Buffer overflow.docx
- Document number: 2779799
- Upload date: 2022-11-15
- Format: DOCX
- Pages: 10
- Size: 25.51KB
Buffer overflow
From Wikipedia, the free encyclopedia
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.
Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.
Contents
1 Technical description
  1.1 Example
2 Exploitation
  2.1 Stack-based exploitation
  2.2 Heap-based exploitation
  2.3 Barriers to exploitation
  2.4 Practicalities of exploitation
    2.4.1 NOP sled technique
    2.4.2 The jump to address stored in a register technique
3 Protective countermeasures
  3.1 Choice of programming language
  3.2 Use of safe libraries
  3.3 Buffer overflow protection
  3.4 Pointer protection
  3.5 Executable space protection
  3.6 Address space layout randomization
  3.7 Deep packet inspection
4 History
5 See also
6 References
7 External links
Technical description
A buffer overflow occurs when data written to a buffer also corrupts data values in memory addresses adjacent to the destination buffer due to insufficient bounds checking. This can occur when copying data from one buffer to another without first checking that the data fits within the destination buffer.
Example
For more details on stack-based overflows, see Stack buffer overflow.
In the following example, a program has two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-endian integer, B.
char A[8] = ""; unsigned short B = 1979;
Initially, A contains nothing but zero bytes, and B contains the number 1979.
variable name   A                          B
value           [null string]              1979
hex value       00 00 00 00 00 00 00 00    07 BB
Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
strcpy(A, "excessive");
"excessive" is 9 characters long and encodes to 10 bytes including the terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:
variable name   A                                  B
value           'e' 'x' 'c' 'e' 's' 's' 'i' 'v'    25856
hex             65  78  63  65  73  73  69  76     65 00
B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856.
Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a segmentation fault error that terminates the process.
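The A/B example above, as an added C program that is not part of the Wikipedia article: the two variables are placed in a plain byte array with an assumed layout (A at bytes 0..7, B at bytes 8..9, big-endian) so the outcome does not depend on the compiler's real stack layout; the unchecked copy overwrites B exactly as in the table, and a bounded copy leaves it at 1979 and reports the truncation.

```c
/* Added example, not from the Wikipedia article. The A/B layout from the text
 * is reproduced in a plain byte array (an assumed layout: bytes 0..7 hold A,
 * bytes 8..9 hold B as a big-endian unsigned short), so the result does not
 * depend on the real stack layout the compiler chooses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define A_SIZE   8              /* char A[8] from the article; B starts at A_SIZE */
#define MEM_SIZE 64             /* size of the simulated memory region */

/* Store B at bytes 8..9 in big-endian order, as in the article's tables. */
static void set_b(unsigned char *mem, uint16_t b) {
    mem[A_SIZE]     = (unsigned char)(b >> 8);
    mem[A_SIZE + 1] = (unsigned char)(b & 0xFF);
}
/* Read B back the same way. */
uint16_t get_b(const unsigned char *mem) {
    return (uint16_t)((mem[A_SIZE] << 8) | mem[A_SIZE + 1]);
}
/* Unchecked copy, the behaviour of strcpy(A, s): writes strlen(s)+1 bytes
 * starting at A with no regard for A's size, so a long string spills into B. */
uint16_t copy_unchecked(const char *s) {
    unsigned char mem[MEM_SIZE] = {0};
    set_b(mem, 1979);
    size_t n = strlen(s) + 1;
    if (n > MEM_SIZE) n = MEM_SIZE;   /* only clamps the simulation itself */
    memcpy(mem, s, n);                /* no check against A_SIZE: the bug */
    return get_b(mem);
}
/* Bounded copy: never writes more than A_SIZE bytes (terminator included)
 * and reports truncation so the caller can reject over-long input instead. */
uint16_t copy_bounded(const char *s, int *truncated) {
    unsigned char mem[MEM_SIZE] = {0};
    set_b(mem, 1979);
    size_t n = strlen(s);
    int cut = n >= A_SIZE;
    if (cut) n = A_SIZE - 1;          /* leave room for the terminator */
    memcpy(mem, s, n);
    mem[n] = '\0';
    if (truncated) *truncated = cut;
    return get_b(mem);
}

int main(void) {
    int cut;
    uint16_t b = copy_bounded("excessive", &cut);
    printf("unchecked: B = %u\n", copy_unchecked("excessive"));   /* 25856 */
    printf("bounded:   B = %u, truncated = %d\n", b, cut);         /* 1979, 1 */
    return 0;
}
```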
Exploitation
The techniques to exploit a buffer overflow vulnerability vary by architecture, by operating system and by memory region. For example, exploitation on the heap (used for dynamically allocated memory), differs markedly from exploitation on the call stack.
Stack-based exploitation
Main article: Stack buffer overflow
A technically inclined user may exploit stack-based buffer overflows to manipulate the program to their advantage in one of several ways:
- by overwriting a local variable that is near the buffer in memory on the stack to change the behavior of the program, which may benefit the attacker.
- by overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user-input filled buffer.
- by overwriting a function pointer[1] or exception handler, which is subsequently executed
- by overwriting a parameter of a different stack frame or a non-local address pointed to in the current stack context[2]
With a method called "trampolining", if the address of the user-supplied data is unknown, but the location is stored in a register, then the return address can be overwritten with the address of an opcode which will cause execution to jump to the user-supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause execution of user-supplied data. The locations of suitable opcodes, or bytes in memory, can be found in DLLs or in the executable itself. However, the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications.