计算机网络安全与管理：第16讲 缓冲溢出.pptVIP

Return to System Call stack overflow variant 返回系统函数 针对 non-executable stack defences attacker 再返回地址之上构建恰当的参数 函数返回类函数执行 e.g. system(“shell commands”) attacker 需要精确的地址 甚至可以练两个库 Heap Overflow 也可攻击 heap 通常放置在 program code上 有程序请求用于动态数据类型的内存请求, e.g. linked lists 无返回 不已转移控制 可能可利用函数指针 或操作管理数据结构 defenses: non executable or random heap Heap Overflow Example Heap Overflow Example Global Data Overflow 可以攻击global数据 may be located above program code if has function pointer and vulnerable buffer or adjacent process management tables aim to overwrite function pointer later called defenses: non executable or random global data region, move function pointers, guard pages Global Data Overflow Example Summary introduced basic buffer overflow attacks stack buffer overflow details shellcode defenses compile-time, run-time other related forms of attack replacement stack frame, return to system call, heap overflow, global data overflow * * * * * * * * * * Given the problems that can occur in C with unsafe array and pointer references, there have been a number of proposals to augment compilers to automatically insert range checks on such references. Whilst this is fairly easy for statically allocated arrays, handling dynamically allocated memory is more problematic, and requires an extension to the semantics of a pointer to include bounds information, and the use of library routines to ensure these values are set correctly. Several such approaches exist. However, there is generally a performance penalty with the use of such techniques that may or may not be acceptable. It also requires all programs and libraries that require these safety features to be re-compiled with the modified compiler. A common concern with C comes from the use of unsafe standard library routines, especially some of the string manipulation routines. One approach to improving the safety of systems has been to replace these with safer variants, eg. strlcpy() which requires rewriting the source to conform to the new s