Академический Документы
Профессиональный Документы
Культура Документы
Instructors:
Randy
Bryant
and
Dave
OHallaron
Carnegie Mellon
Summary
Carnegie Mellon
Binary Representa6ons
0"
1"
0"
3.3V"
2.8V"
0.5V"
0.0V"
Carnegie Mellon
Byte
=
8
bits
Binary
000000002
to
111111112
Decimal:
010
to
25510
Hexadecimal
0016
to
FF16
0
1
2
3
4
5
6
7
8
9
A
B
C
D
E
F
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
0000
0001
0010
0011
0100
0101
0110
0111
1000
1001
1010
1011
1100
1101
1110
1111
Carnegie Mellon
Carnegie Mellon
Machine Words
Carnegie Mellon
32-bit! 64-bit!
Bytes! Addr.!
Words! Words!
Addr !
=!
0000
??
by 4 (32-bit) or 8 (64-bit)
Addr !
=!
0004
??
Addr !
=!
0008
??
Addr !
=!
0012
??
Addr !
=!
0000
??
Addr !
=!
0008
??
0000
0001
0002
0003
0004
0005
0006
0007
0008
0009
0010
0011
0012
0013
0014
0015
Carnegie Mellon
Data
Representa6ons
C Data Type
Typical 32-bit
Intel IA32
x86-64
char
short
int
long
long long
float
double
long double
10/12
10/16
pointer
Carnegie Mellon
Byte Ordering
Carnegie Mellon
Big
Endian
Least
signicant
byte
has
highest
address
LiSle
Endian
Least
signicant
byte
has
lowest
address
Example
Variable
x
has
4-byte
representa0on
0x01234567
Address
given
by
&x
is
0x100
Big Endian!
01
Little Endian!
23
45
67
67
45
23
01
10
Carnegie Mellon
Disassembly
Text
representa0on
of
binary
machine
code
Generated
by
program
that
reads
the
machine
code
Example
Fragment
Address
8048365:
8048366:
804836c:
!Instruction Code
5b
81 c3 ab 12 00 00
83 bb 28 00 00 00 00
!Assembly Rendition!
pop
%ebx
add
$0x12ab,%ebx
cmpl
$0x0,0x28(%ebx)
Deciphering Numbers
Value:
Pad
to
32
bits:
Split
into
bytes:
Reverse:
0x12ab
0x000012ab
00 00 12 ab
ab 12 00 00
11
Carnegie Mellon
Printf directives:!
%p: !Print pointer!
%x: !Print Hexadecimal"
12
Carnegie Mellon
Result (Linux):!
int a = 15213;
0x11ffffcb8 0x6d
0x11ffffcb9 0x3b
0x11ffffcba 0x00
0x11ffffcbb 0x00
13
Carnegie Mellon
Decimal: !15213
Represen6ng Integers
Binary:
Hex:
int A = 15213;
IA32, x86-64!
6D
3B
00
00
Sun!
00
00
3B
6D
int B = -15213;
IA32, x86-64!
93
C4
FF
FF
Sun!
FF
FF
C4
93
x86-64!
6D
3B
00
00
00
00
00
00
Sun!
00
00
3B
6D
Carnegie Mellon
Represen6ng
Pointers
int B = -15213;
int *P = &B;
Sun!
IA32!
x86-64!
EF
D4
0C
FF
F8
89
FB
FF
EC
2C
BF
FF
FF
7F
00
00
Carnegie Mellon
Represen6ng Strings
Strings
in
C
Represented
by
array
of
characters
Each
character
encoded
in
ASCII
format
Standard
7-bit
encoding
of
character
set
Character
0
has
code
0x30
Digit
i
has
code
0x30+i
String
should
be
null-terminated
Final
character
=
0
Compa6bility
Byte
ordering
not
an
issue
Linux/Alpha!
Sun!
31
31
38
38
32
32
34
34
33
33
00
00
16
Carnegie Mellon
Summary
17
Carnegie Mellon
Boolean Algebra
And
Or
Not
~A
=
1
when
A=0
Exclusive-Or
(Xor)
A^B
=
1
when
either
A=1
or
B=1,
but
not
both
18
Carnegie Mellon
Connection when!
~B"
A&~B | ~A&B!
~A"
B"
~A&B!
= A^B!
19
Carnegie Mellon
01101001
| 01010101
01111101
01111101
01101001
^ 01010101
00111100
00111100
~ 01010101
10101010
10101010
20
Carnegie Mellon
Representa6on
Width
w
bit
vector
represents
subsets
of
{0,
,
w1}
aj
=
1
if
j
A
01101001
76543210
{ 0, 3, 5, 6 }
01010101
76543210
{ 0, 2, 4, 6 }
Opera6ons
&
Intersec0on
|
Union
^
Symmetric
dierence
~
Complement
01000001
01111101
00111100
10101010
{
0,
6
}
{
0,
2,
3,
4,
5,
6
}
{
2,
3,
4,
5
}
{
1,
3,
5,
7
}
21
Carnegie Mellon
Bit-Level Opera6ons in C
Carnegie Mellon
View
0
as
False
Anything
nonzero
as
True
Always
return
0
or
1
Early
termina0on
Carnegie Mellon
Shi\ Opera6ons
Argument x 01100010
<< 3
00010000
Log. >> 2
00011000
10100010
00010000
00101000
11101000
Undened
Behavior
ShiL
amount
<
0
or
word
size
24
Carnegie Mellon
Summary
25
Carnegie Mellon
Encoding
Integers
Unsigned
Twos Complement
Sign Bit
Sign
Bit
0
for
nonnega0ve
1
for
nega0ve
26
Carnegie Mellon
27
Carnegie Mellon
Numeric Ranges
Unsigned
Values
UMin
=
0
0000
UMax
1000
2w 1
TMax =
1111
2w1 1
0111
Other
Values
Minus
1
1111
Values for W = 16
28
Carnegie Mellon
Observa6ons
|TMin
|
=
TMax
+
1
Asymmetric
range
UMax
=
2
*
TMax
+
1
C
Programming
#include
<limits.h>
Declares
constants,
e.g.,
ULONG_MAX
LONG_MAX
LONG_MIN
Values
plazorm
specic
29
Carnegie Mellon
B2U(X)
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
B2T(X)
0
1
2
3
4
5
6
7
8
7
6
5
4
3
2
1
Equivalence
Same
encodings
for
nonnega0ve
values
Uniqueness
Every
bit
pahern
represents
30
Carnegie Mellon
Summary
31
Carnegie Mellon
Unsigned
T2U
T2B
B2U
ux
Unsigned
ux
U2T
U2B
B2T
Twos
Complement
x
Carnegie Mellon
0001
0010
0011
0100
0101
0110
0111
1000
-8
1001
-7
1010
-6
10
1011
-5
11
1100
-4
12
1101
-3
13
1110
-2
14
1111
-1
15
T2U
U2T
5
6
7
33
Carnegie Mellon
0001
0010
0011
0100
0101
0110
0111
1000
-8
1001
-7
1010
-6
10
1011
-5
1100
-4
12
1101
-3
13
1110
-2
14
1111
-1
15
+/- 16
3
4
11
34
Carnegie Mellon
Unsigned
T2U
T2B
B2U
ux
ux
+ + +
x
- + +
+++
+++
Carnegie Mellon
Conversion Visualized
2s
Comp.
Unsigned
Ordering
Inversion
Nega0ve
Big
Posi0ve
TMax
2s
Complement
Range
0
1
2
UMax
UMax
1
TMax
+
1
Unsigned
TMax
Range
TMin
36
Carnegie Mellon
Constants
By
default
are
considered
to
be
signed
integers
Unsigned
if
have
U
as
sux
0U, 4294967259U
Cas6ng
Explicit
cas0ng
between
signed
&
unsigned
same
as
U2T
and
T2U
int tx, ty;
unsigned ux, uy;
tx = (int) ux;
uy = (unsigned) ty;
Carnegie Mellon
Cas6ng Surprises
Expression
Evalua6on
If
there
is
a
mix
of
unsigned
and
signed
in
single
expression,
Constant1
0 0
-1 -1
-1 -1
2147483647
2147483647
2147483647U
2147483647U
-1 -1
(unsigned)-1
(unsigned) -1
2147483647
2147483647
2147483647
2147483647
Constant2
Rela6on Evalua6on
0U
0U
00
0U
0U
-2147483648
-2147483647-1
-2147483648
-2147483647-1
-2
-2
-2
-2
2147483648U
2147483648U
(int)
(int)
2147483648U
2147483648U
==
<
>
>
<
>
>
<
>
unsigned
signed
unsigned
signed
unsigned
signed
unsigned
unsigned
signed
38
Carnegie Mellon
Carnegie Mellon
Typical
Usage
/* Kernel memory region holding user-accessible data */
#define KSIZE 1024
char kbuf[KSIZE];
/* Copy at most maxlen bytes from kernel region to user buffer */
int copy_from_kernel(void *user_dest, int maxlen) {
/* Byte count len is minimum of buffer size and maxlen */
int len = KSIZE < maxlen ? KSIZE : maxlen;
memcpy(user_dest, kbuf, len);
return len;
}
#define MSIZE 528
void getstuff() {
char mybuf[MSIZE];
copy_from_kernel(mybuf, MSIZE);
printf(%s\n, mybuf);
}
40
Carnegie Mellon
Malicious Usage
Carnegie Mellon
Summary
Cas6ng
Signed
Unsigned:
Basic
Rules
42
Carnegie Mellon
Summary
43
Carnegie Mellon
Sign Extension
Task:
Given
w-bit
signed
integer
x
Convert
it
to
w+k-bit
integer
with
same
value
Rule:
Make
k
copies
of
sign
bit:
X
=
xw1
,,
xw1
,
xw1
,
xw2
,,
x0
k
copies
of
MSB
44
Carnegie Mellon
x
ix
y
iy
Decimal
15213
15213
-15213
-15213
Hex
3B
00 00 3B
C4
FF FF C4
6D
6D
93
93
Binary
00111011
00000000 00000000 00111011
11000100
11111111 11111111 11000100
01101101
01101101
10010011
10010011
45
Carnegie Mellon
Summary:
Expanding,
Trunca6ng:
Basic
Rules
Carnegie Mellon
Summary
47
Carnegie Mellon
Complement
Observa0on:
~x + x == 1111111 == -1
x
1
0
0
1
1
1
0
1
+
~x
0
1
1
0
0
0
1
0
-1
1
1
1
1
1
1
1
1
Complete Proof?
48
Carnegie Mellon
x = 0
49
Carnegie Mellon
Unsigned
Addi6on
u
+
v
u + v
UAddw(u , v)
Operands:
w
bits
True
Sum:
w+1
bits
Discard
Carry:
w
bits
UAddw(u , v)
= u + v mod 2w
50
Carnegie Mellon
Add4(u , v)
Integer
Addi6on
4-bit
integers
u,
v
Compute
true
sum
Add4(u
,
v)
Values
increase
linearly
with
u
and
v
Forms
planar
surface
v
u
51
Carnegie Mellon
Overow
Wraps
Around
If
true
sum
2w
At
most
once
UAdd4(u , v)
True
Sum
2w+1
Overow
2w
0
v
Modular
Sum
u
52
Carnegie Mellon
Mathema6cal Proper6es
0
UAddw(u
,
v)
2w
1
Commuta6ve
UAddw(u
,
v)
=
UAddw(v
,
u)
Associa6ve
UAddw(t,
UAddw(u
,
v))
=
UAddw(UAddw(t,
u
),
v)
0
is
addi0ve
iden0ty
UAddw(u
,
0)
=
u
Every
element
has
addi0ve
inverse
Let
UCompw
(u
)
=
2w
u
UAddw(u
,
UCompw
(u
))
=
0
53
Carnegie Mellon
u
+ v
u + v
TAddw(u , v)
Will give s == t
54
Carnegie Mellon
TAdd Overow
True Sum
Func6onality
True
sum
requires
w+1
bits
Drop
o
MSB
Treat
remaining
bits
as
2s
comp.
integer
0 1111
2w1
PosOver
TAdd Result
0 1000
2w 1
0111
0 0000
0000
1 0111
2w 11
1000
1 0000
2w
NegOver
55
Carnegie Mellon
Values
TAdd4(u
,
v)
Wraps
Around
If
sum
2w1
Becomes
nega0ve
At
most
once
If
sum
<
2w1
Becomes
posi0ve
At
most
once
v
u
PosOver
56
Carnegie Mellon
Characterizing TAdd
Posi0ve Overow
Func6onality
TAdd(u , v)
>
0
v
<
0
comp. integer
Nega0ve Overow
2w
2w
<
0
>
0
u
(NegOver)
(PosOver)
57
Carnegie Mellon
58
Carnegie Mellon
Mul6plica6on
Ranges
Unsigned:
0
x
*
y
(2w
1)
2
=
22w
2w+1
+
1
Up
to
2w
bits
Twos
complement
min:
x
*
y
(2w1)*(2w11)
=
22w2
+
2w1
Up
to
2w1
bits
Twos
complement
max:
x
*
y
(2w1)
2
=
22w2
Up
to
2w
bits,
but
only
for
(TMinw)2
59
Carnegie Mellon
Unsigned
Mul6plica6on
in
C
u
Operands: w bits
* v
UMultw(u , v)
u v mod 2w
60
Carnegie Mellon
ele_src
malloc(ele_cnt * ele_size)
61
Carnegie Mellon
XDR
Code
void* copy_elements(void *ele_src[], int ele_cnt, size_t ele_size) {
/*
* Allocate buffer for ele_cnt objects, each of ele_size bytes
* and copy from locations designated by ele_src
*/
void *result = malloc(ele_cnt * ele_size);
if (result == NULL)
/* malloc failed */
return NULL;
void *next = result;
int i;
for (i = 0; i < ele_cnt; i++) {
/* Copy object i to destination */
memcpy(next, ele_src[i], ele_size);
/* Move pointer to next memory region */
next += ele_size;
}
return result;
}
62
Carnegie Mellon
XDR
Vulnerability
malloc(ele_cnt
*
ele_size)
What
if:
ele_cnt
ele_size
Alloca0on
=
??
=
220
+
1
=
4096
= 212
63
Carnegie Mellon
Signed
Mul6plica6on
in
C
Operands:
w
bits
True
Product:
2*w
bits
u v
Discard
w
bits:
w
bits
* v
TMultw(u , v)
64
Carnegie Mellon
Opera6on
u << k
gives
u * 2k
Both
signed
and
unsigned
Operands:
w
bits
True
Product:
w+k
bits
Discard
k
bits:
w
bits
Examples
u 2k
* 2k
0 0 1 0 0 0
0 0 0
UMultw(u , 2k)
TMultw(u , 2k)
0 0
u << 3
== u * 8
u << 5 - u << 3
==
u * 24
Most
machines
shiL
and
add
faster
than
mul0ply
Carnegie Mellon
Explana6on
t <- x+x*2
return t << 2;
Carnegie Mellon
Operands:
Division:
Result:
u
/
Binary Point
2k
0 0 1 0 0 0
0 0
u / 2k 0 0 0
u / 2k
67
Carnegie Mellon
Explana6on
# Logical shift
return x >> 3;
Carnegie Mellon
x
Binary
Point
/ 2k
0 0 1 0 0 0
x / 2k
0
.
RoundDown(x / 2k)
0
69
Carnegie Mellon
In
C:
(x + (1<<k)-1) >> k
Biases
dividend
toward
0
Case
1:
No
rounding
Dividend:
Divisor:
u
+2k 1
1
0
1
2k
0
0 0
0 0 1
1 1
1
0 1 0
1 1
0 0
/
u / 2k
10 1 1 1
Binary
Point
.
1
1 1
Carnegie Mellon
x
+2k 1
1
0
k
0 0 1
1 1
Incremented
by
1
Divisor:
/ 2k
0 0 1 0 0 0
x / 2k
10 1 1 1
Binary Point
Incremented
by
1
Biasing
adds
1
to
nal
result
71
Carnegie Mellon
Explana6on
if x < 0
x += 7;
# Arithmetic shift
return x >> 3;
Carnegie Mellon
Addi6on:
Unsigned/signed:
Normal
addi0on
followed
by
truncate,
Mul6plica6on:
Unsigned/signed:
Normal
mul0plica0on
followed
by
truncate,
Carnegie Mellon
Right
shi\
Unsigned:
logical
shiL,
div
(division
+
round
to
zero)
by
2k
Signed:
arithme0c
shiL
Carnegie Mellon
Today: Integers
75
Carnegie Mellon
0
UMultw(u
,
v)
2w
1
Mul0plica0on
Commuta0ve
UMultw(u
,
v)
=
UMultw(v
,
u)
Mul0plica0on
is
Associa0ve
UMultw(t,
UMultw(u
,
v))
=
UMultw(UMultw(t,
u
),
v)
1
is
mul0plica0ve
iden0ty
UMultw(u
,
1)
=
u
Mul0plica0on
distributes
over
add0on
UMultw(t,
UAddw(u
,
v))
=
UAddw(UMultw(t,
u
),
UMultw(t,
v))
76
Carnegie Mellon
Isomorphic
Algebras
Unsigned
mul0plica0on
and
addi0on
Trunca0ng
to
w
bits
Twos
complement
mul0plica0on
and
addi0on
Trunca0ng
to
w
bits
77
Carnegie Mellon
Carnegie Mellon
Integer C Puzzles
Ini6aliza6on
int
x
=
foo();
int
y
=
bar();
unsigned
ux
=
x;
unsigned
uy
=
y;
x<0
ux >= 0
x & 7 == 7
ux > -1
x>y
x * x >= 0
x > 0 && y > 0
x >= 0
x <= 0
(x|-x)>>31 == -1
ux >> 3 == ux/8
x >> 3 == x/8
x & (x-1) != 0
((x*2) < 0)
(x<<30) < 0
-x < -y
x+y>0
-x <= 0
-x >= 0
79