[linux-elitists] Fun with processors

Jason Spence jspence@lightconsulting.com
Wed Feb 4 13:33:52 PST 2004

On Wed, Feb 04, 2004 at 03:00:25PM +0200, Gilad Ben-Yossef wrote: 
> On Tuesday 03 February 2004 21:31, Jason Spence wrote:
> > I'm putting together a presentation on frame pointer spoofing (to fake
> > backtraces) for both attackers and defenders for a thing I'm doing.  I
> > want to have a wide variety of stack pictures for the discussion, but
> > all I have so far are OS X, the usual x86 calling conventions, IRIX,
> > and Solaris.
> >
> > Question: what does the stack look like before and after a procedure
> > call on less common platforms, like PA-RISC, AIX, or BSD/MIPS?
> >
> I'm probably stupid, but why do you expect, say, the IRIX calling convention 
> (which runs on MIPS since that's the only chip that IRIX ever ran on, at 
> least outside of SGI labs) to be different from BSD/MIPS?

Because I've come to expect that kind of thing from the OS
implementers.  ABI compatibility with the "native" OS for the chip is
one of the first things to go out the window when you're primarily
concerned with getting the OS running.

> I would think that the chip and/or the compiler would have an effect on
> calling convention, but why the OS? Or did you mean the common
> toolchain used on said OSes?

It's different for every platform.  For example, the VAX has a very
specific calling mechanism provided by the hardware, and using
anything else will slow it down quite a bit.  Just about every OS on
VAX uses the standard VAX calling mechanism.

On PowerPC, there's a bunch of different calling formats depending on
whether the callee is a leaf procedure, whether you care about
preserving floating point registers and the status word, caller stack
clean up vs callee stack clean up, etc.  Which one is used depends
mainly on the OS.  On x86, there are three calling conventions of note in
Microsoft land: stdcall, cdecl, and fastcall.  The compiler determines
which one is used here.  Linux/x86 uses the traditional UNIX calling
conventions, with a register-based function code/parameter calling
mechanism for syscalls on non-P4 machines; SYSENTER and some MSR
manipulation to set the vectors is used for P4 machines.

> Anyways, it sounds like a very interesting presentation. If you plan to make it 
> available publicly (and we are elitists here, no? ;-) I'd love to take a 
> peek.

It's actually a section of a larger presentation I'm giving at
Interz0ne in Atlanta between July 16 and 18th.  Topics are:

 - Spoofing backtraces and defeating automated code analysis by
   manipulating the frame pointer

 - Writing portbinding shellcode using the Win32 TDI mechanism (as
   opposed to dynlinking to winsock like everyone else)

 - Overriding the syscall vector and bypassing on-host IDS mechanisms
   by rooting the bootloader

 - Jason           Last known location:  3.2 miles northwest of Union City, CA

Common sense and a sense of humor are the same thing, moving at
different speeds.  A sense of humor is just common sense, dancing.
		-- Clive James
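The thread is about how frame-pointer manipulation can fake a backtrace and what the stack looks like around a call. The following is an added example, not code from the post or from the Interz0ne presentation it mentions, written from the analyst's side: it models an x86-style frame chain (saved frame pointer, then return address) inside a constructed byte array, then walks it twice, once naively, trusting every saved frame pointer as a simple debugger backtrace does, and once with the sanity check that a genuine caller's frame must sit at a higher address than its callee's because the stack grows downward. The offsets, return addresses and the looped "spoofed" chain are all constructed for the demonstration; frame pointers are byte offsets into the model rather than real addresses, and offset 0 stands in for the NULL frame pointer that marks the outermost frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of one stack frame record, laid out the way an x86
 * "push ebp; mov ebp, esp" prologue leaves it: the caller's saved frame
 * pointer first, then the return address pushed by the call. */
typedef struct {
    uintptr_t saved_fp;   /* offset of the caller's frame in the model; 0 = end of chain */
    uintptr_t ret_addr;   /* constructed return address, reported in the backtrace */
} frame_t;

#define STACK_BYTES 256
#define MAX_FRAMES  16

typedef struct {
    size_t depth;   /* frames recovered before the walk stopped */
    int    clean;   /* 1: chain ended at the root marker; 0: a check tripped or the cap was hit */
} walk_t;

static void put_frame(uint8_t *stack, uintptr_t off, uintptr_t saved_fp, uintptr_t ret)
{
    frame_t f = { saved_fp, ret };
    memcpy(stack + off, &f, sizeof f);
}

/* Bounds and alignment checks that any unwinder needs just to avoid faulting. */
static int read_frame(const uint8_t *stack, uintptr_t off, frame_t *out)
{
    if (off == 0 || off % sizeof(uintptr_t) != 0 || off + sizeof(frame_t) > STACK_BYTES)
        return 0;
    memcpy(out, stack + off, sizeof *out);
    return 1;
}

/* Naive walker: follows every readable saved frame pointer. A crafted chain
 * that points back into itself sends it in circles until the frame cap. */
walk_t walk_naive(const uint8_t *stack, uintptr_t fp, uintptr_t rets[MAX_FRAMES])
{
    walk_t r = { 0, 0 };
    frame_t f;
    while (r.depth < MAX_FRAMES) {
        if (!read_frame(stack, fp, &f)) {
            r.clean = (fp == 0);   /* clean only if the walk reached the root marker */
            return r;
        }
        rets[r.depth++] = f.ret_addr;
        fp = f.saved_fp;
    }
    return r;   /* cap hit; clean stays 0 */
}

/* Checked walker: additionally requires each saved frame pointer to be
 * strictly higher than the current frame. A saved pointer that points at
 * or below the current frame cannot be a real caller, so the walk stops
 * there and the backtrace is reported as untrusted. */
walk_t walk_checked(const uint8_t *stack, uintptr_t fp, uintptr_t rets[MAX_FRAMES])
{
    walk_t r = { 0, 0 };
    frame_t f;
    while (r.depth < MAX_FRAMES) {
        if (!read_frame(stack, fp, &f)) {
            r.clean = (fp == 0);
            return r;
        }
        rets[r.depth++] = f.ret_addr;
        if (f.saved_fp != 0 && f.saved_fp <= fp)
            return r;          /* inconsistent chain: stop with clean == 0 */
        fp = f.saved_fp;
    }
    return r;
}

/* Scenario 1 (constructed): a genuine four-deep call chain, walked from the innermost frame. */
walk_t genuine_chain(int checked)
{
    static uintptr_t rets[MAX_FRAMES];
    uint8_t stack[STACK_BYTES] = { 0 };
    put_frame(stack, 128, 0,   0x08048100);   /* outermost frame: saved fp = 0 */
    put_frame(stack, 96,  128, 0x08048200);
    put_frame(stack, 64,  96,  0x08048300);
    put_frame(stack, 32,  64,  0x08048400);   /* innermost frame */
    return checked ? walk_checked(stack, 32, rets) : walk_naive(stack, 32, rets);
}

/* Scenario 2 (constructed): the innermost frame's saved fp points at a fake
 * frame below it, and the fake frame points back up, forming a loop. */
walk_t spoofed_chain(int checked)
{
    static uintptr_t rets[MAX_FRAMES];
    uint8_t stack[STACK_BYTES] = { 0 };
    put_frame(stack, 32, 16, 0x08048400);
    put_frame(stack, 16, 32, 0x0804dead);
    return checked ? walk_checked(stack, 32, rets) : walk_naive(stack, 32, rets);
}

int main(void)
{
    for (int checked = 0; checked < 2; checked++) {
        walk_t g = genuine_chain(checked), s = spoofed_chain(checked);
        printf("%s walker: genuine %zu frames (%s), spoofed %zu frames (%s)\n",
               checked ? "checked" : "naive", g.depth, g.clean ? "clean" : "UNTRUSTED",
               s.depth, s.clean ? "clean" : "UNTRUSTED");
    }
    return 0;
}
```

On the genuine chain both walkers recover four frames and reach the root; on the looped chain the naive walker reports sixteen frames of repeating return addresses and never reaches a root, while the checked walker stops after the first frame and flags the result, which is the signal a debugger or crash-analysis tool wants before it trusts a backtrace.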
