Scattered notes from the CSP class

Source: Internet
Author: User
Tags: taint

This article collects some scattered notes taken in the CSP class. I will probably never look at them again, but deleting them outright would be a pity, so for the time being they are parked here.

------------------------------------------------

12-6

Why does reading a file cause a write? Because the read updates the last open (access) time: the inode stores access times. This can be disabled.

Writing a file: for the foo inode, a write updates the modify time (time of the last write).

For the bar inode, a write updates the mtime, the block number and the size.


Input parameter Current-track

Ignoring the unsigned int -> int conversion: the value can become negative.

Construct the header and obtain an arbitrary write.


All devices are considered files

IOCTLs

Used to handle file operations other than open, close, read and write.

Parameters: cmd, data

An int-typed parameter must also be checked to be greater than some lower bound, since it can be negative.

EIP then becomes any value you want to set.


Integer overflow

Turn the assignment into an if check, and only assign the value after the check.

Side-channel


Java: computation is done on the stack, not on the heap.


Replay and re-record: bypasses taint tracking.

If a file is downloaded after being put on the web, some of its attributes are lost.



Roughly one jump instruction per 5 lines of assembly; a basic block is about 5 assembly lines.

Indirect call: call ecx

Shadow stack:

Records the function call stack.

BTS: very useful for debugging

Call Set

longjmp

Reference monitor: the file descriptor is a classic instance.



Flow-sensitive: flow sensitivity refers to taking into account the order in which program statements execute. For example, in pointer alias analysis within data-flow analysis, a flow-insensitive pointer alias analysis may conclude that "variables x and y may point to the same location", whereas a flow-sensitive pointer alias analysis yields a conclusion such as "after executing the 20th instruction, variables x and y may point to the same location". A flow-insensitive pointer alias analysis therefore does not consider control flow and assumes that the aliases it finds hold at every point in the program.

Path-sensitive: path sensitivity refers to computing different analysis information for the different predicates of conditional branch statements; that is, a path-sensitive analysis follows each branch of the program flow and records the differing program states of the two branch paths. Correspondingly, a path-insensitive analysis does not account for the differences between branches. Naive path sensitivity suffers from the "path explosion" or "infinite search space" problem.

Context-sensitive: context sensitivity refers to considering the calling context of a function call in interprocedural analysis.


1. Flow-sensitive / flow-insensitive concerns whether the control flow inside a procedure is considered. A procedure's control flow graph has branches, loops and so on; flow-sensitive analysis takes the control flow inside the procedure (also called a function) into account, while flow-insensitive analysis does not consider the flow of the procedure and only considers the

2. Context-sensitive / context-insensitive concerns the different call sites of a function. A sub-procedure or function may be called from more than one procedure, and when different procedures call it, the actual parameters passed to it, or the current global variables, may differ; this is called the context. Context-sensitive analysis accounts for these differences, while context-insensitive analysis analyses a sub-procedure or function only once.
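As an added illustration of the flow-sensitive versus flow-insensitive distinction (example code, not part of the original notes), the following toy points-to analysis runs both variants over a constructed four-statement program. The statement encoding, the variable names x/y and the locations a/b/c are assumptions chosen for the example; the flow-insensitive result reports that x and y may alias, while the flow-sensitive result can say after which statement that is true and after which it no longer is, matching the "after executing the 20th instruction" formulation above.

```python
from collections import defaultdict

# Constructed toy program. Each statement is a tuple:
#   ("assign", dst, loc)  means  dst = &loc      (dst now points to loc)
#   ("copy",   dst, src)  means  dst = src       (dst points wherever src points)
PROGRAM = [
    ("assign", "x", "a"),   # stmt 0: x = &a
    ("assign", "y", "b"),   # stmt 1: y = &b
    ("copy",   "x", "y"),   # stmt 2: x = y   -> x and y both point to b here
    ("assign", "y", "c"),   # stmt 3: y = &c  -> x and y no longer alias
]


def flow_insensitive(program):
    """Ignore statement order: accumulate every points-to fact any statement
    could establish, iterating to a fixed point. The result is one set per
    variable that is assumed to hold everywhere in the program."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for op, dst, src in program:
            before = set(pts[dst])
            if op == "assign":
                pts[dst].add(src)
            else:                       # copy: dst inherits all of src's targets
                pts[dst] |= pts[src]
            if pts[dst] != before:
                changed = True
    return {var: frozenset(targets) for var, targets in pts.items()}


def flow_sensitive(program):
    """Respect statement order: walk the statements and keep one points-to
    state per program point. An assignment is a strong update (it replaces
    the old targets), so facts can be killed as well as generated.
    Returns the list of states, states[i] = state after statement i."""
    state = {}
    states = []
    for op, dst, src in program:
        if op == "assign":
            state[dst] = frozenset({src})
        else:
            state[dst] = state.get(src, frozenset())
        states.append(dict(state))
    return states


def may_alias(pts, var1, var2):
    """Two variables may alias if their points-to sets overlap."""
    return bool(pts.get(var1, frozenset()) & pts.get(var2, frozenset()))


def compare():
    """Run both analyses and return the alias verdicts for (x, y)."""
    fi = flow_insensitive(PROGRAM)
    fs = flow_sensitive(PROGRAM)
    return {
        "flow_insensitive": may_alias(fi, "x", "y"),          # True: over-approximation
        "after_stmt_2": may_alias(fs[2], "x", "y"),           # True: both point to b
        "after_stmt_3": may_alias(fs[3], "x", "y"),           # False: y was re-pointed to c
    }


if __name__ == "__main__":
    print("flow-insensitive:", flow_insensitive(PROGRAM))
    for i, st in enumerate(flow_sensitive(PROGRAM)):
        print(f"after stmt {i}:", st)
    print(compare())
```

The flow-insensitive analysis returns x -> {a, b, c}, because the copy statement is applied without regard to which assignment is current; the flow-sensitive walk shows the alias is real only between statement 2 and statement 3. Both analyses here are path-insensitive: a real implementation would merge states from different branches at join points by set union, which is where the precision discussed under path sensitivity is lost.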


Q1: the problem with coarse-grained CFI is essentially that all targets are lumped into a single set.

Under a context-sensitive scheme this attack should not be usable.


Paper2

CFG: first disassemble the binary.

The CFG can be coarse-grained or fine-grained; either works.

Optimize the CFG: remove unused edges, then add them back.

Tune ABC, but this time there is no call; removing the others is equivalent to the optimization done at dynamic-execution time.

Static analysis: enumerate everything.



Taint

Taint tracking, DIFT and DIFC are similar.

Focus only on the data flow: where taint needs to be introduced, how the taint spreads, and how to intercept it at the exit points. The hardest part is propagation. Performance.
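To make the three concerns above concrete (where taint is introduced, how it spreads, where it is intercepted), here is an added toy dynamic taint tracker; it is example code written for these notes, not from the class or any real DIFT system. The instruction set, register names, the `recv` source label, the `exec`/`jump` sink names and the byte-masking sanitizer are all constructed for the example. It also shows the classic blind spot that makes propagation the hard part: a value chosen by a branch on tainted data (an implicit flow) is not marked tainted by an explicit-data-flow tracker.

```python
from dataclasses import dataclass, field


@dataclass
class TaintTracker:
    """Minimal explicit-data-flow taint tracker over a constructed toy ISA.
    taint maps a register to the set of source labels that influenced it."""
    values: dict = field(default_factory=dict)
    taint: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def t(self, reg):
        return self.taint.get(reg, set())

    def run(self, program):
        for pc, ins in enumerate(program):
            op, *args = ins
            if op == "source":              # dst = untrusted input: taint is introduced here
                dst, label, val = args
                self.values[dst] = val
                self.taint[dst] = {f"{label}@{pc}"}
            elif op == "const":             # dst = literal: never tainted
                dst, val = args
                self.values[dst] = val
                self.taint[dst] = set()
            elif op == "mov":               # dst = src: taint copies along the data flow
                dst, src = args
                self.values[dst] = self.values[src]
                self.taint[dst] = set(self.t(src))
            elif op == "add":               # dst = x + y: taint is the union of both inputs
                dst, x, y = args
                self.values[dst] = self.values[x] + self.values[y]
                self.taint[dst] = self.t(x) | self.t(y)
            elif op == "sanitize":          # dst = validate(src): constructed check clears taint
                dst, src = args
                self.values[dst] = self.values[src] & 0xFF
                self.taint[dst] = set()
            elif op == "select":            # dst = v_true if cond != 0 else v_false
                dst, cond, v_true, v_false = args
                self.values[dst] = v_true if self.values[cond] else v_false
                # Only a control dependency on cond: an explicit-data-flow
                # tracker propagates nothing here, so the implicit flow is lost.
                self.taint[dst] = set()
            elif op == "sink":              # exit point: intercept if tainted data arrives
                name, src = args
                if self.t(src):
                    self.alerts.append((pc, name, sorted(self.t(src))))
            else:
                raise ValueError(f"unknown op {op!r}")
        return self.alerts


# Constructed instruction stream exercising introduction, spread and interception.
PROGRAM = [
    ("source", "r0", "recv", 0x41),   # pc 0: r0 comes from the network -> tainted
    ("const", "r1", 4),               # pc 1
    ("add", "r2", "r0", "r1"),        # pc 2: arithmetic on tainted data stays tainted
    ("mov", "r3", "r2"),              # pc 3: copy keeps the taint
    ("sink", "exec", "r3"),           # pc 4: tainted data reaches a sink -> alert
    ("sanitize", "r4", "r0"),         # pc 5: validated copy is clean
    ("sink", "exec", "r4"),           # pc 6: no alert
    ("select", "r5", "r0", 1, 0),     # pc 7: r5 depends on r0 only via control flow
    ("sink", "jump", "r5"),           # pc 8: no alert, although r5 leaks one bit of r0
    ("mov", "r0", "r1"),              # pc 9: overwriting r0 with a constant clears its taint
    ("sink", "jump", "r0"),           # pc 10: no alert
]


def run_example():
    """Run the constructed program and return the tracker for inspection."""
    tracker = TaintTracker()
    tracker.run(PROGRAM)
    return tracker


if __name__ == "__main__":
    tr = run_example()
    print("alerts:", tr.alerts)
    print("taint:", {r: sorted(s) for r, s in tr.taint.items()})
```

The only alert is raised at pc 4, where data derived from the `recv` source reaches the `exec` sink through an add and a mov. The select at pc 7 shows why real trackers must decide how to handle control dependencies: tracking them closes this gap but taints far more state and costs performance, which is the trade-off the notes point at.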

Visit instructions



Java is type-safe


Return-to-libc: execute a function such as system() or execs().

- Issue 1: do not call these two functions

- Issue 2: do not want this function to execute

Only applies to exact invocations of these two functions.


Writing to the stack: the attacker completes the write with a series of pop operations.


Caller callee

Canaries: The canary is sensitive to gas


Respawn: restart after a crash

dup2(sock, 0)



CPI

Sensitive pointers
