part i the basic idea
DESCRIPTION
Part I The Basic Idea. return result. getURL. call getURL. IE. software. sequence of instructions in memory logically divided in functions that call each other function ‘IE’ calls function ‘ getURL ’ to read the corresponding page - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/1.jpg)
![Page 2: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/2.jpg)
Part IThe Basic Idea
![Page 3: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/3.jpg)
software
• sequence of instructions in memory• logically divided in functions that call
each other– function ‘IE’ calls function ‘getURL’ to read
the corresponding page• in CPU, the program counter contains
the address in memory of the next instruction to execute– normally this is the next address
(instruction 100 is followed by instruction 101, etc)
– not so with function call
200
201
202
203
204
100
101
102
103
IEge
tUR
L
104
call getURL
return result
![Page 4: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/4.jpg)
software
• sequence of instructions in memory• logically divided in functions that call
each other– function ‘IE’ calls function ‘getURL’ to read
the corresponding page• in CPU, the program counter contains
the address in memory of the next instruction to execute– normally this is the next address
(instruction 100 is followed by instruction 101, etc)
– not so with function call
return result
call getURL
200
201
202
203
204
100
101
102
103
104
PC
PC
PC
PC
PC
PC
PC
PC
PC
PC
IEge
tUR
L
![Page 5: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/5.jpg)
1020
1021
1022
1023
1024
software
• so how does our CPU know where to return?– it keeps administration– on a ‘stack’
200
201
202
203
204
100
101
102
103
104
stac
kPC
PCcall getURL
return result
103
PC
PC
PC
PC
PC
PC
PC IEge
tUR
L
stack pointer (SP)
Points to last added entry
on the stack
![Page 6: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/6.jpg)
real functions variables
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
![Page 7: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/7.jpg)
real functions variables
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
![Page 8: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/8.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
stac
k
103
1022
1023
1024
1019
1021
1020
old FP
1018
1017
1016
1015
1014
1013
1012
1011
1010
frame pointer (FP)
Points to start of this
function’s stack frame
![Page 9: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/9.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IEge
tUR
L
104
call getURL
return result
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
stac
k
103
1022
1023
1024
1019
1021
1020
old FP
1018
1017
1016
1015
1014
1013
1012
1011
1010
![Page 10: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/10.jpg)
real functions variables old FP
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018 buf
1017
1016
1015
1014
1013
1012
1011
1010
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1009
1008
1007ge
tUR
L
300
301
302
303 return
read
![Page 11: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/11.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
64
(buf)
fd
old FP
1009
1008
1007
buf
getU
RL
stac
k
300
301
302
303 return
read
![Page 12: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/12.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
1009
1008
1007
64
(buf)
fdbu
f
getU
RL
202
300
301
302
303 return
read
![Page 13: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/13.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
frame pointer (FP)
![Page 14: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/14.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fdon “return
from read”
getU
RL
300
301
302
303 return
read
![Page 15: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/15.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
POP
![Page 16: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/16.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
![Page 17: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/17.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
RET
![Page 18: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/18.jpg)
real functions variables
call read
200
201
202
203
100
101
102
103
IE
104
call getURL
return result
stac
k
103
1022
1023
1024
1019
1021
1020
1018
1017
1016
1015
getURL (){
char buf[10]; read(keyboard,buf,64);get_webpage (buf);
}IE (){
getURL ();}
1014
1013
1012
1011
1010
old FP
202
10231009
1008
1007
64
(buf)
fd
getU
RL
300
301
302
303 return
read
![Page 19: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/19.jpg)
Where is the vulnerability?
![Page 20: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/20.jpg)
Exploit 103
1022
1023
1024
1019
1021
1020
1018 buf
1017
1016
1015
1014
1013
1012
1011
1010
getURL (){
char buf[10]; read(keyboard, buf, 64);get_webpage (buf);
}IE (){
getURL ();}
1013
![Page 21: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/21.jpg)
You may also overwrite other things
• For instance: – Other variables that are also on the stack– Other addresses– Etc.
![Page 22: Part I The Basic Idea](https://reader036.vdocuments.net/reader036/viewer/2022062422/56813294550346895d9929de/html5/thumbnails/22.jpg)
Memory CorruptionFinal words Part I• We have sketched only the most common memory
corruption attack– many variations, e.g.:
• heap stack• more complex overflows• off-by-one
• But there are others also– integer overflows– format string attacks– double free– etc.
• Not now, perhaps later…
*different kinds