3. Memory Security Vulnerabilities

提供: 炎上まとめwiki
ナビゲーションに移動 検索に移動


We’ll begin our discussion of vulnerabilities with one among the most typical forms of errors - buffer overflow (also referred to as buffer overrun) vulnerabilities. Buffer overflow vulnerabilities are a selected risk in C, and since C is an particularly widely used systems programming language, you may not be stunned to listen to that buffer overflows are one of the vital pervasive sort of implementation flaws around. Objective-C both undergo from these vulnerabilities as properly. C is a low-degree language, that means that the programmer is all the time exposed to the bare machine, one of many the explanation why C is such a preferred systems language. Furthermore, C can be a very outdated language, which means that there are several legacy techniques, MemoryWave Official that are previous codebases written in C that are still maintained and up to date. A selected weakness that we will focus on is the absence of automated bounds-checking for array or pointer accesses. It's the programmer’s responsibility to rigorously verify that each memory entry is in bounds.



This could get difficult as your code will get an increasing number of sophisticated (e.g. for loops, consumer inputs, multi-threaded programs). It is thru this absence of automated bounds-checking that buffer overflows take advantage of. A buffer overflow bug is one where the programmer fails to perform enough bounds checks, triggering an out-of-bounds memory access that writes past the bounds of some memory area. Attackers can use these out-of-bounds memory accesses to corrupt the program’s intended habits. Allow us to begin with a simple example. If the enter comprises more than 8 bytes of information, then gets() will write previous the tip of buf, overwriting another part of memory. This is a bug. In C, static memory is stuffed in the order that variables are outlined, so authenticated is at a higher address in memory than buf (since static memory grows upward and buf was outlined first, buf is at a decrease memory address). Imagine that elsewhere within the code, there's a login routine that sets the authenticated flag provided that the user proves information of the password.



Unfortunately, the authenticated flag is saved in memory proper after buf. Be aware that we use "after" right here to imply "at a better memory address". If the attacker can write 9 bytes of information to buf (with the 9th byte set to a non-zero value), then this can set the authenticated flag to true, and the attacker shall be ready to achieve access. The program above allows that to occur, because the will get operate does no bounds-checking; it will write as a lot knowledge to buf as is equipped to it by the person. In different words, the code above is susceptible: an attacker who can control the input to the program can bypass the password checks. In memory, this can be a 4-byte worth that shops the tackle of a perform. In other phrases, calling fnptr will trigger this system to dereference the pointer and begin executing directions at that handle. Like authenticated within the previous instance, fnptr is stored instantly above buf in memory.



Suppose the perform pointer fnptr is called elsewhere in the program (not proven). This enables a extra serious assault: the attacker can overwrite fnptr with any tackle of their selecting, redirecting program execution to some other memory location. Notice that in this assault, the attacker can select to overwrite fnptr with any handle of their choosing-so, for example, they will select to overwrite fnptr with an tackle where some malicious machine instructions are saved. It is a malicious code injection assault. In fact, many variations on this attack are doable: the attacker might retailer malicious code anywhere in memory and redirect execution to that deal with. Malicious code injection assaults permit an attacker to seize management of this system. At the conclusion of the assault, this system remains to be running, however now it is executing code chosen by the attacker, reasonably than the original code. For example, consider an online server that receives requests from shoppers across the network and processes them.



If the online server contains a buffer overrun in the code that processes such requests, a malicious client can be able to seize control of the web server course of. If the net server is working as root, as soon as the attacker seizes management, the attacker can do anything that root can do; as an illustration, the attacker can leave a backdoor MemoryWave Official that permits them to log in as root later. At that time, the system has been "owned"1. The attacks illustrated above are only doable when the code satisfies sure special conditions: the buffer that can be overflowed should be followed in memory by some security-important data (e.g., a perform pointer, or a flag that has a vital affect on the following movement of execution of this system). Because these situations happen solely not often in follow, attackers have developed more practical methods of malicious code injection. One powerful technique for exploiting buffer overrun vulnerabilities takes advantage of the way in which native variables are laid out on the stack.

https://plamosoku.com/enjyo/index.php?title=3._Memory_Security_Vulnerabilities&oldid=2018222」から取得