Lecture 1. x86 Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security

Post on 23-Dec-2015



x86?

• What is x86?
  • Generic term referring to processors from Intel, AMD and VIA
  • Derived from the model numbers of the first few generations of processors: 8086, 80286, 80386, 80486 → x86
  • Now it generally refers to processors from Intel, AMD, and VIA
    • x86-16: 16-bit processor
    • x86-32 (aka IA32): 32-bit processor (IA: Intel Architecture)
    • x86-64: 64-bit processor
• Intel takes about 80% of the PC market and AMD takes about 20%
  • Apple also has been introducing Intel-based Macs since Nov. 2006

(aka: also known as)

x86 History (as of 2008)

(Figure: x86 processor history chart.)

x86 History (Cont.)

(Figure: timeline from the 4-bit, 8-bit and 16-bit parts, starting with the 8086 in 1978, through 32-bit (i386, i586, i686) to 64-bit (x86_64). Recent entries: 2009 1st Gen. Core i7 (Nehalem), 2011 2nd Gen. Core i7 (Sandy Bridge), 2012 3rd Gen. Core i7 (Ivy Bridge), 2013 4th Gen. Core i7 (Haswell).)

Moore's Law

• Transistor count will be doubled every 18 months
  • Exponential growth

(Figure: transistor count per chip over time, from 2,250 through 42 million to 1.7 billion (Montecito).)

Feature Size (Technology) Trend

(Figure: feature size versus year.)

Power Dissipation

• By the early 2000s, Intel and AMD made every effort to increase clock frequency to enhance the performance of their CPUs
• But the power consumption is the problem

  P ≈ C · VDD² · f

  C: capacitance, VDD: supply voltage, f: clock frequency

Power Density Trend

(Figure: power density versus year. Source: Intel Corp.)

Watch this!

(Interactive slide: click the chip.)

Slide from Prof H.H. Lee in Georgia Tech

How to Reduce Power Consumption?

• Reduce supply voltage with new technologies, i.e., reducing transistor size
• Keep the clock frequency in a modest range
  • No longer increase the clock frequency
• Then… what would be the problem?
  • Performance
• So, the strategy is to integrate many simple CPUs in a chip
  • Dual Core, Quad Core….

Multi-core Processor Gala

(Figure: gallery of multi-core processors.) Prof. Sean Lee's Slide in Georgia Tech

Intel's Core 2 Duo

• 2 cores on one chip
• Two levels of caches (L1, L2) on chip
• 291 million transistors in 143 mm² with 65nm technology

(Figure: die layout with Core0 and Core1, each with its own IL1 and DL1 caches, and a shared L2 Cache. Source: http://www.sandpile.org)

Intel's Core i7

• 4 cores on one chip
• Three levels of caches (L1, L2, L3) on chip
• 731 million transistors in 263 mm² with 45nm technology

Intel's Core i7 (2nd Gen.)

• 2nd Generation Core i7 (Sandy Bridge)
• 995 million transistors in 216 mm² with 32nm technology
• Caches: L1 32 KB, L2 256 KB, L3 8MB

Intel's Core i7 (3rd Gen.)

• 3rd Generation Core i7 (Ivy Bridge)
• 1.4 billion transistors in 160 mm² with 22nm technology
• Caches: L1 64 KB, L2 256 KB, L3 8MB

http://blog.mytechhelp.com/laptop-repair/the-ivy-bridge/

AMD's Opteron – Barcelona (2007)

• 4 cores on one chip
• 1.9GHz clock
• 65nm technology
• Three levels of caches (L1, L2, L3) on chip
• Integrated North Bridge

Intel Teraflops Research Chip

• 80 CPU cores
• Delivers more than 1 trillion floating-point operations per second (1 Teraflops) of performance
• Introduced in September 2006

Intel's 48 Core Processor

• 48 x86 cores manufactured with 45nm technology
• Nicknamed "single-chip cloud computer"
• Debuted in December 2009

Model of Memory Hierarchy

(Figure: Reg File → L1 Inst cache / L1 Data cache → L2 Cache → Main Memory → DISK; the caches are SRAM, main memory is DRAM.)

Slide from Prof Sean Lee in Georgia Tech

x86 Operation Modes

• Real Mode (= real address mode)
  • Programming environment of the 8086 processor
  • 8086 is a 16-bit processor from Intel
• Protected Mode
  • Native state of the 32-bit Intel processor (32-bit mode)
• IA-32e mode (Intel) or Long mode (AMD)
  • 2 sub-modes: Compatibility mode and 64-bit mode
  • Compatibility mode is enabled by the operating system on a code segment basis. It means that a single 64-bit OS can support both 64-bit applications running in 64-bit mode and legacy 32-bit applications running in compatibility mode.

Registers in x86

• Registers in 8086
  • 4 segment registers (16-bit): CS, DS, SS, ES
  • 8 general-purpose registers (16-bit): AX, BX, CX, DX, SP, BP, SI, DI
• Registers in x86-32 (Protected Mode)
  • 6 segment registers (16-bit): CS, DS, SS, ES, FS, GS
  • 8 general-purpose registers (32-bit): EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI
• Registers in IA-32e (Long mode)
  • 6 segment registers (16-bit): CS, DS, SS, ES, FS, GS
  • 16 general-purpose registers (64-bit): RAX, RBX, RCX, RDX, RSP, RBP, RSI, RDI, R8 ~ R15

EFLAGS in x86

(Figure: EFLAGS register layout, shown over two slides.)

Software Compatibility

(Figure from AMD64 Architecture Programmer's Manual, Vol 2: System Programming.)

Segmentation and Paging in Protected Mode

(Figure: logical address → segmentation → linear address → paging → physical address.)

TLB in Processor

• Translation Lookaside Buffer (TLB)
  • The TLB is there for Virtual Memory

(Figure: Intel Pentium Processor (1993). The CPU core issues a virtual address; the TLB inside the processor turns it into a physical address that goes to Main Memory, and data comes back.)

Real Mode Addressing

• In real mode (8086), general purpose registers are all 16-bit wide
• Segment registers specify the base address of each segment
  • CS: Code Segment for instructions
  • DS: Data Segment for data
  • SS: Stack Segment for stack
  • ES: Extra Segment, could be used to store more data
• Addressing method
  • Segment << 4 + offset = physical address

(Figure: Main Memory of 1MB, addresses 0x0 to 0xFFFFF. With DS = 2000h the segment base is 20000h = 2000h << 4, and offset 100h gives physical address 20100h.)

    mov ax, 2000h
    mov ds, ax
    mov al, [100h]    ; reads DS:100h, i.e. physical address 20100h

Protected Mode Addressing

(Figure: a Segment Selector, visible to software, is split into Index (bits 15:3), TI (bit 2) and RPL (bits 1:0). TI = 0 selects the GDT, TI = 1 the LDT; Index picks a Segment Descriptor in that table, and the CPU loads the descriptor's Base (32 bits), Limit (20 bits) and access info into a part of the segment register that is invisible to software. The descriptor tables live in main memory.)

• TI: Table Indicator
• RPL: Requested Privilege Level

Segment Descriptor Format

• Software (OS) creates descriptor tables (GDT, LDT)

(Figure: descriptor layout when S == 1.)

Address Translation in Protected Mode

(Figure: selector → descriptor table → base + offset = linear address → paging → physical address.)

Segmentation in Linux (Protected Mode)

• All Linux processes running in User mode or Kernel mode use the same pair of segments to address instructions and data
  • CS, DS bases: 0x0
  • Limit: 0xfffff (4GB)
• Thus, the logical address is the same as the linear address

http://www.c-jump.com/CIS77/ASM/Memory/M77_0240_protected_diagram.htm

Paging

(Figure: linear address → page tables → physical address.)

Page Translation in Protected Mode (4K Page, Non-PAE)

(Figure: two-level translation, CR3 → page directory → page table → 4 KB page.)

Page Translation in Protected Mode (4KB, PAE)

• 32-bit linear address → 52-bit physical address
• PAE: Physical Address Extension

Address Translation in 64-bit Mode

• Descriptor (each entry) in GDT and LDT is 16B wide
• Segmentation is disabled in 64-bit mode
  • Thus, switching a logical processor into 64-bit mode causes it to enforce the Flat Memory Model by largely disabling the segmented memory logic
  • However, any time the 64-bit OS kernel causes the logical processor to jump to a 16- or 32-bit legacy code segment, the segmentation logic is immediately re-enabled in order to maintain backward compatibility

Reference: x86 Instruction Set Architecture, Tom Shanley, MindShare, 2009

Code Segment Descriptor

• Segmentation is disabled in 64-bit mode
• Compatibility mode is enabled by the operating system on a code segment basis
  • L (Long) bit: 1 = 64-bit mode, 0 = Compatibility mode

AMD64 Architecture Programmer's Manual, Vol 2: System Programming
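Added example (not the lecture's own code) that decodes a segment selector and an 8-byte descriptor as drawn on the Protected Mode Addressing, Segment Descriptor Format and Code Segment Descriptor slides, and performs the logical-to-linear step with the flat Linux-style segments of the Segmentation in Linux slide. The GDT contents, selector values and offsets are constructed for the demonstration; the LDT and conforming code segments are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>

typedef struct { unsigned index, ti, rpl; } selector_t;
typedef struct {
    uint32_t base, limit;              /* limit in bytes, already scaled by G */
    bool present, is_code, long_mode;  /* P bit, code vs. data, L bit */
    unsigned dpl, type;                /* descriptor privilege level, type nibble */
} descriptor_t;

/* Selector layout from the slide: bits 15:3 Index, bit 2 TI (0 = GDT, 1 = LDT), bits 1:0 RPL */
selector_t decode_selector(uint16_t sel) { selector_t s = { sel >> 3, (sel >> 2) & 1, sel & 3 }; return s; }

/* 8-byte code/data descriptor (S == 1), bit positions as in the Intel/AMD manuals:
 * limit 15:0 | base 15:0 | base 23:16 | P DPL S Type | G D/B L AVL limit 19:16 | base 31:24 */
descriptor_t decode_descriptor(uint64_t d)
{
    descriptor_t r;
    uint32_t limit  = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    uint8_t  access = (uint8_t)(d >> 40);
    r.base      = (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24);
    r.present   = (access >> 7) & 1;
    r.dpl       = (access >> 5) & 3;
    r.type      = access & 0xF;
    r.is_code   = (access & 0x10) && (r.type & 0x8);  /* S == 1 and type bit 3 set => code */
    r.long_mode = (d >> 53) & 1;                       /* L: 1 = 64-bit mode, 0 = compatibility mode */
    r.limit     = ((d >> 55) & 1) ? (limit << 12) | 0xFFF : limit;  /* G: 4 KB granularity */
    return r;
}

/* Logical (selector:offset) -> linear address with the limit and privilege checks the CPU applies.
 * Only the GDT is modelled (TI must be 0). */
bool logical_to_linear(uint16_t sel, uint32_t offset, const uint64_t *gdt, unsigned entries,
                       unsigned cpl, uint32_t *linear)
{
    selector_t s = decode_selector(sel);
    if (s.ti != 0 || s.index == 0 || s.index >= entries) return false; /* null / out-of-table selector */
    descriptor_t d = decode_descriptor(gdt[s.index]);
    if (!d.present || offset > d.limit) return false;                   /* not present / limit violation */
    if (!d.is_code && (cpl > d.dpl || s.rpl > d.dpl)) return false;    /* data: max(CPL, RPL) <= DPL */
    *linear = d.base + offset;
    return true;
}

/* Constructed flat GDT in the Linux style the slides describe (base 0, limit 0xfffff, G = 1 => 4 GB),
 * plus a 64-bit code segment (L = 1) and one small non-flat data segment for contrast. */
const uint64_t demo_gdt[7] = {
    0x0000000000000000ull,  /* 0: null selector */
    0x00CF9A000000FFFFull,  /* 1: kernel code, DPL 0 */
    0x00CF92000000FFFFull,  /* 2: kernel data, DPL 0 */
    0x00CFFA000000FFFFull,  /* 3: user code, DPL 3 */
    0x00CFF2000000FFFFull,  /* 4: user data, DPL 3 */
    0x00AF9A000000FFFFull,  /* 5: 64-bit kernel code, L = 1 */
    0x000092400000FFFFull,  /* 6: data at base 0x00400000, byte-granular limit 0xFFFF (64 KB) */
};

/* Convenience wrapper for the demo table: linear address, or -1 where the CPU would fault */
long long demo_translate(uint16_t sel, uint32_t offset, unsigned cpl)
{ uint32_t lin; return logical_to_linear(sel, offset, demo_gdt, 7, cpl, &lin) ? (long long)lin : -1; }
```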

Page Translation in 64-bit Mode

• 48-bit linear address → 52-bit physical address

Linear Space Segmentation

• A compiled program's memory is divided into 5 segments:
  • Text segment (code segment), where the program (assembled machine instructions) is located
  • Data and bss segments
    • Data segment is filled with the initialized data and static variables
    • bss (Block Started by Symbol) is filled with the uninitialized data and static variables
  • Heap segment for dynamic allocation and deallocation of memory using malloc() and free()
  • Stack segment, a scratchpad to store local variables and context during a context switch

Stack Frame

• EBP (aka Frame Pointer (FP) or Local Base (LB) Pointer) for referencing function parameters and local variables in the current stack frame
• Each stack frame contains
  • Parameters to the function
  • Local variables
  • 2 pointers: Saved Frame Pointer (SFP) and return address
    • SFP for restoring EBP to its previous value
    • Return address for restoring EIP to its previous value

Stack Layout with x86

(Figure. Source: Reversing, Secrets of Reverse Engineering, Eldad Eilam, 2005)

Stack Frame Example

(Figure sequence over four slides, stack drawn from High address to Low address. The caller executes push ebp; mov ebp, esp; sub esp, 0x20, pushes the arguments 4, 3, 2, 1 and then call 0x8048394, which pushes the return address eip (0x8048410). The callee executes push ebp; mov ebp, esp; sub esp, 0x10, so its saved frame pointer is at [ebp], the return address at [ebp+4] and the parameters at [ebp+0x08], [ebp+0x0C], [ebp+0x10], [ebp+0x14]; its local variables (labelled A through J) sit at [ebp-0x04] through [ebp-0x10]. The callee computes Result (a+b+c+d); the LEAVE instruction tears down its frame and after the RET instruction ESP and EBP are back in the caller's frame.)

• Compilation outcome could be different depending on compiler version and optimization flags

Backup Slides

Segment Selector

(Figure only.)

Floating Point Formats

(Figure only.)

Debugging Tools

• GDB, the GNU Project Debugger
• DDD, the Data Display Debugger
  • GUI front end to GDB
• Eclipse Integrated Development Environment (IDE)
  • Eclipse CDT (C/C++ Development Toolkit)
  • "Install New Software"
    • Name: Galileo
    • URL: http://download.eclipse.org/tools/cdt/releases/galileo
• IDA Pro, the Interactive Disassembler Professional
  • Audit a binary with no source code
  • Supports more than 50 families of processors
  • IDA 5.0 is free for non-commercial use

Just in case…

• Compile your code with gcc
    gcc -g float-d.c -o float-d        // compiled with debugging info
• Disassemble the binary with objdump
    objdump -M intel -Stx float-d > float-d.dump

GDB

• $ echo "set disassembly-flavor intel" > ~/.gdbinit
  • Shows disassembly in Intel format (rather than AT&T format): operation <destination>, <source>, e.g. mov ebp, esp ; ebp <- esp
• GDB command summary
    (gdb) help
    (gdb) help disass
    (gdb) list
    (gdb) list 1,20
    (gdb) disass main
    (gdb) disass /mr main
    (gdb) info registers (or i r)   ; display x86 registers
• Examples:
    (gdb) i r
    (gdb) i r $eip
    (gdb) x                ; examine
    (gdb) x/10i $eip       ; display 10 instructions from eip
    (gdb) x/2x $eip        ; display 2 words (4 bytes) in hex. Size letters: b (byte), h (halfword), w (word, 4B), g (8B)
    (gdb) nexti            ; execute 1 machine instruction. Will step into subfunctions
    (gdb) stepi            ; execute 1 machine instruction. Will not enter subfunctions
    (gdb) next             ; step program
    (gdb) step             ; step program until it reaches a different source line

x86 Instructions

• CALL – call procedure. In a 32-bit near call:
  • Push EIP of the instruction following the CALL instruction
  • Then branch to the target specified in the operand
• LEAVE – high-level procedure exit. Releases the stack frame set up by an earlier ENTER instruction. In 32-bit:
  • ESP ← EBP;
  • EBP ← pop();
• RET – return from procedure. In a 32-bit near return:
  • EIP ← pop();

x86 Instructions

• PUSH – push word, doubleword or quadword onto the stack. Decrement the stack pointer and then store the source operand on the top of the stack
• POP – pop a value from the stack. Load the value from the top of the stack and increment the stack pointer
• LEA – load effective address. For instance, LEA ecx, dword ptr [edx+edx]
  • ECX ← EDX + EDX;
  • Note that even though most disassemblers add the words DWORD PTR before the operand, LEA really can't distinguish between a pointer and an integer. LEA never performs any actual memory accesses.
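Added example (not code from the lecture) that replays the Stack Frame Example slides on a small simulated stack using the PUSH/POP/CALL/LEAVE/RET semantics from the x86 Instructions slides. STACK_TOP and the caller's entry EIP are assumed values; the call target 0x8048394, the return address 0x8048410, the frame sizes and the arguments 4, 3, 2, 1 are the slides'.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit stack: 4 KB of "memory" whose top is STACK_TOP (an assumed high address) */
#define STACK_BYTES 4096
#define STACK_TOP   0xBFFFF000u
static uint8_t stack_mem[STACK_BYTES];

typedef struct { uint32_t esp, ebp, eip; } cpu_t;

static uint8_t *slot(uint32_t addr) { return &stack_mem[addr - (STACK_TOP - STACK_BYTES)]; }
static uint32_t rd(uint32_t a) { uint32_t v; memcpy(&v, slot(a), 4); return v; }
static void     wr(uint32_t a, uint32_t v) { memcpy(slot(a), &v, 4); }

/* Instruction semantics as given on the "x86 Instructions" slides */
void     x_push(cpu_t *c, uint32_t v) { c->esp -= 4; wr(c->esp, v); }                 /* decrement ESP, then store */
uint32_t x_pop(cpu_t *c)              { uint32_t v = rd(c->esp); c->esp += 4; return v; } /* load, then increment */
void     x_call(cpu_t *c, uint32_t target, uint32_t next_eip) { x_push(c, next_eip); c->eip = target; }
void     x_leave(cpu_t *c)            { c->esp = c->ebp; c->ebp = x_pop(c); }
void     x_ret(cpu_t *c)              { c->eip = x_pop(c); }
/* The usual prologue: push ebp; mov ebp, esp; sub esp, N */
void     x_prologue(cpu_t *c, uint32_t frame_bytes) { x_push(c, c->ebp); c->ebp = c->esp; c->esp -= frame_bytes; }

typedef struct {
    uint32_t ret_addr, arg1, arg4, result, eip_after;
    int sfp_restores_caller;   /* [ebp] held the caller's EBP and LEAVE put it back */
} frame_info_t;

/* Replay the slides: the caller builds a 0x20-byte frame, pushes 4, 3, 2, 1 (cdecl: right to left),
 * calls 0x8048394 with return address 0x8048410; the callee builds a 0x10-byte frame and returns a+b+c+d. */
frame_info_t run_frame_example(void)
{
    cpu_t c = { STACK_TOP, STACK_TOP, 0x8048380u };   /* ESP, EBP, EIP on entry to the caller (EIP assumed) */
    x_prologue(&c, 0x20);
    uint32_t caller_ebp = c.ebp;
    x_push(&c, 4); x_push(&c, 3); x_push(&c, 2); x_push(&c, 1);
    x_call(&c, 0x8048394u, 0x8048410u);
    x_prologue(&c, 0x10);
    frame_info_t f;
    f.ret_addr = rd(c.ebp + 4);      /* return address sits just above the saved frame pointer */
    f.arg1     = rd(c.ebp + 8);      /* first parameter at [ebp+0x08] ... */
    f.arg4     = rd(c.ebp + 0x14);   /* ... fourth parameter at [ebp+0x14], as on the slide */
    f.result   = rd(c.ebp + 8) + rd(c.ebp + 0xC) + rd(c.ebp + 0x10) + rd(c.ebp + 0x14);
    wr(c.ebp - 4, f.result);         /* first local variable lives at [ebp-0x04] */
    f.sfp_restores_caller = (rd(c.ebp) == caller_ebp);
    x_leave(&c);                     /* ESP <- EBP; EBP <- pop() */
    x_ret(&c);                       /* EIP <- pop() */
    f.eip_after = c.eip;
    f.sfp_restores_caller = f.sfp_restores_caller && (c.ebp == caller_ebp);
    return f;
}
```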

x86 Instructions

• TEST
  • Compute the bit-wise logical AND of the first operand and the second operand
  • Set flags (SF, ZF, and PF) according to the result
  • Then discard the result
  • Example: test eax, eax
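Added example, not part of the lecture, of the flag computation behind test eax, eax and of what the conditional jumps usually seen after it in compiled code mean; the operand values are constructed.

```c
#include <stdint.h>

typedef struct { int zf, sf, pf; } test_flags_t;

/* PF is set when the low byte of the result contains an even number of 1 bits */
static int even_parity8(uint8_t b)
{
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return (b & 1) == 0;
}

/* TEST op1, op2: AND the operands, set ZF/SF/PF from the result, discard the result.
 * The architecture also clears CF and OF, which is what makes the jumps below readable. */
test_flags_t x86_test(uint32_t op1, uint32_t op2)
{
    uint32_t r = op1 & op2;
    test_flags_t f = { r == 0, (r >> 31) & 1, even_parity8((uint8_t)r) };
    return f;
}

/* Conditional jumps that typically follow "test eax, eax" in compiled code */
int jz_taken(test_flags_t f)  { return f.zf; }                /* eax == 0 */
int js_taken(test_flags_t f)  { return f.sf; }                /* eax < 0 as a signed value */
int jle_taken(test_flags_t f) { return f.zf || (f.sf != 0); } /* ZF || SF != OF, OF is 0 after TEST: eax <= 0 */
```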

Buffer Overflow Protection

• gcc -fstack-protector-all
• gcc -fno-stack-protector
• objdump -SD --disassembler-options=intel stack_example

http://en.wikipedia.org/wiki/Buffer_overflow_protection