How to find security vulnerabilities-how hackers exploit vulnerabilities

See the title of this article you will not be a tiger body earthquake it. Feel--it ' s imposible!,but it's so easy to get in ...
We always hear "digging holes", "a certain company has a right to raise loopholes", we will ask "How do you know this is a loophole." How do you know where the leak is? "Of course it's easy to answer, because the bugs are in the code, but millions of lines of code who know where there are vulnerabilities. Well, what about this? People can't do the software to get everything done. Of course, the premise of the exploit is that you have to know how to launch an overflow attack, or how to raise the power. There are also a few commonly used command statements. The most important thing is that you need to know what kind of code is vulnerable. In this way, after a long time we can customize the syntax format, those hackers are the custom of a set of Common Vulnerability code database. We can also build Oh ~ ~
Therefore, this article is to say is a few special tools used to analyze the code, but also the software engineers to do security evaluation tools. These things are used well is the security evaluation tool, the loophole mining tool, use is not good. Loophole excavator, Hacker sword.
The tool to prevent formatting string attacks under Formatguard:linux is an enhancement to glibc. The number of parameters in the class printf function is counted by the macro function provided by preprocessing, and the conversion descriptor is counted by the Parse_printf_format function provided by GLIBC. If the number of conversion specifiers is greater than the number of parameters supplied to printf, the _PROTECED_PRINTF function considers that it may be subject to a format string attack, warning. However, the tool cannot parse the class vprintf function, which is a large number of such functions.
Libformat:unix provides a useful environment variable ld_preload that allows us to define a dynamic link library that is loaded prior to the program's permission. The main idea is to insert yourself into the program through a dynamic connector, terminating the program if a format string containing%n is found in writable memory after the program runs. But the reading operation is powerless, and encountered any%n format string, will terminate the program, False report high.
ANTLR: Recognizing and processing programming languages is the primary task of ANTLR, the processing of programming language is a heavy and complicated task, in order to simplify processing, the general compilation technology divides the language processing work into the front-end and the back end two parts. The front-end includes lexical analysis, syntax analysis, semantic analysis, intermediate code generation and other steps, the backend includes target code generation and code optimization steps. ANTLR is committed to solving all the work of compiling the front-end. The lexical and grammatical rules of the target language can be defined by using ANLTR syntax, ANTLR the lexical analyzer and parser of the target language automatically; In addition, if you specify rules for an abstract syntax tree in a grammar rule, ANTLR can also generate an abstract syntax tree while generating the parser Finally, the tree Analyzer is used to traverse the abstract syntax tree to complete semantic analysis and intermediate code generation. The whole work will be very relaxed and enjoyable with the strong support of anltr. In addition, ANTLR's lexical analyzer Builder can easily accomplish all the work that regular expressions can do, and in addition to using ANLTR, you can accomplish some of the hard work of regular expressions, such as identifying matching pairs of opening and closing brackets.
GOLD: It is a more complex parser that supports many languages, including: Assembly–intel x86, ANSI C, C #, D, Delphi, Java, Pascal, Python, Visual Basic, Visual Basic. NET , Visual C + +, all. NET language, all ActiveX languages. It's a free software.
ITS4: read one or more C + + source programs, separate each source program into a function flag stream, and then check whether the generated flag exists in the vulnerability database, so that all the source program error warning list, with the relevant description. Its rule base vulns.i4d defines the risk level, description and so on of various functions, and reports the risk through rule matching, but it cannot understand the meaning of program context, and there are large false positives.
Flawfinder: Lexical scanning and analysis, embedded a number of vulnerable databases, such as buffer overflow, format string vulnerabilities, scanning fast, according to the vulnerability of the code in the risk level of the vulnerability division, you can quickly find existing problems, false positives higher
Rats: Scans for potential vulnerabilities in source programs developed by C, C + +, Perl, PHP, and Python, and the scanning rules are rough
The above is common C/s + + commonly used code analysis tools, loopholes in the code, dug up is our results, we work together Oh ~
Of course, there are a lot of useful things, such as: Pc-lint, Splin these two tools. In short, we can use the static analysis tools, dynamic analysis tools are used, the loophole is so dug out, so some people say that the hole excavation is boring, but there are many people really enjoy.
Accompanying drawings: (Grammar analysis process)