Progetto Sicurezza di rete

Presentation on the topic "Progetto Sicurezza di rete". Transcript of the presentation:

1 Progetto Sicurezza di rete
IA-32 Assembler (part I), Lecture 2
AA. 2007/2008 Corso: Sicurezza 2 © Danilo Bruschi

2 Assembly language
A low-level language, generally a symbolic version of machine language. It is strictly dependent on the processor and is translated into machine language by an assembler. We will study the assembly language of the Intel processor family.

3 The 80x86 processors
8088, 8086: 16-bit processors, real mode
80286: 16-bit, with protected mode
80386: 32-bit registers, 32-bit protected mode
80486/Pentium/Pentium Pro: add a few features, speed-up
Pentium MMX: introduces the multimedia extensions (MMX)
Pentium II: Pentium Pro with MMX instructions
Pentium III: speed-up, introduces the Streaming SIMD Extensions (SSE)
Pentium 4: introduces the NetBurst architecture
Xeon: introduces Hyper-Threading

4 Basic execution environment

5 Memory
The memory that the processor addresses on its bus is called physical memory. Physical memory is organized as a sequence of 8-bit bytes. Each byte is assigned a unique address, called a physical address. The physical address space ranges from zero to a maximum of 2^36 – 1 (64 GB, with 36-bit physical addressing).
Virtually any operating system or executive designed to work with an IA-32 processor will use the processor's memory management facilities to access memory. These facilities provide segmentation and paging, which allow memory to be managed efficiently and reliably.

6 Memory
Flat memory model: memory appears to a program as a single, continuous address space, called the linear address space. Code, data and stacks are all contained in this address space. The linear address space is byte addressable.
Segmented memory model: memory appears to a program as a group of independent address spaces called segments. Code, data and stacks are typically contained in separate segments. To address a byte in a segment, a program issues a logical address, made of a segment selector and an offset; the processor translates it into a linear address by adding the offset to the base address of the selected segment, after checking the offset against the segment limit.
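Worked example (added here; it is not part of the slides or of the course material): a C model of the logical-to-linear translation just described, with the flat model shown as the special case where every segment has base 0 and limit 0xFFFFFFFF. The descriptor table, its base and limit values and the addresses used are made up for the illustration; descriptor formats, privilege checks and paging are left out.

```c
/* Added example (not from the slides): a simplified model of how the
 * IA-32 MMU turns a logical address (segment selector + offset) into a
 * linear address, and how the flat model is just a special case of it.
 * Descriptor format, privilege checks and paging are left out. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    uint32_t base;   /* linear address where the segment starts */
    uint32_t limit;  /* last valid offset inside the segment   */
} segment_t;

/* Hypothetical descriptor table: index = selector. Entry 0 is the null
 * selector, 1 a small code segment, 2 a small data segment. */
static const segment_t gdt[] = {
    { 0x00000000, 0x00000000 },  /* 0: null selector, never valid  */
    { 0x08048000, 0x0000FFFF },  /* 1: 64 KiB code segment         */
    { 0x08060000, 0x00000FFF },  /* 2: 4 KiB data segment          */
};
#define GDT_ENTRIES (sizeof gdt / sizeof gdt[0])

/* Translate selector:offset. Returns true and writes *linear on success,
 * false where the CPU would raise #GP (bad selector or offset > limit). */
bool logical_to_linear(unsigned selector, uint32_t offset, uint32_t *linear)
{
    if (selector == 0 || selector >= GDT_ENTRIES)
        return false;                       /* null or out-of-table selector */
    const segment_t *seg = &gdt[selector];
    if (offset > seg->limit)
        return false;                       /* limit check fails -> #GP */
    *linear = seg->base + offset;           /* wraps mod 2^32 like the CPU */
    return true;
}

/* Flat model: every segment has base 0 and limit 0xFFFFFFFF, so the
 * linear address equals the offset and no limit check can ever fail. */
uint32_t flat_to_linear(uint32_t offset)
{
    const segment_t flat = { 0x00000000, 0xFFFFFFFF };
    return flat.base + offset;
}

int main(void)
{
    uint32_t lin;
    if (logical_to_linear(2, 0x10, &lin))
        printf("2:0x10   -> linear 0x%08x\n", lin);
    if (!logical_to_linear(2, 0x1000, &lin))
        printf("2:0x1000 -> #GP (offset past the segment limit)\n");
    printf("flat 0x08048000 -> 0x%08x\n", flat_to_linear(0x08048000u));
    return 0;
}
```

The limit check is the part worth noticing: in the segmented model an out-of-range offset faults, while in the flat model that the usual operating systems set up the check is effectively disabled, and isolation has to come from paging instead.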

7 Memory management

8 CPU modes
The IA-32 architecture supports three basic operating modes: protected mode, real-address mode and system management mode. The operating mode determines which instructions and architectural features are accessible.
Protected mode: the native state of the processor. Among its capabilities is the ability to directly execute real-address-mode 8086 software in a protected, multitasking environment (virtual-8086 mode).
Real-address mode: implements the programming environment of the Intel 8086 processor, with extensions.
System management mode (SMM): provides an operating system or executive with a transparent mechanism for implementing platform-specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated. SMM code runs outside the control and visibility of the operating system, which is why its integrity matters for platform security.

9 Basic program execution registers
The processor provides 16 basic program execution registers for use in general system and application programming. They can be grouped as follows:
General-purpose registers: eight registers available for storing operands and pointers.
Segment registers: six registers holding segment selectors.
EFLAGS (program status and control) register: reports on the status of the program being executed and allows limited (application-program level) control of the processor.
EIP (instruction pointer) register: contains a 32-bit pointer to the next instruction to be executed.

10 IA-32 registers
EAX: accumulator for operands and result data
EBX: pointer to data in the DS segment
ECX: counter for string and loop operations
EDX: I/O pointer
ESI: pointer to data in the segment pointed to by DS; source pointer for string operations
EDI: pointer to data (or destination) in the segment pointed to by ES; destination pointer for string operations
ESP: stack pointer (in the SS segment)
EBP: pointer to data on the stack (in the SS segment)

11 Segment registers

12 Segment registers
Each segment register is associated with one of three types of storage: code, data or stack.
CS: contains the segment selector for the code segment, where the instructions being executed are stored. The processor fetches instructions from the code segment using a logical address that consists of the segment selector in CS and the contents of the EIP register; EIP holds the offset within the code segment of the next instruction to be executed.
SS: contains the segment selector for the stack segment, where the procedure stack is stored for the program, task or handler currently being executed. All stack operations use SS to find the stack segment.
DS, ES, FS, GS: hold selectors for data segments.

13 EIP
The instruction pointer (EIP):
cannot be accessed directly by software;
is advanced from one instruction boundary to the next in straight-line code, or moved forward or backwards by a number of instructions when executing JMP, Jcc, CALL, RET and IRET instructions, interrupts and exceptions.
The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.
The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction (RET or IRET). This is exactly the mechanism a stack-based buffer overflow abuses: whatever overwrites the saved return address on the stack decides where execution continues after RET.

14 CS
The CS register cannot be loaded explicitly by an application program. It is loaded implicitly by instructions or internal processor operations that change program control (procedure calls, interrupt handling, task switching).

15 EFLAGS register

16 x86 assembly language
A (slightly) higher-level language than machine language. A program is made of:
directives: commands for the assembler, e.g. .data identifies a section with variables;
instructions: actual operations, e.g. jmp 8048f3f.
Two possible syntaxes, with different ordering of the operands:
AT&T syntax (objdump, GNU Assembler);
DOS/Intel syntax (Microsoft Assembler, NASM).

17 Instruction syntax (AT&T)
label: mnemonic source(s), destination # comment
Numerical constants are prefixed with $; hexadecimal numbers start with 0x; binary numbers start with 0b. Registers are denoted by %. Instructions can be modified using size suffixes: b for byte, w for word (16 bits), l for long (32 bits).
movl %ecx,%eax   # moves ecx into eax

18 NASM instructions
Syntax:
label: mnemonic destination, source ; comment
Operands can be: registers, memory locations, immediate values, implicit.
The two operands of an instruction cannot both be memory locations, and they must have the same size.
mov [a], ax    ; memory destination, register source (in NASM the brackets mean "contents of a")
add bx, 4      ; register destination, immediate source
inc ecx        ; single register operand

19 Directives
A db 190
B dw 134fh
C db 101001b
Array times 10 dw 0
Array2 resw 20
The locations are stored consecutively, in declaration order, in memory. db/dw define initialized data (section .data); resw and the other res* directives only reserve uninitialized space and belong in section .bss.
%include includes a file: %include "asm_io.inc"

20 Instruction types
Data transfer: mov, xchg, push, pop
Arithmetic: add, sub, mul, div, inc, dec
Logical: and, or, xor, not
Control transfer: jmp, jne, call, ret, int, iret

21 Stack instructions
The stack usually grows towards lower memory addresses; this is the way the stack grows on many architectures, including Intel, Motorola, SPARC and MIPS processors. The stack pointer (ESP) points to the top of the stack (the last valid address). A push operation first decrements the stack pointer and then stores the value at the address contained in the register; pop does the reverse, loading the value at [ESP] and then incrementing ESP.
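Worked example (added here; not code from the slides or from the course material) covering this slide and slide 13: a C model of PUSH, POP, CALL and RET over a small stack segment, used to show that PUSH decrements ESP before storing and that RET takes its target from the saved return address, so overwriting that slot redirects execution. The addresses, the stack size and the scenario are made up for the illustration.

```c
/* Added example (not from the slides): a tiny model of the IA-32 stack
 * with PUSH, POP, CALL and RET. Memory, ESP and EIP are plain variables;
 * the addresses below are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STACK_BYTES 64
#define STACK_BASE  0x1000u   /* hypothetical address of the first byte */

typedef struct {
    uint8_t  mem[STACK_BYTES]; /* models the stack segment */
    uint32_t esp;              /* points to the last pushed dword */
    uint32_t eip;              /* address of the next instruction */
} cpu_t;

static uint8_t *slot(cpu_t *c, uint32_t addr) { return &c->mem[addr - STACK_BASE]; }

void cpu_init(cpu_t *c, uint32_t eip)
{
    memset(c->mem, 0, sizeof c->mem);
    c->esp = STACK_BASE + STACK_BYTES;   /* empty stack: ESP just past the end */
    c->eip = eip;
}

/* push: ESP <- ESP - 4, then [ESP] <- value (little-endian) */
void push(cpu_t *c, uint32_t value)
{
    c->esp -= 4;
    memcpy(slot(c, c->esp), &value, 4);
}

/* pop: value <- [ESP], then ESP <- ESP + 4 */
uint32_t pop(cpu_t *c)
{
    uint32_t value;
    memcpy(&value, slot(c, c->esp), 4);
    c->esp += 4;
    return value;
}

/* call target: push the address of the next instruction, then jump */
void call(cpu_t *c, uint32_t target, uint32_t next_insn)
{
    push(c, next_insn);
    c->eip = target;
}

/* ret: pop the saved return address into EIP */
void ret(cpu_t *c) { c->eip = pop(c); }

/* Scenario: CALL a procedure at 0x8048400 from 0x8048100 (return address
 * 0x8048105), then RET. Returns the EIP after RET. If overwrite != 0 the
 * saved return slot is overwritten first, as a stack overflow would do. */
uint32_t run_scenario(uint32_t overwrite)
{
    cpu_t c;
    cpu_init(&c, 0x8048100u);
    call(&c, 0x8048400u, 0x8048105u);   /* ESP is now 0x103C, [ESP] = 0x8048105 */
    if (overwrite) {
        /* the callee "writes past a local buffer" into the return slot */
        memcpy(slot(&c, c.esp), &overwrite, 4);
    }
    ret(&c);
    return c.eip;
}

int main(void)
{
    printf("normal return      -> EIP 0x%08x\n", run_scenario(0));
    printf("overwritten return -> EIP 0x%08x\n", run_scenario(0xDEADBEEFu));
    return 0;
}
```

Nothing in RET validates the address it pops; that is the whole reason return-address integrity (stack canaries, shadow stacks) is a separate protection layered on top of the instruction set.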

22 mul
mul source
The source is either a register or a memory reference; it cannot be an immediate value. Exactly what multiplication is performed depends on the size of the source operand:
if the operand is byte sized, it is multiplied by the byte in AL and the result is stored in the 16 bits of AX;
if the source is 16-bit, it is multiplied by the word in AX and the 32-bit result is stored in DX:AX;
if the source is 32-bit, it is multiplied by EAX and the 64-bit result is stored in EDX:EAX.

23 div
div source
If the source is 8-bit, AX is divided by the operand; the quotient is stored in AL and the remainder in AH.
If the source is 16-bit, DX:AX is divided by the operand; the quotient is stored in AX and the remainder in DX.
If the source is 32-bit, EDX:EAX is divided by the operand; the quotient is stored in EAX and the remainder in EDX.
The processor raises a divide error exception (#DE) if the divisor is zero or if the quotient does not fit in the destination register (AL, AX or EAX).
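Worked example (added here; not code from the slides or from the course material) for slides 22 and 23: the register conventions of MUL and DIV for the three operand sizes, written as C functions over a two-register model, with the div_* functions returning false where the real CPU would raise #DE. The register values are made up for the illustration.

```c
/* Added example (not from the slides): MUL and DIV register conventions
 * for 8-, 16- and 32-bit operands, modelled in C. div_* return false
 * where the CPU raises #DE: divisor zero, or quotient too large for the
 * destination register. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint32_t eax, edx; } regs_t;

/* accessors for the partial registers the slides mention */
static uint8_t  al(const regs_t *r) { return (uint8_t)r->eax; }
static uint16_t ax(const regs_t *r) { return (uint16_t)r->eax; }
static uint16_t dx(const regs_t *r) { return (uint16_t)r->edx; }
static void set_ax(regs_t *r, uint16_t v) { r->eax = (r->eax & 0xFFFF0000u) | v; }
static void set_dx(regs_t *r, uint16_t v) { r->edx = (r->edx & 0xFFFF0000u) | v; }

/* mul r/m8:  AX <- AL * src */
void mul8(regs_t *r, uint8_t src) { set_ax(r, (uint16_t)((uint16_t)al(r) * src)); }

/* mul r/m16: DX:AX <- AX * src */
void mul16(regs_t *r, uint16_t src)
{
    uint32_t p = (uint32_t)ax(r) * src;
    set_ax(r, (uint16_t)p);
    set_dx(r, (uint16_t)(p >> 16));
}

/* mul r/m32: EDX:EAX <- EAX * src */
void mul32(regs_t *r, uint32_t src)
{
    uint64_t p = (uint64_t)r->eax * src;
    r->eax = (uint32_t)p;
    r->edx = (uint32_t)(p >> 32);
}

/* div r/m8: AL <- AX / src, AH <- AX % src */
bool div8(regs_t *r, uint8_t src)
{
    if (src == 0) return false;
    uint16_t q = ax(r) / src;
    if (q > 0xFF) return false;            /* quotient does not fit AL -> #DE */
    uint16_t rem = ax(r) % src;
    set_ax(r, (uint16_t)((rem << 8) | q));
    return true;
}

/* div r/m16: AX <- DX:AX / src, DX <- DX:AX % src */
bool div16(regs_t *r, uint16_t src)
{
    if (src == 0) return false;
    uint32_t dividend = ((uint32_t)dx(r) << 16) | ax(r);
    uint32_t q = dividend / src;
    if (q > 0xFFFF) return false;          /* does not fit AX -> #DE */
    set_ax(r, (uint16_t)q);
    set_dx(r, (uint16_t)(dividend % src));
    return true;
}

/* div r/m32: EAX <- EDX:EAX / src, EDX <- EDX:EAX % src */
bool div32(regs_t *r, uint32_t src)
{
    if (src == 0) return false;
    uint64_t dividend = ((uint64_t)r->edx << 32) | r->eax;
    uint64_t q = dividend / src;
    if (q > 0xFFFFFFFFu) return false;     /* e.g. stale EDX left by an earlier MUL */
    r->eax = (uint32_t)q;
    r->edx = (uint32_t)(dividend % src);
    return true;
}

int main(void)
{
    regs_t r = { 0x12345678u, 0 };
    mul32(&r, 0x10u);                      /* EDX:EAX = 0x1_2345_6780 */
    printf("mul32: EDX=%08x EAX=%08x\n", r.edx, r.eax);
    bool ok = div32(&r, 0x10u);            /* back to 0x12345678, remainder 0 */
    printf("div32 ok=%d EAX=%08x EDX=%08x\n", ok, r.eax, r.edx);
    r.edx = 0x12345678u; r.eax = 0;        /* garbage in EDX, small divisor */
    ok = div32(&r, 2u);
    printf("div32 with stale EDX ok=%d (0 means #DE)\n", ok);
    return 0;
}
```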

24 I/O (asm_io.inc)
print_int: prints the value of the integer stored in EAX to the screen.
print_char: prints the character whose ASCII value is stored in AL.
print_string: prints the string at the address stored in EAX; the string must be a C-type string (null terminated).
print_nl: prints a newline character.
read_int: reads an integer from the keyboard and stores it in EAX.
read_char: reads a single character from the keyboard and stores its ASCII code in EAX.

25 Debugging
dump_regs: prints the values of the registers (in hexadecimal) to stdout (i.e. the screen).
dump_mem: prints the values of a region of memory (in hexadecimal). It takes three comma-delimited arguments: an integer used to label the output, the address to display (this can be a label), and the number of 16-byte paragraphs to display after the address.
dump_stack: prints the values on the CPU stack.

26 Program layout

27 Addressing
Remember that labels can be used to refer to data in code. There are two ways a label can be used: a plain label is interpreted as the address (or offset) of the data; a label placed inside square brackets ([ ]) is interpreted as the data at that address.

28

29 Exercise
Write an assembly program that asks for two integers as input and prints their sum, difference, product, quotient and remainder. Arrange the program so that, during execution, it prints the contents of the memory locations holding the input data. Assemble it, also generating the corresponding listing of the assembled code.

30 Two's complement numbers
One of the great advantages of two's complement is that the rules for addition and subtraction are exactly the same as for unsigned integers.
There are two different multiply and divide instructions. To multiply, use either MUL or IMUL: MUL multiplies unsigned numbers, IMUL signed integers. IMUL also has two- and three-operand forms:
imul dest, source1
imul dest, source1, source2
The two division operators are DIV and IDIV; they perform unsigned and signed integer division respectively.
A very common error is to forget to initialize DX or EDX before division: for unsigned division clear it (xor edx, edx); for signed division sign-extend EAX into EDX with cdq (cwd for AX into DX). Zeroing EDX before IDIV of a negative EAX gives a wrong result rather than a fault.
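Worked example (added here; not code from the slides or from the course material): two's-complement arithmetic on a 32-bit register model. It shows that add/sub produce one bit pattern whatever the signedness, models IMUL and IDIV (the signed counterparts of slides 22 and 23), and compares IDIV after CDQ with IDIV after XOR EDX,EDX on a negative dividend. The values are made up for the illustration; idiv32 returns false where the CPU raises #DE.

```c
/* Added example (not from the slides): signed arithmetic on a two-register
 * model. add32/sub32 wrap mod 2^32; the caller chooses the interpretation.
 * imul32/idiv32 follow the one-operand IMUL/IDIV conventions (EDX:EAX). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint32_t eax, edx; } regs_t;

/* add/sub on the raw 32-bit pattern, identical for signed and unsigned */
uint32_t add32(uint32_t a, uint32_t b) { return a + b; }
uint32_t sub32(uint32_t a, uint32_t b) { return a - b; }

/* the same pattern read as a signed value */
int32_t as_signed(uint32_t v) { return (int32_t)v; }

/* imul src (one operand): EDX:EAX <- EAX * src, signed */
void imul32(regs_t *r, int32_t src)
{
    int64_t p = (int64_t)(int32_t)r->eax * src;
    r->eax = (uint32_t)p;
    r->edx = (uint32_t)((uint64_t)p >> 32);
}

/* imul dest, src1, src2 (three operands): only the low 32 bits are kept */
int32_t imul3(int32_t src1, int32_t src2)
{
    return (int32_t)((uint32_t)src1 * (uint32_t)src2);
}

/* cdq: sign-extend EAX into EDX */
void cdq(regs_t *r) { r->edx = ((int32_t)r->eax < 0) ? 0xFFFFFFFFu : 0u; }

/* idiv src: EAX <- EDX:EAX / src, EDX <- EDX:EAX % src (signed, truncating) */
bool idiv32(regs_t *r, int32_t src)
{
    if (src == 0) return false;                               /* #DE */
    int64_t dividend = (int64_t)(((uint64_t)r->edx << 32) | r->eax);
    if (dividend == INT64_MIN && src == -1) return false;     /* #DE (and C UB) */
    int64_t q = dividend / src;
    if (q < INT32_MIN || q > INT32_MAX) return false;         /* #DE: does not fit EAX */
    r->eax = (uint32_t)(int32_t)q;
    r->edx = (uint32_t)(int32_t)(dividend % src);
    return true;
}

/* a / b with EDX prepared by CDQ (correct) or by XOR EDX,EDX (wrong for a < 0);
 * returns the quotient left in EAX, or 0 on #DE */
int32_t divide(int32_t a, int32_t b, bool use_cdq)
{
    regs_t r = { (uint32_t)a, 0 };
    if (use_cdq) cdq(&r); else r.edx = 0;
    if (!idiv32(&r, b)) return 0;
    return (int32_t)r.eax;
}

int main(void)
{
    uint32_t s = add32(0xFFFFFFF9u, 3u);     /* -7 + 3, or 4294967289 + 3 */
    printf("add: unsigned %u, signed %d\n", s, as_signed(s));
    printf("-7 idiv 2 after cdq:         %d\n", divide(-7, 2, true));
    printf("-7 idiv 2 after xor edx,edx: %d\n", divide(-7, 2, false));
    return 0;
}
```

The second division does not fault: EDX:EAX = 0x00000000FFFFFFF9 is a large positive 64-bit dividend, its quotient fits in EAX, and the program silently continues with 2147483644 instead of -3.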

31 imul

32 idiv

33 Control instructions
cmp vleft, vright
For unsigned integers, the difference vleft - vright is computed and the zero (ZF) and carry (CF) flags are set accordingly:
if vleft = vright, ZF is set (1) and CF is unset (0);
if vleft > vright, ZF is unset and CF is unset (no borrow);
if vleft < vright, ZF is unset and CF is set (borrow).

34 Control instructions
For signed integers, three flags are important: the zero flag (ZF), the overflow flag (OF) and the sign flag (SF):
if vleft = vright, ZF is set (just as for unsigned integers);
if vleft > vright, ZF is unset and SF = OF;
if vleft < vright, ZF is unset and SF ≠ OF.
Do not forget that other instructions can also change the FLAGS register, not just CMP.

35 Jumps
Branch instructions transfer execution to arbitrary points of a program. There are two types of branches: unconditional and conditional. A conditional branch may or may not make the branch, depending on the flags in the FLAGS register; if it does not branch, control passes to the next instruction. The JMP (short for jump) instruction makes unconditional branches; its single argument is usually the code label of the instruction to branch to.

36 Conditional jumps

37 Example

38 Other jumps

39 Example

40 Loops
LOOP: decrements ECX; if ECX ≠ 0, branches to the label.
LOOPE, LOOPZ: decrements ECX (the FLAGS register is not modified); if ECX ≠ 0 and ZF = 1, branches.
LOOPNE, LOOPNZ: decrements ECX (FLAGS unchanged); if ECX ≠ 0 and ZF = 0, branches.
Because ECX is decremented before the test, entering a LOOP with ECX = 0 wraps it to 0FFFFFFFFh and runs the body 2^32 times; check for zero before the loop if the count comes from input.

41 Example

42 If ... then ... else

43 While

44 Repeat ... until

45 HMW #2
Write an assembly program that loads an array of 10 signed integers and computes: the sum and the product of the elements in even positions, the difference of those in odd positions, and the quotient and remainder between the product of the even-position elements and that of the odd-position ones.
Write an assembly program that loads an array of 100 unsigned integers with random numbers, sorts them, and prints both the unsorted and the sorted array.
Due: 15/10/2007, 24:00
