网站大量收购闲置独家精品文档,联系QQ:2885784924

复旦大学软件学院计算机系统课件 Pointers Buffer Overflow.ppt

复旦大学软件学院计算机系统课件 Pointers Buffer Overflow.ppt

  1. 1、本文档共36页,可阅读全部内容。
  2. 2、原创力文档(book118)网站文档一经付费(服务费),不意味着购买了该文档的版权,仅供个人/单位学习、研究之用,不得用于商业用途,未经授权,严禁复制、发行、汇编、翻译或者网络传播等,侵权必究。
  3. 3、本站所有内容均由合作方或网友上传,本站不对文档的完整性、权威性及其观点立场正确性做任何保证或承诺!文档内容仅供研究参考,付费前请自行鉴别。如您付费,意味着您自己接受本站规则且自行承担风险,本站不退款、不进行额外附加服务;查看《如何避免下载的几个坑》。如果您已付费下载过本站文档,您可以点击 这里二次下载
  4. 4、如文档侵犯商业秘密、侵犯著作权、侵犯人身权等,请点击“版权申诉”(推荐),也可以打举报电话:400-050-0827(电话支持时间:9:00-18:30)。
查看更多
* * * * * * * * * Stack Corruption Detection Return address Saved %ebp Saved %ebx Canary [7] [6] [5] [4] [3] [2] [1] [0] %ebp buf Stack frame for caller Stack frame for echo * Stack Corruption Detection 1 echo: 2 pushl %ebp 3 movl %esp, %ebp 4 pushl %ebx 5 subl $20, %esp 6 movl %gs:20, %eax Retrieve canary 7 movl %eax, -8(%ebp) Store on stack 8 xorl %eax, %eax Zero out register 9 leal -16(%ebp), %ebx Compute buf as %ebp-16 10 movl %ebx, (%esp) Store buf at top of stack 11 call gets Call gets 12 movl %ebx, (%esp) Store buf at top of stack 13 call puts Call puts * Stack Corruption Detection 14 movl -8(%ebp), %eax Retrieve canary 15 xorl %gs:20, %eax Compare to stored value 16 je .L19 If =, goto ok 17 call __stack_chk_fail Stack corrupted! 18 .L19: ok: 19 addl $20, %esp Normal return ... 20 popl %ebx 21 popl %ebp 22 ret %gs:20 Segmented addressing which appeared in 80286 and seldom used today It is marked as read only * Limiting Executable Code Regions Page 4k bytes As a protected unit by OS Should be marked as “readable”, “writable” and “executable” 3 bits are required Originally Intel merged the “readable” and “executable” into one The exploit code in the stack can be executed AMD introduced “NX” in X86-64 Now there 3 bits How about “JIT”? Code Reuse Attack Return-oriented Programming Find code gadgets in existed code base (e.g. libc) Push address of gadgets on the stack Leverage ‘ret’ to connect code gadgets No code injection Solutions Return-less kernels Heuristic means New Attacks: Jump-oriented Use gadget as dispatcher return addr saved ebp 0101011010 0101011010 0101011010 Address A Address B Address C 0101011010 A B C Motivation: Code Reuse Attack * * * * * * * * * * * * * * * * * * * * * * * * * * Compilers Autumn 2002 Compilers Autumn 2002 * Understanding Pointers Buffer Overflow * Outline Understanding Pointers Buffer Overflow Suggested reading Chap 3.10, 3.12 * Pointers Every po

文档评论(0)

ormition + 关注
实名认证
内容提供者

该用户很懒,什么也没介绍

1亿VIP精品文档

相关文档