handouts/ho03.tex
changeset 395 60f64793266f
parent 391 a612dd3ddc81
child 396 2f4296a0ab21
394:ea1ee786d5a7 395:60f64793266f
    47   table [x=Year,y=Percentage] {bufferoverflows.data};
    47   table [x=Year,y=Percentage] {bufferoverflows.data};
    48 \end{axis}
    48 \end{axis}
    49 \end{tikzpicture}
    49 \end{tikzpicture}
    50 \end{center}
    50 \end{center}
    51 
    51 
    52 \noindent This statistics indicates that in the last
    52 \noindent This statistics shows that in the last seven years
    53 five years or so the number of buffer overflow attacks is
    53 or so the number of buffer overflow attacks is around 10\% of
    54 around 10\% of all attacks (whereby the absolute numbers of
    54 all attacks (whereby the absolute numbers of attacks grow each
    55 attacks grow each year).
    55 year). So you can see buffer overflow attacks are very
       
    56 relevant today.
    56 
    57 
    57 
    58 
    58 To understand how buffer overflow attacks work, we have to have
    59 To understand how buffer overflow attacks work, we have to have
    59 a look at how computers work ``under the hood'' (on the
    60 a look at how computers work ``under the hood'' (on the
    60 machine level) and also understand some aspects of the C/C++
    61 machine level) and also understand some aspects of the C/C++
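Review bot: the new sentence "This statistics shows that in the last seven years or so" (new line 52) is ungrammatical; as a count noun it takes "This statistic shows" (or "These statistics show"). The window was also changed from "five years" to "seven years" in this changeset with no visible change to bufferoverflows.data, so check that the stated window matches the year range the axis actually plots. Two smaller points in the same paragraph: "whereby the absolute numbers of attacks grow each year" reads more naturally as "while the absolute numbers ... grow each year", and if the data file counts reported vulnerabilities rather than observed attacks, the text should say so rather than calling them "attacks".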
    65 even knowing what the underlying ideas are. If you want to be
    66 even knowing what the underlying ideas are. If you want to be
    66 a good security engineer who needs to defend against such attacks, 
    67 a good security engineer who needs to defend against such attacks, 
    67 then better you get to know the details too.
    68 then better you get to know the details too.
    68  
    69  
    69 For buffer overflow attacks to work, a number of innocent
    70 For buffer overflow attacks to work, a number of innocent
    70 design decisions, which are really benign on their own, need
    71 design decisions, which are really benign on their own, have
    71 to conspire against you. All these decisions were taken at a
    72 to come together. All these decisions were taken at a time
    72 time when there was no Internet: C was introduced around 1973;
    73 when there was no Internet: C was introduced around 1973; the
    73 the Internet TCP/IP protocol was standardised in 1982 by which
    74 Internet TCP/IP protocol was standardised in 1982 by which
    74 time there were maybe 500 servers connected (and all users
    75 time there were maybe 500 servers connected (and all users
    75 were well-behaved, mostly academics); Intel's first 8086 CPUs
    76 were well-behaved, mostly academics); Intel's first 8086 CPUs
    76 arrived around 1977. So nobody of the ``forefathers'' can
    77 arrived around 1977. So nobody of the ``forefathers'' can
    77 really be blamed, but as mentioned above we should already be
    78 really be blamed, but as mentioned above we should already be
    78 way beyond the point that buffer overflow attacks are worth a
    79 way beyond the point that buffer overflow attacks are worth a
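Review bot: "nobody of the ``forefathers'' can really be blamed" (line 76/77) should be "none of the ``forefathers'' can really be blamed". In the same list of dates, "Intel's first 8086 CPUs arrived around 1977" is off by a year: Intel released the 8086 in 1978. The replacement of "need to conspire against you" with "have to come together" is an improvement, but "benign on their own, have to come together" leaves the earlier "innocent design decisions, which are really benign on their own" saying the same thing twice; dropping either "innocent" or "which are really benign on their own" would tighten it.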
   108 programmer explicitly allocates. For us the most interesting
   109 programmer explicitly allocates. For us the most interesting
   109 region is the stack, which contains data mostly associated
   110 region is the stack, which contains data mostly associated
   110 with the control flow of the program. Notice that the stack
   111 with the control flow of the program. Notice that the stack
   111 grows from higher addresses to lower addresses (i.e.~from the
   112 grows from higher addresses to lower addresses (i.e.~from the
   112 back to the front). That means that older items on the stack
   113 back to the front). That means that older items on the stack
   113 will be stored behind, or after, newer items. Let's look a bit
   114 are stored behind, or after, newer items. Let's look a bit
   114 closer what happens with the stack when a program is running.
   115 closer what happens with the stack when a program is running.
   115 Consider the following simple C program.
   116 Consider the following simple C program.
   116  
   117  
   117 \lstinputlisting[language=C]{../progs/example1.c} 
   118 \lstinputlisting[language=C]{../progs/example1.c} 
   118  
   119  
   119 \noindent The \code{main} function calls in Line 7 the
   120 \noindent The \code{main} function calls in Line 7 the
   120 function \code{foo} with three arguments. \code{Foo} creates
   121 function \code{foo} with three arguments. \code{Foo} creates
   121 two (local) buffers, but does not do anything interesting with
   122 two (local) buffers, but does not do anything interesting with
   122 them. The only purpose of this program is to illustrate what
   123 them. The only purpose of this program is to illustrate what
   123 happens behind the scenes with the stack. The interesting
   124 happens behind the scenes with the stack. The interesting
   124 question is what will the stack be after Line 3 has been
   125 question is what will the stack look like after Line 3 has
   125 executed? The answer can be illustrated as follows:
   126 been executed? The answer can be illustrated as follows:
   126  
   127  
   127 \begin{center} 
   128 \begin{center} 
   128  \begin{tikzpicture}[scale=0.65]
   129  \begin{tikzpicture}[scale=0.65]
   129   \draw[gray!20,fill=gray!20] (-5, 0) rectangle (-3,-1);
   130   \draw[gray!20,fill=gray!20] (-5, 0) rectangle (-3,-1);
   130   \draw[line width=1mm] (-5,-1.2) -- (-5,0.2);
   131   \draw[line width=1mm] (-5,-1.2) -- (-5,0.2);
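Review bot: the prose refers to "Line 7" and "Line 3" of example1.c (new lines 120 and 125), so the \lstinputlisting of ../progs/example1.c must have line numbering enabled (numbers=left, either here or in a global \lstset); otherwise those references point at nothing the reader can see. Also, "\code{Foo} creates two (local) buffers" (line 121) capitalises the identifier, which in C is a different name; write "The function \code{foo} creates two (local) buffers" instead. Finally, the statement that the stack grows from higher to lower addresses is correct for x86 (and most mainstream ABIs), but it is a property of the platform, not of C; a qualifier such as "on x86" would keep the claim accurate, and the wording change from "will be stored" to "are stored" is fine.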
   186 with the \pcode{-S} option, for example \pcode{gcc -S out
   187 with the \pcode{-S} option, for example \pcode{gcc -S out
   187 in.c}\;. Or you can look at this code by using the debugger.
   188 in.c}\;. Or you can look at this code by using the debugger.
   188 How to do this will be explained later.}
   189 How to do this will be explained later.}
   189 
   190 
   190 \begin{center}\small
   191 \begin{center}\small
   191 \begin{tabular}[t]{@{}c@{\hspace{8mm}}c@{}}
   192 \begin{tabular}[t]{p{10cm}}
   192 {\lstinputlisting[language={[x86masm]Assembler},
   193 {\lstinputlisting[language={[x86masm]Assembler},
   193   morekeywords={movl},xleftmargin=5mm]
   194   morekeywords={movl},xleftmargin=5mm]
   194   {../progs/example1a.s}} &
   195   {../progs/example1a.s}}
       
   196 \end{tabular}
       
   197 \end{center}
       
   198 \begin{center}\small
       
   199 \begin{tabular}[t]{p{10cm}}
   195 {\lstinputlisting[language={[x86masm]Assembler},
   200 {\lstinputlisting[language={[x86masm]Assembler},
   196   morekeywords={movl,movw},xleftmargin=5mm]
   201   morekeywords={movl,movw},xleftmargin=5mm]
   197   {../progs/example1b.s}}  
   202   {../progs/example1b.s}}  
   198 \end{tabular}
   203 \end{tabular}
   199 \end{center}
   204 \end{center}
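Review bot: the example command "\pcode{gcc -S out in.c}" (line 186/187) is wrong as written: with -S gcc compiles in.c and writes the assembly to in.s, and "out" would be treated as a second input file rather than an output name. Either write "\pcode{gcc -S in.c}" (and mention that the output lands in in.s) or, to choose the file name, "\pcode{gcc -S -o out.s in.c}". On the layout change: the two assembly listings used to sit side by side in one two-column tabular and are now two separate single-column p{10cm} tabulars, so check that no surrounding prose still refers to them as the left and right listing. A small consistency point: the first listing declares morekeywords={movl} while the second declares morekeywords={movl,movw}; if example1a.s also contains movw it will not be highlighted there, so it is simpler to give both listings the same keyword list.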