Principles of Software Security IFN657 Lecture 3

Questions and Answers

What is the primary function of the 'mov' instruction in x86 assembly?

• To change the flow of execution in a program
• To perform arithmetic operations on registers
• To load the effective address of a memory location
• To copy data from one location to another (correct)

Which instruction is used to load an effective address into a register?

• pop
• push
• mov
• lea (correct)

What does the instruction 'mov eax, [ebx+esi*4]' do?

• Loads the effective address EBX+ESI into EAX
• Initializes EAX with a fixed value from EBX
• Copies the contents of EAX into memory at EBX+ESI
• Copies data from the memory address computed by EBX+ESI*4 into EAX (correct)

Why is 'mov eax, ebx+8' considered invalid in x86 assembly?

The 'mov' instruction cannot compute memory addresses (B)

If you want to copy a value from a memory address into a register, which instruction should you use?

mov (D)

What does the instruction 'jg loc' do in assembly language?

Jump if the destination operand is greater than the source operand. (C)

Which instruction performs a jump if the destination operand is less than the source operand?

jl loc (D)

What is the effect of the instruction 'jge loc'?

Jump if the destination operand is greater than or equal to the source operand. (C)

What condition does 'jecxz loc' check before performing the jump?

Jump to location if ECX equals zero. (B)

Which instruction should be used for an unsigned comparison to check if the destination is greater than the source?

ja loc (D)

What is a characteristic of the C programming language that makes it distinct from higher-level languages?

Manual memory management (D)

Which section of computer memory grows by making function calls?

Stack (C)

What is the primary function of a disassembler?

Translates binary to assembly language (D)

How does an assembler differ from a compiler?

Assemblers generally work in two passes (D)

Which of the following describes low-level languages?

Provide a human-readable version of the instruction set (A)

What is a key feature of interpreted languages?

Executed within an interpreter after translation to bytecode (D)

In x86 architecture, what role does microcode play?

Functions at a level close to firmware (A)

Which statement is true regarding assembly language?

It is a class of languages focusing on x86 architecture (B)

What is the value of argc when the program is executed with the command 'filetestprogram.exe -r filename.txt'?

3 (B)

What does the statement 'strncmp(argv, "-r", 2) == 0' check for in the program?

If the first two characters of argv are '-r' (C)

What will happen if the condition 'argc != 3' evaluates to true?

The program will return 0 and terminate. (B)

In the assembly code, which instruction is executed to compare argc with the value 3?

cmp [ebp+argc], 3 (D)

What is likely to occur if the command 'filetestprogram.exe -r filename.txt' is altered to 'filetestprogram.exe filename.txt'?

The program will return 0 without doing anything. (A)

Which assembly syntax reverses the order of operands and uses a % before registers?

AT&T format (A)

What does EAX primarily serve as in the context of x86 registers?

Primary accumulator for input/output and arithmetic (D)

In a little-endian format, where is the low-order byte stored?

At the lower memory address (A)

Which of the following segment registers points to the code segment containing instructions?

CS (D)

What is the role of the EIP register in the CPU?

To track the next instruction address (A)

What does the CF flag represent in the EFLAGS register?

It signifies a carry in arithmetic operations (A)

Which of the following registers is used primarily as a source index for string operations?

ESI (B)

Which general register is used for holding loop counts during iterative operations?

ECX (D)

What is the purpose of the EBP register in x86 architecture?

To provide a reference for parameter variables (B)

Which statement best describes segment registers in x86 architecture?

They define the logical address space within memory. (C)

What happens to the EIP when a function is called?

Current instruction address in EIP is pushed onto the stack. (D)

Which instruction is equivalent to using 'sub' but only sets the Zero Flag and Carry Flag without modifying the operands?

cmp (C)

What does the 'jz' instruction do in a program's control flow?

Jumps to the specified location if ZF = 1. (A)

What is the primary purpose of a function restoring local variables and EBP after execution?

To maintain stack integrity for the calling function. (A)

What do conditional jumps rely on to determine program control flow?

Status flags. (A)

What is the result of the 'test' instruction when used in a program?

It only sets the Zero Flag based on the result. (B)

How many different types of conditional jumps are mentioned?

More than 30 (B)

In the context of stack operations, what must happen before a function call completes successfully?

The EIP must be restored. (A)

Flashcards

Machine Code

Binary instructions that directly control a computer's processor.

Assembly Language

Human-readable version of machine code instructions.

Disassembler

A tool that converts machine code to assembly language.

Compiler

A program that translates high-level language code to machine code.

Assembler

A program that translates assembly language to machine code.

x86 architecture

A common computer architecture used in many personal computers.

Levels of Abstraction

Different ways of viewing the same hardware or software.

Interpreted Language

A programming language that's not directly compiled into machine code.

mov eax, ebx

Copies the contents of EBX register into EAX register.

mov eax, 0x42

Copies the hexadecimal value 0x42 into the EAX register.

mov eax, [0x4037C4]

Copies the 4 bytes of data at memory location 0x4037C4 into the EAX register.

lea instruction

Loads the effective address into the destination.

mov vs. lea

mov loads the data at the address, whereas lea loads the address itself.

jg instruction

Performs a signed comparison jump if the destination operand is greater than the source operand after a cmp instruction.

jge instruction

Performs a signed comparison jump if the destination operand is greater than or equal to the source operand after a cmp instruction.

jb instruction

Performs an unsigned comparison jump if the destination operand is less than the source operand after a cmp instruction.

jo instruction

Jump if the overflow flag (OF) is set to 1 after the previous instruction.

jecxz instruction

Jump to a location if the ECX register is 0.

NASM syntax

A specific assembly language syntax for x86 architecture.

Stack Push

Placing data onto the stack.

AT&T syntax

Another assembly language syntax for x86, different from NASM.

Function Call

Instructing the processor to execute a function.

Little-endian format

Memory storage scheme where the low-order byte is at the lower memory address.

EIP

Instruction pointer; holds address of next instruction.

CPU Registers

Small storage areas inside the CPU that hold data or addresses for quick access.

Conditional Jump (jz)

Branching to another location if a condition (e.g., zero flag) is true.

General registers

CPU registers used for storing data or addresses during program execution.

Conditional Jump (jnz)

Branching to another location if a condition (e.g., zero flag) is false.

cmp Instruction

Compares two operands, setting flags, without modifying the operands.

Segment registers

Registers that point to sections (segments) of memory.

Status register

CPU register holding flags indicating results of operations.

test Instruction

Compares two operands, setting flags only.

Instruction pointer (EIP)

Register that points to the next instruction to be executed.

Stack Layout

Organization of data on the stack during function execution

Stack pointer (ESP)

Register pointing to the top of the program stack.

Base pointer (EBP)

Register used to reference parameter variables in a subroutine.

C Main Method Args

The int main(int argc, char* argv[]) method in C takes two arguments: argc (argument count) and argv (argument vector).

argc Value

The argc argument holds the count (number) of command-line arguments given when the program is run, including the program name.

argv Description

The argv argument is an array of strings. Each string holds a command-line argument, starting with the program name followed by other arguments.

Command-Line Args

These are options or file names passed to a program when it's run from a command line (e.g., terminal).

strncmp Function

The strncmp function compares up to a specified number of characters of two strings, looking for matches.

Study Notes

QUT Acknowledgement of Traditional Owners

• QUT recognizes the Turrbal and Yugara peoples as the First Nations owners of the land.
• Respect is paid to Elders, customs, lores, and creation spirits.
• The land has always been a place of learning, teaching, and research.
• QUT acknowledges the important role of Aboriginal and Torres Strait Islander people within their community.

Principles of Software Security (IFN657 Lecture 3)

• Key Points from Last Lecture (C and C#):
  • C is efficient but error-prone, closely related to the machine model with flexible memory management.
  • C# is type-safe, with built-in bounds and string checks, and automatic memory management.
  • Computer memory is divided into sections (stack, heap).
  • Stack grows as function calls are made.
  • Heap grows dynamically as memory is allocated.

x86 Architecture - Assembly Basics

• x86 architecture and assembly basics

Machine vs. Assembly vs. C

• Shows the relationship between C code, compiled machine code, and assembly code.
• Demonstrates the translation process from a high-level language (C) to low-level machine code.
• Includes example C code, generated machine code (in hexadecimal format), and assembly instructions.

Levels of Abstraction

• Hardware: Basic electrical circuits implementing logical operations (XOR, AND, OR, NOT).
• Microcode (Firmware): Lower-level instructions.
• Machine code: Opcodes (hexadecimal digits) that tell the processor what to do.
• Low-level languages: Human-readable versions of an architecture's instruction set.
• High-level languages: Transformed into machine code at compilation (e.g., C/C++).
• Interpreted languages: Translated to bytecode, then executed.

Assembly Language

• Assembly is the highest-level language reliably recovered from machine code.
• Vulnerable code or malware is typically stored in binary at the machine code level.
• Disassemblers convert binary to assembly language code.
• Assembly language is a class of languages, with x86 as a specific focus (explained in more detail).

Assemblers and Linkers

• Assemblers and linkers are tools used in software development that manipulate object files and libraries in creating and managing executable code.
• Assembly files are transformed into object files by assemblers.
• Object files are linked into an executable file by a linker that also incorporates libraries.

Assembler vs. Compiler

• Compilers translate high-level languages to machine code in a single step.
• Assemblers translate assembly language to machine code in multiple steps.
• A compiler checks and converts the entire code simultaneously, whereas an assembler typically works in multiple passes.
• Compilers may include a lexical analyzer (scanning), syntax analyzer, semantic analyzer, code optimizer, code generator, and produce mnemonic versions.

AT&T vs. Intel Syntax (NASM)

• Two main assembly language syntax forms.
• NASM format uses a different order, and symbols before registers/literals.
• AT&T format, uses the reverse order, and includes % before registers and $ before literal values.

Fundamental Data Types

• Binary representations of data types (bytes).

Memory

• Memory addresses and their corresponding data.

Data in Memory (Little-Endian Format)

• How data is stored in memory using little-endian format

CPU Registers

• A small amount of data storage directly accessible by the CPU.
• Registers are faster accessible than memory.

x86 Registers

• Categorizes x86 registers into General, Segment, Status, and Instruction Pointer registers.

General Registers

• Storing data or memory addresses and functions like storing data.

x64 Registers

• A further division of x86 registers based on 64-bit architecture

Data Registers

• Functions of EAX, EBX, ECX, EDX registers (explained in more detail).

Index Registers

• Functions of ESI (source) and EDI (destination) registers.

Segment Registers

• Functions of CS (Code Segment), DS (Data Segment), SS (Stack Segment) for referencing code, global data and stack, respectively.
• ES, FS, and GS provide additional segments.
• Memory address are relative to the starting address of the segment.

Status Registers

• Functions of ZF, CF, SF, TF flags (zero, carry, sign, trap).

Instruction Pointer (EIP)

• Points to the next instruction to be executed.
• The complete address consists of a segment selector and offset.

Other Pointer Registers

• ESP (Stack Pointer) and EBP (Base Pointer) are described.
• ESP points to the top of the stack, while EBP points to the current stack frame or local variables in current functions.

Simple Instructions

• Functions and uses of various instructions like MOV, LEA, arithmetic instructions (e.g., ADD, SUB, INC, DEC, MUL, DIV), logic instructions(e.g., XOR, OR, SHR, ROR), and the 'nop' instruction.

Stack Layout

• Visual representation of the stack with multiple stack frames.

Function Calls

• Process of calling and returning from a function explained.

Conditionals

• Functions of test and cmp instructions and how they use flags (ZF, CF).

Branching

• Types of unconditional jumps (JMP) and conditional jumps (e.g., JZ, JNZ, JG, JGE).

Examples of Conditional Jumps

• A variety of conditional jumps.

C Main Method and Offsets

• How C programs organize arguments using the main method (argc, argv array).

A Simple C Program (and compiled form)

• C program demonstrating the usage of file operations.
• Shows assembly code after compilation.

Home Readings

• List of resources for additional learning about NASM Assembly.