Memory Protection Mechanism of Linux
TEAM PWN&PLAY
YIS of KSIA
comfb.com/xodnr631
SYSTEM HACKING
Memory Protection Mechanism of Linux
Buffer Overflow (1)
• A hacking technique that exploits the bug that arises when user-supplied data is too large and overflows the limited capacity of a buffer
• Buffer: a temporary storage area that holds information while data is exchanged between the computer's main memory and peripheral devices
Buffer Overflow (2)
Low address
CODE: compiled machine code
DATA: global / static and other variables
HEAP: space allocated directly by the programmer
STACK: local variables, function arguments, environment variables
High address
Buffer Overflow (3)
BUFFER | SFP | RET
BUFFER - SFP - RET - Argc/Argv - environment variables - file name
A A A A A A A A A A A A A A A A A A A
Stack
Low address
CODE: compiled machine code
DATA: global / static and other variables
HEAP: space allocated directly by the programmer
STACK: local variables, function arguments, environment variables
High address
User space
Memory
Kernel | User
HIGH -> LOW
STACK | HEAP | DATA | CODE
Buffer Overflow (5)
<Types of BOF challenge problems>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* no length check: an argv[1] longer than 255 bytes overflows buffer */
    printf("%s\n", buffer);
}
```
```c
#include <stdio.h>

int main()
{
    char buffer[16];

    gets(buffer);              /* gets() takes no size limit; it was removed from the language in C11 */
    printf("%s\n", buffer);
}
```
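The two reads above, `strcpy(buffer, argv[1])` and `gets(buffer)`, rewritten with explicit bounds. This is an added example, not code from the original slides; the helper names `copy_arg` and `read_line` are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

/* Bounded strcpy(buffer, argv[1]): 0 on success, -1 if src and its NUL do not fit. */
int copy_arg(char *dst, size_t dstlen, const char *src)
{
    const char *nul;
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    nul = memchr(src, '\0', dstlen);   /* look at no more than dstlen bytes */
    if (nul == NULL) {                 /* too long: reject, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Bounded gets(buffer): 0 on success, -1 on EOF or overlong line (which is drained). */
int read_line(char *dst, size_t dstlen, FILE *in)
{
    size_t n;
    int c;
    if (dst == NULL || dstlen < 2 || fgets(dst, (int)dstlen, in) == NULL)
        return -1;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    c = fgetc(in);                     /* no newline seen: is more input pending? */
    if (c == EOF || c == '\n')
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    dst[0] = '\0';
    return -1;
}

int main(int argc, char *argv[])
{
    char buffer[256];                  /* same size as the slide's buffer */
    if (argc < 2 || copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argv error\n");
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Both helpers reject oversized input instead of truncating it, so a caller never continues with a silently shortened value.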
```c
/* Fragment added inside main() of the challenge program (needs <string.h>). */
extern char **environ;
int i;

// here is changed!
// egghunter: wipes every environment string
for (i = 0; environ[i]; i++)
    memset(environ[i], 0, strlen(environ[i]));
```
```c
// here is changed!
if (strlen(argv[0]) != 77) {
    printf("argv[0] error\n");
    exit(0);
}
```
BUT
Memory Protection (1)
DEP (Data Execution Prevention)
STACK
BUFFER | SFP | RET | arguments | environment variables | file name
LOW -> HIGH
Memory Protection (1)
RTL (Return-to-libc)
STACK
BUFFER | SFP | RET | arguments | environment variables | file name
LOW -> HIGH
BUFFER | SFP | RET
A A A A A A A A A A A A A A A A A A A
&system() &execl() &/bin/sh
Memory Protection (2)
ASLR (Address Space Layout Randomization)
STACK
BUFFER | SFP | RET | arguments | environment variables | file name
LOW -> HIGH
I'm the best hacker
Same address
↑ Address that keeps changing
↑ Fixed address
Memory Protection (3)
ASCII Armor
STACK
BUFFER | SFP | RET | arguments | environment variables | file name
LOW -> HIGH
Memory Protection (4)
Canary
BUFFER | SFP | RET
BUFFER | SFP | CANARY | RET
A A A A A A A A A A ? ! # $ A A A A A
CANARY: RANDOM / TERMINATOR / NULL
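A simulation of the canary check on the slide's frame layout (BUFFER | SFP | CANARY | RET), showing that an unchecked string copy is detected and why terminator and NULL canaries contain bytes that stop such a copy. This is an added example, not code from the original slides; the frame sizes, canary bytes, saved RET value and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame in the slide's order: BUFFER | SFP | CANARY | RET */
enum { BUF = 16, SFP = 4, CAN = 4, RET = 4, FRAME = BUF + SFP + CAN + RET,
       CANARY_OFF = BUF + SFP, RET_OFF = BUF + SFP + CAN };
enum { CANARY_CHANGED = 1, RET_CHANGED = 2 };

/* Constructed sample values, not taken from any real binary. */
const uint8_t TERMINATOR_CANARY[CAN] = { 0x00, 0x0d, 0x0a, 0xff }; /* NUL CR LF 0xFF */
const uint8_t NULL_CANARY[CAN]       = { 0x00, 0x00, 0x00, 0x00 };
const uint8_t RANDOM_CANARY[CAN]     = { 0x5a, 0xc3, 0x91, 0x7e }; /* real one: drawn at startup */
static const uint8_t SAVED_RET[RET]  = { 0x44, 0x33, 0x22, 0x11 };

/* strcpy-like write starting at BUFFER: copies up to and including the
 * first NUL and performs no bounds check (clamped to the simulated frame). */
static void strcpy_into_frame(uint8_t *frame, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n && i < FRAME; i++) {
        frame[i] = src[i];
        if (src[i] == 0x00)
            return;
    }
}

/* Runs one copy and reports which fields changed; the epilogue check aborts on CANARY_CHANGED. */
int overflow_result(const uint8_t *canary, const uint8_t *in, size_t n)
{
    uint8_t frame[FRAME] = { 0 };
    int r = 0;
    memcpy(frame + CANARY_OFF, canary, CAN);
    memcpy(frame + RET_OFF, SAVED_RET, RET);
    strcpy_into_frame(frame, in, n);
    if (memcmp(frame + CANARY_OFF, canary, CAN) != 0) r |= CANARY_CHANGED;
    if (memcmp(frame + RET_OFF, SAVED_RET, RET) != 0) r |= RET_CHANGED;
    return r;
}

int main(void)
{
    uint8_t flood[FRAME], embedded[FRAME];
    memset(flood, 'A', FRAME);                 /* plain overflow, no NUL */
    memset(embedded, 'B', FRAME);              /* input carrying the canary bytes */
    memcpy(embedded + CANARY_OFF, TERMINATOR_CANARY, CAN);
    printf("flood:    %d\n", overflow_result(TERMINATOR_CANARY, flood, FRAME));
    printf("embedded: %d\n", overflow_result(TERMINATOR_CANARY, embedded, FRAME));
    return 0;
}
```

A result of 3 means both CANARY and RET were overwritten, which the epilogue check catches; 0 means the copy stopped at the canary's NUL byte and RET was never reached.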
DEP
DEP + ASLR
DEP + ASLR + ASCII Armor
DEP + ASLR + ASCII Armor + Canary