UNIVERSITY OF CALIFORNIA, DAVIS

______________________________________________________________________________________ BERKELEY DAVIS IRVINE LOS ANGELES RIVERSIDE SAN DIEGO SAN FRANCISCO ______________________________________________________________________________________ _________________________________ SANTA BARBARA SANTA CRUZ _________________________________

EEC70: Computer Structures and Assembly Language Programming Homework Assignment #6 (due Dec 7)

Fall 2012

Problem 1. Buffer Overflow (20 points) The purpose of this assignment is to help you learn (1) how data is stored in memory, and (2) how programs can be vulnerable to buffer-overrun attacks. We will provide you a program, hw6p1_given.s, which asks you for your name (up to 20 characters) and prints out the grade of a test you have taken. It so happens that everyone gets a C in this test. The output of the program on the screen looks like this: What is your name? Gandalf Hello, Gandalf. Your grade in this assignment is: C However, the author of the program has inexplicably forgotten to do bounds-checking on the array into which it reads the input, and therefore it is vulnerable to attack. Your task is to attack the given program by exploiting its buffer overrun vulnerability. More specifically, your job is to provide input "data" to the program so that it prints out grade A for you. Your tasks: (5 pt.) Copy this sentence to the #comment section of your file, and fill in the blanks such that the sentence is correct: "If you were to use a buffer overrun attack to knowingly gain unauthorized access or to cause damage to other people's computers, the Computer Fraud and Abuse Act provides a maximum penalty of ___5____ years in prison for a first offense. However, the creator of the Melissa virus plea-bargained down to __20____ months in prison." (5 pt.) In the #Comment section, provide an example input that you will enter as you run the given program to achieve the desired result, i.e., trick the program to give you an A. Input a LONG name to fill up the buffer for space allocated for name (20 chars), and attach A at the end such that the space allocated for grade is overwritten by character A. (10 pt.) Revise the SAL program so that you can remove this vulnerability to make sure that a too-long input does *NOT* overwrite other important memory locations. See a separate .s file Submit your revised program via smartsite. Please use the following convention to name your program: {your last name}_hw6p1.s

Chuah

Fall 2012

Problem 2. I/O (15 points) (a) (5 pt.) Write a MAL code to implement: puts prompt assuming prompt is pointing to a string of characters stored at memory location starting at 0x4000 0000 lui $a0, 0x4000 # I1: set $a0 (or $4) to beginning of prompt addi $v0, $0, 4 # I2: put value 4 into $v0 (or $2) syscall # I3

(b) (10 pt.) Translate to TAL and machine language.

ID 3 1 3 0 2 9 2 8 2 7 2 6 2 5 2 4 2 3 2 2 2 1 2 0 1 9 1 8 1 7 1 6 1 5 1 4 1 3 1 2 1 1 1 0 9 8 7 6 5 4 3 2 1 0

I1 I2 I3

0 0 0

0 0 0

1 1 0

1 0 0

1 0 0

1 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

1 0 0

0 1 0

0 0 0

0 0 0

1 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 0

0 0 1

0 1 1

0 0 0

0 0 0

Problem 3. Exception and Interrupts (15 points) (a) (5 pt.) How is a trap different from an interrupt? A trap is synchronous exception that results from the execution of the program. An interrupt is asynchronous exception that is due to external events like I/O devices. (b) (5 pt.) Why should the exception handler be privileged code? Exception handler can disable and restore interrupts and have access to special registers (e.g., EPC) that is restricted to operating system (or when processor is in kernel mode). So it should be privileged code that cannot be accessed by user programs to prevent user programs for accessing special registers or special regions of memory. (c) (5 pt.) Is it possible for the exception handler to return control to a user program while the processor is still in kernel mode? What would be the effect if this were to happen? No. Exception handler is supposed to reset the processor mode back to user before returning control to user program. Otherwise, it would have disastrous effect because the user programs will have access to special registers or special regions of memory.