Information Security System Design Foundation, Fifth Week Study Summary

Source: Internet
Author: User

"Learning Time: 10 hours"

"Learning content: Chapter 3, Machine-Level Representation of Programs"

I. Textbook contents

1. Changes in x86 addressing modes:

1) The DOS-era real mode: a single address space with no separation between user space and kernel space, so any program can read or overwrite any memory, which is very insecure;

2) The 8086 segmented mode (segment:offset addressing);

3) The IA32 flat mode under protected mode: each process sees a flat 32-bit address space while the hardware enforces privilege levels between user and kernel code.

2. Two kinds of abstraction of machine programming:

1) The instruction set architecture (ISA): defines the instruction formats and the effect each instruction has on the processor state after it executes. Most ISAs describe program behaviour as if instructions executed strictly one after another, even though the hardware may overlap them;

2) Virtual addresses: memory appears to the program as a flat, very large array of bytes, with the hardware and operating system translating these addresses behind the scenes.

3. Processor state visible to the assembly programmer

1) The program counter (PC, %eip on IA32), which holds the memory address of the next instruction to be executed;

2) The integer registers, which store data and addresses; the condition-code registers, which hold status information about the most recent arithmetic or logical instruction and drive conditional branches; the floating-point registers, etc.

4. gcc -S xxx.c produces the assembly code generated by the C compiler without doing any further work; with the -c option, gcc compiles and assembles the code to produce the binary object file xxx.o. This shows that what the machine actually executes is a sequence of bytes that encode a series of instructions.

5. Typical assembly statements in a function:

    pushl %ebp          // push the contents of this register onto the program stack
    movl %esp,%ebp
    ...
    addl %eax,accum
    popl %ebp
6. To obtain 32-bit code on a 64-bit machine: gcc -m32 -S xxx.c

7. Disassembler: produces a format similar to assembly code from the object code. On Linux this is done with objdump -d xxx.o.

8. Binary files can be viewed with the od command or with gdb's x command. Some of the output is very long, so we can pipe it into more or less, or redirect the output to a file:

    od code.o | more

    od code.o > code.txt

9. Linux uses the ATT assembly format, while Windows uses the Intel format. The grammars differ: the Intel format omits the size suffix on instruction names and the % before register names, lists the destination operand first, and so on.

10. Intel uses the term "word" for a 16-bit data type. On IA32 both int and long int are 4 bytes, i.e. two words; char is a single byte; a pointer is stored as a 4-byte double word. In assembly code the suffix b denotes a byte, w a word and l a double word ("long").

11. An IA32 central processing unit (CPU) contains a set of 8 registers that store 32-bit values. %esi and %edi are typically used to index arrays, %esp and %ebp to manage stack frames. The other four (%eax, %ebx, %ecx, %edx) are general purpose and, for compatibility with 16-bit machines, their low 16 bits (%ax, %bx, %cx, %dx) and low 8 bits (%al, %ah, ...) can be addressed on their own. When only the low byte is operated on, the result is truncated to 8 bits: anything that does not fit is lost, so 0xff + 1 leaves 0 in %al.

12. The three types of operands: immediate (a constant of at most 32 bits, written $Imm), register (Ea denotes any register and R[Ea] its value), and memory (the address computed from the operand is used to access memory; M[Addr] denotes the value stored at Addr).

13. General addressing formula: an effective address can be written Imm + R[Eb] + R[Ei]*s, in assembly Imm(Eb,Ei,s). Imm is the immediate offset, Eb the base register, Ei the index register and s the scale factor (1, 2, 4 or 8). For example:

1) Ea: operand value R[Ea] (register mode)

2) (Ea): operand value M[R[Ea]] (indirect)

3) Imm(Ea): operand value M[Imm + R[Ea]] (base plus displacement)

14. A mov instruction "moves" a value from the source operand to the destination operand (source first, destination second in ATT syntax) and is equivalent to an assignment. IA32 does not allow a mov directly from one memory address to another; the value has to pass through a register. movs sign-extends a smaller source into a larger destination; movz zero-extends it.

15. push and pop instructions push data onto and pop data off the program stack. The stack is last-in, first-out; it grows downward (toward lower addresses), and the stack pointer %esp holds the address of the top element. pushl %eax is equivalent to subl $4,%esp followed by movl %eax,(%esp); popl %eax is equivalent to movl (%esp),%eax followed by addl $4,%esp.

16. leal (load effective address) computes the address the operand notation would refer to and stores it in the destination register without reading memory; compilers also use it for arithmetic such as x + 4*y. neg negates its operand; sub S,D stores D - S in D. The shift instructions sal and shl (left), sar (arithmetic right, filling with the sign bit) and shr (logical right, filling with zeros) take the shift amount either as an immediate or from %cl.

17. Apart from leal, every arithmetic and logical instruction sets the condition codes. Some instructions set the condition codes without writing a result to an operand: cmp S2,S1 behaves like sub (it computes S1 - S2) and test S2,S1 like and (it computes S1 & S2), with only the flags updated. ZF is set to 1 when the result is zero, so a cmp of two equal values sets ZF.

Think about it: where are cmp and sub each used?

"In general, cmp is used to test an operand, for example to test how a number compares with a known quantity, while sub performs an actual subtraction as an ordinary arithmetic operation."

18. The set instructions write a single byte (the destination operand) with 0 or 1 according to the condition codes left by t = a - b (for example sete tests ZF, setl tests SF ^ OF, setb tests CF).

19. Jump instructions:

1) Unconditional jump: jmp .Label jumps to the statement at the label (a direct jump); jmp *Operand is an indirect jump. Note the two indirect forms: with jmp *%eax the value in %eax is itself the jump target, while with jmp *(%eax) the value in %eax is an address and the jump target is read from memory at that address.

2) Conditional jumps: like the set instructions, they branch according to a condition code or a combination of condition codes (je, jne, jl, jb, ...).
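The relation between cmp, the condition codes and the set/j predicates in items 17 to 19 can be worked through in C. The following is an added example written for these notes, not code from the textbook or from this page: it computes the four flags that cmpl b,a (i.e. t = a - b) leaves behind and derives every set predicate from them the way the hardware defines it. The function names (cmp_flags, set_l, flags_agree, ...) are this example's own. The signed predicates (set_l, set_g) use SF ^ OF, the unsigned ones (set_b, set_a) use CF, and the two disagree on inputs such as INT32_MIN versus 1; that difference is exactly why a length check compiled as jl instead of jb lets a "negative" length through.

```c
#include <stdint.h>
#include <stdio.h>

/* Condition codes left by  cmpl b, a  (AT&T operand order), i.e. by t = a - b. */
typedef struct { unsigned cf, zf, sf, of; } flags_t;

flags_t cmp_flags(int32_t a, int32_t b) {
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    uint32_t t = ua - ub;      /* unsigned subtraction: well defined even when a - b overflows */
    flags_t f;
    f.cf = ua < ub;            /* carry flag: borrow out of the top bit */
    f.zf = (t == 0);           /* zero flag */
    f.sf = t >> 31;            /* sign flag: top bit of the 32-bit result */
    /* overflow flag: a and b have different signs and t's sign differs from a's */
    f.of = ((ua ^ ub) & (ua ^ t)) >> 31;
    return f;
}

/* set/j predicates, each computed from the flags exactly as the hardware defines it */
int set_e (flags_t f) { return f.zf; }                    /* ==  */
int set_ne(flags_t f) { return !f.zf; }                   /* !=  */
int set_l (flags_t f) { return f.sf ^ f.of; }             /* signed <  */
int set_le(flags_t f) { return (f.sf ^ f.of) | f.zf; }    /* signed <= */
int set_g (flags_t f) { return !(f.sf ^ f.of) & !f.zf; }  /* signed >  */
int set_ge(flags_t f) { return !(f.sf ^ f.of); }          /* signed >= */
int set_b (flags_t f) { return f.cf; }                    /* unsigned <  */
int set_be(flags_t f) { return f.cf | f.zf; }             /* unsigned <= */
int set_a (flags_t f) { return !f.cf & !f.zf; }           /* unsigned >  */
int set_ae(flags_t f) { return !f.cf; }                   /* unsigned >= */

/* Cross-check: every derived predicate must agree with C's own comparison operators. */
int flags_agree(int32_t a, int32_t b) {
    flags_t f = cmp_flags(a, b);
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    return set_e(f)  == (a == b)  && set_ne(f) == (a != b)
        && set_l(f)  == (a <  b)  && set_le(f) == (a <= b)
        && set_g(f)  == (a >  b)  && set_ge(f) == (a >= b)
        && set_b(f)  == (ua < ub) && set_be(f) == (ua <= ub)
        && set_a(f)  == (ua > ub) && set_ae(f) == (ua >= ub);
}

int main(void) {
    /* constructed sample pairs, including the overflow and signed/unsigned corner cases */
    const int32_t pairs[][2] = {
        {5, 3}, {3, 5}, {7, 7}, {-1, 0}, {INT32_MIN, 1}, {INT32_MAX, -1}
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int32_t a = pairs[i][0], b = pairs[i][1];
        flags_t f = cmp_flags(a, b);
        printf("cmp a=%11d b=%11d  CF=%u ZF=%u SF=%u OF=%u  jl=%d jb=%d  agree=%d\n",
               (int)a, (int)b, f.cf, f.zf, f.sf, f.of, set_l(f), set_b(f), flags_agree(a, b));
    }
    return 0;
}
```

For the pair (INT32_MIN, 1) the table shows jl = 1 but jb = 0: the signed predicate says "less", the unsigned one says "not below", because 0x80000000 is a large unsigned number. The compiler picks jl or jb from the C types of the operands, so a signed int length compared against a buffer size is checked with jl and a negative value passes the check.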

20. The goto form equivalent to a do-while statement:

    loop:
        body-statement
        t = test-expr;
        if (t)
            goto loop;

21. The goto form equivalent to a while statement:

        t = test-expr;
        if (!t)
            goto done;
    loop:
        body-statement
        t = test-expr;
        if (t)
            goto loop;
    done:
22. Flow of a for loop: the program first evaluates the initialization expression init-expr, then enters the loop; each iteration evaluates the test condition test-expr first and exits the loop if it is false, otherwise executes the loop body and finally evaluates the update expression update-expr.

23. A switch statement selects among multiple branches based on an integer index value; when the case values are dense, the compiler makes this more efficient with a jump table. The jump table is an array whose entry i is the address of the code segment for index i (in GCC's C extension, & takes a pointer to a data value and && a pointer to a code location). Before indexing the table, the generated code checks that the index lies within the table's range and otherwise jumps to the default case.

24. IA32 uses the program stack to support procedure calls (for both data and control). A stack frame is the portion of the stack allocated for a single procedure. %ebp, the frame pointer, marks the bottom of the frame (the highest address); %esp, the stack pointer, marks the top (the lowest address) and can move while the procedure executes.

25. Transfer of control:

1) call instruction: its operand is the address of the first instruction of the called procedure. Its effect is to push the return address (the address of the instruction following the call) onto the stack and then jump to the start of the called procedure.

2) ret instruction: pops the return address off the stack and jumps to that location.

"Taking the two together, a function call converges like this: call is like the first explorer, who records the address of the maze entrance in a safe place (the stack) and then explores the maze (the function); ret is like the guard who, once the expedition is complete, takes the address back out and leads the program back to the original entrance to continue along the road (the main program)."

26. The compiler generates code that manages the stack structure according to a very simple set of conventions. Parameters are passed to the function on the stack and are accessed at positive offsets from %ebp (the first argument at 8(%ebp), the second at 12(%ebp), and so on). Space on the stack is allocated with push instructions or by subtracting an offset from the stack pointer.

II. Selected exercises

1. Where are the errors in the following code?

movb $0xf, (%bl): %bl cannot be used as an address register; only the 32-bit registers may appear inside a memory operand.

movw (%eax), 4(%esp): the destination and source operands cannot both be memory.

movb %si, 8(%ebp): the instruction suffix (b, a byte) does not match the register size (%si is 16 bits).

2. xp, yp and zp are stored at offsets 8, 12 and 16 relative to the register %ebp. Write the C code equivalent to the following assembly:

    movl 8(%ebp),%edi     // edi = xp
    movl 12(%ebp),%edx    // edx = yp
    movl 16(%ebp),%ecx    // ecx = zp
    movl (%edx),%ebx      // ebx = *yp
    movl (%ecx),%esi      // esi = *zp
    movl (%edi),%eax      // eax = *xp
    movl %eax,(%edx)      // *yp = x
    movl %ebx,(%ecx)      // *zp = y
    movl %esi,(%edi)      // *xp = z

The code is as follows:

    void decode1(int *xp, int *yp, int *zp)
    {
        int x = *xp;
        int y = *yp;
        int z = *zp;
        *yp = x;
        *zp = y;
        *xp = z;
    }
3. Complete the C code according to the assembly (x, y, z are stored at offsets 8, 12 and 16 relative to %ebp):

    movl 12(%ebp),%eax    // eax = y
    xorl 8(%ebp),%eax     // eax = x ^ y
    sarl $3,%eax          // arithmetic shift right by 3
    notl %eax             // bitwise complement
    subl 16(%ebp),%eax    // eax -= z

C Language code:

    int arith(int x, int y, int z)
    {
        int t1 = x ^ y;
        int t2 = t1 >> 3;   /* sarl $3: arithmetic right shift by 3, not a multiplication */
        int t3 = ~t2;
        int t4 = t3 - z;
        return t4;
    }
4. Consider the following C language code:
    int test(data_t a)
    {
        return a TEST 0;
    }

What data type and comparison test will cause the compiler to generate code based on each of the following sequence of instructions?

A.  testl %eax,%eax
    setne %al

[The l suffix shows 32-bit operands, so data_t can be int, unsigned or a pointer; setne shows that the comparison is !=. For unsigned, the same code could also come from a > 0, since for unsigned values "above 0" and "not equal to 0" coincide.]

B.  testb %al,%al
    setg %al

[The b suffix shows an 8-bit operand, so data_t is char; setg is the signed "greater than", so the comparison is >.]

5. In the following excerpt of disassembled binary code, some bytes have been replaced with X. Fill them in.

A.

    804828f:  74 05             je    XXXXXXX
    8048291:  e8 1e 00 00 00    call  80482b4

XXXXXXX: 0x8048291 + 0x05 = 0x8048296. [Per P129, when the jump executes the program counter already holds the address of the instruction following the jump, because updating the PC is the first step of executing any instruction; so the displacement is added to the address of the next instruction, not to the address of the jump itself.]

B.

    8048357:  72 e7                    jb    XXXXXXX
    8048359:  c6 05 10 a0 04 08 01     movb  $0x1,0x804a010

XXXXXXX: 0xe7 is a two's-complement (signed) displacement equal to -0x19, i.e. -25, so the target is 0x8048359 - 0x19 = 0x8048340.
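The two displacement computations in exercise 5 can be written as a small decoder. This is an added example for these notes, not the textbook's code: jcc_rel8_target handles the 2-byte short conditional jumps (opcode plus a signed 8-bit displacement) and rel32_target the 5-byte call/jmp with a little-endian 32-bit displacement; both names, and the deliberately wrong jcc_rel8_target_unsigned_bug, are this example's own. The page lists the call as reaching 80482b4, which from the next-instruction address 0x8048296 implies the displacement bytes 1e 00 00 00, so those bytes are used here. The point of the example is the sign extension: reading 0xe7 as +231 instead of -25 puts the target 256 bytes too high, the classic mistake when hand-decoding or writing a disassembler.

```c
#include <stdint.h>
#include <stdio.h>

/* Target of a short conditional jump (Jcc rel8): the instruction is 2 bytes long.
 * The displacement is relative to the address of the *next* instruction (the PC
 * has already been advanced when the jump executes) and is a signed 8-bit value,
 * so it must be sign-extended before it is added. */
uint32_t jcc_rel8_target(uint32_t insn_addr, uint8_t rel8) {
    int32_t disp = (int8_t)rel8;           /* 0x05 -> +5, 0xe7 -> -25 */
    return insn_addr + 2 + (uint32_t)disp; /* unsigned wrap-around implements the subtraction */
}

/* Wrong variant, kept only to show the pitfall: treating rel8 as unsigned. */
uint32_t jcc_rel8_target_unsigned_bug(uint32_t insn_addr, uint8_t rel8) {
    return insn_addr + 2 + rel8;           /* 0xe7 becomes +231, target off by 0x100 */
}

/* Target of a near call (e8) or jmp (e9) with rel32: the instruction is 5 bytes long.
 * The four displacement bytes are little-endian and form a signed 32-bit value. */
uint32_t rel32_target(uint32_t insn_addr, const uint8_t disp[4]) {
    uint32_t d = (uint32_t)disp[0]
               | (uint32_t)disp[1] << 8
               | (uint32_t)disp[2] << 16
               | (uint32_t)disp[3] << 24;
    return insn_addr + 5 + d;              /* wraps correctly for negative displacements too */
}

/* Displacement bytes of the call in exercise 5, A (1e 00 00 00 gives the listed target 80482b4). */
const uint8_t exercise5_call_disp[4] = {0x1e, 0x00, 0x00, 0x00};

int main(void) {
    /* the three instructions from exercise 5 */
    printf("804828f: 74 05           je   %08x\n",
           (unsigned)jcc_rel8_target(0x804828f, 0x05));
    printf("8048291: e8 1e 00 00 00  call %08x\n",
           (unsigned)rel32_target(0x8048291, exercise5_call_disp));
    printf("8048357: 72 e7           jb   %08x  (unsigned mistake would give %08x)\n",
           (unsigned)jcc_rel8_target(0x8048357, 0xe7),
           (unsigned)jcc_rel8_target_unsigned_bug(0x8048357, 0xe7));
    return 0;
}
```

The same rule (target = address of the next instruction + sign-extended displacement) applies to every relative branch on x86; only the instruction length and the displacement width change.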

6. The following C language codes are known:
    void cond(int a, int *p)
    {
        if (p && a > 0)
            *p += a;
    }

Write the goto version of the C code that corresponds to the compiled assembly:

    void goto_cond(int a, int *p)
    {
        if (p == 0)
            goto done;
        if (a <= 0)
            goto done;
        *p += a;
    done:
        return;
    }

Why does the C code have only one conditional statement while the assembly has two branches? "The first conditional branch is part of the implementation of the && expression: if the test that p is non-null fails, the code skips the test on a."

7. Complete the missing parts of the corresponding C code according to the assembly:

        movl 8(%ebp),%edx    // x at %ebp+8
        movl $0,%eax         // val = 0
        testl %edx,%edx
        je .L7               // if x == 0, skip the loop
    .L10:
        xorl %edx,%eax       // val ^= x
        shrl %edx            // x >>= 1 (shift right by 1)
        jne .L10             // loop while x != 0
    .L7:
        andl $1,%eax         // return val & 1

Then the corresponding C code is:

    int fun_a(unsigned x)
    {
        int val = 0;
        while (x != 0) {
            val = val ^ x;
            x >>= 1;
        }
        return val & 0x1;
    }

What does this code do? "If x has an odd number of 1 bits it returns 1; if an even number, it returns 0" (it computes the parity of x).

8. The function fun_b is compiled by gcc and produces the following assembly code:

        movl 8(%ebp),%ebx      // x at %ebp+8
        movl $0,%eax           // val = 0
        movl $0,%ecx           // i = 0
    .L13:
        leal (%eax,%eax),%edx  // edx = val << 1
        movl %ebx,%eax
        andl $1,%eax           // eax = x & 1
        orl %edx,%eax          // val = (val << 1) | (x & 1)
        shrl %ebx              // x >>= 1
        addl $1,%ecx           // i++
        cmpl $32,%ecx
        jne .L13               // loop while i != 32

Complete the C source code below:

    int fun_b(unsigned x)
    {
        int val = 0;
        int i;
        for (i = 0; i < 32; i++) {
            val = (val << 1) | (x & 0x1);
            x >>= 1;
        }
        return val;
    }

Purpose? "It reverses the order of the 32 bits of x, shifting them one at a time into val."

9. Fill in the missing C source according to the assembly code of Figure 3-20 on P148:

    int switcher(int a, int b, int c)
    {
        int answer;
        switch (a) {
        case 5:
            c = b ^ 15;
        case 0:
            answer = c + 112;
        case 2:
        case 7:
            answer = c + 6;
            break;
        case 4:
            answer = a;
            break;
        default:
            answer = b;
        }
        return answer;
    }
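Item 23 describes how the compiler turns a switch with dense cases into a jump table, and exercise 9 is such a switch. The following is an added example written for these notes, not the textbook's code or the compiler's output: switcher is the page's C function kept as the reference, and switcher_jt is a hand-written jump-table version using the GCC/Clang label-address extension (&&label, goto *p) that item 23 mentions, laid out the way the compiler would build the table for cases 0 to 7. The name switcher_jt is this example's own. The important line is the bounds check before goto *jt[a]: the cast to unsigned folds a < 0 and a > 7 into a single comparison, and without it an attacker-controlled index would make the program fetch a "code address" from memory outside the table and jump to it.

```c
#include <stdio.h>

/* Reference: the switch statement from exercise 9 (as on the page). */
int switcher(int a, int b, int c) {
    int answer;
    switch (a) {
    case 5:
        c = b ^ 15;
    case 0:
        answer = c + 112;
    case 2:
    case 7:
        answer = c + 6;
        break;
    case 4:
        answer = a;
        break;
    default:
        answer = b;
    }
    return answer;
}

/* Hand-written jump-table version, mirroring what the compiler emits.
 * Uses the GCC/Clang label-address extension (&&label gives a code pointer,
 * goto *p jumps to it), which corresponds to  jmp *.L7(,%eax,4)  in assembly. */
int switcher_jt(int a, int b, int c) {
    /* one entry per index 0..7; indices without a case point at the default label */
    static const void *const jt[8] = {
        &&case0, &&dflt, &&case2, &&dflt,
        &&case4, &&case5, &&dflt, &&case7
    };
    int answer;

    /* Bounds check first. The unsigned cast turns a negative a into a huge value,
     * so one comparison rejects both a < 0 and a > 7. Without this check, an
     * attacker-chosen a would read a "code address" from outside jt and jump to it. */
    if ((unsigned)a > 7u)
        goto dflt;
    goto *jt[a];

case5:
    c = b ^ 15;        /* falls through, like the switch */
case0:
    answer = c + 112;  /* falls through */
case2:
case7:
    answer = c + 6;
    goto done;         /* break */
case4:
    answer = a;
    goto done;         /* break */
dflt:
    answer = b;
done:
    return answer;
}

int main(void) {
    /* constructed inputs: every valid index plus out-of-range and negative ones */
    const int probes[] = {-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 1000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int a = probes[i];
        printf("a=%5d  switch=%4d  jump table=%4d\n",
               a, switcher(a, 3, 10), switcher_jt(a, 3, 10));
    }
    return 0;
}
```

Compiling switcher with gcc -m32 -S and looking for the cmpl/ja pair just before the indirect jmp shows the compiler doing the same range check; the fall-through from case 5 into case 0 and from case 0 into case 2 is why those labels sit one after another in both versions.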
10.

        call next
    next:
        popl %eax

A. What value is the register %eax set to? "The address of the instruction labelled next, i.e. the return address that call pushed onto the stack." B. Explain why this call has no matching ret instruction. "It is not a real procedure call: popl immediately removes the return address from the stack, and execution simply continues with the next instruction in sequence." C. What does this code do? "This is the only way in IA32 to get the value of the program counter (%eip) into an integer register, since there is no mov instruction that reads %eip."

III. Questions

1. Since leal is a variant of mov, can mov be used in every situation where leal can?

2. (Resolved in later study; see question 3 below for reference: after jumping to the target value, a piece of code may be executed.) P127:

jmp *Operand: "if the operand has the form %eax, the value in %eax is the jump target; if it has the form (%eax), the value in %eax is an address from which the jump target is read." So if such a statement appears in a program, what happens after jumping to the target value?

3. On P146, line 6 of the code block in Figure 3-19 is:

    jmp *.L7(,%eax,4)

However, the location of .L7 is not marked anywhere in the code. So how does the jmp instruction compute its address?

4. P148, Exercise 3.29

    int switcher(int a, int b, int c)
    {
        int answer;
        switch (a) {
        case 5:
            c = b ^ 15;
        case 0:
            answer = c + 112;
        case 2:
        case 7:
            answer = c + 6;
            break;
        case 4:
            answer = a;
            break;
        default:
            answer = b;
        }
        return answer;
    }

    case 4:
        answer = a;
        break;

The answer is explained as:

GCC optimizes the program, turning answer = 4 into answer = a.

Why?

5.

        call next
    next:
        popl %eax

C. What does this code do? "This is the only way in IA32 to put the value of the program counter into an integer register."

What does this explanation mean?

IV. Learning experience

In this week's self-study, the main thing was learning the dynamic changes that occur in the machine while a program executes. To investigate the dynamics it is necessary to understand the static internal "parameters" first; only with the foundation laid earlier is there any possibility of understanding this. In the bigger picture, it is because of last semester's assembly language foundation that the basic assembly code could be read smoothly, without constantly "looking up the dictionary". In study there is something like the "foreshadowing" of literary works: what kind of foundation you have laid determines what kind of transformation is possible.

