Intel's Instruction Set Architecture (ISA) Quiz

Questions and Answers

Which of the following instructions is used to perform a function call?

call (correct)

return

jmp

push

The ret instruction pushes the return address onto the stack.

False

The ___ instruction loads the return address into the instruction pointer.

ret

What is the purpose of the push rbp instruction in the function prologue?

To store the base pointer of the caller on the stack.

What does the return address point to after a function call?

The next instruction after the call instruction.

How much space is typically reserved for local variables in a function?

16 bytes

What instruction is used to initialize a new base pointer in a function?

mov rbp, rsp

What happens during the function epilogue?

The base pointer is reset.

The calling convention is irrelevant to function execution.

False

What is the market share of Intel processors in Q1 2024?

63.8%

What is the purpose of understanding how processors work in relation to software vulnerabilities?

To understand how vulnerabilities can be exploited.

ARM architectures are dominant in the PC market.

False

Which of the following is an extension for 64-bit processors?

x86-64

What does the 'mov' instruction do in assembly language?

Performs a data movement operation from source to destination.

___ refers to the sequential order used to numerically interpret a range of bytes in computer memory.

Endianness

In which memory segment does the following variable 'static float v = 0;' reside?

Data

What happens to the stack pointer (rsp) when pushing an element onto the stack?

The stack pointer is decremented.

Conditional jump instructions are executed regardless of conditions.

False

Which register points to the instruction that should be executed next?

rip

What is the first step in a function prologue?

Store Base Pointer on the stack

What does the function epilogue do?

Sets the Stack Pointer back to its original state

What is a common instruction to save the Base Pointer?

push rbp

Which instruction is used to load the Base Pointer to the Base Pointer Register?

mov rbp,rsp

When calling a function in System V AMD64, the first 6 arguments are passed in the registers rdi, rsi, rdx, rcx, r8, and ___

r9

Calling conventions are the same across all operating systems.

False

What instruction is utilized as a software breakpoint in debuggers?

int3

What is the purpose of using interrupts in the context of program execution?

To halt the execution of a program

What is loaded into rax before performing a system call?

System call number

What is generally used for performing system calls in 32-bit Linux?

int 0x80

Study Notes

Background on Intel's Instruction Set Architecture (ISA)

• The importance of understanding processor internals:
  • Attacks that exploit software vulnerabilities are processor-specific
  • Necessary to know how processors work to understand how vulnerabilities can be exploited
• Why Intel processors are focused on:
  • Dominant market share of PCs, notebooks, and servers (63.8% in Q1 2024)
  • ARM architectures dominant in mobile and embedded markets, but slowly coming to PCs and servers

Variety of Instruction Set Architectures

• Different versions of processor instruction set architectures exist:
  • x86 (i386, IA-32) for 32-bit processors (older and low-end systems)
  • x86-64 (x64, AMD64, Intel 64) extension for 64-bit processors (modern PCs, notebooks, servers with Intel and AMD CPUs)
  • ARM, MIPS, RISC-V, etc. (mostly mobile and embedded systems)

Content of the Lecture

• Focus on Intel x86-64 instruction set architecture and differences to Intel x86
• Topics to be covered:
  • Registers, data types, and basic assembler instructions
  • Memory segmentation and stack operations
  • Function calling and system calls
  • Compilation process in C/C++

Program Compilation Process in C/C++

• Steps involved:
  • Preprocessing using preprocessor (cpp)
  • Compilation using compiler (gcc, g++)
  • Assembling using assembler (as)
  • Linking using linker (ld)
• Output at each step:
  • Source code including headers and macros (.i, .ii)
  • Assembly code (.s)
  • Machine code (.o, .obj)
  • Executable machine code

Assembly Code and Machine Code

• Assembly code is written using mnemonics, which represent opcodes and operands
• Machine code is code that is directly executable by the computer's physical processor
• Opcode is a number interpreted by a machine (virtual or silicon) that represents the operation to perform

Registers in x86-64

• 16 general-purpose registers, each 64 bits wide
• Registers include:
  • Accumulator register (rax)
  • Base register (rbx)
  • Counter register (rcx)
  • Data register (rdx)
  • Stack pointer (rsp)
  • Base pointer (rbp)
  • Source index pointer (rsi)
  • Destination index pointer (rdi)
  • Additional registers (r8-r15)

Data Types

• Byte: 8 bits
• Word: 16 bits
• Double word (DWORD): 32 bits
• Quad word (QWORD): 64 bits
• Little Endianness used on Intel CPUs

Instruction Pointer Register

• The instruction pointer (rip) points to the instruction that should be executed next
• rip is not a general-purpose register and cannot be accessed by any instruction except explicit branch instructions

Program Status and Control Register

• The rflags register stores the status of arithmetic and bit-wise instructions
• Flags include:
  • Zero flag (ZF)
  • Sign flag (SF)
  • Carry flag (CF)
  • Overflow flag (OF)

Basic Assembler Instructions

• mov instruction: used for data movement operations
• Immediate to register, register to register, immediate to memory, and register to memory operations are possible
• Arithmetic and bit-level operations:
  • add, sub, mul, div
  • and, or, xor, not### Unconditional Jump Instructions
• Unconditional jump instructions change the value of the instruction pointer (rip) to a specified address
• Direct jump instructions use a fixed target address, e.g. jmp address and jmp function
• Indirect jump instructions use a general purpose register or a memory operand as the target address, e.g. jmp rax and jmp [rbx]

Conditional Jump Instructions

• Conditional jump instructions are executed if a certain condition holds
• Conditions are managed via the rflags register
• Most of the time, a conditional jump instruction is preceded by a compare instruction (cmp)
• Examples of conditional jump instructions include:
  • jle - jump if the destination operand of the preceding cmp instruction is less than or equal to the source operand
  • jz - jump if the zero flag in the rflags register is set

Intel vs. AT&T Syntax

• We use Intel syntax in this lecture
• Differences between Intel and AT&T syntax:
  • Register prefixes: Intel uses no prefix, AT&T uses %
  • Immediate value prefixes: Intel uses no prefix, AT&T uses $
  • Direction of operands: opposite in AT&T syntax
  • Suffixes for AT&T mnemonics: quad (64 bits), long (32 bits), word (16 bits), byte (8 bits)
• Examples of Intel and AT&T syntax:
  • mov rax,1 (Intel) vs. movq $1,%rax (AT&T)
  • mov rbx,0ff (Intel) vs. movq $0xff,%rbx (AT&T)

Memory Segmentation

• Exploitation of security bugs involves overwriting or overflowing one portion of memory into another
• Program execution involves:
  1. OS creates an address space for the program
  2. The address space includes program instructions and required data
  3. Stack and heap are initialized
• Memory is divided into five segments:
  • Text segment: holds program instructions
  • Data segment: holds static initialized data
  • BSS segment: holds uninitialized data
  • Stack segment: a LIFO data structure that grows down the address space
  • Heap segment: a FIFO data structure that grows up the address space

Stack Operations

• Stack is a LIFO memory area where the Stack Pointer (rsp) points to the last stored element
• Stack grows downwards
• Two basic operations on the stack:
  1. Push elements onto the stack (rsp is decremented)
  2. Pop elements off the stack (rsp is incremented)

Stack Frame

• Each function is associated with one stack frame on the stack
• The rbp register is used to reference function arguments and local variables
• Stack frame components:
  • Function arguments
  • Return address
  • Saved Base Pointer
  • Local variables

Function Calling Convention

• Function calls are performed using the call instruction
• The call instruction pushes the return address onto the stack
• Function returns are performed using the ret instruction
• The ret instruction pops the return address off the stack and loads it into the instruction pointer (rip)

Function Prologue and Epilogue

• Function prologue:

  • Store the Base Pointer (rbp) of the caller on the stack
  • Initialize a new Base Pointer

• Function epilogue:

  • Pop the Base Pointer (rbp) of the caller off the stack### Function Prologue and Epilogue

• A function prologue initializes a new base pointer, reserves space for local variables, and saves the base pointer of the caller on the stack.

• The function epilogue sets the stack pointer (rsp) to the location where the saved base pointer is stored, loads the saved base pointer to the base pointer register, and issues a return to the caller.

Stack Management

• The stack stores the base pointer of the caller (rbp) and the return address.
• The base pointer is saved on the stack in a field called "Saved Base Pointer".
• The function prologue reserves space for local variables by subtracting the required space from the stack pointer (rsp).
• The function epilogue sets the stack pointer (rsp) to the location where the saved base pointer is stored.

Register Management

• The base pointer register (rbp) is used to store the base pointer of the caller.
• The function prologue initializes a new base pointer by moving the stack pointer (rsp) to the base pointer register (rbp).
• The function epilogue loads the saved base pointer to the base pointer register.

Code Organization

• The function prologue and epilogue are separated from the function code.
• The function code is executed between the prologue and epilogue.
• The epilogue instructions include pushing the base pointer, moving the base pointer to the stack pointer, subtracting the reserved space from the stack pointer, and issuing a return to the caller.

Description

Test your knowledge of Intel's processor internals, including its Instruction Set Architecture (ISA), and understand how it relates to software vulnerabilities and attacks.