
CS485G Spring 2015 33
2. The limit program shows per-process limitations; by default, for instance, the stack is limited to 8MB.
36 Buffer overflow
1. Underlying problem: library functions do not check sizes of parameters, because C array types don’t specify length.
2. Lecture 19, 3/11/2015
3. Which functions: gets(), strcpy(), strcat(), scanf(), fscanf(),
sscanf().
4. Effect of overflowing a local array (on the stack): overwriting return
address.
(a) If the return address points outside text or stack space, the return causes a segmentation fault.
(b) The return address can be to code on the stack that is part of the
overflowing buffer, leading to execution of arbitrary code.
5. Internet worm (November 1988): the fingerd program used gets()
to read a command-line parameter; by exploiting a buffer overflow,
the worm got fingerd to run a root shell with a TCP connection to the
attacker.
6. There are hundreds of other examples.
7. Avoiding vulnerability
(a) Use library routines that limit lengths: fgets(), strncpy(),
scanf(...%ns...).
(b) Randomized stack offsets: allocate a random amount of stack
space as the program starts. Then the attacker cannot guess the
start of the buffer, so it is harder to fake the return address to
jump into the buffer.
(c) Nonexecutable segments: On the x86, anything readable is executable, including the stack. On the x86-64, there is a separate executable permission.
(d) Stack canaries: put a canary value on stack just beyond each
buffer; check for corruption as part of linkage during return. In
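The length-limited routines listed in 7(a), worked through as an added example that is not part of the lecture notes: each wrapper reports whether input was truncated, a check the raw library calls do not make, and the comments record the two usual pitfalls (strncpy() not terminating, fgets() leaving the rest of an overlong line in the stream). Function names, buffer size and sample input are the example's own.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 16   /* fixed-size local buffer, the pattern the notes warn about */

/* Bounded replacement for strcpy(): strncpy() does NOT NUL-terminate when src
 * is too long, so the terminator is written explicitly. Returns 0 if src fit,
 * 1 if it was truncated, -1 if dst_len is 0. */
int bounded_copy(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return -1;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
    return strlen(src) >= dst_len ? 1 : 0;
}

/* Replacement for gets(): fgets() stores at most dst_len-1 characters. If the
 * line did not fit, the remainder is discarded so it is not read as the next
 * line. Returns 0 if the whole line fit, 1 if truncated, -1 on EOF. */
int read_line(char *dst, size_t dst_len, FILE *in) {
    if (fgets(dst, (int)dst_len, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    int c, discarded = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') discarded++;
    return discarded > 0 ? 1 : 0;
}

/* scanf-family with a width: "%15s" stores at most BUF_LEN-1 characters plus
 * the terminator; the width must be kept in step with BUF_LEN.
 * Returns the number of items scanned (1 or 0). */
int scan_word(char dst[BUF_LEN], const char *input) {
    dst[0] = '\0';
    return sscanf(input, "%15s", dst);
}

int main(void) {
    char buf[BUF_LEN];
    const char *oversize = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed, 32 bytes */
    int t = bounded_copy(buf, sizeof buf, oversize);
    printf("bounded_copy: truncated=%d, stored %zu chars\n", t, strlen(buf));
    FILE *in = tmpfile();            /* constructed stand-in for stdin */
    if (in == NULL) return 1;
    fputs("short\nthis line is far longer than sixteen bytes\n", in);
    rewind(in);
    while ((t = read_line(buf, sizeof buf, in)) != -1)
        printf("read_line: truncated=%d -> \"%s\"\n", t, buf);
    fclose(in);
    t = scan_word(buf, oversize);
    printf("scan_word: items=%d, stored %zu chars\n", t, strlen(buf));
    return 0;
}
```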