EC312 Homework 7
Name: ______key______
1. What features of the C language make a buffer overflow attack possible?
C does not automatically perform bounds checking.
2. Answer the following questions concerning how a program is stored in memory during its execution.
(a) Which segment of memory has contents that remain unchanged during program execution? The text segment (also known as the code segment)
(b) Does the programmer have complete control over how the stack is organized? No, the stack is controlled by the compiler.
(c) What is the relationship between the order in which variables appear in a function and the order in which these same variables are stored in the function's stack frame? Variables are stored on the stack in the order they are declared.
(d) What important registers are used to define the boundaries of a stack frame? esp – Stack Pointer ebp – Base Pointer
(e) Suppose main calls a function named fun. After all the commands of fun have executed, how does the program know to continue at the exact location in main where it left off? The return address is stored on the stack when the function fun is called.
(f) Is a source code file permitted to have more than one function? Yes.
(g) If your answer to (f) was "no", explain why that is the case. If your answer to (e) was "yes", explain how the operating system knows where to begin executing your program if the source code file contains multiple functions. Program execution always begins at the main() function for command line programs.
1 3. Segmentation Fault Carefully enter the following program using nano. Notice that the program has no blank lines.
#include
} Execute the program entering just the numeric portion of your alpha code. You should see something like this:
Now, rerun the program entering a ridiculously long alpha code. You should see a segmentation fault:
Recall that a segmentation fault occurs if a program attempts to run beyond the boundaries of main memory that the operating system has allotted the program. In this homework problem we will explore in depth the cause of this segmentation fault.
Let's run our program (which I've named happy.c) by entering:
gcc –g happy.c gdb –q ./a.out list main disass main break 13 run nexti nexti Exactly four nexti's nexti nexti 2
(a) Using your gdb skills, determine the following: - What is the next instruction that will be executed? ___call 0x80483b4
- Is the program execution still in main, or has it moved into the function happy_times? _Program execution is still in main.______
- List the variables which should already have been loaded onto the stack, from lowest on the stack to highest (i.e. from highest address to lowest address)? [Hint: you don’t have to examine memory to figure this out. You can determine it based on your knowledge of how a stack is set up during program execution.]
______a,b,y,x______
(b) Our goal is to locate main's variables and the function's arguments on the stack. As a first step, simply express the variables a and b in hexadecimal format:
a: 0x_0000004d______
b: 0x_00000015______
Note: For Parts (c) – (i) you will fill in the table which begins on page 5.
(c) Determine the current value of the stack pointer and the base pointer. Fill in the values in the table below, showing where the base pointer (label as EBP-main) and stack pointer (label as ESP-main) are pointing to.
(d) Use the examine (x) command to look at 40 bytes starting at the stack pointer. Now locate main's variables and the function's arguments on the stack. Fill in the table, annotating the locations of these four values. Label these as (main variable: a), (main variable b), (function argument: x) and (function argument: y).
(e) Now set a breakpoint at line 2 of your code (which is in the happy_times function), run the program until that point, and then execute one more instruction, by entering
break 2 continue nexti
The program is now at the point where the old value of the base pointer and the correct return address have been placed on the stack.
What should be stored as the correct return address? ______0x0804841e__
What should be the saved value of the base pointer? ______0xbffff808___
3
(f) Enter x/40xb $esp to examine the 40 bytes in the stack starting with the new stack pointer, esp. Locate the saved value of the base pointer and the return address on the stack. Fill in the table, annotating the locations of these two items. Label these as (saved base pointer) and (return address).
(g) Now enter
break 8 continue
When prompted to enter your alpha code, enter: AAAAAA
Determine the current value of the stack pointer and the base pointer. Fill in the values in the table below, showing where the base pointer (label as EBP-happy_times) and stack pointer (label as ESP- happy_times) are pointing to.
(h) Locate the alpha code you entered (i.e. AAAAAA) in the stack frame for happy_times. Do this by examining 40 bytes starting at the stack pointer. Note that the capital letter A is equivalent to hexadecimal 0x41. Fill in the table, annotating the location of the string alpha_code. Note that the NULL that terminates the string is part of the string.
(i) Now, examine your memory drawing. How many characters would you have had to enter for your alpha code before you start to overwrite the saved value of the base pointer (remember that the NULL is automatically added)? [Note: you should enter the number of characters required to overwrite the byte at the lowest address of the save value of the base pointer, i.e. you don’t need to overwrite the entire address.] Answer: _____24______
Overwriting the saved value of the base pointer will (almost always) cause a segmentation fault, because the program will attempt to restore the stack to a location in memory outside the region of main memory given to the program.
(j) Exit the debugger (by entering quit) and run your program by entering ./a.out. Enter an alpha code of size equal to the number of characters you calculated in part (i). Did you get a segmentation fault? (You should have!) ____Yes______
(k) Enter an alpha code of size less than the number of characters you calculated in part (i). Did you get a segmentation fault? (You should not have.) ____No______
4 Address Value Description BFFFF7ED 84 BFFFF7C0 esp-happy-times points BFFFF7EE 04 here BFFFF7EF 08 BFFFF7C1 BFFFF7F0 4d x BFFFF7C2 BFFFF7F1 00 BFFFF7C3 BFFFF7F2 00 BFFFF7C4 BFFFF7F3 00 BFFFF7C5 BFFFF7F4 15 y BFFFF7C6 BFFFF7F5 00 BFFFF7C7 BFFFF7F6 00 BFFFF7C8 BFFFF7F7 00 BFFFF7C9 BFFFF7F8 BFFFF7CA BFFFF7F9 BFFFF7CB BFFFF7FA BFFFF7CC BFFFF7FB BFFFF7CD BFFFF7FC BFFFF7CE BFFFF7FD BFFFF7CF BFFFF7FE BFFFF7D0 41 alpha_code BFFFF7FF BFFFF7D1 41 BFFFF800 15 b BFFFF7D2 41 BFFFF801 00 BFFFF7D3 41 BFFFF802 00 BFFFF7D4 41 BFFFF803 00 BFFFF7D5 41 BFFFF804 4d a BFFFF7D6 00 BFFFF805 00 BFFFF7D7 BFFFF806 00 BFFFF7D8 BFFFF807 00 BFFFF7D9 BFFFF808 ebp-main points here BFFFF7DA BFFFF809 BFFFF7DB BFFFF80A BFFFF7DC BFFFF80B BFFFF7DD BFFFF80C BFFFF7DE BFFFF80D BFFFF7DF BFFFF80E BFFFF7E0 BFFFF80F BFFFF7E1 BFFFF810 BFFFF7E2 BFFFF811 BFFFF7E3 BFFFF812 BFFFF7E4 BFFFF813 BFFFF7E5 BFFFF814 BFFFF7E6 BFFFF815 BFFFF7E7 BFFFF816 BFFFF7E8 08 Saved base pointer BFFFF817 (ebp-happy_times points BFFFF818 here) BFFFF819 BFFFF7E9 f8 BFFFF81A BFFFF7EA ff BFFFF7EB bf BFFFF7EC 1e return address 5