信息安全技术2.ppt
2021/3/11,1,信息安全技术,向宏博士/教授重庆大学软件学院xianghong,2021/3/11,2,近现代黑客历史,2021/3/11,3,近现代黑客历史,史前1875-1969,1870’s贝尔电话网络公司的接线生,第一、二次世界大战期间Enigma/Turing,1962MIT分时系统(TSS)的诞生,RichardStallman自由软件的创始人,Hackingreferstospiritsoffuninwhichweweredevelopingsoftware,2021/3/11,4,近现代黑客历史,Phreakers1970’s,EsquireMagazinePhreakerFreakPhoneFree,当一个盲童给他祖母通话时的意外发现,Phreakers’targetRippingoffthephonecompanybecameaprotestfortheliberationoftechnology,当电话网络开始与计算机结合,CaptainCrunch,SteveWozniak苹果计算机的创始人,2021/3/11,5,近现代黑客历史,黄金时代1980-1985,PCs开始大规模进入北美和欧洲的普通家庭与企事业机构,好莱坞的电影“WarGame”,ARPANET的出现,2021/3/11,6,近现代黑客历史,计算机犯罪行为1985-1990,美国政府的“计算机欺诈与滥用法案”,与“老一代”黑客不同,新新一代并不关心软件“嬉戏”的愉悦或自由言论或自由通信的追求,而是更加关心如何能够通过这些新技术盈利,Nov.1988,RobertMorrisJr.,2021/3/11,7,近现代黑客历史,世风日下1990,KevinMitnick第一个上了美国联邦调查局追逃名单的黑客,黑客作为一种文化现象开始出现,2021/3/11,8,近现代黑客历史,黑客的今朝与明天,CNN/YAHOO/E-Bay,“5.12”汶川大地震的启迪,2021/3/11,9,缓冲区溢出攻击,2021/3/11,10,BOF的历史,VonNeumann’s体系结构,AlephOne“SmashingTheStackForFunandProfit”,Phrack491989http//insecure.org/stf/smashstack.html,CERT/CC年度报告1997年之前尚无缓冲区溢出攻击的案例),2021/3/11,11,CERT/CC年度报告,1997年度报告28个漏洞中有8个缓冲区溢出的漏洞,,MIMEconversionbufferoverflowinsendmailversionsin8.8.3and8.8.4,BufferoverflowinlibrariesusingNaturalLanguageServiceNLS,BufferoverflowvulnerabilityinXtlibrary,Bufferoverflowprobleminxlock,Bufferoverflowinsuidperl,Bufferoverflowinat1program,BufferoverflowproblemsinSGIIRISsystems,Bufferoverflowprobleminrdist,28.5,2021/3/11,12,,BufferOverflowinNISNetworkInationServicePlus,BufferoverflowsinsomePOPservers,BufferOverflowinSomeImplementationsofIMAPInternetMessageAccessProtocolServers,BufferOverflowinMIME-awareMailandNewsClients,RemotelyExploitableBufferOverflowVulnerabilityinmountdUNIX,RemoteProcedureCall,38.4,1998年度报告13个漏洞中有5个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,13,,FTPBufferOverflows,IISBufferOverflow,BufferOverflowVulnerabilityinCalendarManagerServiceDaemon,rpc.cmsd,BufferOverflowinamd,BufferOverflowsinSSHdaemonandRSAREF2Library,BufferOverflowinSunSolsticeAdminSuiteDaemonsadmind,SystemsCompromisedThroughaVulnerabilityinam-utils,43.7,1999年度报告16个漏洞中有7个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,14,,MultipleBufferOverflowsinKerberosAuthenticatedServices,MITKerberosVulnerabletoDenial-of-ServiceAttacks,9,2000年度报告22个漏洞中有2个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,15,,BufferOverflowVulnerabilityinMicrosoftIIS5.0,BufferOverflowInIISIndexingServiceDLL,BufferOverflowinSunSolarisin.lpdPrintDaemon,Oracle8icontainsbufferoverflowinTNSlistener,“CodeRed“WormExploitingBufferOverflowInIISIndexingService,BufferOverflowintelnetd,ContinuedThreatofthe“CodeRed“Worm,BufferOverflowinGauntletFirewallallowsintruderstocutearbitrarycode,Oracle9iASWebCachevulnerabletobufferoverflow,BufferOverflowinCDESubprocessControlService,BufferOverflowinSystemVUNIXDerivedLogin,BufferOverflowinUPnPServiceonMicrosoftWindows,35.1,2001年度报告37个漏洞中有13个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,16,,ExploitationofVulnerabilityinCDESubprocessControlService,BufferOverflowinAOLICQ,BufferOverflowinMicrosoftInternetExplorer,MultipleVulnerabilitiesinOracleServers,BufferOverflowinMicrosoftsMSNChatActiveXControl,BufferOverflowinMacromediaJRun,BufferOverflowsinMultipleDNSResolverLibraries,MultipleVulnerabilitiesinOpenSSL,IntegerOverflowInXDRLibrary,BufferOverflowinCDEToolTalk,BufferOverflowinKerberosAdministrationDaemon,BufferOverflowinSolarisXWindowFontService,BufferOverflowinMicrosoftWindowsShell,35.1,2002年度报告37个漏洞中有13个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,17,,BufferOverflowsinISCDHCPDMiniresLibrary,BufferOverflowinWindowsLocatorService,RemoteBufferOverflowinSendmail,BufferOverflowinCoreMicrosoftWindowsDLL,IntegeroverflowinSunRPCXDRlibraryroutines,BufferOverflowinSendmail,BufferOverflowinMicrosoftWindowsHTMLConversionLibrary,BufferOverflowinMicrosoftRPC,RPCSSVulnerabilitiesinMicrosoftWindows,BufferOverflowinWindowsWorkstationService,35.7,2003年度报告28个漏洞中有10个缓冲区溢出的漏洞,CERT/CC年度报告,2021/3/11,18,2004AnnualReport“Heavenhelpusifwestillhavebufferoverflowinoursoftwarein20years”--TomLongstaff,Rcharlargebuff[]“1234512345123451234512345ABCD“;intmainvoid{charsmallbuff[16];helloworldsmallbuff,largebuff;}voidhelloworldcharsbuff[],charlbuff[]{},2021/3/11,21,实验二用GDB生成汇编,,进入gdb调试工具环境,运行被调试程序,生成main函数的汇编,2021/3/11,22,实验二栈的变化,pushebpmovesp,ebpsub0 x18,espsub0 x8,esppush0 x8049478lea0 xffffffe8ebp,eaxpusheaxcall0 x80483ecadd0 x10,espleaveret,,eip0 x80483d0,ebp,8个字节(16字节对齐),16字节smallfuff[16],8个字节(为下一个对齐),*largebuff,eax,eax,eip0 x80483ec,pushebpmovesp,ebppopebpret,ebp,2021/3/11,23,一些“危险”的C函数,strcpychar*dest,constchar*srcstrcatchar*dest,constchar*srcgetwdchar*bufgetschar*s[vf]scanfconstchar*at,...realpathchar*path,charresolved_path[][v]sprintfchar*str,constchar*at,...,2021/3/11,24,实验三,includeincludecharlargebuff[]“1234512345123451234512345ABCD“;intmainvoid{charsmallbuff[16];strcpysmallbuff,largebuff;},2021/3/11,25,实验三用GDB生成汇编,2021/3/11,26,实验三栈的变化,pushebpmovesp,ebpsub0 x18,espsub0 x8,esppush0 x8049498lea0 xffffffe8ebp,eaxpusheaxcall0 x80482f0add0 x10,espleavret,,eip0 x8048400,ebp,8个字节向下对齐,8个字节准备与上面对齐,*largebuff,smallbuff[16],123451234512345ABCD,eax,eax,eip0 x80482f0,strcpy,4321,3215,2154,1543,5432,4321,5,DCBA,调用main函数之前的eip被覆盖,找不到回家的路,2021/3/11,27,实验四,includeincludevoidHelloWorld;charlargebuff[]“1234512345123451234512345\x82\x83\x04\x08“;intmainvoid{charsmallbuff[16];strcpysmallbuff,largebuff;}voidHelloWorld{printf“HelloWorld\n“;},