11/8/23

Outline

Assembly languages
Low Level Programming ¢
¢ Intel x86 family of CPUs
¢ Process memory layout
8. x86 assembly ¢ Intel x86 instruction sets
l Intel x86-32 registers
l Intel x86-64 registers
l x86 instruction set
¢ Interrupts and system calls
¢ Assembly in practice
¢ Stack management
¢ Application binary interfaces

Low Level Programming (LLP) 2

Assembly languages: motivations and

Assembly languages: keywords
warnings
¢ Pros ¢ Variables
l Understand the machine l Restricted to processor registers and memory locations
• Helps debugging, understand low-level security attacks ¢ Expressions
l Code hardware-dependant routines (operating systems, l Restricted to the instructions available on the CPU
device drivers)
¢ Instruction set
l Reverse-engineering (malware, driver analysis)
l Set of instructions provided by the CPU
¢ Cons
¢ Opcodes (for Operation Code)
l Portability is lost (w.r.t. processor, device interface)
l Encoding of instructions in memory
l Obfuscates the code (only a few programmers can read
assembly) ¢ Mnemonic
l Human-readable name of an instruction
l Optimization is tedious (compilers are usually more
efficient than humans) ¢ Operand(s)
l Use it with caution and sparsity! l Argument(s) of an instruction
Low Level Programming (LLP) 3 Low Level Programming (LLP) 4

1
 11/8/23

Assembly languages: keywords Assembly languages: a short list

¢ Examples (disassambled code, using objdump -d) ¢ MIPS (42 and 64 architectures), RISC-V
¢ Intel IA-32, Intel IA-64
c7 05 50 00 00 00 07 00 00 00 movl $7, 80(%rip)
¢ Motorola 68000
Memory transfer instruction ¢ Arm
Opcode (‘movl’ mnemonic)
¢ Motorola PowerPC
Operands (immediate operand,
memory operand)
¢ Sun Sparc
¢ Texas Instrument MSP430
83 c1 01 addl $1, %ecx

Addition instruction Operands (immediate operand, ¢ RISC (Reduced Instruction Set Computers) vs CISC
(‘addl’ mnemonic) register) (Complex Instruction Set Computers)
Note: in general no more than one memory operand per instruction, ¢ Instruction set vs. micro-architecture
registers as temporaries
Low Level Programming (LLP) 5 Low Level Programming (LLP) 6

Intel x86 family of CPUs Name soup!

¢ x86-32 Architecture Names

AMD: x86 Intel: IA-32
Oracle/Microsoft: x32 GCC: i386
Linux kernel: x86 BSD: i386
Debian/Ubuntu: i386 Fedora/Suse: i386
Gentoo: x86 Solaris: x86
¢ x86-64 Architecture Names
AMD: x86-64, AMD64 Intel: IA-32e, EM64T, Intel 64
Oracle/Microsoft: x64 GCC: amd64
Linux kernel: x86_64 BSD: amd64
Debian/Ubuntu: amd64 Fedora/Suse: x86_64
Gentoo: amd64 Solaris: amd64

Low Level Programming (LLP) 7 Low Level Programming (LLP) 8

2
 11/8/23

Process memory layout (simplified) x86-32 registers

¢ Memory = array of bytes, address = index ¢ Data registers (read-write)

Address (EAX, EBX, ECX, EDX)
¢ Memory areas (regions) 0x00000000
l Code: .text Code (.text) ¢ Index and pointer registers (read-write)
l Data: .data, .bss Data (.rodata, (EBP, ESP, ESI, EDI, EIP)
l Heap: for dynamically allocated data .data, .bss)
¢ Segment registers (protected)
l Stack: for local data Heap
(CS, DS, ES, FS, GS, SS)
• One stack frame per function call
• Stack frame for parameters and local variables
¢ Flag register (read-only)
¢ Registers (EFLAGS)
l Program Counter (PC) ¢ Floating-point registers (read-write)
bar
l Stack Pointer (SP) foo
(ST0, …, ST7)
Stack
l General Purpose registers (GPR) main
0xffffffff
¢ Addresses of regions can be controlled (ldscript)
Low Level Programming (LLP) 9 Low Level Programming (LLP) 10

x86-32 registers x86-32: data registers

¢ EAX (Accumulator)
Accumulator for operands
and results data (add, sub)
¢ EBX (Base address)
Usually used to store the
base adress of a data
structure in memory
¢ ECX (Counter)
Usually used as loop counter
¢ EDX (Data store)
l Used to store operand and
For backward compatibility for old results for mult and div
8-bit and 16-bit registers
Low Level Programming (LLP) 11 Low Level Programming (LLP) 12

3
 11/8/23

x86-32: index and pointer registers x86-32: segment registers

¢ ESP (Stack Pointer)

Pointer to the last cell of the
stack ¢ CS (Code Segment)
Point to the corrent code segment
¢ EBP (Base Pointer)
Pointer to the base of the ¢ SS (Stack Segment)
current stack frame Point to the current stack segment
¢ ESI (Source Index) ¢ DS (Data Segment)
Source in string operations Point to the current data segment
¢ EDI (Data Index) ¢ EF, FS, GS (Extra Data
Index in string operations Segments)
¢ EIP (Instruction Pointer) Additionnal segment registers

For backward compatibility for old Pointer on next instruction

16-bit registers
Low Level Programming (LLP) 13 Low Level Programming (LLP) 14

x86-32: EFLAGS register x86-32: FLAGS register

¢ Usage ¢ Types of flags

l Store information about l Status flags (stat) ¢ CF (stat) Carry flag ¢ OF (stat) Overflow flag
instruction results • Results of arithmetic and (left-most bit of the result) (set of overflow occurs)
l Store information about comparison instructions
¢ PF (stat) Parity flag ¢ DF (ctrl)
tests l Control flags (ctrl) (right-most bit of the result) Set reading direction of a string
l Information about the • Change the behavior of ¢ AF (stat) Auxiliary Carry flag ¢ IF (sys) Interrupt enabled flag
behavior of the CPU or some instructions (std, cld) (carry at 4 least significant bits – BCD)
¢ TF (sys) Trap flag
the OS l System flags (sys) ¢ ZF (stat) Zero flag Single step mode
l A few reserved bits • Control system properties (set if result is zero)
¢ IOPL (sys) I/O privilege level
¢ SF (stat) Sign flag ¢ NT (sys) Nested task flag
(most significant bit of result)
Low Level Programming (LLP) 15 Low Level Programming (LLP) 16

4
 11/8/23

x86-32: Floating point registers x86-32: Status Word Register (STW)

¢ FPU stack registers

l Size of floating point numbers:
• 32-bit long (“float”)
• 64-bit long (“double”)
l FPU registers on 80 bits to ¢ Exception Flags (bits 0-5) ¢ Other Flags (bits 6-15)
reduce rounding errors l IE: Invalid Operation Exception l B: FPU Busy
l Registers organized as a stack l DE: Denormalized Operand l TOP: Top of Stack Pointer
(no direct access) Exception l C0, C1, C2, C3: Condition
l Register contents l FE: Zero Divide Exception Code
• Sign: 1 bit l OE: Overflow Exception l ES: Error Summary Status
• Exponent: 15 bits
l UE: Underflow Exception l SF: Stack Fault
• Mantissa: 64 bits
l PE: Precision Exception

Low Level Programming (LLP) 18 Low Level Programming (LLP) 19

x86-32: Streaming SIMD extensions (SSE) x86-32 Streaming SIMD extensions (SSE)

¢ SIMD: Single Instruction, Multiple Data

l Same operation (add, mult, …) on vectors of data
¢ SSE: SIMD extension added in Pentium III (1999) ¢ Typical SSE instructions
¢ First version of SSE l Load data in SSE registers

l SSE register contains a single data type l Scalar operations

• ADDSS, SUBSS, MULSS,
¢ Extensions of SSE: SSE2
DIVSS, RCPSS, SQRTSS,
l SSE registers may include MAXSS, MINSS,
• Two 64-bit double precisions floating point numbers RSQRTSS
• Two 64-bit integers l Comparison operations
• Four 32-bit integers ¢ On vectors!
• Eight 16-bit short integers
• Sixteen 8-bit integers
SSE registers
Low Level Programming (LLP) 20 (in addition other registers) Low Level Programming (LLP) 21

5
 11/8/23

x86-64 versus x86-32 x86-64 registers

¢ The good news

l Instructions are mostly the same
l More registers to play with
• 8 new general purpose 64-bit registers (R8-R15);
• 8 new SSE 128-bit registers (XMM8-XMM15).
¢ The bad news
l Calling convention change totally
l Optimized code is tricky.
• (because of massive usage of SSE instructions)

Low Level Programming (LLP) 22 Low Level Programming (LLP) 23

x86-64: Data registers x86-64: Index and pointer registers

¢ Longer versions of existing registers (RAX-RDX)

¢ New data registers (R8-R15)

Addition of a new way to access the low 8-bit of these

registers (SPL, BPL, SIL, DIL)

Low Level Programming (LLP) 24 Low Level Programming (LLP) 25

6
 11/8/23

x86-64 all registers (wikipedia) x86 assembly syntax: basics

¢ A bit of syntax .text section (contains the code)

.text
_start: size (optionnal)
movl $8,%ebx # ebx = 8
Labels cmpl %eax,%ebx # compare eax and ebx
(targets jle L0
of jumps) ret
L0: decl %ebx
Comments
ret

Instruction Instruction (AT&T syntax, see next slide)

mnemonics operands
Low Level Programming (LLP) 26 Low Level Programming (LLP) 27

x86 assembly syntax: AT&T vs Intel x86 assembly syntax: AT&T vs Intel
syntax syntax
AT&T syntax Intel syntax AT&T syntax Intel syntax
Community UNIX Microsoft Data types • Registers: ‘%eax’ • Registers: ‘eax’
Left to right Right to left
• Concatenation: • Concatenation: ‘eax:ebx’
Direction of operands • ‘%eax:%ebx’ • Immediate values: ‘1’
(first operand is source, second is (first operand is destination, second
destination) is source) • Immediate values: ‘$1’ • Decimal: ‘10’ (or ‘10d’)
inst src, dst inst dst, src • Decimal: ‘10’ (or ‘0d10’) • Hexadecimal: ‘10h’
mov (%ecx), %eax mov eax, [ecx] • Hexadecimal: ‘0x10’ • Address of bytes: ‘byte ptr’
Memory addressing Addresses are enclosed in Addresses are enclosed in • Operand on bytes: ‘movb’ • Address of words: ‘word ptr’
parenthesis brackets • Operand on words: ‘movw’ • Address of longs: ‘dword ptr’
(‘(’, ‘)’) and given by the formula: (‘[’, ‘]’) and given by the formula: • Operand on longs: ‘movl’
offset(base, index, scale) [base+index*scale+offset] movl $1, %eax mov eax, 1
movl (%ebx), %eax mov eax, [ebx] movl $0xff, %ebx mov ebx, 0ffh
movl 3(%ebx), %eax mov eax, [ebx+3] int $0x80 int 80h
movl 0x20(%ebx), %eax mov eax, [ebx+20h] movb %bl, %al mov al, bl
addl (%ebx,%ecx,0x2), %eax add eax, [ebx+ecx*2h] movw %bx, %ax mov ax, bx
leal (%ebx,%ecx), %eax lea eax, [ebx+ecx] movl %ebx, %eax mov eax, ebx
subl -0x20(%ebx,%ecx,0x4), %eax sub eax, [ebx+ecx*4h-20h] movl (%ebx), %eax mov eax, dword ptr [ebx]

(Just a matter of syntax, the code is the same!)

Low Level Programming (LLP) 28 Low Level Programming (LLP) 29

7
 11/8/23

x86 assembly instructions Moving data to/from memory

¢ Memory instructions Mnemonic Operand Operand Operation

l Moving data to/from memory, stack management, mov src dst src → dst
instructions on strings xchg src dst src ↔ dst
¢ Arithmetic and logic instructions lea src reg @(src) → dst
l Integer operations, bitwise operations, shift and rotate
¢ Notes
¢ Control flow instructions
l FLAGS are not modified
l Tests, jumps
l lea (load effective address) loads the address of the
¢ Floating point instructions operand rather than its contents
l FPU stack management, floating point arithmetic, tests on
movl $8,%ebx # ebx = 8
floating point values (not detailed)
movl %ebx,(ecx) # store content of ebx at @ecx
¢ Additionnal instructions xchg ax,bx # exchange contents of ax and bx
l MMX, SSE for vectorization (not detailed) leal 2(%esp), %ecx # ecx = esp+2

Low Level Programming (LLP) 30 Low Level Programming (LLP) 31

Moving data: addressing modes Addition and substraction instructions

¢ Direct
Mnemonic Operand Operand Operation Flags
.data add src dst src + dst → dst OF, SF, ZF, AF, CF, PF
var:
.long 42 # Reserve a 4-byte value, initialized to 42
sub src dst dst - src → dst OF, SF, ZF, AF, CF, PF
.text inc dst __ dst + 1→ dst OF, SF, ZF, AF, CF, PF
mov %ebx, var # Move the contents of ebx at memory address var
dec dst __ dst - 1→ dst OF, SF, ZF, AF, CF, PF
¢ Offset(Base+Index+Scale) (in any combination) neg dst reg @(src) → dst OF, SF, ZF, AF, PF
¢ Example
mov (%ebx), %eax # Load 4 bytes from the memory address in ebx into eax
mov -4(%esi), %eax # Move 4 bytes at memory address esi-4 into eax
mov %cl,(%esi,%eax,1) # Move the contents of CL into the byte at address esi+eax movl $15, %eax # %eax = 15
mov (%esi,%ebx,4),%edx # Move the 4 bytes of data at address asi+4*ebx into edx subl $7, %eax # %eax = %eax - 7
addl $30, %eax # %eax = %eax + 30
decl %eax # %eax = %eax - 1

Low Level Programming (LLP) 32 Low Level Programming (LLP) 33

8
 11/8/23

Multiplication and division instructions Jump instructions (non exhaustive)

Mnemonic Operand Operation

Mnemonic Operand Operation Flags jmp addr Jump to ‘addr’ (unconditional jump)

mul src src × %eax → %eax (unsigned) OF, CF ja/jge addr Jump to ‘addr’ if above / greater or equal

OF, CF jae/jnb addr Jump to ‘addr’ if above or equal / not below

imul src src × %eax → %eax (signed)
jbe/jna addr Jump to ‘addr’ if below or equal / not above
div src src ÷ %eax → %eax (unsigned) OF, SF, ZF, AF, CF, PF
jb/jnae addr Jump to ‘addr’ if below / not above or equal
idiv src src ÷ %eax → %eax (signed) OF, SF, ZF, AF, CF, PF
jg/jnle addr Jump to ‘addr’ if greater / not less or equal
¢ Example jge/jnl addr Jump to ‘addr’ if greater or equal / not less
movl $8, %eax jle/jng addr Jump to ‘addr’ if less or equal / not greater
movl $0, %edx jl/jnge addr Jump to ‘addr’ if less / not greater or equal
movl $2, %ebx
divl %ebx # %eax = %edx.%eax / %ebx je/jz addr Jump to ‘addr’ if equal / zero (ZF=1)
addl $3, %eax # %eax = %eax + 3
jne/jnz addr Jump to ‘addr’ if not equal / not zero (ZF=0)
movl $-15, %ebx
imull %ebx # %eax = -15 * %eax jc/jnc addr Jump to ‘addr’ if carry (CF=1) / not carry (CF=0)
js/jns addr Jump to ‘addr’ if signed (SF=1) / not signed (SF=0)
Low Level Programming (LLP) 34 Low Level Programming (LLP) 35

Jump instructions (non exhaustive) Bitwise instructions

¢ Signed vs unsigned Mnemonic Operand Operand Operation Flags

l Below/above: unsigned and src dst src & dst → dst SF, ZF, PF

l Greater/less: signed or src dst src | dst → dst SF, ZF, PF

xor src dst src ^ dst → dst SF, ZF, PF

¢ Usually used after a cmp instruction (see next slide)
test op1 op2 op1 & op 2 (result discarded) SF, ZF, PF
¢ Example
not dst ___ ~dst → dst ___

# Decrement %ebx if 8<= %ebx, else increment it cmp op1 op2 op1 - op2 (result discarded) OF, SF, ZF, AD,
movl $8, %ebx CF, PF
cmpl %eax, %ebx # Compare %eax, %ebx
jle L0 # If %eax <= %ebx go to L0 ¢ Example
incl %ebx # Increment %ebx (then)
ret movl $8, %ebx
L0: andl $8, %ebx # And with myself, does not change
decl %ebx # Decrement %ebx (else) notl %ebx # Now is 0x7
ret cmpl $7, %ebx # Compare with value $7
je L0 # Should branch!

Low Level Programming (LLP) 36 Low Level Programming (LLP) 37

9
 11/8/23

Shift and rotate instructions Other instructions

Mnemonic Operand Operand Operation Flags Mnemonic Operation

nop No Operation
shl cnt dst dst << cnt → dst CF, OF
(unsigned) hlt Stop the CPU until the next interruption occurs
shr cnt dst dst >> cnt →dst (unsigned) CF, OF int System call (see after)

sal cnt dst dst << cnt →dst (signed) CF, OF ¢ x86-64 new instructions (far from exhaustive)
sar cnt dst dst >> cnt →dst (signed) CF, OF
Mnemonic Operation
rol cnt dst Left rotate ‘dst’ of ‘cnt’ bits CF, OF lodsq (rsi) → rax
ror cnt dst Left rotate ‘dst’ of ‘cnt’ bits CF, OF stosq (rax) → (rdi)
syscall System call
shll $7, %eax # %eax = 2 ^ 7 sysret Return from syscall

(Intel® 64 and IA-32 Architectures Software

Developer’s Manual in 5000 pages long!)
Low Level Programming (LLP) 38 Low Level Programming (LLP) 39

Toy code snippets Interrupts and system calls

¢ Absolute value of %eax put in %eax ¢ Effects of interrupts on execution

cmpl %eax,$0 # If %eax greater or equal to zero, goto end
l Stop program execution and save current execution status
jge end (eip/flags mainly) – mask interrupts
subl $0,%eax # take the opposite of %eax
end: l Branch to interrupt handling routine
l At end of routine (instruction RTI) restore the saved
¢ Sum all integers from 1 to 10, result in %ecx execution status and continue the interrupted code
movl $1, %eax # %eax = 1
movl $0, %ecx # %ecx = 0 @ IT handling routine
Save EIP
loop:
addl %eax, %ecx Interrupt Interrupt handling
incl %eax routine
cmpl $10, %eax
jle loop
Restore EIP RTI
Program

Low Level Programming (LLP) 40 Low Level Programming (LLP) 41

10
 11/8/23

Types of interrupts System calls

¢ Software interrupt meant to execute a system routine

¢ Interrupts coming from internal hardware exceptions ¢ Specific instruction for system calls: int (x86-32 and
l Division by zero, overflow, protection error, … x86-64) and syscall (x86-64)
¢ External hardware interrupts l int 0x80

l Events produced by controllers of peripheral devices (disk

• Syscall id: eax
controller, network controller, keyboard, etc) • Syscall arguments: ebx, ecx, edx, esi, edi
¢ Interrupts from software l syscall
• Syscall id: rax
l Mainly produced by the operating system (system calls)
• Syscall arguments: rdi, rsi, rdx, r10, r8, r9
l Produced by executing the instruction ‘int’
¢ Example (exit, x86-32)
movl $1, %eax # %eax = 1
int $0x80 # %ecx = 0

Low Level Programming (LLP) 42 Low Level Programming (LLP) 43

System calls Example of assembly code: Hello World!

¢ x86-32 (/usr/include/asm/unistd_32.h) … first calls only .data # Data section

msg:
eax Name Operation .asciz "Hello World!\n" # String
0x01 sys_exit Exit from the current process len = . - msg # String length
0x02 sys_fork Duplicate the current process
.text # Text section
0x03 sys_read Read from file .globl main # Export entry point to linker
0x04 sys_write Write to a file main: # Write the string to stdout
movl $len, %edx # 3rd argument: string length
¢ x86-64 (/usr/include/asm/unistd_64.h) movl $msg, %ecx # 2nd argument: pointer to string
movl $1, %ebx # 1st argument: file handler (stdout)
movl $4, %eax # System call number (sys_write)
rax Name Operation int $0x80 # System call
0x00 sys_read Read from file # And exit
movl $0, %ebx # 1st argument: exit code
0x01 sys_write Write to a file movl $1, %eax # System call number (sys_exit)
0x02 sys_open Open a file int $0x80 # System call
0x03 sys_close Close a file
Low Level Programming (LLP) 44 Low Level Programming (LLP) 45

11
 11/8/23

Get information on your CPU on Linux Compiling assembly with gcc

cat /proc/cpuinfo
processor : 0 ¢ With libc ¢ Without libc
vendor_id : GenuineIntel
cpu family : 6
model : 23 .glob main .glob __start
model name : Intel(R) Core(TM)2 Quad CPU Q9505 @ 2.83GHz Model name main: __start:
stepping : 10
microcode : 0xa07 movl $20, %eax movl $20, %eax
cpu MHz : 1998.000 Processor frequency ret # no ret in __start!!
cache size : 3072 KB
physical id : 0
siblings : 4
core id : 0 ¢ Binary build ¢ Binary build
cpu cores : 4 Number of cores
apicid : 0
gcc –m32 –static –o f f.s gcc –m32 –static –nostdlib –o f f.s
initial apicid : 0
fpu : yes gcc –m64 –static –o f f.s gcc –m64 –static –nostdlib –o f f.s
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr Supported
pge mca cmov pat pse36 clflush dts acpi mmx fxsr
sse sse2 ss ht tm pbe syscall nx lm constant_tsc instruction sets
arch_perfmon pebs bts rep_good nopl aperfmperf
eagerfpu pni dtes64 monitor ds_cpl vmx smx est
tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm Low Level Programming (LLP) 46 Low Level Programming (LLP) 47
tpr_shadow vnmi flexpriority dtherm

Compiling assembly with as/ld Disassembling code: objdump -d

Instruction addresses
Without libc
00000000004004ed <main>:
.glob __start Operands
4004ed: 55 push %rbp
__start: 4004ee: 48 89 e5 mov %rsp,%rbp
movl $20, %eax 4004f1: 48 83 ec 10 sub $0x10,%rsp
# no ret in __start!! 4004f5: c7 45 f8 00 00 00 00 movl $0x0,-0x8(%rbp)
4004fc: 8b 45 f8 mov -0x8(%rbp),%eax
4004ff: 89 c7 mov %eax,%edi
400501: e8 05 00 00 00 callq 40050b <foo>
¢ Binary build (32) ¢ Binary build (64) 400506: 89 45 fc mov %eax,-0x4(%rbp)
400509: c9 leaveq
as --32 –o f.o f.s as --64 –o f.o f.s 40050a: c3 retq Opcodes
ld –m elf_i386 –o f f.o ld –m elf_86_64 –o f f.o 000000000040050b <foo>:
40050b: 55 push %rbp
40050c: 48 89 e5 mov %rsp,%rbp
40050f: 89 7d fc mov %edi,-0x4(%rbp)
400512: 8b 45 fc mov -0x4(%rbp),%eax
400515: 83 c0 01 add $0x1,%eax
400518: 5d pop %rbp
400519: c3 retq Mnemonics
Low Level Programming (LLP) 48 Code binaire main (objdumpLow
–d Level
main)Programming (LLP) 49 49

12
 11/8/23

Stack management: instructions Stack: basic principle

¢ Managing stack data ¢ Stack pointer: ESP

Mnemonic Operand Operation l Last In First Out (LIFO)
push src Push content of ‘src’ on the stack l push: push an item on the stack
pop dst Pop the content of the stack to ‘dst’ l pop: pop an item from the stack
0
¢ Managing call stack eax 77
41

Mnemonic Operand Operation

call addr Function call (save eip and jump to ‘addr’) push push $77
41 esp
pop esp push $41
ret ___ Function return (restore saved eip) 77
esp pop %eax
pop %eax
¢ Managing stack frames
Mnemonic Operation @max

enter Create a new stack frame

leave Restore previous stack frameLow Level Programming (LLP) 50 Low Level Programming (LLP) 51
50

Stack (x86-32 and x86-64) Stack (x86-32 and x86-64): push

¢ Stack pointer
l ESP (x86-32) Addresses
l RSP (x86-64) 0x00000000 eax 0x1a1b1c1d

¢ Description of data management operations ebx 0x20202020

l push <src>
1. Fetch operand from src Effect of push %eax
1. Fetch operand from <src>
2. esp = esp – x (x = 2, 4 or 8 depending on operand size) 2. esp = esp – 4
3. Write operand to (esp) Stack 3. Write operand to (esp)
0xffffffdc 0x33333333
l pop <dst> 0xfffffff0 0x00001111
0x1a1b1c1d esp (0xfffffff0)
• Fetch operand from esp 0xfffffff4 0x44444444 esp (0xfffffff4)
0xfffffff8 0x42424242
• Write operand to dst
0xfffffffc 0x44444444
• esp = esp + x (x = 2, 4 or 8 depending on operand size)

Low Level Programming (LLP) 52 Low Level Programming (LLP) 53

13
 11/8/23

Stack (x86-32 and x86-64): pop Calls: basic principles

Addresses ¢ When calling a function, have to know which instruction

0x00000000 eax 0x1a1b1c1d to execute after the function
ebx 0x20202020
0x1a1b1c1d ¢ Instructions
l Call: push return address (eip register) and branch to
Effect of pop %ebx function
1. Fetch operand from (esp)
2. Write operand to ebx l Ret: pop register eip
3. esp = esp + 4
Stack 0xffffffdc 0x33333333
0xfffffff0 0x00001111
0x1a1b1c1d esp (0xfffffff0)
0xfffffff4 0x44444444 esp (0xfffffff4)
0xfffffff8 0x42424242
0xfffffffc 0x44444444
Note: popped value still in memory!

Low Level Programming (LLP) 54 Low Level Programming (LLP) 55

Calls: call instruction Calls: ret instruction

00007f50 <_f>: 00007f50 <_f>:
eip 7f50: 55 pushl %ebp 7f50: 55 pushl %ebp
… …
7f60: c3 retl eip 7f60: c3 retl
Addresses 00007f70 <_main>: Addresses 00007f70 <_main>:
0x00000000 7f70: 55 0x00000000 7f70: 55
… …
7f8a: 89 04 24 movl %eax, (%esp) 7f8a: 89 04 24 movl %eax, (%esp)
eip 7f8d: e8 be ff ff ff calll 0x7f50 <_f> 7f8d: e8 be ff ff ff calll 0x7f50 <_f>
7f92: a1 00 80 00 00 movl 32768, %eax eip 7f92: a1 00 80 00 00 movl 32768, %eax

eip 0x00007f8a
0x00007f50 eip 0x00007f60
0x00007f92

0xffffffdc 0x33333333 0xffffffdc 0x33333333

0xfffffff0 0x0x007f92
0x00001111 esp (0xfffffff0) 0xfffffff0 0x0x007f92
0x00001111 esp (0xfffffff0)
0xfffffff4 0x44444444 esp (0xfffffff4) 0xfffffff4 0x44444444 esp (0xfffffff4)
0xfffffff8 0x42424242 0xfffffff8 0x42424242
0xfffffffc 0x44444444 0xfffffffc 0x44444444
Effect of call 0x7f50 (call to _f) Effect of ret
1. Push return address 1. pop %eip
2. Branch to f
Low Level Programming (LLP) 56 Low Level Programming (LLP) 57

14
 11/8/23

Stack frame Stack frame

¢ Used to reference local variables in a function ¢ Typical use of bp

¢ Represented by a pair (esp,ebp) l Base to reference local variables (negative offsets)
l ebp used as a base to reference local variables l Base to reference parameters (positive offsets)
(+parameters when stack allocated) ¢ Typical stack frame (when parameters on the stack)
l esp = stack pointer
¢ Stack frame creation: ‘enter’ instruction
1. push %ebp
2. mov %esp, %ebp
¢ Stack frame cleaning: ‘leave’ instruction
1. mov %ebp, %esp
2. pop %ebp
¢ Note: compiler may use push/mov and not enter/leave
Low Level Programming (LLP) 58 Low Level Programming (LLP) 59

Calls: enter instruction Calls: leave instruction

Addresses Addresses
0x00000000 Effect of enter 0x00000000 Effect of leave
1. push %ebp 1. mov %ebp, %esp
2. mov %esp, %ebp 2. pop %ebp

0xffffffd0 0x44444444 esp (0xffffffdc)

0xffffffd4 0x42424242
0xffffffd8 0x44444444
0xffffffdc 0x33333333
Old bp esp (0xffffffdc) ebp (0xffffffdc) 0xffffffdc 0x33333333
Old bp ebp (0xffffffdc)
esp (0xfffffff0) esp (0xfffffff0)
0xfffffff0 0x00001111
Return @ esp (0xfffffff0) 0xfffffff0 0x00001111
Return @
0xfffffff4 0x44444444 0xfffffff4 0x44444444
0xfffffff8 0x42424242 ebp (0xfffffff8) 0xfffffff8 0x42424242 ebp (0xfffffff8)
0xfffffffc 0x44444444 0xfffffffc 0x44444444

Low Level Programming (LLP) 60 Low Level Programming (LLP) 61

15
 11/8/23

Application binary interface (ABI) SystemV i386 ABI: register usage

¢ Provides the conventions to implement the following ¢ Volatile/non volatile registers

features for each specific processor l Volatile: can be overwritten by the callee with no harm for the
l Function calling conventions caller
l Return value conventions l Non volatile: may be used by the caller: have to be preserved
l Stack frame by the callee
l Exceptions ¢ Examples
l eax: used for integer return value (if any), volatile
¢ Unix Systems (Linux, BSD, MacOS) susually follow the
System V ABI l st(0): used for float return value (if any), volatile

l SystemV i386 ABI supplement (32-bits) l ecx, edx: volatile

l SystemV amd64 ABI supplement (64-bits) l ebx: non volatile (callee must preserve)

Low Level Programming (LLP) 62 Low Level Programming (LLP) 63

SystemV i386 ABI: calling conventions SystemV i386 ABI: Calling conventions

¢ Source code (caller = main, callee = max)

¢ Multiple calling conventions for system i386 ABI
int max(int a, int b) {
l cdecl, stdcall, fastcall (cdecl here) int res;
if (a>b) res = a;
¢ Calling sequences else res = b;
return res;
1. Push parameters onto the stack in reverse order (caller) }
2. Call instruction (caller) ¢ Stack frame
3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 0xffffffd0 0x44444444 res: -4(%ebp)
5. Preserve registers if needed (callee) 0xffffffd4 0x42424242
old bp ebp
0xffffffd8 0x44444444
return @
6. <Function code> …
0xffffffdc 0x00000005 a: 8(%ebp)
7. Deallocation of the stack frame (callee) 0xfffffff0 0x00000006 b: 12(%ebp)
8. Return instruction (callee) 0xfffffff4 0x44444444
0xfffffff8 0x42424242
9. Deallocation of parameters (caller) 0x44444444
0xfffffffc
¢ Note: use of frame pointer optional
l -fomit-frame-pointer option of gcc Low Level Programming (LLP) 64 Low Level Programming (LLP) 65

16
 11/8/23

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x33333333 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x33333333 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00001111 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00001111 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 esp 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 esp 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 66 Low Level Programming (LLP) 67

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 esp 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 esp 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 68 Low Level Programming (LLP) 69

17
 11/8/23

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ esp 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ esp 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 70 Low Level Programming (LLP) 71

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242
old bp ebp esp
7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242
old bp ebp esp
7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
7f3d: 5d popl %ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 72 Low Level Programming (LLP) 73

18
 11/8/23

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444 esp 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444 esp 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242
old bp ebp 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242
old bp ebp 7f1a: 8b 45 08 movl 8(%ebp), %eax compare
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax a&b
0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp) set res
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax ret in
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
7f3d: 5d popl %ebp 7f3d: 5d popl %ebp
%eax
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 74 Low Level Programming (LLP) 75

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444
0x0000006 esp 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444
0x0000006 esp 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242
old bp ebp 7f1a: 8b 45 08 movl 8(%ebp), %eax compare 0xffffffd4 0x42424242
old bp ebp 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax a&b 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) set res 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax ret in 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
7f3d: 5d popl %ebp
%eax 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 76 Low Level Programming (LLP) 77

19
 11/8/23

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444
0x00000006 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444
0x00000006 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242
old bp 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242
old bp 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ esp 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ esp 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 78 Low Level Programming (LLP) 79

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller) 1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller) 2. Call instruction (caller)
3. Creation of new stack frame (callee) 3. Creation of new stack frame (callee)
4. Allocate locals on the stack (callee) 4. Allocate locals on the stack (callee)
5. Preserve registers if needed (callee) 5. Preserve registers if needed (callee)
6. <Function code> … 6. <Function code> …
Addresses Addresses
7. Deallocation of the stack frame (callee) 7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) 0x00000000 8. Return instruction (callee)
9. Deallocation of parameters (caller) 9. Deallocation of parameters (caller)

00007f10 <_max>: 00007f10 <_max>:

7f10: 55 pushl %ebp 7f10: 55 pushl %ebp
7f11: 89 e5 movl %esp, %ebp 7f11: 89 e5 movl %esp, %ebp
7f13: 50 pushl %eax 7f13: 50 pushl %eax
0xffffffd0 0x44444444
0x00000006 7f14: 8b 45 0c movl 12(%ebp), %eax 0xffffffd0 0x44444444
0x00000006 7f14: 8b 45 0c movl 12(%ebp), %eax
7f17: 8b 45 08 movl 8(%ebp), %eax 7f17: 8b 45 08 movl 8(%ebp), %eax
0xffffffd4 0x42424242
old bp 7f1a: 8b 45 08 movl 8(%ebp), %eax 0xffffffd4 0x42424242
old bp 7f1a: 8b 45 08 movl 8(%ebp), %eax
7f1d: 3b 45 0c cmpl 12(%ebp), %eax 7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> 0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21>
0xffffffdc 0x00000005 esp 7f26: 8b 45 08 movl 8(%ebp), %eax 0xffffffdc 0x00000005 esp 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) 7f29: 89 45 fc movl %eax, -4(%ebp)
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27> 0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax 0xfffffff4 0x44444444 7f31: 8b 45 0c movl 12(%ebp), %eax
7f34: 89 45 fc movl %eax, -4(%ebp) 7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax 0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp 0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl 7f3e: c3 retl

Low Level Programming (LLP) 80 Low Level Programming (LLP) 81

20
 11/8/23

SystemV i386 ABI: Calling conventions SystemV i386 ABI: Calling conventions
1. Push parameters onto the stack in reverse order (caller)
2. Call instruction (caller)
3. Creation of new stack frame (callee) ¢ Return of structures
4. Allocate locals on the stack (callee) l Caller in charge of allocating space for the result
5. Preserve registers if needed (callee)
6. <Function code> … l First argument of the function = address of memory space
Addresses
7. Deallocation of the stack frame (callee)
0x00000000 8. Return instruction (callee) l Callee sets %eax to this area on return
9. Deallocation of parameters (caller)
¢ %esp may be rounded down to a frontier of 16-bytes for more
00007f10 <_max>:
7f10: 55 pushl %ebp efficiency
7f11: 89 e5 movl %esp, %ebp
7f13: 50
7f14: 8b 45 0c
pushl
movl
%eax
12(%ebp), %eax
¢ Arguments may be longer than 4 bytes
0xffffffd0 0x44444444
0x00000006
0xffffffd4 0x42424242
old bp
7f17: 8b 45 08
7f1a: 8b 45 08
movl
movl
8(%ebp), %eax
8(%ebp), %eax ¢ Examples
7f1d: 3b 45 0c cmpl 12(%ebp), %eax
0xffffffd8 0x44444444
return @ 7f20: 0f 8e 0b 00 00 00 jle 0x7f31 <_max+0x21> l int foo (int a, int b, int *c);
0xffffffdc 0x00000005 7f26: 8b 45 08 movl 8(%ebp), %eax
7f29: 89 45 fc movl %eax, -4(%ebp) parameters in 8(%ebp), 12(%ebp), 16(%ebp), result in %eax
0xfffffff0 0x00000006 7f2c: e9 06 00 00 00 jmp 0x7f37 <_max+0x27>
0xfffffff4 0x44444444 esp 7f31: 8b 45 0c movl 12(%ebp), %eax l float bar (float a, int b)
7f34: 89 45 fc movl %eax, -4(%ebp)
0xfffffff8 0x42424242 7f37: 8b 45 fc movl -4(%ebp), %eax parameters in 8(%ebp) and 16(%ebp), result in %st(0)
0xfffffffc 0x44444444 7f3a: 83 c4 04 addl $4, %esp
ebp 7f3d: 5d popl %ebp
7f3e: c3 retl

Low Level Programming (LLP) 82 Low Level Programming (LLP) 83

Security issues SystemV AMD64: calling conventions

¢ Issue
¢ Calling conventions through registers
l Buffer overflow in local variable:
Addresses l 6 registers for integer arguments: rdi, rsi, rdx, rcx, r8, r9
erase return address 0x00000000
l 8 registers for floats/doubles: xmm0-xmm7
l Source: unsafe string
functions (among others) l First available register for parameter type is used
l Everything else goes to the stack
¢ Fixes
l Non executable stack
0xffffffd0 0x44444444
0x0000006 ¢ Volatile and non volatile registers
0xffffffd4 0x42424242
old bp
l ASLR 0xffffffd8 0x44444444
return @
l Volatile (no need to protect)
0xffffffdc 0x00000005 • rax, rcx, rdx, rsi, rdi, r8-r11, xmm0-xmm15
l More sophisticated attacks 0x00000006
0xfffffff0
l Better defenses (see SE course) 0xfffffff4 0x44444444 l Non-volatile (need to protect)
0xfffffff8 0x42424242 • rbx, rbp, rsp, r12, r15
0xfffffffc 0x44444444
¢ Example
l int f(int a, float b, int c); a in %rdi, b in %xmm0, c in %rsi, result in
%rax
Low Level Programming (LLP) 84 Low Level Programming (LLP) 85

21
 11/8/23

References Following lecture

¢ Intel Corporation. Intel 64 and IA-32 Architectures ¢ None!

Optimization Reference Manual, April 2012. l Thanks for your attention
¢ Intel Corporation. Intel 64 and IA-32 Architectures Software l x86 stuff to be used in the SE (Software Exploitation)
Developer’s Manual, August 2012. module – keep the important information in mind (calling
¢ Michael Matz, Jan Hubicka, Andreas Jaeger, and Mark convention)
Mitchell. System V Application Binary Interface: AMD64
Architecture Processor Supplement, September 2010.
Version 0.99.5.
¢ Santa Cruz Operation, Inc. System V Application Binary
Interface: i386 Architecture Processor Supplement, fourth
edition, March 1997.

Low Level Programming (LLP) 86 Low Level Programming (LLP) 87

22