Architecture Flashcards

(40 cards)

1
Q

What part of a computer executes machine code?

A
  • CPU
  • machine code instructions are processed by the CPU
  • each instruction is a primitive command that performs a specific operation, such as moving data
  • written in HEX
2
Q

What translates machine code into assembly language?

A
  • Assembler

- NASM (Netwide Assembler)

3
Q

ISA

A
  • Instruction Set Architecture
  • set of instructions that a programmer (compiler) must understand and use to write a program
  • memory, registers, instructions, etc.
  • EX: x86 instruction set (or architecture)
4
Q

What does 32 or 64 refer to in ISA?

A
  • width of the CPU registers
  • each CPU has a fixed set of registers
  • registers are temporary variables used by the CPU to get and store data
  • EX: GPRs (General Purpose Registers)
5
Q

What are the eight general purpose registers?

A
  • EAX
  • ECX
  • EDX
  • EBX
  • ESP
  • EBP
  • ESI
  • EDI
6
Q

EAX

A
  • Accumulator

- used in arithmetic operation

7
Q

ECX

A
  • Counter

- used in shift/rotate instruction and loops

8
Q

EDX

A
  • Data

- used in arithmetic operation and I/O

9
Q

EBX

A
  • Base

- used as a pointer to data

10
Q

ESP

A
  • Stack Pointer

- pointer to the top of the stack

11
Q

EBP

A
  • Base Pointer

- pointer to the base of the stack

12
Q

ESI

A
  • Source Index

- used as a pointer to a source in stream operation

13
Q

EDI

A
  • Destination

- used as a pointer to a destination in stream operation

14
Q

What is the additional register that is important for x86 architecture?

A
  • EIP
  • The Instruction Pointer
  • controls the program execution by storing a pointer to the address of the next instruction (machine code) that will be executed.
  • it tells the CPU where the next instruction is
15
Q

What are the four regions that process memory is divided into?

A
  • text
  • data
  • the heap
  • the stack
16
Q

Text Region

A
  • instruction segment
  • contains the program code (instructions)
  • marked as read-only since the program should not change during execution
17
Q

Data Region

A
  • divided into initialized data and uninitialized data
  • initialized data includes items such as static and global declared variables (pre-defined; can be modified)
  • uninitialized data, named Block Started by Symbol (BSS), holds variables that are initialized to zero or do not have explicit initialization (ex. static int t)
18
Q

Heap

A
  • starts right after the BSS segment

- during execution, the program can request more space in memory via BRK and SBRK system calls

19
Q

Stack

A
  • LIFO block of memory
  • located in the higher part of memory
  • an array used for saving a function’s return addresses, passing function arguments, and storing local variables
  • ESP identifies the top of the stack
  • ESP is modified each time a value is pushed in (PUSH) or popped out (POP)
20
Q

Which direction does the stack grow?

A
  • The stack grows downwards
  • starts at higher memory and grows towards lower memory addresses
  • knowing the limits of the memory allowed lets the programmer know how big the Heap or Stack will be
21
Q

Which direction does the heap grow?

A
  • The Heap grows upwards

- starts from lower memory addresses and grows to higher memory addresses

22
Q

Explain the PUSH process?

A
  • a PUSH instruction subtracts 4 (32-bit) or 8 (64-bit) from the ESP and writes the data to the memory address in the ESP
  • then the ESP is updated to the top of the stack
  • the Stack grows backward, therefore the PUSH subtracts 4 or 8 in order to point to a lower memory location on the Stack.
  • if we do not subtract, the PUSH operation will overwrite the current location pointed by ESP (the top) and we would lose data
23
Q

Explain the POP process?

A
  • the POP operation is the opposite of PUSH
  • it retrieves data from the top of the Stack
  • therefore, the data contained at the address location in ESP (the top of the stack) is retrieved and stored (usually in another register)
  • after a POP operation, the ESP value is incremented, in x86 by 4
24
Q

Prologue

A
  • a Function component

- prepares the Stack to be used, similar to putting a bookmark in a book

25
Q

Epilogue

A
  • a Function component
  • when the function has completed, the epilogue resets the stack to the prologue settings
26
Q

What happens when a function or procedure is started?

A
  • a stack frame is created and assigned to the current ESP location (top of the stack)
  • this allows the subroutine to operate independently in its own location in the Stack
27
Q

What happens when a function or procedure ends?

A
  • Two things happen:
  • 1. the program receives the parameters passed from the subroutine
  • 2. the EIP is reset to the location at the time of the initial call
28
Q

Little-Endian

A
  • the LSB is stored at the lower memory address
  • the MSB is stored at the higher memory address
29
Q

NOP

A
  • No Operation instruction
  • instruction that does nothing
  • when the program encounters a NOP, it will simply skip to the next instruction
  • In x86 CPUs, NOP instructions are represented with 0x90
30
Q

NOP-sled

A
  • a technique used during BOF exploitation
  • its only purpose is to fill a large or small portion of the Stack with NOPs
  • this will allow us to slide down to the instruction we want to execute, which is usually put after the NOP-sled
31
Q

What security implementations are used to try and prevent BOF?

A
  • ASLR
  • DEP
  • Canary
32
Q

ASLR

A
  • Address Space Layout Randomization
  • the goal is to introduce randomness for executables, libraries, and stacks in the memory address space
  • this makes it more difficult for the attacker to predict memory addresses and causes exploits to fail and crash the process
  • the OS loads the same executable at a different location in memory every time
33
Q

DEP

A
  • Data Execution Prevention
  • defensive hardware and software measure that prevents the execution of code from pages in memory that are not explicitly marked as executable
34
Q

Canary

A
  • Stack cookie
  • places a value next to the return address on the stack
  • the function PROLOGUE loads a value into this location, while the EPILOGUE makes sure that the value is intact
  • When the EPILOGUE runs, it checks to make sure the value is still there and that it is correct
35
Q

Assembler

A
  • a program that translates the Assembly language into machine code
36
Q

MASM

A
  • Microsoft Macro Assembler
  • x86 assembler
  • uses the Intel syntax for MS-DOS and Windows
37
Q

GAS

A
  • GNU Assembler
  • default back-end of GCC
38
Q

NASM

A
  • Netwide Assembler
  • x86
  • Most popular for Linux
39
Q

FASM

A
  • x86
  • Intel-style assembly
40
Q

Compiler

A
  • similar to the assembler
  • converts high-level source code (such as C) into low-level code or directly into an object file