Why? Memory Structure 101

Last updated 1 year ago

Why? Memory Structure 101

Kernel organizes memory in pages.

Typically 4096 bytes.

Processes operate in a Virtual Memory Space.

Mapped to real pages, which can be in RAM or Swapped.

Kernel splits program in several segments.

Increases security.
- segment based permissions.
Increases performance.
- some are dynamic: invalidated when program terminates.
- some are static: can be retained, speed repeated startup.

Memory Structure

SS: Local variables and execution flow
Shared Libraries: .so/dlls loaded.
- Addresses are shared between programs.
Heap: memory allocated with malloc/new.
BSS: Global Variables.
Data: Constants.
Code: Actual instructions.

mem.c

Simple program showing the memory map of itself.

Features:

Prints the address of objects of different types.
- Argument.
- Dynamic memory with malloc.
- Global Variable.
- Constant.
- Function
Prints the memory maps as exposed in /proc/self/maps.
Creates a recursive function and prints the address of local variables.
Crashes with a Stack Overflow.

Stack organization

Stack is organized by frames, one for each function call.

Memory reserved for the function to use as it requires.

Each stack frame stores:

Return Information.
Local Variables.
Arguments to following functions (x32: all, x64: +5th).

Return information has 2 major objectives.

Chaining frames as new functions are called.
Return to the next instruction after the function ends.

Frame chaining.

When a function is called, the address of the current stack frame (Register RBP in x64) is push to the frame.
When the function ends, RBP is popped.
- Caller function has it’s frame restored.

Function chaining

When a function is called, the address of the next instruction is push to the stack (RIP register).
When a function ends, that address is popped.
- Execution resumes at the caller function.

mem_local.c

Prints the address to several variables.

Local variables declared in the main function.
Arguments passed to the foo function.
Local variables in the foo function.

main
argc : 0x7fffd6baeddc
argv : 0x7fffd6baeed8

foo
a       : 0x7fffd6baed8c
local_a : 0x7fffd6baed9b
buffer  : 0x7fffd6baeda0
local_b : 0x7fffd6baed9c

char foo(int a,){
    char local_a = 3;
    char buffer[16];
    int local_b = 5;

    printf(“%p\n”,&a);
    printf(“%p\n”,&local_a);
    printf(“%p\n”,&buffer);
    printf(“%p\n”,&local_b);
    
    buffer[0] = local_a;
    return buffer[0];
}

int main(int argc, char* argv[]){
    printf(“%p\n”, &argc);
    printf(“%p\n”, argv);
 
    return foo(argc);
}

Stack frame grows from higher addresses to lower addresses.

Main has variables at 0xbaedb.
Foo has variables at 0xbaed6-8.

Declaration order doesn’t matter!

Compiler will place variables are he seems adequate.

Will keep information aligned.
May create empty spaces.
May deploy additional protection mechanisms (canaries).

mem.c

Until evolution: a limit imposed by the SO is reached.
Until vital memory is overwritten.

Last updated 1 year ago

Kernel organizes memory in pages.

Typically 4096 bytes.

Processes operate in a Virtual Memory Space.

Mapped to real pages, which can be in RAM or Swapped.

Kernel splits program in several segments.

Increases security.
- segment based permissions.
Increases performance.
- some are dynamic: invalidated when program terminates.
- some are static: can be retained, speed repeated startup.

Memory Structure

SS: Local variables and execution flow
Shared Libraries: .so/dlls loaded.
- Addresses are shared between programs.
Heap: memory allocated with malloc/new.
BSS: Global Variables.
Data: Constants.
Code: Actual instructions.

mem.c

Simple program showing the memory map of itself.

Features:

Prints the address of objects of different types.
- Argument.
- Dynamic memory with malloc.
- Global Variable.
- Constant.
- Function
Prints the memory maps as exposed in /proc/self/maps.
Creates a recursive function and prints the address of local variables.
Crashes with a Stack Overflow.

Stack organization

Stack is organized by frames, one for each function call.

Memory reserved for the function to use as it requires.

Each stack frame stores:

Return Information.
Local Variables.
Arguments to following functions (x32: all, x64: +5th).

Return information has 2 major objectives.

Chaining frames as new functions are called.
Return to the next instruction after the function ends.

Frame chaining.

When a function is called, the address of the current stack frame (Register RBP in x64) is push to the frame.
When the function ends, RBP is popped.
- Caller function has it’s frame restored.

Function chaining

When a function is called, the address of the next instruction is push to the stack (RIP register).
When a function ends, that address is popped.
- Execution resumes at the caller function.

mem_local.c

Prints the address to several variables.

Local variables declared in the main function.
Arguments passed to the foo function.
Local variables in the foo function.

main
argc : 0x7fffd6baeddc
argv : 0x7fffd6baeed8

foo
a       : 0x7fffd6baed8c
local_a : 0x7fffd6baed9b
buffer  : 0x7fffd6baeda0
local_b : 0x7fffd6baed9c

char foo(int a,){
    char local_a = 3;
    char buffer[16];
    int local_b = 5;

    printf(“%p\n”,&a);
    printf(“%p\n”,&local_a);
    printf(“%p\n”,&buffer);
    printf(“%p\n”,&local_b);
    
    buffer[0] = local_a;
    return buffer[0];
}

int main(int argc, char* argv[]){
    printf(“%p\n”, &argc);
    printf(“%p\n”, argv);
 
    return foo(argc);
}

Stack frame grows from higher addresses to lower addresses.

Main has variables at 0xbaedb.
Foo has variables at 0xbaed6-8.

Declaration order doesn’t matter!

Compiler will place variables are he seems adequate.

Will keep information aligned.
May create empty spaces.
May deploy additional protection mechanisms (canaries).

mem.c

Until evolution: a limit imposed by the SO is reached.
Until vital memory is overwritten.