This post collects some of the notes I took in the CSP class. I will probably never look at them again, but deleting them outright would be a pity, so they are kept here for now.
------------------------------------------------
12-6
Why does reading a file also cause a write? Because the read updates the last-open (access) time stored in the inode; this can be disabled.
Writing a file: the foo inode is written (modify time = time of last write).
The bar inode is written: mtime, block number, size.
Input parameter: current-track
If the unsigned int -> int conversion is ignored, the value can become negative.
Constructing the header yields an arbitrary write.
All devices are treated as files.
IOCTLs
Used to handle operations on a file other than open, close, read and write.
Parameters: cmd, data
An int-typed value must also be checked to be greater than a lower bound (it may be negative).
EIP can then be set to any value the attacker wants.
Integer overflow
Turn the assignment into an if check first, and only then assign the value.
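As an added example (not code from the course or from these notes), a C sketch of the two checks the lines above point at: an index that arrives as an unsigned int but is compared as an int, beside the unsigned comparison that rejects it, and an addition that is checked before it is assigned. The table, sizes and function names are made up for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8              /* constructed example table */
static int table[TABLE_LEN];

/* The check the notes warn about: the value arrived as an unsigned int from
 * user space but is stored in an int. A value such as 0xFFFFFFFF becomes -1,
 * satisfies "idx < TABLE_LEN", and would index before the table. */
bool weak_check_accepts(unsigned int user_idx)
{
    int idx = (int)user_idx;     /* the unsigned -> int narrowing */
    return idx < TABLE_LEN;      /* upper bound only: negatives slip through */
}

/* Corrected check: keep the comparison unsigned (equivalently, test both
 * idx < 0 and idx >= TABLE_LEN). True only for 0 .. TABLE_LEN-1. */
bool strict_check_accepts(unsigned int user_idx)
{
    return user_idx < TABLE_LEN;
}

/* Store through the strict check; refuses out-of-range indices. */
bool table_store(unsigned int user_idx, int value)
{
    if (!strict_check_accepts(user_idx))
        return false;
    table[user_idx] = value;
    return true;
}

/* The second lesson: turn "len = base + extra" into an if check that
 * rejects a wrapping sum, and only assign afterwards. */
bool add_len_checked(size_t base, size_t extra, size_t *out)
{
    if (extra > SIZE_MAX - base)
        return false;            /* sum would wrap around */
    *out = base + extra;
    return true;
}

int main(void)
{
    size_t len = 0;
    printf("weak check accepts 0xFFFFFFFF: %d\n", weak_check_accepts(0xFFFFFFFFu));
    printf("strict check accepts 0xFFFFFFFF: %d\n", strict_check_accepts(0xFFFFFFFFu));
    printf("add_len_checked(SIZE_MAX, 1) ok: %d\n", add_len_checked(SIZE_MAX, 1, &len));
    return 0;
}
```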
Side-channel
Java does not compute on the heap; computation happens on the stack.
Replay and re-record to bypass taint tracking.
When a file is downloaded after being placed on the web, some of its properties disappear.
Roughly one in every five assembly instructions is a jump, so a basic block is about five instructions.
Indirect call: call ecx
Shadow stack:
Records the function call stack.
BTS: very useful for debugging.
Call Set
longjmp
Reference monitor: file descriptors are a classic instance.
Flow-sensitive: flow sensitivity refers to whether the order in which program statements execute is taken into account. For example, in pointer alias analysis within data-flow analysis, a flow-insensitive alias analysis may conclude that "variables x and y may point to the same location", whereas a flow-sensitive alias analysis yields a conclusion like "after executing the 20th instruction, variables x and y may point to the same location". A flow-insensitive alias analysis therefore ignores control flow and treats the aliases it finds as holding at every point in the program.
Path-sensitive: path sensitivity computes different analysis information for the different predicates of conditional branch statements; that is, it follows each branch of the program flow and records the distinct program states of the two branch paths. Path-insensitive analysis does not distinguish between branches. Naive path sensitivity suffers from "path explosion" or an "infinite search space".
Context-sensitive: context sensitivity takes the calling context of a function into account in interprocedural analysis.
1. Flow-sensitive / flow-insensitive: whether the control flow within a procedure is considered. A procedure's control-flow graph has branches, loops and so on; flow-sensitive analysis takes the control flow inside the procedure (or function) into account, whereas flow-insensitive analysis ignores it and only considers the
2. Context-sensitive / context-insensitive: whether the different call sites of a function are distinguished. A sub-procedure or function may be called from more than one procedure, and the actual parameters passed to it or the current global variables may differ between callers; this is the context. Context-sensitive analysis accounts for these differences, while context-insensitive analysis analyzes the sub-procedure or function once for all callers.
Q1: the problem with coarse-grained CFI is that it essentially merges individual targets into one set.
With a context-sensitive scheme this attack should not be usable.
Paper2
CFG: first disassemble the binary to generate the CFG.
The CFG can be coarse-grained or fine-grained; either works.
Optimize the CFG: remove unused edges, then add them back.
Tune ABC, but this time there is no call, so removing the others is equivalent to optimizing at dynamic execution time.
Static analysis: enumerate everything.
Taint
Taint tracking, DIFT and DIFC are similar.
Focus only on the flow of data and on where tainting is needed: how taint propagates, and how to intercept it at the exit points. The hardest part is propagation. Performance.
Access instructions
Java is type-safe
Return-to-libc: execute functions such as system() and exec().
- Issue 1: do not call these two functions.
- Issue 2: do not want this function to execute at all.
Only applies to exact calls to these two functions.
Writing the stack: the attacker completes the write with a series of pop operations.
Caller callee
Canaries: the canary is sensitive to gas.
Respawn: restart after a crash.
dup2(sock, 0)
Cpi
Sensitive pointers