operation take effect on the memory and register
33
Problem 5
Switch
Suppose the following C code and assembly code are executed on a 32-bit little endian machine. Read the code and answer the following questions:
int switch_example(int op, int a, int b){
int result;
switch (op) {
case 80:
result = a * 5;
break;
case _[1]_:
result = b + 10;
break;
case 83:
result = b >> 2;
break;
case _[2]_: case _[3]_:
if (_[4]_)
result = _[5]_;
else
result = _[6]_;
break;
default:
result = 0;
break;
}
return result;
}
Switch
35
_switch_example: pushl %ebp movl %esp, %ebp subl $16, %esp movl 8(%ebp), %eax subl __[10]__, %eax cmpl __[11]__, %eax ja __[12]__ jmp __[13]__ L3: movl 12(%ebp), %eax imull $5, %eax movl %eax, -4(%ebp) jmp L11L4: movl 16(%ebp), %eax addl $10, %eax movl %eax, -4(%ebp) jmp L11 L5: movl 16(%ebp), %eax sarl $2, %eax movl %eax, -4(%ebp) jmp L11
L6: movl 12(%ebp), %eax
cmpl 16(%ebp), %eax
jge __[14]__
movl 12(%ebp), %eax
subl $3, %eax
movl %eax, -4(%ebp)
jmp L11
L9: movl 16(%ebp), %eax
imull $4, %eax
movl %eax, -4(%ebp)
jmp L11
L2: movl $0, -4(%ebp)
L11: movl -4(%ebp), %eax
leave
ret
.section
.rodata
.align 4
L7:
.long L3
.long L2
.long L4
.long _[7]_
.long _[8]_
.long L2
.long L2
.long _[9]_
op at %ebp+8 a at %ebp+12 b at %ebp+16result at %ebp-4
36
_switch_example: pushl %ebp movl %esp, %ebp subl $16, %esp movl 8(%ebp), %eax subl __[10]__, %eax cmpl __[11]__, %eax ja __[12]__ jmp __[13]__ L3: movl 12(%ebp), %eax imull $5, %eax movl %eax, -4(%ebp) jmp L11L4: movl 16(%ebp), %eax addl $10, %eax movl %eax, -4(%ebp) jmp L11 L5: movl 16(%ebp), %eax sarl $2, %eax movl %eax, -4(%ebp) jmp L11
L6: movl 12(%ebp), %eax
cmpl 16(%ebp), %eax
jge __[14]__
movl 12(%ebp), %eax
subl $3, %eax
movl %eax, -4(%ebp)
jmp L11
L9: movl 16(%ebp), %eax
imull $4, %eax
movl %eax, -4(%ebp)
jmp L11
L2: movl $0, -4(%ebp)
L11: movl -4(%ebp), %eax
leave
ret
.section
.rodata
.align 4
L7:
.long L3
.long L2
.long L4
.long _[7]_
.long _[8]_
.long L2
.long L2
.long _[9]_
Please explain the advantage and limitation of “Jump Table”, and provide a simple code which is not suitable to be translated into a “Jump Table”
37
Security vulnerability in the XDR library
“Aside Security vulnerability in the XDR library”
Answer: practice problem 2.37
void *result = malloc(ele_cnt * ele_size);
if (result == NULL)
/* malloc failed */
return NULL;
38
Security vulnerability in the XDR library
“Aside Security vulnerability in the XDR library”
Answer: practice problem 2.37
long long unsigned asize = ele_cnt * (long long unsigned) ele_size;
void *result = malloc(asize);
if (result == NULL)
/* malloc failed */
return NULL;
39
Security vulnerability in the XDR library
“Aside Security vulnerability in the XDR library”
Answer: practice problem 2.37
long long unsigned required_size = ele_cnt * (long long unsigned) ele_size;
size_t request_size = (size_t) required_size;
if (required_size != request_size)
/* Overflow must have occurred. Abort */
return NULL;
void *result = malloc(request_size);
if (result == NULL)
/* malloc failed */
return NULL;
40
Advanced Topic: Integer Security
Buffer Overflow: Array allocation
“malloc(n * size)”
Overflow: 2^30 * 2^3 = 0
Smaller buffer than expected
Memory corruption: iphone jaibreak (CVE-2011-0226)
41
Advanced Topic: Integer Security
Logical Bug
Linux kernel OOM killer (CVE-2011-4097)
Compute “memory usage score” for each process
kill process with the highest score
Score: nr_pages * 1000 / nr_totalpages
Malicious process
consume too much memory a low score
trick the kernel into killing innocent process
42
Advanced Topic: Integer Security
An emerging threat
2007 CVE survey:
“integer overflows, barely in the top 10 overall in the past few years, are number 2 for OS vender advisories, behind buffer overflow”
2010 ~ early 2011 CVE survey: Linux kernel
More than 1/3 of serious bugs are integer errors
43
Advanced Topic: Integer Security
What’s wrong?From: linux driver/gpu/drm/vmwgfx/vmwgfx_kms.c
u32 pitch = /*from user space*/
u32 height = /*from user space*/
u32 size = pitch * height;
if (size > vram_size) return;
44
Advanced Topic: Integer Security
What’s wrong?From: linux driver/gpu/drm/vmwgfx/vmwgfx_kms.c
u32 pitch = /*from user space*/
u32 height = /*from user space*/
u32 size = pitch * height;
if (size > vram_size) return;
Patch: use 64 bits?
u64 size = pitch * height;
if (size > vram_size) return;
45
Advanced Topic: Integer Security
What’s wrong?From: linux driver/gpu/drm/vmwgfx/vmwgfx_kms.c
u32 pitch = /*from user space*/
u32 height = /*from user space*/
u32 size = pitch * height;
if (size > vram_size) return;
Patch2: convert pitch and height to u64 first!
u64 size = (u64)pitch * (u64)height;
if (size > vram_size) return;