Professional Documents
Culture Documents
Pointers Overlays Nonotes
Pointers Overlays Nonotes
Pointers Overlays Nonotes
Hacking in C
Thom Wiggers
1
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
2
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
3
Allocation of multiple variables
4
Printing addresses where data is located
5
Data alignment
x i0 i1 i2
i3 s0 s1 y
...
Now the data elements are not nicely aligned with the words,
which will make execution slow, since CPU instructions act on words.
6
Data alignment
x i0 i1 i2
i3 s0 s1 y
...
7
Data alignment
x i0 i1 i2 x
i3 s0 s1 y i0 i1 i2 i3
s0 s1
... y
7
Data alignment
x i0 i1 i2 x s0 s1 x y
i3 s0 s1 y i0 i1 i2 i3 i0 i1 i2 i3
s0 s1
... y ...
7
Data alignment
8
Data alignment
8
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
9
Arrays
10
Arrays
10
Array bounds checking
The historic decision not to check array bounds is responsible for in the
order of 50% of all the security vulnerabilities in software, in the form of
so-called buffer overflow attacks.
11
Typical software
Typical security
software vulnerabilities
security vulnerabilities
6HFXULW\
Security EXJV
bugs IRXQG
found LQ 0LFURVRIW¶V
in Microsoft’s first ILUVW VHFXULW\
security EXJ
bug fix IL[ PRQWK
month (2002)
0%
17%
buffer overflow
37% input validation
code defect
design defect
26%
crypto
20%
12
hic 11
Array bounds checking
13
Overrunning arrays
14
Overrunning arrays
14
Overrunning arrays
14
Arrays and alignment
15
Arrays and alignment
For good alignment, a compiler could again add padding at the ends of
arrays.
15
Arrays and alignment
For good alignment, a compiler could again add padding at the ends of
arrays.
E.g. a compiler might allocate 16 bytes rather than 15 bytes for
char text[15];
15
Array variables are references
16
Array variables are references
16
Array variables are references
16
Arrays are passed by reference
17
Arrays are passed by reference
(Actually, we are still just passing by value, but we’re passing the pointer
to the array by its value!)
17
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
18
Last week on pointers
Remember we could get the address of a variable using the & operator.
int a = 1;
printf("a is stored at %p\n", &a);
1
↑
&a
19
Last week on pointers
Remember we could get the address of a variable using the & operator.
int a = 1;
printf("a is stored at %p\n", &a);
1
↑
&a
This allowed us to create a variable that stores this reference:
int* a_ptr = &a;
With the special type int*.
19
Last week on pointers
Remember we could get the address of a variable using the & operator.
int a = 1;
printf("a is stored at %p\n", &a);
1
↑
&a
This allowed us to create a variable that stores this reference:
int* a_ptr = &a;
With the special type int*.
19
Confused? Draw some pointy arrows!
confused? draw pictures!
int y = 7; int y = 7;
int *p = &y; int
// *ppointer
= &y; // p now points
pointer to cell
p now points to celly y
int z = *p; int
// zgive
= *p; z//the
givevalue of what
z the value p points
of what p points to
to
y 7
p &y
z 7
hic 20
20
Style debate: int* p or int *p?
21
Style debate: int* p or int *p?
21
Style debate: int* p or int *p?
21
We must go deeper
int x = 3;
... p1 = &x;
... p2 = &p1;
int z = **p2 + 1;
What will the value of z be?
22
We must go deeper
int x = 3;
... p1 = &x;
... p2 = &p1;
int z = **p2 + 1;
What will the value of z be?
What should the types of p1 and p2 be?
22
still not confused? pointers to pointers
Pointerpointers
int x = 3;
int *p1 = &x; // p1 points to an int
int x = 3;
int **p2 = &p1; //p2 points to a pointer to an int
int *p1 int
= &x; // p1
z = **p2 + 1;points to an int
int **p2 = &p1; // p2 points to a _pointer_ to an int
int z = **p2 + 1;
p2 &p1 p1 &x x 3
z 4
hic 25
23
On breaking symmetry
24
On breaking symmetry
However. . .
int x = 1; &*x // SEGMENTATION FAULT!
24
On breaking symmetry
However. . .
int x = 1; &*x // SEGMENTATION FAULT!
There exists a type for which this does work!
24
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
25
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
6
25
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
6
What is the value of *p at the end?
25
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
6
What is the value of *p at the end?
6
25
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
6
What is the value of *p at the end?
6
What is the value of *q at the end?
25
Pointer puzzle
int y = 2;
int z = 3;
int* p = &y;
int* q = &z;
(*q)++;
*p = *p + *q;
q = q + 1;
printf("y is %d\n", y);
What is the value of y at the end?
6
What is the value of *p at the end?
6
What is the value of *q at the end?
We don’t know! q points to some memory cell after z in the memory
25
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
26
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointer maths
27
Pointers into array
28
Pointers into array
28
Pointers into array
28
Pointers into array
28
Looping via pointer
29
Looping via pointer
29
Potential of pointers: inspecting raw memory
31
Turning pointers into numbers
31
Turning pointers into numbers
31
Turning pointers into numbers
31
Turning pointers into numbers
31
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
32
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
33
C-strings
Figure: What someone should have said to the C standard library and compiler
people
33
Looping over C-strings
34
Looping over C-strings
34
Looping over C-strings: strlen
35
Looping over C-strings: strlen
35
How this goes horribly wrong
36
How this goes horribly wrong
36
How this goes horribly wrong
36
How this goes horribly wrong
36
How this goes horribly wrong
36
How this goes horribly wrong
36
How this goes horribly wrong
36
How strcpy breaks
37
How strcpy breaks
37
How strcpy breaks
37
How strncopy still breaks
38
How strncopy still breaks
38
How strncopy still breaks
38
How strncopy still breaks
38
Spot the bug
39
Spot the bug
39
Spot the bug
39
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Wait, what’s the deal with argv anyway
40
Handling command line arguments
#include <stdio.h>
41
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Safer strings and array?
42
Table of Contents
Memory layout
Arrays
Pointers
Pointer arithmetic
Strings
Homework
43
Homework
44