02/03/2019

Chapter 4

THE CENTRAL
PROCESSING UNIT

Language levels

 High-Level Languages
 Characteristics
 Portable : to varying
degrees
 Complex:one statement
can do much work
 Expressive
 Human readable

1
 02/03/2019

Machine languages

 Characteristics
 Not portable : specific to
hardware
 Simple : each instruction
does a simple task
 Not expressive : each
instruction performs little
work
 Not human readable :
requires losts of effort,
requires tool support

Assembly languages

 Characteristics
 Not portable : each
assembly language
instruction map to one
machine language
instruction
 Simple : each
instruction does a
simple task
 Not expressive
 Human readable

2
 02/03/2019

Why learn assembly language ?

 Why learn assembly language ?

 Knowing assembly language helps you :
 Write fast code : in assembly language, in a high –
level language
 Understand what’s happening under the hood
 Someone needs to develop future computer systems
 Maybe that will be you

Why Learn x86-64 Assembly Lang?

 Pros
 X86-64 is popular
 CourseLab computers are x86-64 computers
 Program natively on CourseLab instead of using an emulator
 Cons
 X86-64 assembly language is big
 Each instruction is simple, but…
 There are many instructions
 Instructions differ widely

3
 02/03/2019

Von Neumann Architecture

 Includes
 CPU : CU, ALU,
Registers
 Memory : RAM

RAM

4
 02/03/2019

Intel Microprocessors

 Intel introduced the 8086 microprocessor in 1979

 8086, 8087, 8088, and 80186 processors
 16-bit processors with 16-bit registers
 16-bit data bus and 20-bit address bus
 Physical address space = 220 bytes = 1 MB
 8087 Floating-Point co-processor
 Uses segmentation and real-address mode to address
memory
 Each segment can address 216 bytes = 64 KB
 8088 is a less expensive version of 8086
 Uses an 8-bit data bus
 80186 is a faster version of 8086

Intel 80286 and 80386 Processors

 80286 was introduced in 1982
 24-bit address bus  224 bytes = 16 MB address space
 Introduced protected mode
 Segmentation in protected mode is different from the real
mode
 80386 was introduced in 1985
 First 32-bit processor with 32-bit general-purpose
registers
 First processor to define the IA-32 architecture
 32-bit data bus and 32-bit address bus
 232 bytes  4 GB address space
 Introduced paging, virtual memory, and the flat memory
model Segmentation can be turned off

5
 02/03/2019

Intel 80486 and Pentium Processors

 80486 was introduced 1989

 Improved version of Intel 80386
 On-chip Floating-Point unit (DX versions)
 On-chip unified Instruction/Data Cache (8 KB)
 Uses Pipelining: can execute up to 1 instruction per clock
cycle
 Pentium (80586) was introduced in 1993
 Wider 64-bit data bus, but address bus is still 32 bits
 Two execution pipelines: U-pipe and V-pipe
 Superscalar performance: can execute 2 instructions per clock/c
 Separate 8 KB instruction and 8 KB data caches
 MMX instructions (later models) for multimedia
applications

Intel P6 Processor Family

 P6 Processor Family: Pentium Pro, Pentium II and III

 Pentium Pro was introduced in 1995
 Three-way superscalar: can execute 3 instructions per clock
cycle
 36-bit address bus  up to 64 GB of physical address space
 Introduced dynamic execution
 Out-of-order and speculative execution
 Integrates a 256 KB second level L2 cache on-chip
 Pentium II was introduced in 1997
 Added MMX instructions (already introduced on Pentium
MMX)
 Pentium III was introduced in 1999
 Added SSE instructions and eight new 128-bit XMM registers

6
 02/03/2019

Pentium 4 and Xeon Family

 Pentium 4 is a seventh-generation x86 architecture

 Introduced in 2000
 New micro-architecture design called Intel Netburst
 Very deep instruction pipeline, scaling to very high frequencies
 Introduced the SSE2 instruction set (extension to SSE)
 Tuned for multimedia and operating on the 128-bit XMM registers
 In 2002, Intel introduced Hyper-Threading technology
 Allowed 2 programs to run simultaneously, sharing resources
 Xeon is Intel's name for its server-class microprocessors
 Xeon chips generally have more cache
 Support larger multiprocessor configurations

Pentium-M and EM64T

 Pentium M (Mobile) was introduced in 2003
 Designed for low-power laptop computers
 Modified version of Pentium III, optimized for power efficiency
 Large second-level cache (2 MB on later models)
 Runs at lower clock than Pentium 4, but with better performance
 Extended Memory 64-bit Technology (EM64T)
 Introduced in 2004
 64-bit superset of the IA-32 processor architecture
 64-bit general-purpose registers and integer support
 Number of general-purpose registers increased from 8 to 16
 64-bit pointers and flat virtual address space
 Large physical address space: up to 240 = 1 Terabytes

7
 02/03/2019

64-bit Processors

 Intel64
 64-bit linear address space
 Intel: Pentium Extreme, Xeon, Celeron D, Pendium D,
Core 2, and Core i7
 IA-32e Mode
 Compatibility mode for legacy 16- and 32-bit
applications
 64-bit Mode uses 64-bit addresses and operands

CISC and RISC

 CISC – Complex Instruction Set Computer

 Large and complex instruction set
 Variable width instructions
 Requires microcode interpreter
 Each instruction is decoded into a sequence of micro-operations
 Example: Intel x86 family
 RISC – Reduced Instruction Set Computer
 Small and simple instruction set
 All instructions have the same width
 Simpler instruction formats and addressing modes
 Decoded and executed directly by hardware
 Examples: ARM, MIPS, PowerPC, SPARC, etc.

8
 02/03/2019

Basic Program Execution Registers

 Registers are high speed memory inside the CPU

 Eight 32-bit general-purpose registers
 Six 16-bit segment registers
 Processor Status Flags (EFLAGS) and Instruction
Pointer (EIP)
32-bit General-Purpose Registers
EAX EBP
EBX ESP
ECX ESI
EDX EDI

16-bit Segment Registers

EFLAGS CS ES
SS FS
EIP
DS GS

General-Purpose Registers
 Used primarily for arithmetic and data movement
 mov eax, 10 move constant 10 into register eax
 Specialized uses of Registers
 EAX – Accumulator register
 Automatically used by multiplication and division instructions
 ECX – Counter register
 Automatically used by LOOP instructions
 ESP – Stack Pointer register
 Used by PUSH and POP instructions, points to top of stack
 ESI and EDI – Source Index and Destination Index register
 Used by string instructions
 EBP – Base Pointer register
 Used to reference parameters and local variables on the stack

9
 02/03/2019

Accessing Parts of Registers

 EAX, EBX, ECX, and EDX are 32-bit Extended registers
 Programmers can access their 16-bit and 8-bit parts
 Lower 16-bit of EAX is named AX
 AX is further divided into
 AL = lower 8 bits
 AH = upper 8 bits
 ESI, EDI, EBP, ESP have only
16-bit names for lower half

Accessing Parts of Registers

 Difference name of registers

10
 02/03/2019

Special-Purpose & Segment Registers

 EIP = Extended Instruction Pointer
 Contains address of next instruction to be executed
 EFLAGS = Extended Flags Register
 Contains status and control flags
 Each flag is a single binary bit
 Six 16-bit Segment Registers
 Support segmented memory
 Six segments accessible at a time
 Segments contain distinct contents
 Code
 Data
 Stack

EFLAGS Register
 Status Flags
 Status of arithmetic and logical operations
 Control and System flags
 Control the CPU operation
 Programs can set and clear individual bits in the EFLAGS
register

11
 02/03/2019

Status Flags

 Carry Flag
 Set when unsigned arithmetic result is out of range
 Overflow Flag
 Set when signed arithmetic result is out of range
 Sign Flag
 Copy of sign bit, set when result is negative
 Zero Flag
 Set when result is zero
 Auxiliary Carry Flag
 Set when there is a carry from bit 3 to bit 4
 Parity Flag
 Set when parity is even
 Least-significant byte in result contains even number of 1s

Floating-Point, MMX, XMM Registers

 Floating-point unit performs high speed FP

operations
 Eight 80-bit floating-point data registers
 ST(0), ST(1), . . . , ST(7)
 Arranged as a stack
 Used for floating-point arithmetic
 Eight 64-bit MMX registers
 Used with MMX instructions
 Eight 128-bit XMM registers
 Used with SSE instructions

12
 02/03/2019

Registers in Intel Core Microarchitecture

X86 – 64 Registers

 There are sixteen, 64-bit General Purpose Registers

(GPRs)
 A GPR register can be accessed with all 64-bits or some
portion or
subset accessed.

13
 02/03/2019

 General purpose registers

 When using data element sizes less than 64-bits (i.e.,

32-bit, 16-bit, or 8-bit), the lower portion of the register
can be accessed by using a different register name

14
 02/03/2019

RSP Register

 RSP (Stack Pointer)

register
 Contains address of top (low
address) of current
function’s stack frame
 Allows use of the STACK
section of memory
 (See Assembly Language:
Function Calls lecture)

15
 02/03/2019

 RBP (Base Pointer Register)

 is used as a base pointer during function calls
 The rbp register should not be used for data or other
uses.


 Flag Register (rFlags)

16
 02/03/2019

RIP Register

 Special-purpose register…
 RIP (Instruction Pointer) register
 Stores the location of the next instruction
 Address (in TEXT section) of machine-language instructions to be
executed next
 Value changed:
 Automatically to implement sequential control flow
 By jump instructions to implement selection, repetition

Memory Segmentation
 Memory segmentation is necessary since the 20-bits memory
addresses cannot fit in the 16-bits CPU registers
 Since x86 registers are 16-bits wide, a memory segment is made of
216 consecutive words (i.e. 64K words)
 Each segment has a number identifier that is also a 16-bit number
(i.e. we have segments numbered from 0 to 64K)
 A memory location within a memory segment is referenced by
specifying its offset from the start of the segment. Hence the first
word in a segment has an offset of 0 while the last one has an offset
of FFFFh
 To reference a memory location its logical address has to be
specified. The logical address is written as:
 Segment number:offset
 For example, A43F:3487h means offset 3487h within segment
A43Fh.

17
 02/03/2019

Program Segments

 Machine language programs usually have 3 different parts stored

in different memory segments:
 Instructions: This is the code part and is stored in the code segment
 Data: This is the data part which is manipulated by the code and is stored
in the data segment
 Stack: The stack is a special memory buffer organized as Last-In-First-
Out (LIFO) structure used by the CPU to implement procedure calls and as
a temporary holding area for addresses and data. This data structure is
stored in the stack segment
 The segment numbers for the code segment, the data segment,
and the stack segment are stored in the segment registers CS, DS,
and SS, respectively.
 Program segments do not need to occupy the whole 64K
locations in a segment

Real Address Mode

 A program can access up to six segments at any time

 Code segment
 Stack segment
 Data segment
 Extra segments (up to 3)
 Each segment is 64 KB
 Logical address
 Segment = 16 bits
 Offset = 16 bits
 Linear (physical) address = 20 bits

18
 02/03/2019

Logical to Linear Address Translation

Linear address = Segment × 10 (hex) + Offset

Example:
segment = A1F0 (hex)
offset = 04C0 (hex)
logical address = A1F0:04C0 (hex)
what is the linear address?
Solution:
A1F00 (add 0 to segment in hex)
+ 04C0 (offset in hex)
A23C0 (20-bit linear address in hex)

Segment Overlap

 There is a lot of overlapping

between segments in the main
memory.
 A new segment starts every
10h locations (i.e. every 16
locations).
 Starting address of a segment
always has a 0h LSD.
 Due to segments overlapping
logical addresses are not
unique .

19
 02/03/2019

Flat Memory Model

 Modern operating systems turn segmentation off

 Each program uses one 32-bit linear address space
 Up to 232 = 4 GB of memory can be addressed
 Segment registers are defined by the operating system
 All segments are mapped to the same linear address space
 In assembly language, we use .MODEL flat directive
 To indicate the Flat memory model
 A linear address is also called a virtual address
 Operating system maps virtual address onto physical addresses
 Using a technique called paging

Programmer View of Flat Memory

 Same base address for all segments Linear address space of a

 All segments are mapped to the same program (up to 4 GB)
linear address space 32-bit address
ESI
 EIP Register EDI DATA
 Points at next instruction 32-bit address
EIP
CODE
 ESI and EDI Registers
32-bit address
 Contain data addresses EBP STACK
ESP
 Used also to index arrays
CS
 ESP and EBP Registers DS Unused
SS
 ESP points at top of stack ES
 EBP is used to address parameters and base address = 0 for
all segments
variables on the stack

20
 02/03/2019

Protected Mode Architecture

 Logical address consists of

 16-bit segment selector (CS, SS, DS, ES, FS, GS)
 32-bit offset (EIP, ESP, EBP, ESI ,EDI, EAX, EBX, ECX,
EDX)
 Segment unit translates logical address to linear address
 Using a segment descriptor table
 Linear address is 32 bits (called also a virtual address)
 Paging unit translates linear address to physical address
 Using a page directory and a page table

Logical to Linear Address Translation

Upper 13 bits of
segment selector are
used to index the
descriptor table

TI = Table Indicator
Select the descriptor table
0 = Global Descriptor Table
1 = Local Descriptor Table

21
 02/03/2019

Segment Descriptor Tables

 Global descriptor table (GDT)

 Only one GDT table is provided by the operating system
 GDT table contains segment descriptors for all programs
 Also used by the operating system itself
 Table is initialized during boot up
 GDT table address is stored in the GDTR register
 Modern operating systems (Windows-XP) use one GDT table
 Local descriptor table (LDT)
 Another choice is to have a unique LDT table for each program
 LDT table contains segment descriptors for only one program
 LDT table address is stored in the LDTR register

Segment Descriptor Details

 Base Address
 32-bit number that defines the starting location of the segment
 32-bit Base Address + 32-bit Offset = 32-bit Linear Address
 Segment Limit
 20-bit number that specifies the size of the segment
 The size is specified either in bytes or multiple of 4 KB pages
 Using 4 KB pages, segment size can range from 4 KB to 4 GB
 Access Rights
 Whether the segment contains code or data
 Whether the data can be read-only or read & written
 Privilege level of the segment to protect its access

22
 02/03/2019

Segment Visible and Invisible Parts

 Visible part = 16-bit Segment Register

 CS, SS, DS, ES, FS, and GS are visible to the programmer
 Invisible Part = Segment Descriptor (64 bits)
 Automatically loaded from the descriptor table

Paging

 Paging divides the linear address space into …

 Fixed-sized blocks called pages, Intel IA-32 uses 4 KB pages
 Operating system allocates main memory for pages
 Pages can be spread all over main memory
 Pages in main memory can belong to different programs
 If main memory is full then pages are stored on the hard disk
 OS has a Virtual Memory Manager (VMM)
 Uses page tables to map the pages of each running program
 Manages the loading and unloading of pages
 As a program is running, CPU does address translation
 Page fault: issued by CPU when page is not in memory

23
 02/03/2019

Paging – cont’d

The operating
system uses

linear virtual address

linear virtual address

space of Program 2
space of Program 1
Page m ... Page n
page tables to ... ...
map the pages
in the linear Page 2 Page 2
virtual address Page 1 Page 1
space onto Page 0 Page 0
main memory
Hard Disk
The operating
Pages that cannot system swaps pages
Each running
fit in main memory between memory
program has its
are stored on the and the hard disk
own page table
hard disk

As a program is running, the processor translates the linear virtual addresses

onto real memory (called also physical) addresses

x86 Assembly Language Syntax

 An assembly statement
 3 essentials: opcode, operands
(dest, src)
 E.g.,: add a, b,c => c = a+b  AT&T Syntax

 Intel Syntax  opcode src dest

 opcode dest src  has suffix for opcode

 no suffix for opcode  b/w/l/q, 8|16|32|64-bits

 immed. val. is number  immediate value has $

 Plain register name  Register name has %

 [ ] for memory oprand  ( ) for memory oprand

 Example :  Example :

MOV EAX, 5 MOVL $5, %EAX

MOV EAX, [EBX+4] MOV 4(%EBX), %EAX

24
 02/03/2019

x86 Operand Addressing Modes

 Addressing mode is about where the oprands are.
 Immediate Operands – operand values are part of the
instruction
 movl $5, %eax
 Register Operands – operand values are in registers
 add %ebx, %eax
 Memory Operands – operand values are in memory
 Addressed with
 Specifying the segment
 Explicitly specify segments: movl %eax, %es:(%ebx)
 Implicitly specify segments

 Implicity specify segment

25
 02/03/2019

 Specifying the offset

 Offset = Base + Displacement + (Index * scale)
Base Disp Index Scale
EAX
EBX 8-BIT EAX 1
ECX EBX
ECX 2
EDX + X
16-BIT EDX
ESP
EBP 4
EBP ESI
ESI 32-BIT EDI 8
EDI
 Displacement is a number
 Special rules about ESP and EBP
 Any component can be NULL

Example memory operands

 Writing the memory operand
 Intel syntax: segreg:[base+index*scale+disp]
 AT&T syntax: %segreg:disp(base, index, scale)
 Example:
 int a[2][10]; and move a[1][2] into EAX
 Intel syntax
mov ebx, a;
mov ecx, 2;
mov eax, ds:[ebx + ecx * 4h + 40]
 AT&T syntax
movl &a, %ebx;
movl $2, %ecx;
movl %ds:40(%ebx, %ecx, 0x4),%eax

26
 02/03/2019

From Assembly Language to Instructions

 Assembly language is for human
 Instructions are for machine
 One assembly language statement translates into
one instruction
 Why this translation is important
 x86 is CISC, i.e., instructions have variable lengths
 To properly deliver/inspect malicious code at the
correct memory location, attackers/defenders should be
aware of the length of the instructions

Summary of addressing modes

Assembler converts a variable name into a

constant offset (called also a displacement)

For indirect addressing, a base/index

register contains an address/index

CPU computes the effective

address of a memory operand

27