DOCSLIB.ORG

Y86 Programming

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

10/28/2019 Outline Chapter 4 Introduction to assembly programing Processor Architecture: Y86 Introduction to Y86 Y86 instructions, encoding and execution (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary 1 2 Assembly Assembly Operations Perform arithmetic function on register or memory data The CPU uses machine language to perform all its operations Transfer data between memory and register Machine code (pure numbers) is generated by translating each . Load data from memory into register (read) instruction into binary numbers that the CPU uses . Store register data into memory (write) This process is called "assembling"; conversely, we can take Transfer control assembled code and disassemble it into (mostly) human . Unconditional jumps to/from procedures (calls) readable assembly language . Conditional branches (if, switch, for, while, etc) Assembly is a much more readable translation of machine language, and it is what we work with if we need to see what the computer is doing There are many different kinds of assembly languages; we'll focus on the Y86/IA32 language as defined in the text and on our system (also SPARC and MIPS) 3 4 ISA – Instruction Set Architecture ISA-More explanations ISA – instruction set architecture . Format and behavior of a machine level program . Defines . The processor state (see the CPU fetch-execute cycle) . The format of the instructions . The effect of each of these instructions on the state . Abstractions . Instruction executed “in sequence” – Technically defined to be completing one instruction before starting the next – Pipelining – Concurrent execution (but not really) . Memory addresses are virtual addresses – Very large byte-addressable array – Address space managed by the OS (virtual physical) – Contains both executable code of the program AND its data » Run-time stack » Block of memory for user (global and heap) 5 6 1 10/28/2019 Generic Instruction Cycle Hardware abstractions An instruction cycle is the basic operation cycle of a computer. It is the process by which a computer retrieves a Program Counter (PC) . Register %eip (X86) program instruction from its memory, determines what . Address in memory of the next instruction to be executed actions the instruction requires, and carries out those Integer Register File actions. This cycle is repeated continuously by the central . Contains eight named locations for storing 32-bit values processing unit (CPU), from bootup to when the computer . Can hold addresses (C pointers) or integer data . Have other special duties is shut down. Floating point registers Condition Code registers 1. Fetching the instruction . Hold status information . About arithmetic or logical instruction executed 2. Decode the instruction – CF (carry flag) 3. Memory and addressing issues – OF (overflow flag) – SF (sign flag) 4. Execute the instruction – ZF (zero flag) Memory 7 8 Machine instruction example Outline C code Introduction to assembly programing . Add two signed integers int t = x + y; Introduction to Y86 Assembly Y86 instructions, encoding and execution . Add 2 4-byte integers addl 8(%ebp),%eax Operands . X: register %eax . Y: memory M[%ebp+8] . T: register %eax . Return function value in %eax Object code 03 45 08 . 3 byte instruction . Stored at address: 0x???????? 9 10 Y86: A Simpler Instruction Set Y86 abstractions IA32 has a lot more instructions The Y86 has IA32 has a lot of quirks . 8 32-bit registers with the same names as the IA32 32-bit registers Y86 is a subset of IA32 instructions . 3 condition codes: ZF, SF, OF Y86 has a simpler encoding scheme than IA32 . no carry flag Y86 is easier . interprets integers as signed . to reason about hardware . a program counter (PC) . first-time programming in assembly language . a program status byte: AOK, HLT, ADR, INS . memory: up to 4 GB to hold program and data The Y86 does not have . floating point registers or instructions http://voices.yahoo.com/the-y86-processor-simulator-770435.html?cat=15 http://y86tutoring.wordpress.com/ 11 12 2 10/28/2019 Y86 Memory and Stack yis and yas and the Y86 Simulator check on high address 1. A huge array of bytes; . how to set up $PATH Y86 Stack 2. Set the bottom of the stack far . how to connect Linux with X display enough away from the code; 3. The location of your code should add the following variables to $PATH always start from 0x0. /home/bren/Software/sim/misc . /home/bren/Software/sim/pipe How to set up the starting point of stack and code? . /home/bren/Software/sim/seq directive: .pos address-in-hex otherwise, use absolute path . /home/bren/Software/sim/misc/yas Y86 Code . /home/bren/Software/sim/misc/yis low address example code was assembled during the build process and is in /home/bren/Software/sim/y86-code 13 14 YIS and YAS and the Y86 Simulator Run Y86 program how to assemble and run code irmovl $55,%edx % yas y86prog1.ys . % yas prog.ys rrmovl %edx, %ebx % yis y86prog1.yo irmovl Array, %eax Stopped in 6 steps at PC = 0x1a. assembles program rmmovl %ebx,4(%eax) Status 'HLT' . creates *.yo file mrmovl 0(%eax),%ecx CC Z=1 S=0 O=0 halt Changes to registers: . % yis prog.yo %eax: 0x00000000 0x0000001c %ecx: 0x00000000 0x0000006f . instruction set simulator – gives output and changes .align 4 Array: %edx: 0x00000000 0x00000037 – changes shown as original value/new value pairs .long 0x6f %ebx: 0x00000000 0x00000037 .long 0x84 . % ssim -g prog.yo & Changes to memory: . graphical simulator y86prog1.ys 0x0020: 0x00000084 0x00000037 . SimGuide: http://csapp.cs.cmu.edu/public/simguide.pdf 15 16 Y86 Simulator program code Y86 Simulator displays . contents of memory . processor state . fetch-execute loop . register file . status . condition codes 17 18 3 10/28/2019 Y86 Notes Y86 Notes Y86 is an assembly language instruction set Y86 features . simpler than but similar to IA32 . 8 32-bit registers with the same names as the IA32 32-bit registers . but not as compact (as we will see) . different names from those in text, such as %rax, which are 64-bit . F indicates no register Y86 features . 3 condition codes: ZF, SF, OF . 8 32-bit registers with the same names as the IA32 32-bit registers . a program counter (PC) . 3 condition codes: ZF, SF, OF . a program status byte: AOK, HLT, ADR, INS . no carry flag - interpret integers as signed . memory: up to 4 GB to hold program and data . a program counter (PC) . holds the address of the instruction currently being executed RF: Program registers CC: Condition Stat: Program Status codes . a program status byte: AOK, HLT, ADR, INS 0 % eax 6 % esi ZF SF OF 1 7 . state of program execution %ecx %edi DMEM: Memory PC . memory: up to 4 GB to hold program and data 2 % edx 4 % esp 3 % ebx 5 % ebp 19 20 Outline Learning Y86 Assembler Directives Introduction to assembly programing Status conditions and Exceptions Introduction to Y86 Instructions Y86 instructions, encoding and execution . Operations . Branches . Moves Addressing Modes Stack Operations Subroutine Call/Return How to encode and execute each instruction 21 22 Y86 Assembler Directives Status Conditions 23 24 4 10/28/2019 Y86 Exceptions Y86 Exceptions What happens when an invalid assembly instruction is found? What are some possible causes of exceptions? . how would this happen? . invalid operation . generates an exception . divide by 0 . sqrt of negative number In Y86 an exception halts the machine . memory access error (address too large) . stops executing . hardware error . on a real system, this would be handled by the OS and only the current process would be terminated Y86 handles 3 types of exceptions: . HLT instruction executed . invalid address encountered . invalid instruction encountered . in each case, the status is set 25 26 Y86 Instructions Y86 Instructions format Each accesses and modifies some part(s) of the program . 1–6 bytes of information read from memory state . Can determine the type of instruction from first byte . Can determine instruction length from first byte largely a subset of the IA32 instruction set . Not as many instruction types . includes only 4-byte integer operations “word” . Simpler encoding than with IA32 . has fewer addressing modes . smaller set of operations registers . rA or rB represent one of the registers (0-7) . 0xF denotes no register (when needed) . no partial register options (must be a byte) 27 28 Move Operation Move Operation different opcodes for 4 types of moves . register to register (opcode = 2) . notice conditional move has opcode 2 as well . immediate to register (opcode = 3) . register to memory (opcode = 4) . memory to register (opcode = 5) 29 30 5 10/28/2019 Move Operation Supported Arithmetic Operations the only memory addressing mode is base register + displacement OP1 (opcode = 6) # y86cc.ys memory operations always move 4 bytes (no byte or word . only takes registers as operands .pos 0x0 . only work on 32 bits irmovl $1, %eax memory operations, i.e., no 8/16-bit move) irmovl $0, %ebx . note: no “or” and “not” ops source or destination of memory move must be a register irmovl $1, %ecx . only instructions to set CC addl %eax, %eax andl %ebx, %ebx . starting point ZF=1, SF=0, OF=0 subl %eax, %ecx irmovl $0x7fffffff, %edx addl %edx, %edx arithmetic instructions halt . addl rA, rB R[rB] ← R[rB] + R[rA] . subl rA, rB R[rB] ← R[rB] − R[rA] . andl rA, rB R[rB] ← R[rB] & R[rA] . xorl rA, rB R[rB] ← R[rB] ^ R[rA] CORRECTION = F 31 32 Jump Instructions Jump Instruction Types jump instructions (opcode = 7) Unconditional jumps What about checking OF? . fn = 0 for unconditional jump . jmp Dest PC ← Dest . fn =1-6 for <= < = != >= > Conditional jumps . refer to generically as jXX . jle Dest PC ← Dest if last result ≤ 0 .
Recommended publications
  • X86 Instruction Set 4.2 Why Learn Assembly

    X86 Instruction Set 4.2 Why Learn Assembly

    4.1 CS356 Unit 4 Intro to x86 Instruction Set 4.2 Why Learn Assembly • To understand something of the limitation of the HW we are running on • Helpful to understand performance • To utilize certain HW options that high-level languages don't allow (e.g. operating systems, utilizing special HW features, etc.) • To understand possible security vulnerabilities or exploits • Can help debugging 4.3 Compilation Process CS:APP 3.2.2 void abs(int x, int* res) • Demo of assembler { if(x < 0) *res = -x; – $ g++ -Og -c -S file1.cpp else *res = x; • Demo of hexdump } Original Code – $ g++ -Og -c file1.cpp – $ hexdump -C file1.o | more Disassembly of section .text: 0000000000000000 <_Z3absiPi>: 0: 85 ff test %edi,%edi 2: 79 05 jns 9 <_Z3absiPi+0x9> • Demo of 4: f7 df neg %edi 6: 89 3e mov %edi,(%rsi) 8: c3 retq objdump/disassembler 9: 89 3e mov %edi,(%rsi) b: c3 retq – $ g++ -Og -c file1.cpp Compiler Output – $ objdump -d file1.o (Machine code & Assembly) Notice how each instruction is turned into binary (shown in hex) 4.4 Where Does It Live • Match (1-Processor / 2-Memory / 3-Disk Drive) where each item resides: – Source Code (.c/.java) = 3 – Running Program Code = 2 – Global Variables = 2 – Compiled Executable (Before It Executes) = 3 – Current Instruction Being Executed = 1 – Local Variables = 2 (1) Processor (2) Memory (3) Disk Drive 4.5 BASIC COMPUTER ORGANIZATION 4.6 Processor • Performs the same 3-step process over and over again – Fetch an instruction from Processor Arithmetic 3 Add the memory Circuitry specified values Decode 2 It’s an ADD – Decode the instruction Circuitry • Is it an ADD, SUB, etc.? 1 Fetch – Execute the instruction Instruction System Bus • Perform the specified operation • This process is known as the ADD SUB Instruction Cycle CMP Memory 4.7 Processor CS:APP 1.4 • 3 Primary Components inside a processor – ALU – Registers – Control Circuitry • Connects to memory and I/O via address, data, and control buses (bus = group of wires) Bus Processor Memory PC/IP 0 Addr Control 0 op.
  • Jump-Oriented Programming: a New Class of Code-Reuse Attack

    Jump-Oriented Programming: a New Class of Code-Reuse Attack

    Jump-Oriented Programming: A New Class of Code-Reuse Attack Tyler Bletsch, Xuxian Jiang, Vince W. Freeh Zhenkai Liang Department of Computer Science School of Computing North Carolina State University National University of Singapore {tkbletsc, xuxian_jiang, vwfreeh}@ncsu.edu [email protected] ABSTRACT to redirect control flow to the attacker-supplied code. How- Return-oriented programming is an effective code-reuse at- ever, with the advent of CPUs and operating systems that tack in which short code sequences ending in a ret instruc- support the W⊕X guarantee [3], this threat has been mit- tion are found within existing binaries and executed in ar- igated in many contexts. In particular, W⊕X enforces the bitrary order by taking control of the stack. This allows property that \a given memory page will never be both for Turing-complete behavior in the target program without writable and executable at the same time." The basic premise the need for injecting attack code, thus significantly negat- behind it is that if a page cannot be written to and later ex- ing current code injection defense efforts (e.g., W⊕X). On ecuted from, code injection becomes impossible. the other hand, its inherent characteristics, such as the re- Unfortunately, attackers have developed innovative ways liance on the stack and the consecutive execution of return- to defeat W⊕X. For example, one possible way is to launch oriented gadgets, have prompted a variety of defenses to a code-reuse attack, wherein existing code is re-purposed to detect or prevent it from happening. a malicious end.
  • X86 Assembly Language Reference Manual

    X86 Assembly Language Reference Manual

    x86 Assembly Language Reference Manual Sun Microsystems, Inc. 901 N. San Antonio Road Palo Alto, CA 94303-4900 U.S.A. Part No: 805-4693-10 October 1998 Copyright 1998 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303-4900 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, SunDocs, Java, the Java Coffee Cup logo, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and SunTM Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
  • X86 Instruction Set Architecture

    X86 Instruction Set Architecture

    x86 Instruction Set Architecture Comprehensive 32/64-bit Coverage First Edition Also by Tom Shanley HEAVEN’S FAVORITE —A Novel of Genghis Khan— Book 1, ASCENT: THE RISE OF CHINGGIS KHAN Book 2, DOMINION: DAWN OF THE MONGOL EMPIRE MINDSHARE TECHNICAL TRAINING Please visit www.mindshare.com for a complete description of Mind- Share’s technical offerings: • Books • eBooks • eLearning modules • Public courses • On-site course • On-line courses Intel Core 2 Processor (Penryn) Intel Nehalem Processor Intel Atom Processor AMD Opteron Processor (Barcelona) Intel 32/64-bit x86 Software Architecture AMD 32/64-bit x86 Software Architecture x86 Assembly Language Programming Protected Mode Programming PC Virtualization IO Virtualization (IOV) Computer Architectures with Intel Chipsets Intel QuickPath Interconnect (QPI) PCI Express 2.0 USB 2.0 USB 3.0 Embedded USB 2.0 Workshop PCI PCI-X Modern DRAM Architecture SAS Serial ATA High Speed Design EMI / EMC Bluetooth Wireless Product Development SMT Manufacturing SMT Testing x86 Instruction Set Architecture Comprehensive 32/64-bit Coverage First Edition MINDSHARE, INC. TOM SHANLEY MindShare Press Colorado Springs, USA Refer to “Trademarks” on page 5 for trademark information. The author and publisher have taken care in preparation of this book but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connec- tion with or arising out of the use of the information or programs contained herein. ISBN: 0-9770878-5-3 Copyright © 2009 by MindShare, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopy- ing, recording, or otherwise, without the prior written permission of the publisher.
  • A Simple Computer March, 2012

    A Simple Computer March, 2012

    Cmpt 150 A Simple Computer March, 2012 A Simple Computer It’s time to assemble some pieces and create a computer. We’re not going to cover this in depth — many details will be swept under the rug — but at the end we should have a pretty good idea of how assembly language connects with the underlying hardware. Instruction Set Architecture The true specification for a CPU is the instruction set architecture (ISA). In plain language, the set of instructions that the CPU hardware is capable of recognising and executing. In the roughly 70 years since the first digital computers were constructed1 hardware and software have co-evolved to their present state. Today there are two broad classes of ISAs: e Complex Instruction Set (CISC) ISAs are the older class, evolved from the pe- riod when the guiding philosophy was a rich set of machine instructions that facilitated assembly language programming by humans and closely matched the requirements of evolving higher-level programming languages (e.g., For- tran and Cobol). The dominant CISC ISA today is the Intel x86 instruction set. e Reduced Instruction Set (RISC) ISAs are the newer class, evolving from the observation that the vast majority of assembly language today is written by compilers. RISC ISAs have a bare minimum of instructions, chosen to min- imise hardware complexity and maximise speed of execution. Multiple RISC instructions are often required to do the work of a single CISC instruction, but even so can be executed more quickly. Compilers and assemblers do the tedious work of translating programs in high-level language into machine instructions.
  • Registers Memory Segmentation and Protection

    Registers Memory Segmentation and Protection

    Intel x86 Assembly Language Programming CIS 450 { Computer Organization and Architecture c Copyright 2001 Tim Bower The Intel x86 line of CPUs use the accumulator machine mo del. Registers Note that each register has 32 bit, 16 bit and 8 bit names. We will usually use just the 32 bit names for the registers. See the diagrams of the registers on the following pages. The primary accumulator register is called EAX. The return value from a function call is saved in the EAX register. Secondary accumulator registers are: EBX, ECX, EDX. EBX is often used to hold the starting address of an array. ECX is often used as a counter or index register for an array oraloop. EDXis a general purp ose register. The EBP register is the stack frame pointer. It is used to facilitate calling and returning from functions. ESI and EDI are general purp ose registers. If a variable is to have register storage class, it is often stored in either ESI or EDI. A few instructions use ESI and EDI as p ointers to source and destination addresses when copying a blo ck of data. Most compilers preserve the value of ESI and EDI across function calls | not generally true of the accumulator registers. The ESP register is the stack p ointer. It is a p ointer to the \top" of the stack. The EFLAGS register is sometimes also called the status register. Several instructions either set or check individual bits in this register. For example, the sign ag bit 7 and the zero ag bit 6 are set by the compare cmp instruction and checked by all the conditional branching instructions.
  • IBCM: the Itty Bitty Computing Machine

    IBCM: the Itty Bitty Computing Machine

    Chapter 1 IBCM: The Itty Bitty Computing Machine The child receives data through the sense organs; the child also has some inborn processing capacities – otherwise it would not be able to learn – but in addition, some “information” or “programs” are built-in at birth . there is a working memory . and there is a permanent memory . so there must be some inner “language” or medium of representation . Jerry Fodor . has discussed this inbuilt “language of thought,” which is similar conceptually to the “machine language” that is built into the personal computer. – John Cleverly, in “Visions of childhood: Influential models from Locke to Spock” [3] 1.1 Introduction Machine language, or machine code, is the set of instructions that a computer’s central processing unit (CPU) understands. It is the binary 0’s and 1’s that form instructions for the CPU to execute. When we compile a program, that program is eventually converted to binary machine code, which we can then run. Each different CPU has a different machine language that it understands, although CPU families tend to understand a very similar language. Programming in machine language requires one to write the code in hexadecimal notation, manually encoding the instructions one at a time. For this reason, machine language can often be difficult to pro- gram in. This is especially true with the complexities of modern instruction sets on processor families such as the x86 and MIPS. One will often write a program in assembly language, which is a (somewhat) higher-level manner to create a program. In assembly language, one can specify to add two values together through a command such as sub esp, 24, and need not write it in the hexadecimal notation of 0x83ec20.