I wondered if C or C++ has a way to find where the operating system operates in RAM and free that place. I know that I can use free() to free up a memory location. I wonder if I can shut down my computer by freeing my operating system's RAM space.
- Why do you want to do that? – Fantastic Mr Fox Jul 14 '20 at 17:01
- (1) OS's memory is not necessarily in a single place. Your definition for OS is way too vague – uIM7AI9S Jul 14 '20 at 17:02
- @FantasticMrFox we were arguing with my friend about whether we can do such a thing. No ill intent, I just want to see how powerful these languages are – ExperiencedSoup Jul 14 '20 at 17:02
- @uIM7AI9S I can take a chunk in RAM using malloc or calloc and free that – ExperiencedSoup Jul 14 '20 at 17:03
- (12) No modern OS will allow you access to its address space. – Taekahn Jul 14 '20 at 17:03
- (2) Are you familiar with [virtual memory](https://stackoverflow.com/questions/14347206/what-are-the-differences-between-virtual-memory-and-physical-memory)? – Brian61354270 Jul 14 '20 at 17:04
- @Brian no, I am not. I will check it out, thanks! – ExperiencedSoup Jul 14 '20 at 17:04
- Modern operating systems don't work this way. Also free() would not work. You would need the kernel version. And the OS would prevent it anyways. – drescherjm Jul 14 '20 at 17:05
- (2) In a big view your OS is split into processes. These have their virtual space. If you manage to fetch all processes and terminate them one by one, most likely the system will crash rather than shut down – uIM7AI9S Jul 14 '20 at 17:05
- (4) If you *can* shut down your computer this easily, you might want to investigate using a new Operating System. – Scott Hunter Jul 14 '20 at 17:05
- @uIM7AI9S thank you! – ExperiencedSoup Jul 14 '20 at 17:06
- (4) None of the memory addresses that you work with in a program are actual RAM addresses. They are all virtual addresses which require the OS's memory management subsystem to map these virtual addresses to their actual physical (RAM) addresses. – Amal K Jul 14 '20 at 17:07
- (1) It's not because the language is not powerful. It's just because of how the OS is written; it has complete control over all your programs, which run in a virtual address space. Interaction with the operating system is possible through predefined protocols called system calls. – Amal K Jul 14 '20 at 17:11
- Yes, the operating system is located in memory. **All of it** is under the control of the operating system. – tadman Jul 14 '20 at 17:17
- (5) On early operating systems on computers without memory protection (e.g. MS-DOS or AmigaDOS) a program could indeed do this sort of thing, and programs that wanted full control of the computer (e.g. video games) would often start by blowing away the OS so they could get exclusive use of all hardware resources. Even back then, it was considered slightly rude to do this, since it would destroy any unsaved data the user had in other running programs. Modern computers use memory protection to prohibit nuking the OS, of course. – Jeremy Friesner Jul 14 '20 at 17:21
- (1) The only way to be sure is to take off and nuke the entire OS from orbit. – user4581301 Jul 14 '20 at 17:34
2 Answers
Before protected memory was a thing you could just access any bit of memory using its physical address and manipulate it. This was how DOS and DOS-based Windows (pre Windows 95, like 3.1) worked.
Protected memory, or virtualized memory, means you can do things like swap out parts of memory to disk, in effect pretending to have more memory than the computer physically has. Chunks of memory can be swapped around as necessary, paged in and paged out, with the running program being none the wiser. These addresses are all virtual, or "fake" as in they don't physically exist, but as far as the CPU is concerned, they are real and work exactly as you'd expect, something accomplished by the integrated Memory Management Unit (MMU) in the CPU.
After protected memory your "user space" program no longer sees physical memory addresses, but instead virtual addresses that the operating system itself manages. On Intel-type systems the kernel, the core of the operating system, runs within a special protection ring that prevents user programs from directly accessing or manipulating memory.
Any multi-user system must implement this kind of memory and kernel protection or there would be no way to prevent one user from accessing the memory of another user's processes.
Within the kernel there is no "malloc" or "free" in the conventional sense, the kernel has its own special allocation mechanisms. These are completely separate from the traditional `malloc()` and `free()` functions in the C standard library and are not in any way inter-compatible. Each kernel, be it Linux or BSD or Windows or otherwise, does this in a different way even if they can all support user-space code that uses the exact same `malloc()` function.
There should be no way that you can, through simple memory allocation calls, crash the system. If you can, congratulations, you've found an exploit and should document it and forward it to the appropriate parties for further analysis. Keep in mind this kind of thing is heavily researched so the likelihood of you discovering one by chance is very low. Competitions like pwn2own show just how much work is involved in bypassing all this security.
It's also important to remember that the operating system does not necessarily live in a fixed location. Address Space Layout Randomization is a technique to scramble the addresses of various functions and data to ensure that an exploit can't use hard-coded values. Before this was common you could predict where various things would live in memory and do blind manipulation through a tiny bug, but that's made much harder now as you must not only find an exploit to manipulate, but another to discover the address in the first place.
All that being said, there's nothing special about C or C++ in terms of "power" that makes it able to do things no other language can do. Any program that is able to bind against the operating system functions has the same equivalent "power" in terms of control. This includes Python, Perl, Ruby, Node.js, C# and a long, long list of others that can bind to C libraries and make arbitrary function calls.
People prototype "exploits" in whatever language is the most convenient, and often that's Perl or Python as often as C. It really depends on what you're trying to accomplish. Some bugs, once discovered, are so easy to reproduce you could do it with something as mundane as browser JavaScript, as was the case with Row Hammer.

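The protection described in the answer above can be observed from user space. This is an added example, not code from the answer: each operation runs in a forked child so that the fault ends the child only. `KERNEL_SIDE_ADDR`, `probe` and the `op_*` helpers are names made up for illustration, and the top page of the address space being kernel-only is an assumption that holds on Linux.

```c
/* Added example: user-space write and free() aimed at a kernel-side address. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the top page of the address space is reserved for the kernel
 * (true on Linux), so user mode can never map or touch it. */
#define KERNEL_SIDE_ADDR ((uintptr_t)-4096)

static unsigned char own_byte;   /* memory this process really owns */

typedef void (*probe_fn)(uintptr_t);

static void op_write(uintptr_t a) { *(volatile unsigned char *)a = 0; }
/* free() on a pointer malloc() never returned is undefined behaviour; the
 * allocator usually faults reading its own bookkeeping next to the pointer. */
static void op_free(uintptr_t a) { free((void *)a); }

/* Run op(addr) in a forked child. Returns 0 if the child survived, the
 * number of the signal that killed it, or -1 if fork/waitpid failed. */
int probe(probe_fn op, uintptr_t addr)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        op(addr);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("write to own memory : signal %d\n", probe(op_write, (uintptr_t)&own_byte));
    printf("write to kernel side: signal %d\n", probe(op_write, KERNEL_SIDE_ADDR));
    printf("free() kernel side  : signal %d\n", probe(op_free, KERNEL_SIDE_ADDR));
    return 0;
}
```

The parent keeps running after each probe: the kernel delivers a signal to the offending process and nothing else is affected.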
You mention `free()` as a means to free memory which is correct but too simplified. Its counterparts `malloc()` and `calloc()` merely translate to a system call which requests the operating system for a chunk of memory. When you call `free()`, you relinquish ownership of the memory you asked for and return it to the operating system.
Your C/C++ program runs in a virtual address space which the operating system's memory management subsystem maps to actual RAM addresses. No matter what address you access, it can never be out of this virtual address space which is entirely under the control of the operating system.
A user application can never access the operating system's memory in case of modern operating systems. All memory it uses is granted to it by the operating system. The OS acts as a bridge/abstraction between your user applications and hardware, that's their whole purpose, to prevent direct interaction with the hardware, in your case, RAM. RAM was once upon a time directly accessible before the advent of virtual memory. It was exactly due to this vulnerability, along with the need to run programs larger than the system memory, that virtual memory was introduced.
The only way you can mess with the operating system in user space is to make system calls with malignant arguments.

- (2) @ExperiencedSoup — no. The o/s is in charge of memory allocation. – Jonathan Leffler Jul 14 '20 at 17:38
- (3) ***Can I ask for more RAM than my operation system offers to me?*** You can ask for more memory than the system has physical RAM. Operating Systems allow for this using swap space (page file on Windows). If your OS grants this request it still won't give you any access to the virtual memory allocated to other programs running on the same computer so you can't do anything to harm other processes using this. Other than causing the system to slow down because it's using a hard drive or even SSD for virtual memory. – drescherjm Jul 14 '20 at 19:46
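The second answer's point that every pointer lives in a per-process virtual address space, and the last comment's point that one process cannot reach another's memory, can both be checked with `fork()`. This is an added example, not code from the thread; `struct view` and `compare_views` are illustrative names, and a POSIX system is assumed.

```c
/* Added example: one virtual address, two processes, two different values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct view { uintptr_t addr; int value; };   /* what one process sees */

/* Allocate an int, fork, let the child overwrite and free its copy, then
 * report what each process saw. Returns 0 on success, -1 on failure. */
int compare_views(struct view *parent, struct view *child)
{
    int fds[2];
    int *cell = malloc(sizeof *cell);
    if (cell == NULL)
        return -1;
    *cell = 1;
    pid_t pid = pipe(fds) < 0 ? -1 : fork();
    if (pid < 0) {
        free(cell);
        return -1;
    }
    if (pid == 0) {
        *cell = 2;                    /* changes only the child's copy */
        struct view v = { (uintptr_t)cell, *cell };
        free(cell);                   /* releases only the child's heap */
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], child, sizeof *child);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    parent->addr = (uintptr_t)cell;
    parent->value = *cell;            /* still 1 after the child's write and free */
    free(cell);
    return n == (ssize_t)sizeof *child ? 0 : -1;
}

int main(void)
{
    struct view p, c;
    if (compare_views(&p, &c) != 0)
        return 1;
    printf("parent: address %#lx holds %d\n", (unsigned long)p.addr, p.value);
    printf("child : address %#lx holds %d\n", (unsigned long)c.addr, c.value);
    return 0;
}
```

Both processes report the same address with different contents, because the MMU maps that virtual address to a different physical page in each process.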