8: Smashing the Stack For Fun and Profit Flashcards
What does smash the stack mean?
Code (on many C implementations) that
- corrupts the execution stack by writing past the end of an array declared auto (i.e. a local array) in a routine
- can cause the return from the routine to jump to a random address, since the routine's saved return address lives on that same stack
What is a buffer?
A buffer is simply a contiguous block of computer memory that holds multiple instances of the same data type.
- mostly associated w/ character arrays
When and where are static variables allocated?
Static variables are allocated at load time on the data segment
When are dynamic variables allocated and where?
Dynamic variables are allocated at run time on the stack
What does overflow mean?
To overflow is to flow, or fill over the top, brims, or bounds. These cards focus only on overflow of dynamic buffers, i.e. stack-based buffer overflows
How are processes divided in memory?
Processes are divided into three regions: Text, Data, and Stack
What are the properties of the text region of process memory?
the text region
- is fixed by the program
- includes code (instructions) and read-only data
- corresponds to the text section of the executable file
- normally marked read-only and any attempt to write to it will result in a segmentation violation
What are the properties of the data region?
The data region
- corresponds to the data-bss sections of the executable file
- its size can be changed with the brk(2) system call
- if expansion of the bss data or the user stack exhausts available memory, the process is blocked and is rescheduled to run again with a larger memory space
- the new space is added between the data and stack segments
What is a stack?
- a stack is an abstract data type frequently used in CS
- LIFO
- has operation push that adds an element at the top of the stack
- has operation pop that reduces the stack size by one by removing the last element at the top of the stack
Why do we use a stack?
- modern computers are designed with the need of high-level languages in mind
- procedures/functions structure programs in high-level languages
- a procedure call alters the flow of control just as a jump does, but unlike a jump, when finished performing its task, a function returns control to the statement or instruction following the call
- this high-level abstraction is implemented with the help of the stack
- the stack is also used to dynamically allocate the local variables used in functions, to pass parameters to functions, and to return values from the function
What are the properties of the stack region of process memory?
- stack is a contiguous block of memory containing data
- register called the stack pointer (SP) points to the top of the stack
- bottom of the stack is a fixed address
- its size is dynamically adjusted by the kernel at run time
- CPU implements instructions to PUSH onto and POP off of the stack
- stack consists of logical stack frames that are pushed when calling a function and popped when returning
- depending on the implementation the stack will either grow down (towards lower memory addresses) or up
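The growth direction can be measured rather than memorized. The program below is an added example, not code from the original paper or these cards: it recurses a few levels, records the address of one local variable per frame, and reports whether deeper frames sit at lower addresses (the x86/ARM/SPARC/MIPS convention) or higher. The `noinline` attribute and the volatile store after the recursive call are there to stop the compiler from merging the frames.

```c
#include <stdint.h>
#include <stdio.h>

#define DEPTH 8

/* Recurses DEPTH levels and records the address of one stack-allocated local
   per level. `volatile` forces a real stack slot; the store after the call
   keeps the recursion from being turned into a loop, so each level gets its
   own frame. (Added example; not from the original page.) */
static __attribute__((noinline)) void record_frames(uintptr_t *out, int level)
{
    volatile int local = level;
    out[level] = (uintptr_t)&local;
    if (level + 1 < DEPTH)
        record_frames(out, level + 1);
    local = 0;
}

/* Returns 1 if every deeper frame lies at a lower address than its caller's
   (the stack grows down, as on x86, ARM, SPARC and MIPS), -1 if every deeper
   frame lies higher (grows up), and 0 if the frames are not consistently
   ordered (e.g. the compiler merged them). */
int stack_growth_direction(void)
{
    uintptr_t addrs[DEPTH];
    int down = 1, up = 1;

    record_frames(addrs, 0);
    for (int i = 1; i < DEPTH; i++) {
        if (addrs[i] >= addrs[i - 1]) down = 0;
        if (addrs[i] <= addrs[i - 1]) up = 0;
    }
    return down ? 1 : (up ? -1 : 0);
}

/* Distance in bytes between two adjacent frames: a rough per-call frame size
   (locals plus saved FP, return address and any alignment padding). */
size_t frame_stride(void)
{
    uintptr_t addrs[DEPTH];
    record_frames(addrs, 0);
    return (size_t)(addrs[0] > addrs[1] ? addrs[0] - addrs[1]
                                        : addrs[1] - addrs[0]);
}

int main(void)
{
    int dir = stack_growth_direction();
    printf("stack grows %s, about %zu bytes per frame\n",
           dir == 1 ? "down" : dir == -1 ? "up" : "(unordered)",
           frame_stride());
    return 0;
}
```

On a Linux x86-64 or AArch64 host this reports "down"; the stride varies with compiler and optimization level, which is a reminder that frame layouts are compiler decisions, not language guarantees.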
What does a stack frame contain?
A stack frame contains
- the parameters to a function
- its local variables
- the data necessary to recover the previous stack frame
- including the value of the instruction pointer at the time of the function call
The stack grows down towards lower memory addresses in which processors?
Intel (x86), Motorola, SPARC and MIPS processors
Is the stack pointer implementation dependent? If so, how?
- yes, the SP is implementation dependent
- it may point to the last address on the stack, or to the next free available address after the stack
In x86, where does the SP point?
the last address on the stack (the top of the stack and the lowest numerical address)
Where does the stack pointer point in ARM?
The top of the stack
What direction does the stack grow in ARM?
It is selectable at the instruction level: the load/store-multiple instructions support full or empty, ascending or descending stacks, but the standard procedure call standard (AAPCS) uses a full descending stack, so by default it grows towards lower memory like x86
What is the FP?
- The frame pointer, which points to a fixed location within a frame
- some texts also refer to it as a local base pointer (LB)
What is the problem with referencing local variables from the SP?
- local variables could be referenced by giving their offsets from SP
- however, as words are pushed onto and popped off the stack, these offsets change
What does accessing a variable at a known distance from SP require in an Intel-based processor?
on some machines, such as Intel based processors, accessing a variable at a known distance from SP requires multiple instructions.
What is the BP (EBP) on Intel CPUs used for?
- many compilers use a second register, FP, for referencing both local variables and parameters because their distance from FP do not change with PUSHes and POPs.
- On Intel CPUs, BP (EBP) is used for this purpose
- On Motorola 68000 CPUs, any address register except A7 (the stack pointer) will do
How are local variables referenced from the FP on x86 and Motorola 68000?
- because of the way the stack grows, actual parameters have positive offsets and local variables have negative offsets from FP
What is the procedure prolog?
The first thing a procedure must do when called
- first save the previous FP, so it can be restored at procedure exit
- then copy SP into FP to create the new FP
- then advance SP to reserve space for the local variables
What is the procedure epilog?
- Upon procedure exit, the stack must be cleaned up again, something called the procedure epilog.
How are procedure prolog and epilog handled in Intel and Motorola CPUs?
The Intel ENTER and LEAVE instructions and the Motorola LINK and UNLINK instructions, have been provided to do most of the procedure prolog and epilog work efficiently.
What does this program do to call function()?
What causes buffer overflow?
A buffer overflow is the result of stuffing more data into a buffer than it can handle
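To see why stuffing too much data into a local buffer matters, it helps to model the frame layout described above (buffer, then saved FP, then saved return address on a downward-growing stack) and watch what an unbounded copy does to it. The program below is an added example, not code from the paper or these cards: it builds that layout in a plain byte array with constructed sentinel values, copies an input into the buffer either the way `strcpy` would (no bounds check) or with a bounded copy, and reads back the saved FP and return address. The frame size, offsets and sentinel values are assumptions for illustration, and the single clamp in `unchecked_copy` exists only to keep the model array itself in bounds; a real `strcpy` has no such limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte layout of the model frame, from low to high address (x86 convention,
   64-bit pointers): the local buffer, then the saved frame pointer, then the
   saved return address. All values are constructed for illustration. */
#define BUF_SIZE   16
#define PTR_SIZE   8
#define FRAME_SIZE (BUF_SIZE + 2 * PTR_SIZE)
#define FP_OFFSET  BUF_SIZE
#define RET_OFFSET (BUF_SIZE + PTR_SIZE)

#define SENTINEL_FP  0xBBBBBBBBBBBBBBBBULL  /* pretend saved EBP/RBP */
#define SENTINEL_RET 0x0000000000401136ULL  /* pretend return address */

struct frame_view {
    uint64_t saved_fp;
    uint64_t ret_addr;
};

static void store_le64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint64_t load_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* The unsafe pattern: like strcpy(buffer, src), it copies up to and including
   the NUL and never consults the buffer size. The clamp only protects the
   model array; it is not part of the pattern being shown. */
static size_t unchecked_copy(unsigned char *frame, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, src, n);
    return n;
}

/* The hardened pattern: bound the copy by the buffer size and always
   NUL-terminate, so nothing past the buffer is ever touched. */
static size_t checked_copy(unsigned char *frame, const char *src)
{
    size_t n = strlen(src);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(frame, src, n);
    frame[n] = '\0';
    return n + 1;
}

/* Builds a frame with sentinel control data, copies `input` into its buffer
   with one of the two routines, and reports what the saved FP and return
   address look like afterwards. */
struct frame_view frame_after_copy(const char *input, int bounded)
{
    unsigned char frame[FRAME_SIZE];
    struct frame_view v;

    memset(frame, 0, sizeof frame);
    store_le64(frame + FP_OFFSET, SENTINEL_FP);
    store_le64(frame + RET_OFFSET, SENTINEL_RET);

    if (bounded) checked_copy(frame, input);
    else         unchecked_copy(frame, input);

    v.saved_fp = load_le64(frame + FP_OFFSET);
    v.ret_addr = load_le64(frame + RET_OFFSET);
    return v;
}

/* 1 if the copy changed the saved return address, i.e. the stack was smashed. */
int return_address_smashed(const char *input, int bounded)
{
    return frame_after_copy(input, bounded).ret_addr != SENTINEL_RET;
}

int main(void)
{
    /* Constructed input: 16 bytes fill the buffer, the next 8 land on the
       saved FP, the last 8 on the return address. */
    const char *oversized = "AAAAAAAAAAAAAAAA" "BBBBBBBB" "CCCCCCCC";
    struct frame_view v = frame_after_copy(oversized, 0);
    printf("unchecked: saved fp=%#llx ret=%#llx\n",
           (unsigned long long)v.saved_fp, (unsigned long long)v.ret_addr);
    v = frame_after_copy(oversized, 1);
    printf("checked:   saved fp=%#llx ret=%#llx\n",
           (unsigned long long)v.saved_fp, (unsigned long long)v.ret_addr);
    return 0;
}
```

With the unchecked copy the saved FP becomes 0x4242424242424242 and the return address 0x4343434343434343, which is exactly the "jump to a random address" from the first card; with the bounded copy both survive untouched. Two caveats when mapping this back to a real process: modern compilers place a canary between the locals and the saved FP (`-fstack-protector`), so the overwrite is detected at the epilog rather than silently redirecting control, and on x86-64 the first arguments travel in registers, so the parameter-above-FP picture from the 32-bit description applies only to spilled or stack-passed arguments.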