part i the basic idea
Post on 01-Jan-2016
24 Views
Preview:
DESCRIPTION
TRANSCRIPT
Part IThe Basic Idea
software
• sequence of instructions in memory• logically divided in functions that call
each other– function ‘IE’ calls function ‘getURL’ to read
the corresponding page• in CPU, the program counter contains
the address in memory of the next instruction to execute– normally this is the next address
(instruction 100 is followed by instruction 101, etc)
– not so with function call
200
201
202
203
204
100
101
102
103
IEge
tUR
L
104
call getURL
return result
software
• sequence of instructions in memory• logically divided in functions that call
each other– function ‘IE’ calls function ‘getURL’ to read
the corresponding page• in CPU, the program counter contains
the address in memory of the next instruction to execute– normally this is the next address
(instruction 100 is followed by instruction 101, etc)
– not so with function call
return result
call getURL
200
201
202
203
204
100
101
102
103
104
PC
PC
PC
PC
PC
PC
PC
PC
PC
PC
IEge
tUR
L
1020
1021
1022
1023
1024
software
• so how does our CPU know where to return?– it keeps administration– on a ‘stack’
200
201
202
203
204
100
101
102
103
104
stac
kPC
PCcall getURL
return result
103
PC
PC
PC
PC
PC
PC
PC IEge
tUR
L
stack pointer (SP)
Points to last added entry
on the stack
real functions variables
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
real functions variables
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
real functions variables
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
stac
k
103
1022
1023
1024
1019
1021
1020
old FP
1018
1017
1016
1015
1014
1013
1012
1011
1010
frame pointer (FP)
Points to start of this
function’s stack frame
real functions variables
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
stac
k
103
1022
1023
1024
1019
1021
1020
old FP
1018
1017
1016
1015
1014
1013
1012
1011
1010
real functions variables old FP
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018 buf
1017
1016
1015
1014
1013
1012
1011
1010
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1009
1008
1007ge
tUR
L
300
301
302
303 return
read
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
64
(buf)
fd
old FP
1009
1008
1007
buf
getU
RL
stac
k
300
301
302
303 return
read
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
1009
1008
1007
64
(buf)
fdbu
f
getU
RL
202
300
301
302
303 return
read
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
frame pointer (FP)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fdon “return
from read”
getU
RL
300
301
302
303 return
read
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
POP
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
RET
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
Where is the vulnerability?
Exploit 103
1022
1023
1024
1019
1021
1020
1018 buf
1017
1016
1015
1014
1013
1012
1011
1010
getURL (){
char buf[10]; read(keyboard, buf, 64);get_webpage (buf);
}IE (){
getURL ();}
1013
You may also overwrite other things
• For instance: – Other variables that are also on the stack– Other addresses– Etc.
Memory CorruptionFinal words Part I• We have sketched only the most common memory
corruption attack– many variations, e.g.:
• heap stack• more complex overflows• off-by-one
• But there are others also– integer overflows– format string attacks– double free– etc.
• Not now, perhaps later…
*different kinds
top related