Progetto Sicurezza di rete Assembler IA-32 (parte I) Lez. 2 AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Linguaggio Assembler Linguaggio di basso livello, generalmente una versione simbolica del linguaggio macchina Strettamente dipendente dal processore Tradotto in linguaggio macchina attraverso un assemblatore Noi studieremo il linguaggio assembler relativo alla famiglia dei processi Intel AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

I processori 80x86 8088, 8086: processori a16 bit, real-mode 80286: 16-bit con protected mode 80386: 32-bit registers, 32-bit protected mode 80486/Pentium/Pentium Pro: Adds few features, speed-up Pentium MMX: Introduces the multimedia extensions (MMX) Pentium II: Pentium Pro with MMX instructions Pentium III: Speed-up, introduces the Streaming SIMD Extensions (SSE) Pentium 4: Introduces the NetBurst architecture Xeon: Introduces Hyper-Threading AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Basic Execution environment AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

La memoria The memory that the processor addresses on its bus is called physical memory. Physical memory is organized as a sequence of 8-bit bytes. Each byte is assigned a unique address, called a physical address. The physical address space ranges from zero to a maximum of 236 – 1 Virtually any operating system or executive designed to work with an IA-32 processor will use the processor’s memory management facilities to access memory These facilities provide features such as segmentation and paging, which allow memory to be managed efficiently and reliably AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Memoria Flat memory model : Memory appears to a program as a single, continuous address space. This space is called a linear address space. Code, data, and stacks are all contained in this address space. Linear address space is byte addressable Segmented memory model: Memory appears to a program as a group of independent address spaces called segments. Code, data, and stacks are typically contained in separate segments. To address a byte in a segment, a program issues a logical address AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Gestione Memoria AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Modalità CPU The IA-32 architecture supports three basic operating modes: protected mode, real-address mode, and system management mode. The operating mode determines which instructions and architectural features are accessible: Protected mode: This mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute “real-address mode” 8086 software in a protected, multi-tasking environment. Real-address mode:This mode implements the programming environment of the Intel 8086 processor with extensions System management mode (SMM) — This mode provides an operating system or executive with a transparent mechanism for implementing platform-specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Basic Program Execution Register The processor provides 16 basic program execution registers for use in general system and application programing. These registers can be grouped as follows: General-purpose registers: These eight registers are available for storing operands and pointers Segment registers: These registers hold up to six segment selectors. EFLAGS (program status and control) register. The EFLAGS register report on the status of the program being executed and allows limited (application-program level) control of the processor. EIP (instruction pointer) register. The EIP register contains a 32-bit pointer to the next instruction to be executed. AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Registri IA-32 EAX: Accumulator for operands and results data EBX: Pointer to data in the DS segment ECX: Counter for string and loop operations EDX: I/O pointer ESI: Pointer to data in the segment pointed to by the DS register; source pointer for string operations EDI: Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations ESP: Stack pointer (in the SS segment) EBP: Pointer to data on the stack (in the SS segment) AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Segment Register AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Segment Register Each of the segment registers is associated with one of three types of storage: code, data, or stack CS register: contains the segment selector for the code segment, where the instructions being executed are stored The processor fetches instructions from the code segment, using a logical address that consists of the segment selector in the CS register and the contents of the EIP register. The EIP register contains the offset within the code segment of the next instruction to be executed The SS register contains the segment selector for the stack segment, where the procedure stack is stored for the program, task, or handler currently being executed. All stack operations use the SS register to find the stack segment AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

EIP The instruction pointer (EIP) cannot be accessed directly by software is advanced from one instruction boundary to the next in straightline code or it is moved ahead or backwards by a number of instructions when executing JMP, Jcc, CALL, RET, and IRET instructions, interrupts, and exceptions. The onyl way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack. The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction (RET or IRET). AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

CS The CS register cannot be loaded explicitly by an application program. It is loaded implicitly by instructions or internal processor operations that change program control (such as, procedure calls, interrupt handling, or task switching) AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

EFLAG Register AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

x86 Assembly Language (Slightly) higher-level language than machine language Program is made of: directives: commands for the assembler .data identifies a section with variables instructions: actual operations jmp 8048f3f Two possible syntaxes, with different ordering of the operands! AT&T syntax (objdump, GNU Assembler) DOS/Intel syntax (Microsoft Assembler, Nasm) AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Instruction syntax (AT&T) label: mnemonic source(s), destination # comment Numerical constants are prefixed with a $ Hexadecimal numbers start with 0x Binary numbers start with 0b Registers are denoted by % Instructions can be modified using suffixes b for byte, w for word (16 bits), l for long (32 bits) movl %ecx,%eax #moves ecx into eax AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Istruzioni NASM Sintassi: Gli operandi possono essere: label: mnemonic destination, source ;comment Gli operandi possono essere: registri locazioni di memoria Valori immediati Impliciti Gli operandi di un’istruzione non possono essere entrambi locazioni di memoria Gli operandi devono avere la stessa dimensione mov a,ax add bx, 4 inc ecx AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Direttive A db 190 B dw 134fh C db 101001b Array times 10 dw 0 Array2 resw 20 Le diverse locazioni sono memorizzate consecutivamente ed in ordine di dichiarazione all’interno della memoria %include per includere un file, %include “asm_io.inc” AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Tipi di Istruzioni Data transfer Aritmetiche Logiche Control transfer mov, xchg, push, pop Aritmetiche add, sub, mul, div, inc, dec Logiche and, or, xor, not Control transfer jmp, jne, call, ret, int, iret AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Istruzioni su Stack The stack usually grows towards lower memory addresses This is the way the stack grows on many architectures including the Intel, Motorola, SPARC, and MIPS processors The stack pointer (ESP) points to the top of the stack (the last valid address) A push operation first decrements the stack pointer and then stores the value in the address contained in the register AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

mul mul source The source is either a register or a memory reference. It can not be an immediate value. Exactly what multiplication is performed depends on the size of the source operand: If the operand is byte sized, it is multiplied by the byte in the AL register and the result is stored in the 16 bits of AX. If the source is 16-bit, it is multiplied by the word in AX and the 32-bit result is stored in DX:AX. If the source is 32-bit, it is multiplied by EAX and the 64-bit result is stored into EDX:EAX. AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

div div source If the source is 8-bit, then AX is divided by the operand. The quotient is stored in AL and the remainder in AH. If the source is 16-bit, then DX:AX is divided by the operand. The quotient is stored into AX and remainder into DX If the source is 32-bit, then EDX:EAX is divided by the operand and the quotient is stored into EAX and the remainder into EDX AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

I/O print int print char print string print nl read int read char prints out to the screen the value of the integer stored in EAX print char prints out to the screen the character whose ASCII value stored in AL print string prints out to the screen the contents of the string at the address stored in EAX. The string must be a Ctype string (i.e. null terminated). print nl prints out to the screen a new line character. read int reads an integer from the keyboard and stores it into the EAX register. read char reads a single character from the keyboard and stores its ASCII code into the EAX register. AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Debugging dump regs dump mem dump stack prints out the values of the registers (in hexadecimal) of the computer to stdout (i.e. the screen) dump mem prints out the values of a region of memory (in hexadecimal). It takes three comma delimited arguments. The first is an integer that is used to label the output, the second is the address to display. (This can be a label.) The last argument is the number of 16-byte paragraphs to display after the address dump stack prints out the values on the CPU stack. AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Schema programma AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Indirizzamento Remember that labels can be used to refer to data in code. There are two ways that a label can be used. If a plain label is used, it is interpreted as the address (or offset) of the data. If the label is placed inside square brackets ([ ]), it is interpreted as the data at the address AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Esercizio Scrivere un programma Assembler che chiede in input due numeri interi e stampa la loro somma, differenza, prodotto, quoziente e resto Predisporre il programma affinché durante la sua esecuzione stampi il contenuto delle locazioni di memoria che contengono i dati di input Assemblare generando anche il corrispondente listato del compilato AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Numeri complemento a 2 One of the great advantages of 2’s complement is that the rules for addition and subtraction are exactly the same as for unsigned integers There are two different multiply and divide instructions. First, to multiply use either the MUL or IMUL instruction. The MUL instruction is used to multiply unsigned numbers and IMUL is used to multiply signed integers imul dest, source1 imul dest, source1, source2 The two division operators are DIV and IDIV. They perform unsigned and signed integer division respectively A very common error is to forget to initialize DX or EDX before division. AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

imul AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

idiv AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Istruzioni di controllo cmp vleft, vright For unsigned integers, the difference vleft - vright is computed and the zero (ZF) and carry (CF) flags are set accordingly If vleft = vright, then ZF is set (i.e. 1) and the CF is unset (i.e. 0) If vleft > vright, then ZF is unset and CF is unset (no borrow) If vleft < vright, then ZF is unset and CF is set (borrow) AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Istruzioni di controllo For signed integers, there are three flags that are important: the zero (ZF) flag, the overflow (OF) flag and the sign (SF) flag If vleft = vright, the ZF is set (just as for unsigned integers). If vleft > vright, ZF is unset and SF = OF If vleft < vright, ZF is unset and SF <>OF Do not forget that other instructions can also change the FLAGS register, not just CMP AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Salti Branch instructions transfer execution to arbitrary points of a program There are two types of branches: unconditional and conditional A conditional branch may or may not make the branch depending on the flags in the FLAGS register. If a conditional branch does not make the branch, control passes to the next instruction The JMP (short for jump) instruction makes unconditional branches. Its single argument is usually a code label to the instruction to branch to AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Salti condizionati AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Esempio AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Altri Jump AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Esempio AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Cicli LOOP Decrements ECX, if ECX <> 0, branches to label LOOPE, LOOPZ Decrements ECX (FLAGS register is not modified), if ECX <> 0 and ZF = 1, branches LOOPNE, LOOPNZ Decrements ECX (FLAGS unchanged), if ECX <>0 and ZF = 0, branches AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Esempio AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

If …then … else AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

While AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

Repeat …until AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

HMW #2 Scrivere un programma assembler che carica un array di 10 numeri interi con segno e calcola: la somma e il prodotto degli elementi di posizione pari, la differenza di quelli di posizione dispari, il quoziente e il resto tra il prodotto degli elementi di posizione pari e quelli dispari Scrivere un programma assembler che carica un array di 100 elementi interi senza segno con numeri casuali, li ordina e stampa sia l’array disordinato che quello ordinato Consegna: 15/10/2007 ore 24.00 AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi