
AY 2007/2008 Course: Security 2 © Danilo Bruschi. Network Security Project: IA-32 Assembler (part I), Lecture 2.



Presentation transcript:

1 Network Security Project: IA-32 Assembler (part I), Lecture 2

2 Assembly language
A low-level language, generally a symbolic version of machine language.
Strictly dependent on the processor.
Translated into machine language by an assembler.
We will study the assembly language of the Intel processor family.

3 The 80x86 processors
8086: 16-bit processors, real mode
80286: 16-bit with protected mode
80386: 32-bit registers, 32-bit protected mode
80486/Pentium/Pentium Pro: add a few features, speed-ups
Pentium MMX: introduces the multimedia extensions (MMX)
Pentium II: Pentium Pro with MMX instructions
Pentium III: speed-up, introduces the Streaming SIMD Extensions (SSE)
Pentium 4: introduces the NetBurst architecture
Xeon: introduces Hyper-Threading

4 Basic execution environment

5 Memory
The memory that the processor addresses on its bus is called physical memory. Physical memory is organized as a sequence of 8-bit bytes. Each byte is assigned a unique address, called a physical address. The physical address space ranges from zero to a maximum of 2^36 - 1.
Virtually any operating system or executive designed to work with an IA-32 processor will use the processor's memory management facilities to access memory. These facilities provide features such as segmentation and paging, which allow memory to be managed efficiently and reliably.

6 Memory
Flat memory model: memory appears to a program as a single, continuous address space, called a linear address space. Code, data, and stacks are all contained in this address space. The linear address space is byte addressable.
Segmented memory model: memory appears to a program as a group of independent address spaces called segments. Code, data, and stacks are typically contained in separate segments. To address a byte in a segment, a program issues a logical address.

7 Memory management

8 CPU modes
The IA-32 architecture supports three basic operating modes: protected mode, real-address mode, and system management mode. The operating mode determines which instructions and architectural features are accessible.
Protected mode: this mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute real-address mode 8086 software in a protected, multitasking environment.
Real-address mode: this mode implements the programming environment of the Intel 8086 processor with extensions.
System management mode (SMM): this mode provides an operating system or executive with a transparent mechanism for implementing platform-specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated.

9 Basic program execution registers
The processor provides 16 basic program execution registers for use in general system and application programming. These registers can be grouped as follows:
General-purpose registers: these eight registers are available for storing operands and pointers.
Segment registers: these registers hold up to six segment selectors.
EFLAGS (program status and control) register: the EFLAGS register reports on the status of the program being executed and allows limited (application-program level) control of the processor.
EIP (instruction pointer) register: the EIP register contains a 32-bit pointer to the next instruction to be executed.

10 IA-32 registers
EAX: accumulator for operands and result data
EBX: pointer to data in the DS segment
ECX: counter for string and loop operations
EDX: I/O pointer
ESI: pointer to data in the segment pointed to by the DS register; source pointer for string operations
EDI: pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations
ESP: stack pointer (in the SS segment)
EBP: pointer to data on the stack (in the SS segment)

11 Segment registers

12 Segment registers
Each of the segment registers is associated with one of three types of storage: code, data, or stack.
CS register: contains the segment selector for the code segment, where the instructions being executed are stored. The processor fetches instructions from the code segment, using a logical address that consists of the segment selector in the CS register and the contents of the EIP register. The EIP register contains the offset within the code segment of the next instruction to be executed.
SS register: contains the segment selector for the stack segment, where the procedure stack is stored for the program, task, or handler currently being executed. All stack operations use the SS register to find the stack segment.

13 EIP
The instruction pointer (EIP) cannot be accessed directly by software; it is advanced from one instruction boundary to the next in straight-line code, or it is moved ahead or backwards by a number of instructions when executing JMP, Jcc, CALL, RET, and IRET instructions, interrupts, and exceptions.
The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.
The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction (RET or IRET).

14 CS
The CS register cannot be loaded explicitly by an application program. It is loaded implicitly by instructions or internal processor operations that change program control (such as procedure calls, interrupt handling, or task switching).

15 EFLAGS register

16 x86 assembly language
A (slightly) higher-level language than machine language.
A program is made of:
directives: commands for the assembler, e.g. .data identifies a section with variables
instructions: actual operations, e.g. jmp 8048f3f
Two possible syntaxes, with different ordering of the operands!
AT&T syntax (objdump, GNU Assembler)
DOS/Intel syntax (Microsoft Assembler, NASM)

17 Instruction syntax (AT&T)
label: mnemonic source(s), destination # comment
Numerical constants are prefixed with a $
Hexadecimal numbers start with 0x
Binary numbers start with 0b
Registers are denoted by %
Instructions can be modified using suffixes: b for byte, w for word (16 bits), l for long (32 bits)
movl %ecx,%eax # moves ecx into eax

18 NASM instructions
Syntax: label: mnemonic destination, source ; comment
Operands can be:
registers
memory locations
immediate values
implicit
The two operands of an instruction cannot both be memory locations.
The operands must have the same size.
mov [a], ax
add bx, 4
inc ecx
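Because the two syntaxes on slides 17 and 18 order the operands differently, reading objdump output next to NASM source is a frequent source of confusion. The following converter is an added example (not code from the lecture) that mechanically applies the rules the two slides state to turn AT&T lines into NASM lines; the mnemonic and register tables it uses are its own assumptions and cover only the common integer instructions:

```python
import re

# Added example, not from the lecture: convert AT&T-syntax IA-32 assembly
# (objdump, GNU as) into NASM/Intel syntax. Rules applied: AT&T writes
# source first and destination last, marks immediates with $ and registers
# with %, and puts the operand size in a b/w/l suffix; NASM writes the
# destination first and needs byte/word/dword only when no register fixes
# the size. The mnemonic and register tables below are assumptions.

SUFFIX_SIZE = {"b": "byte", "w": "word", "l": "dword"}
SUFFIXED = {"mov", "add", "sub", "cmp", "and", "or", "xor", "test",
            "inc", "dec", "push", "pop", "lea", "not", "neg"}
REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp",
             "ax", "bx", "cx", "dx", "si", "di", "sp", "bp",
             "al", "ah", "bl", "bh", "cl", "ch", "dl", "dh"}
# disp(base,index,scale) with every part optional: 8(%ebp), (%eax,%ebx,4)
MEM_RE = re.compile(
    r"^(-?(?:0x[0-9a-fA-F]+|\d+))?\((%\w+)?(?:,(%\w+)(?:,(\d+))?)?\)$")


def convert_operand(op):
    """Return (intel_text, is_memory) for one AT&T operand."""
    op = op.strip()
    if op.startswith("%"):
        return op[1:], False                      # %eax -> eax
    if op.startswith("$"):
        return op[1:], False                      # $0x10 -> 0x10
    m = MEM_RE.match(op)
    if m:
        disp, base, index, scale = m.groups()
        parts = [base[1:]] if base else []
        if index:
            parts.append(index[1:] + ("*" + scale if scale else ""))
        if disp:
            parts.append(disp)
        return "[" + "+".join(parts).replace("+-", "-") + "]", True
    return "[" + op + "]", True                   # bare symbol = memory


def convert_line(line):
    """Convert one AT&T line (optional label and # comment) to NASM syntax."""
    code, _, comment = line.partition("#")
    code = code.strip()
    label = ""
    if ":" in code:
        label, _, code = code.partition(":")
        label, code = label.strip() + ": ", code.strip()
    comment = "  ; " + comment.strip() if comment.strip() else ""
    if not code:
        return (label.rstrip() + comment).strip()
    words = code.split(None, 1)
    mnem, ops = words[0], words[1] if len(words) > 1 else ""
    size = None
    if mnem[-1] in SUFFIX_SIZE and mnem[:-1] in SUFFIXED:
        size, mnem = SUFFIX_SIZE[mnem[-1]], mnem[:-1]
    operands = []
    if ops and (mnem == "call" or mnem.startswith("j")):
        # branch target: a label/address, or an indirect *reg / *mem operand
        operands = [convert_operand(ops[1:])] if ops.startswith("*") else [(ops, False)]
    elif ops:
        # split on commas outside parentheses, then swap src,dst -> dst,src
        operands = [convert_operand(o) for o in re.split(r",(?![^(]*\))", ops)]
        operands.reverse()
    has_reg = any(t in REGISTERS for t, mem in operands if not mem)
    texts = [(size + " " + t) if mem and size and not has_reg else t
             for t, mem in operands]
    return label + mnem + (" " + ", ".join(texts) if texts else "") + comment


if __name__ == "__main__":
    for src in ("movl %ecx,%eax #moves ecx into eax", "movl $1, 8(%ebp)",
                "movl 4(%esp,%eax,4), %ebx", "cmpb $0x41, (%eax)", "jmp 8048f3f"):
        print(src.ljust(36), "->", convert_line(src))
```

The size keyword is emitted only when the instruction has a memory operand and no register operand, which is exactly the case where NASM would otherwise reject the line as ambiguous (`mov [ebp+8], 1` has no size).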

19 Directives
A db 190
B dw 134fh
C db 'b'
Array times 10 dw 0
Array2 resw 20
The different locations are stored consecutively in memory, in declaration order.
%include includes a file: %include "asm_io.inc"

20 Instruction types
Data transfer: mov, xchg, push, pop
Arithmetic: add, sub, mul, div, inc, dec
Logical: and, or, xor, not
Control transfer: jmp, jne, call, ret, int, iret

21 Stack instructions
The stack usually grows towards lower memory addresses. This is the way the stack grows on many architectures, including the Intel, Motorola, SPARC, and MIPS processors.
The stack pointer (ESP) points to the top of the stack (the last valid address).
A push operation first decrements the stack pointer and then stores the value at the address contained in the register.
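The behaviour described on slide 13 (EIP can only be read through CALL and only loaded through RET) and on slide 21 (PUSH decrements ESP and then stores) is easiest to see on a tiny model of the procedure stack. The following is an added example, not code from the lecture; the initial ESP and code addresses are constructed values and the CALL is assumed to be 5 bytes long:

```python
import struct

# Added example, not from the lecture: a minimal model of the IA-32 procedure
# stack (PUSH, POP, CALL, RET) with a little-endian byte memory. The initial
# ESP/EIP values and the 5-byte CALL length are assumptions for illustration.

class StackMachine:
    def __init__(self, esp=0xBFFFF000, eip=0x08048000):   # constructed layout
        self.mem = {}            # sparse byte-addressable memory
        self.esp = esp
        self.eip = eip

    def store32(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def load32(self, addr):
        raw = bytes(self.mem.get(addr + i, 0) for i in range(4))
        return struct.unpack("<I", raw)[0]

    def push(self, value):
        # The stack grows toward lower addresses: decrement ESP first, then
        # store at the address ESP now holds (the new top of stack).
        self.esp -= 4
        self.store32(self.esp, value)

    def pop(self):
        value = self.load32(self.esp)
        self.esp += 4
        return value

    def call(self, target, insn_len=5):
        # CALL pushes the return instruction pointer (the address of the
        # instruction following the CALL) and then loads EIP with the target.
        self.push(self.eip + insn_len)
        self.eip = target

    def ret(self):
        # RET pops the saved return pointer into EIP. This is the indirect
        # path by which EIP is loaded, so the integrity of that saved word
        # decides where execution continues.
        self.eip = self.pop()


def read_eip(machine):
    """Slide 13: CALL the very next instruction, then POP the return pointer;
    the value obtained is the address of that next instruction."""
    machine.call(machine.eip + 5)
    return machine.pop()


def call_and_return(machine, target):
    """CALL target, read the pushed return pointer at [ESP], then RET."""
    esp_before = machine.esp
    machine.call(target)
    saved = machine.load32(machine.esp)          # what CALL left on the stack
    machine.ret()
    return saved, machine.eip, machine.esp == esp_before


def lifo_order(values):
    """PUSH each value in order, then POP them all: last in, first out."""
    m = StackMachine()
    for v in values:
        m.push(v)
    esp_drop = 0xBFFFF000 - m.esp                # 4 bytes per push
    return [m.pop() for _ in values], esp_drop


if __name__ == "__main__":
    print(hex(read_eip(StackMachine())))
    print(call_and_return(StackMachine(), 0x08048100))
    print(lifo_order([1, 2, 3]))
```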

22 mul
mul source
The source is either a register or a memory reference. It cannot be an immediate value. Exactly what multiplication is performed depends on the size of the source operand:
If the operand is byte sized, it is multiplied by the byte in the AL register and the result is stored in the 16 bits of AX.
If the source is 16-bit, it is multiplied by the word in AX and the 32-bit result is stored in DX:AX.
If the source is 32-bit, it is multiplied by EAX and the 64-bit result is stored into EDX:EAX.

23 div
div source
If the source is 8-bit, then AX is divided by the operand. The quotient is stored in AL and the remainder in AH.
If the source is 16-bit, then DX:AX is divided by the operand. The quotient is stored into AX and the remainder into DX.
If the source is 32-bit, then EDX:EAX is divided by the operand; the quotient is stored into EAX and the remainder into EDX.

24 I/O
print_int: prints to the screen the value of the integer stored in EAX
print_char: prints to the screen the character whose ASCII value is stored in AL
print_string: prints to the screen the contents of the string at the address stored in EAX. The string must be a C-type string (i.e. null terminated).
print_nl: prints a newline character to the screen
read_int: reads an integer from the keyboard and stores it into the EAX register
read_char: reads a single character from the keyboard and stores its ASCII code into the EAX register

25 Debugging
dump_regs: prints the values of the registers (in hexadecimal) to stdout (i.e. the screen)
dump_mem: prints the values of a region of memory (in hexadecimal). It takes three comma-delimited arguments: the first is an integer used to label the output, the second is the address to display (this can be a label), and the last is the number of 16-byte paragraphs to display after the address.
dump_stack: prints the values on the CPU stack

26 Program skeleton

27 Addressing
Remember that labels can be used to refer to data in code. There are two ways that a label can be used. If a plain label is used, it is interpreted as the address (or offset) of the data. If the label is placed inside square brackets ([ ]), it is interpreted as the data at that address.

28

29 Exercise
Write an assembly program that reads two integers as input and prints their sum, difference, product, quotient and remainder.
Arrange the program so that, during its execution, it prints the contents of the memory locations holding the input data.
Assemble it, also generating the corresponding listing of the assembled code.

30 Two's complement numbers
One of the great advantages of two's complement is that the rules for addition and subtraction are exactly the same as for unsigned integers.
There are two different multiply and divide instructions. First, to multiply use either the MUL or IMUL instruction. The MUL instruction is used to multiply unsigned numbers and IMUL is used to multiply signed integers.
imul dest, source1
imul dest, source1, source2
The two division operators are DIV and IDIV. They perform unsigned and signed integer division respectively.
A very common error is to forget to initialize DX or EDX before division.
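The register conventions of slides 22 and 23 and the EDX pitfall of slide 30 are worth running rather than reading: DIV divides the whole EDX:EAX pair, so a stale EDX sometimes faults and sometimes silently produces a wrong quotient. The emulator below is an added example, not code from the lecture; it models MUL/IMUL/DIV/IDIV at 8, 16 and 32 bits plus CDQ, and all register contents are constructed inputs:

```python
# Added example, not from the lecture: emulate the IA-32 MUL/IMUL/DIV/IDIV
# register conventions (AL/AX, AX/DX:AX, EAX/EDX:EAX) and the #DE fault.
# Register values used below are constructed for illustration.

def mask(bits):
    return (1 << bits) - 1

def to_signed(value, bits):
    value &= mask(bits)
    return value - (1 << bits) if value >> (bits - 1) else value

class DivideError(Exception):
    """Models the #DE fault raised by DIV/IDIV."""

class Regs:
    def __init__(self, eax=0, ecx=0, edx=0):
        self.eax, self.ecx, self.edx = eax, ecx, edx

    def _dividend(self, bits):              # AX, DX:AX or EDX:EAX
        if bits == 8:
            return self.eax & 0xFFFF
        if bits == 16:
            return ((self.edx & 0xFFFF) << 16) | (self.eax & 0xFFFF)
        return (self.edx << 32) | self.eax

    def _set_pair(self, bits, low, high):   # AL/AH, AX/DX or EAX/EDX
        if bits == 8:
            self.eax = (self.eax & 0xFFFF0000) | ((high & 0xFF) << 8) | (low & 0xFF)
        elif bits == 16:
            self.eax = (self.eax & 0xFFFF0000) | (low & 0xFFFF)
            self.edx = (self.edx & 0xFFFF0000) | (high & 0xFFFF)
        else:
            self.eax, self.edx = low & 0xFFFFFFFF, high & 0xFFFFFFFF

    def _store_product(self, bits, product):
        # Python's arithmetic shift keeps the sign, so IMUL results land
        # correctly in the high half after masking.
        self._set_pair(bits, product & mask(bits), product >> bits)

    def mul(self, src, bits=32):            # unsigned: AL/AX/EAX * src
        self._store_product(bits, (self.eax & mask(bits)) * (src & mask(bits)))

    def imul(self, src, bits=32):           # signed one-operand form
        self._store_product(bits, to_signed(self.eax, bits) * to_signed(src, bits))

    @staticmethod
    def imul_n(src1, src2, bits=32):
        # Two/three-operand IMUL: dest = src1 * src2 truncated to the operand
        # size. Returns (dest, overflow); overflow mirrors CF/OF.
        full = to_signed(src1, bits) * to_signed(src2, bits)
        dest = full & mask(bits)
        return dest, to_signed(dest, bits) != full

    def div(self, src, bits=32):            # unsigned: (E)DX:(E)AX / src
        divisor = src & mask(bits)
        if divisor == 0:
            raise DivideError("divide by zero")
        quotient, remainder = divmod(self._dividend(bits), divisor)
        if quotient > mask(bits):
            raise DivideError("quotient does not fit in %d bits" % bits)
        self._set_pair(bits, quotient, remainder)

    def idiv(self, src, bits=32):           # signed, truncating toward zero
        divisor = to_signed(src, bits)
        if divisor == 0:
            raise DivideError("divide by zero")
        dividend = to_signed(self._dividend(bits), 2 * bits)
        quotient = abs(dividend) // abs(divisor)
        if (dividend < 0) != (divisor < 0):
            quotient = -quotient
        remainder = dividend - quotient * divisor   # sign follows the dividend
        if not -(1 << (bits - 1)) <= quotient < (1 << (bits - 1)):
            raise DivideError("quotient does not fit in %d bits" % bits)
        self._set_pair(bits, quotient, remainder)

    def cdq(self):
        # Sign-extend EAX into EDX: the right setup before a 32-bit IDIV
        # (before an unsigned DIV, clear EDX with xor edx, edx instead).
        self.edx = 0xFFFFFFFF if self.eax & 0x80000000 else 0


def forgotten_edx():
    """100 / 7 with EDX cleared, with a stale EDX = 1, and with junk in EDX."""
    r = Regs(eax=100, ecx=7, edx=0)
    r.div(r.ecx)
    correct = (r.eax, r.edx)                    # (14, 2)
    r = Regs(eax=100, ecx=7, edx=1)             # EDX:EAX is really 0x1_00000064
    r.div(r.ecx)
    silently_wrong = (r.eax, r.edx)             # (613566770, 6): no fault at all
    r = Regs(eax=100, ecx=7, edx=0xDEADBEEF)
    try:
        r.div(r.ecx)
        faulted = False
    except DivideError:
        faulted = True                          # quotient exceeds 32 bits: #DE
    return correct, silently_wrong, faulted
```

The point of `forgotten_edx` is that the fault only occurs when EDX is at least as large as the divisor; a small leftover value in EDX passes unnoticed and just corrupts the quotient, which is why the initialisation must be unconditional.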

31 AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi imul

32 AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi idiv

33 Control instructions
cmp vleft, vright
For unsigned integers, the difference vleft - vright is computed and the zero (ZF) and carry (CF) flags are set accordingly:
If vleft = vright, then ZF is set (i.e. 1) and CF is unset (i.e. 0).
If vleft > vright, then ZF is unset and CF is unset (no borrow).
If vleft < vright, then ZF is unset and CF is set (borrow).

34 Control instructions
For signed integers, there are three flags that are important: the zero (ZF) flag, the overflow (OF) flag and the sign (SF) flag.
If vleft = vright, ZF is set (just as for unsigned integers).
If vleft > vright, ZF is unset and SF = OF.
If vleft < vright, ZF is unset and SF <> OF.
Do not forget that other instructions can also change the FLAGS register, not just CMP.
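The flag rules on slides 33 and 34 decide which conditional jump a compiler (or an auditor reading disassembly) must pair with a CMP, and the same two bit patterns can compare one way unsigned and the opposite way signed. The following added example (not from the lecture) computes ZF, CF, SF and OF for `cmp vleft, vright` and evaluates the usual unsigned and signed jump conditions on them; the condition table is the standard Jcc semantics, written out here as an assumption of the example:

```python
# Added example, not from the lecture: flags left by CMP and the conditions
# tested by the unsigned (JA/JB) and signed (JG/JL) conditional jumps.

def cmp_flags(vleft, vright, bits=32):
    """Flags set by `cmp vleft, vright`, i.e. by computing vleft - vright."""
    m = (1 << bits) - 1
    a, b = vleft & m, vright & m
    result = (a - b) & m
    top = bits - 1
    sa, sb, sr = a >> top, b >> top, result >> top
    return {
        "ZF": int(result == 0),            # difference is zero
        "CF": int(a < b),                  # borrow out of the top bit: unsigned <
        "SF": sr,                          # sign bit of the difference
        # signed overflow: operands of different sign and the result's sign
        # disagrees with the minuend's sign
        "OF": int(sa != sb and sr != sa),
    }

CONDITIONS = {
    "je":  lambda f: f["ZF"] == 1,
    "jne": lambda f: f["ZF"] == 0,
    "ja":  lambda f: f["CF"] == 0 and f["ZF"] == 0,        # unsigned >
    "jae": lambda f: f["CF"] == 0,                         # unsigned >=
    "jb":  lambda f: f["CF"] == 1,                         # unsigned <
    "jbe": lambda f: f["CF"] == 1 or f["ZF"] == 1,         # unsigned <=
    "jg":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],  # signed >
    "jge": lambda f: f["SF"] == f["OF"],                   # signed >=
    "jl":  lambda f: f["SF"] != f["OF"],                   # signed <
    "jle": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],   # signed <=
}

def branch_taken(jcc, vleft, vright, bits=32):
    """Would `cmp vleft, vright` followed by jcc take the branch?"""
    return CONDITIONS[jcc](cmp_flags(vleft, vright, bits))

def compare(vleft, vright, bits=32):
    """Return (unsigned_relation, signed_relation), each '<', '=' or '>'."""
    f = cmp_flags(vleft, vright, bits)
    unsigned = "=" if f["ZF"] else ("<" if f["CF"] else ">")
    signed = "=" if f["ZF"] else ("<" if f["SF"] != f["OF"] else ">")
    return unsigned, signed

if __name__ == "__main__":
    for a, b in ((5, 5), (3, 7), (0xFFFFFFFF, 1), (0x80000000, 1)):
        print("cmp %#x, %#x" % (a, b), cmp_flags(a, b), compare(a, b))
```

The case `cmp 0x80000000, 1` is the one that shows why OF exists: the difference 0x7FFFFFFF has a clear sign bit, so SF alone would claim the left operand is greater, while OF = 1 records that the signed subtraction overflowed and SF <> OF correctly reports -2^31 < 1.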

35 Jumps
Branch instructions transfer execution to arbitrary points of a program. There are two types of branches: unconditional and conditional.
A conditional branch may or may not make the branch, depending on the flags in the FLAGS register. If a conditional branch does not make the branch, control passes to the next instruction.
The JMP (short for jump) instruction makes unconditional branches. Its single argument is usually a code label of the instruction to branch to.

36 Conditional jumps

37 Example

38 Other jumps

39 Example

40 Loops
LOOP: decrements ECX; if ECX <> 0, branches to the label.
LOOPE, LOOPZ: decrements ECX (the FLAGS register is not modified); if ECX <> 0 and ZF = 1, branches.
LOOPNE, LOOPNZ: decrements ECX (FLAGS unchanged); if ECX <> 0 and ZF = 0, branches.
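The three LOOP variants above differ only in the condition tested after ECX is decremented, and because the decrement happens before the test, a loop entered with ECX = 0 does not run zero times but wraps ECX to 0xFFFFFFFF and runs 2^32 times. The simulator below is an added example, not code from the lecture; the loop body is a callback returning the ZF value that the body's last flag-setting instruction (a CMP, say) would leave, since LOOPE/LOOPNE read ZF but never change FLAGS:

```python
# Added example, not from the lecture: simulate LOOP, LOOPE/LOOPZ and
# LOOPNE/LOOPNZ. `body(i)` stands for the loop body and returns the ZF its
# last CMP would leave; the LOOP instruction itself never touches FLAGS.

def run_loop(variant, ecx, body, max_passes=1 << 20):
    """Run the loop until the chosen LOOP variant falls through.
    Returns (passes, final_ecx, final_zf). max_passes only bounds the
    simulation; the hardware keeps going until ECX reaches 0."""
    if variant not in ("loop", "loope", "loopne"):
        raise ValueError(variant)
    passes, zf = 0, 0
    while passes < max_passes:
        zf = body(passes)                       # body executes at least once
        passes += 1
        ecx = (ecx - 1) & 0xFFFFFFFF            # decrement, wrapping like ECX
        if variant == "loop":
            again = ecx != 0
        elif variant == "loope":
            again = ecx != 0 and zf == 1
        else:
            again = ecx != 0 and zf == 0
        if not again:
            break
    return passes, ecx, zf


def find_first(data, needle):
    """cmp [esi], needle / loopne scan: index of the first match, or None."""
    if not data:
        return None                             # never enter LOOP with ECX = 0
    passes, _, zf = run_loop("loopne", len(data),
                             lambda i: int(data[i] == needle))
    return passes - 1 if zf else None


def count_leading(data, value):
    """cmp [esi], value / loope scan: how many leading elements equal value."""
    if not data:
        return 0
    passes, _, zf = run_loop("loope", len(data),
                             lambda i: int(data[i] == value))
    return passes if zf else passes - 1


def loop_with_zero_ecx(max_passes=1000):
    """LOOP entered with ECX = 0: the body runs, ECX wraps to 0xFFFFFFFF and
    the loop continues; after max_passes passes ECX is nowhere near 0."""
    passes, ecx, _ = run_loop("loop", 0, lambda i: 0, max_passes=max_passes)
    return passes, ecx


if __name__ == "__main__":
    data = [3, 9, 4, 9]                         # constructed sample array
    print(find_first(data, 9), find_first(data, 7))
    print(count_leading([2, 2, 2, 5], 2))
    print(loop_with_zero_ecx())
```

`find_first` and `count_leading` guard the empty-array case explicitly, which is the NASM idiom of testing ECX (or using JECXZ) before the loop; without that guard the simulator, like the processor, would iterate until the counter wrapped around.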

41 Example

42 If … then … else

43 While

44 Repeat … until

45 HMW #2
Write an assembly program that loads an array of 10 signed integers and computes: the sum and the product of the elements at even positions, the difference of the elements at odd positions, and the quotient and remainder of the product of the even-position elements divided by the product of the odd-position elements.
Write an assembly program that loads an array of 100 unsigned integers with random numbers, sorts them, and prints both the unsorted and the sorted array.
Due: 15/10/2007 at 24:00

