1 / 20

CSE Four Fiddy One – Section 7 Project 2 hints VM (process memory, buffer overrun attacks)

CSE Four Fiddy One – Section 7 Project 2 hints VM (process memory, buffer overrun attacks). Webserver w/user threads. Use pthreads for Web server-related parts (parts 4 and 6) We won’t test sioux with user threads. Project 2 – questions?. Virtual Memory (quick recap). Physical memory.

dorothyrsmith
Download Presentation

CSE Four Fiddy One – Section 7 Project 2 hints VM (process memory, buffer overrun attacks)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE Four Fiddy One – Section 7Project 2 hintsVM (process memory, buffer overrun attacks)

  2. Webserver w/user threads • Use pthreads for Web server-related parts (parts 4 and 6) • We won’t test sioux with user threads

  3. Project 2 – questions?

  4. Virtual Memory (quick recap) Physical memory Process’ VM: Another process Disk (Inspired from wikipedia)

  5. Virtual Memory (quick recap) Process’ Page table Physical memory Process’ VM: Another process page frame # Disk

  6. Virtual Memory (quick recap) Process’ Page table Physical memory Process’ VM: Another process page frame # Disk • How can we use paging to set up sharing of memory between two processes?

  7. Process Memory Organization 0x00000000 • In figure, stack grows downwards, but it’s not necessary • How can you determine the direction in which stack grows? • What is in the address range 0xC0000000 to 0xFFFFFFFF? Code TEXT Initialized/uninitialized global/static variables static int a = 3; DATA Heap char* buff = (char*)malloc(…) What goes here? STACK Program stack 0xBFFFFFFF

  8. Page Replacement Algorithms • What you are NOT doing this quarter: • Project 3 - Your job: Replacement Algorithms • Given: • random • You need to write: • FIFO • LRU Clock • One of your choice • A few possibilities: • True LRU (e.g. via storing full timestamp) • Variations on LRU Clock (enhanced second-chance, etc) • LFU/MFU • Your own! • You can write more than 3 if your experiment focuses on replacement algorithms. • So we are going to go over some of these instead.

  9. Page Replacement Algorithms • FIFO (First in/first out) • Replace the oldest page with the one being paged in • Not very good in practice, suffers from Belady’s Anomaly • Second-Chance (Modified FIFO) • FIFO, but skip referenced pages • VAX/VMS used this • Random • Duh • Better than FIFO! • NFU (Not Frequently Used) • Replace the page used the least number of times • Better variation: Aging ensures that pages that have not been used for a while go away. • NRU (Not Recently Used) • Replace a page not used since last clock cycle • LRU (Least Recently Used) • Replace the least recently used page • Works well but expensive to implement. (More efficient variants include LRU-K) • LRU Clock (Modified LRU) • Replace the least recently used page, with a hard limit on the max time since used • Clairvoyant • Replace the page that’s going to be needed farthest in the future.

  10. Example of Belady’s Anomaly Page Requests 321032432104

  11. Example (Page Faults in Red) 3 frames Frame 1 Frame 2 Frame 3 9 Page Faults

  12. Example (Page Faults in Red) • 4 frames • Frame 1 • Frame 2 • Frame 3 • Frame 4 10 Page Faults

  13. Stack Overflow Attacks

  14. Code Global variables Heap Program stack Example • What does the process’ memory look like for the following code: void foo(int a, int b, int c) { char buffer1[5]; char buffer2[10]; } void main() { foo(1,2,3); } We’re here w/ execution Example taken from “Smashing The Stack For Fun And Profit ”

  15. How would you smash the stack? buffer2 3 words buffer1 2 words SFP 1 word RET 1 word a 1 word b 1 word c 1 word Bottom of stack (0xBFFFFFFF) Word size (4B)

  16. Buffer overflows • What’s the bug? void foo(char* str) { char buffer[5]; strcpy(buffer, str); } void main() { char large_string[256]; … foo(large_string); } Example taken from “Smashing The Stack For Fun And Profit ”

  17. The stack contents Small addr • void foo(char* str) { • char buffer[5]; • strcpy(buffer, str); • } • void main(int argc, • char* argv[]) { • … • foo(argv[1]); • } buffer SFP RET *str Large addr

  18. The stack contents Small addr • void foo(char* str) { • char buffer[5]; • strcpy(buffer, str); • } • void main(int argc, • char* argv[]) { • foo(argv[1]); • } • What cmd-line argument should attacker provide? • - Length? • - Contents? buffer SFP RET *str Large addr

  19. Shell code • Program to bring up a shell: #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } • If you de-assemble, you get: "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd” "\x80\xe8\xdc\xff\xff\xff/bin/sh";

  20. More information • Smashing The Stack For Fun And Profit, Aleph One: http://www.cs.washington.edu/education/courses/cse599g/CurrentQtr/stack.txt

More Related