C++

[ebp+10] Parameter 3 [ebp+0C] Parameter 2 [ebp+08] Parameter 1 [ebp+04] Return address [ebp+00] Old ebp [ebp -04] Local 1 // w [ebp -08] Local 2 // x [ebp -0C] Local 3 // z or y

Stack Packing E0: 8B FF mov edi,edi E2: 53 push ebx E3: 56 push esi E4: 8B F1 mov esi,ecx E6: 8B 5E 18 mov ebx,dword ptr[esi+18h] E9: 8B mov eax,dword ptr [esi+4] EC: F6 C3 01 test bl, EF: je F F1: 3B cmp eax,dword ptr [esi+8] F4: 76 1E jbe F6: 5E pop esi F7: 5B pop ebx F8: C3 ret MORE COLD CODE No Stack Packing (R1 – R5 reasons for bad code) 639E2840: 8B FF mov edi,edi 639E2842: 55 push ebp  #R1 639E2843: 8B EC mov ebp,esp 639E2845: 51 push ecx  #R2 639E2846: 53 push ebx 639E2847: 56 push esi 639E2848: 8B F1 mov esi,ecx 639E284A: 57 push edi  #R3 639E284B: 8B 5E 18 mov ebx,dword ptr [esi+18h] 639E284E: 8B mov eax,dword ptr [esi+4] 639E2851: F6 C3 01 test bl,1 639E2854: 74 0C je 639E E2856: 3B cmp eax,dword ptr [esi+8] 639E2859: 76 3F jbe 639E289A 639E285B: 5F pop edi  #R4 639E285C: 5E pop esi 639E285D: 5B pop ebx 639E285E: 8B E5 mov esp,ebp  #R5 639E2860: 5D pop ebp 639E2861: C3 ret MORE COLD CODE

Vector - all loads before all stores B[0] B[1] B[2] B[3] A[0] A[1] A[2] A[3] A[0] + B[0] A[1] + B[1] A[2] + B[2] A[3] + B[3] xmm0 “addps xmm1, xmm0 “ xmm1 +

for (i = 0; i < 1000/4; i++){ movps xmm0, [ecx] movps xmm1, [eax] addps xmm0, xmm1 movps [edx], xmm0 } for (i = 0; i < 1000; i++) A[i] = B[i] + C[i]; Compiler looks across loop iterations !

A(3) = ?

ALL loads before ALL stores A (2:5) = A (1:4) + A (3:7) VR1 = LOAD(A(1:5)) VR2 = LOAD(A(3:7)) VR3 = VR1 + VR2 // A(3) = F (A(2) A(4)) STORE(A(2:5)) = VR3

Instead - load store load store... Instead - load store load store... FOR ( j = 2; j <= 257; j++) A( j ) = A( j-1 ) + A( j+1 ) A(2) = A(1) + A(3) A(3) = A(2) + A(4) // A(3) = F ( A(1)A(2)A(3)A(4) ) A(4) = A(3) + A(5) A(5) = A(4) + A(6) … …

A ( a1 * I + c1 ) ?= A ( a2 * I’ + c2)

Complex C++ Not just arrays!

void foo(int n, float *a, float *b, float *c) { for (int j=0; j<n; j++) { *a++ = *b++ + *c++; } Legal ? Where’s the base of the array?

void transform1(int * first1, int * last1, int * first2, int * result) { while (first1 != last1) { *result++ = *first1++ + *first2++; } …and where’s the IV? A ( a1 * I + c1 ) ?= A ( a2 * I’ + c2)

int synthetic_i; int synthetic_upper = (last1 – first1 + 4)/4; for (synthetic_i = 0; synthetic_i < synthetic_upper; synthetic_i++) { result[synthetic_i] = first1[synthetic_i] + first2[sythetic_i]; } while (first1 != last1) { *result++ = *first1++ + *first2++; }

HRESULT CDocManager::IsValidWMToolsStream(bool* pfValid) { long cbSize; if(FAILED(hr = ExtractDataSize(strPath, &cbSize))) return S_OK; CSmartPtr pBuffer = new BYTE[cbSize]; ExtractData(strPath, pBuffer, cbSize); long dwCheckSum = DwChecksumFromLpvCb(0, pBuffer, cbSize); long dwStreamCnt = GetStreamCount(m_pVisitedTree); if(FAILED(hr = ExtractDataSize(kszCheckSumStream, &cbSize))) { return S_OK; } //ExtractData(kszCheckSumStream, pBuffer, cbSize); for(int i=0; i<cbSize; i++) { *pBuffer++ = *kszCheckSumStream++; } HRESULT CDocManager::IsValidWMToolsStream(bool* pfValid) { long cbSize; if(FAILED(hr = ExtractDataSize(strPath, &cbSize))) return S_OK; CSmartPtr pBuffer = new BYTE[cbSize]; ExtractData(strPath, pBuffer, cbSize); long dwCheckSum = DwChecksumFromLpvCb(0, pBuffer, cbSize); long dwStreamCnt = GetStreamCount(m_pVisitedTree); if(FAILED(hr = ExtractDataSize(kszCheckSumStream, &cbSize))) { return S_OK; } //ExtractData(kszCheckSumStream, pBuffer, cbSize); for(int i=0; i<cbSize; i++) { *pBuffer++ = *kszCheckSumStream++; } 1. cbSize assigned allocate buffer with 4470 bytes 3. cbSize re- assigned 4496 Heap Overflow! Leads to Hijack

var e1; function f1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp").innerHTML = ""; window.setInterval(f2, 50); } function f2(){ var t = e1.srcElement; } var e1; function f1(evt){ e1 = document.createEventObject(evt); document.getElementById("sp").innerHTML = ""; window.setInterval(f2, 50); } function f2(){ var t = e1.srcElement; } 1. Pass onload event (evt) to f1 2. Copy evt, but fail to AddRef on CTreeNode! 3. Destroy img tag in span leading to a free when evt falls out of scope 4. Call f2 async so evt goes out of scope Hijack! Vtable call via freed CTreeNode Red is C++ called from javascript

pointer heap vtable function_1 function_2 Vulnerability: “use after free” attack code attack data

Example for : Hardware + Language + Compiler co-design

for (k=1;k<=nn;k++){ if (yy[k] > y) { xx[k] > x ? ++na : ++nb; } else{ xx[k] > x ? ++nd : ++nc; }

G[0:3] = bit_mask(a[i] == b[i] ) xffffffff 0x xffffffff xmm0 “pcmpeq xmm1, xmm0 “ xmm1 ==

(Lhs[0:3] & ! G[0:3]) 0xffffffff 0x xffffffff Lhs[0] Lhs[1] Lhs[2] Lhs[3] 0x Lhs[1] Lhs[2] 0x xmm0 “pandn xmm1, xmm0 “ xmm1 &!

(Rhs[0:3] & G[0:3]) 0xffffffff 0x xffffffff Rhs[0] Rhs[1] Rhs[2] Rhs[3] Rhs[0] 0x Rhs[3] xmm2 “pandn xmm1, xmm0 “ xmm3 &

= (Lhs[0:3] & ! G[0:3]) | (Rhs[0:3] & G[0:3]) Rhs[0] 0x Rhs[2] 0x Lhs[1] Lhs[2] 0x Rhs[0] Lhs[1] Lhs[2] Rhs[3] xmm1 “por xmm1, xmm3 “ xmm3 or

STORE Rhs[0] Lhs[1] Lhs[2] Rhs[3] “movups [esi], xmm3 “ xmm3

New Fact of Life The system must never invent a write to a variable that wouldn’t be written to in an SC execution. Q: Why? If you the programmer can’t see all the variables that get written to, you can’t possibly know what locks to take.

*x = new Base

// Need alias “q is now made type-of (r)” / / De-virtualizing this call depends on type-of (q)

32nm 22nm 22nm 14nm 10nm 256 bit AVX(2)256 bit AVX 128 bit SSE You are here (3D tri-state transistors)