1 / 22

Part I The Basic Idea

Part I The Basic Idea. return result. getURL. call getURL. IE. software. sequence of instructions in memory logically divided in functions that call each other function ‘IE’ calls function ‘ getURL ’ to read the corresponding page

paki-irwin
Download Presentation

Part I The Basic Idea

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Part IThe BasicIdea

  2. return result getURL call getURL IE software • sequence of instructions in memory • logically divided in functions that call each other • function ‘IE’ calls function ‘getURL’ to read the corresponding page • in CPU, the program counter contains the address in memory of the next instruction to execute • normally this is the next address (instruction 100 is followed by instruction 101, etc) • not so with function call 204 203 202 201 200 104 103 102 101 100

  3. PC PC PC PC PC PC PC PC PC PC software • sequence of instructions in memory • logically divided in functions that call each other • function ‘IE’ calls function ‘getURL’ to read the corresponding page • in CPU, the program counter contains the address in memory of the next instruction to execute • normally this is the next address (instruction 100 is followed by instruction 101, etc) • not so with function call return result 204 203 202 getURL 201 200 104 103 call getURL 102 IE 101 100

  4. PC PC PC PC PC PC PC PC PC 1024 software 103 1023 • stack pointer (SP) • Points to last added entry • on the stack 1022 stack 1021 1020 • so how does our CPU know where to return? • it keeps administration • on a ‘stack’ return result 204 203 202 getURL 201 200 104 103 call getURL 102 IE 101 100

  5. real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () {getURL (); }

  6. real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () {getURL (); } 203 return result 202 getURL call read 201 200 104 103 call getURL 102 101 IE 100

  7. real functions  variables 103 1024 • frame pointer (FP) • Points to start of this function’s stack frame stack 1023 old FP 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 1012 103 1011 call getURL 102 1010 101 IE 100

  8. real functions  variables 103 1024 stack 1023 old FP 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 1012 103 1011 call getURL 102 1010 101 IE 100

  9. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result buf 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 1012 103 1011 call getURL 102 1010 101 1009 IE 1008 100 1007

  10. real functions  variables 103 1024 303 return stack stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result buf 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 101 1009 IE 1008 100 1007

  11. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result buf 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 101 202 1009 IE 1008 100 1007

  12. real functions  variables 103 1024 303 return frame pointer (FP) stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 202 101 1009 IE 1023 1008 100 1007

  13. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 on “return from read” 1011 fd call getURL 102 1010 202 101 1009 IE 1023 1008 100 1007

  14. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 POP 202 101 1009 IE 1023 1008 100 1007

  15. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 202 101 1009 IE 1023 1008 100 1007

  16. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 202 101 1009 IE RET 1023 1008 100 1007

  17. real functions  variables 103 1024 303 return stack 1023 old FP 302 read 301 1022 getURL () { char buf[10]; read(keyboard,buf,64);get_webpage(buf); } IE () {getURL (); } 1021 300 1020 1019 203 return result 1018 202 1017 getURL call read 201 1016 200 1015 1014 1013 104 64 1012 (buf) 103 1011 fd call getURL 102 1010 202 101 1009 IE 1023 1008 100 1007

  18. Where is the vulnerability?

  19. 1013 Exploit 103 1024 1023 1022 getURL () { char buf[10]; read(keyboard, buf, 64);get_webpage (buf); } IE () {getURL (); } 1021 1020 1019 buf 1018 1017 1016 1015 1014 1013 1012 1011 1010

  20. Youmayalsooverwriteotherthings • For instance: • Other variables that are alsoon the stack • Otheraddresses • Etc.

  21. Memory CorruptionFinal words Part I • We have sketched only the most common memory corruption attack • many variations, e.g.: • heap   stack • more complex overflows • off-by-one • But there are others also • integer overflows • format string attacks • double free • etc. • Not now, perhaps later… *different kinds

More Related