南京大学：《软件安全 Software Security》课程教学资源（PPT课件讲稿）Use-after-free.pptx_大学文库

文档信息

资源类别：文库
文档格式：PPTX
文档页数：24
文件大小：1.16MB
团购合买：点击进入团购

内容简介

南京大学：《软件安全 Software Security》课程教学资源（PPT课件讲稿）Use-after-free

刷新页面文档预览

Use-after-free 2016-12-08

Papers younan,Yves."FreeSentry:protecting against use- after-free vulnerabilities due to dangling pointers."NDSS.2015. Lee,B.,Song,C.,Jang,y.,Wang,T.,Kim,T.,Lu,L., Lee,W.(2015,February).Preventing Use-after-free with Dangling Pointers Nullification.NDSS.2015 5

5 Papers • Younan, Yves. "FreeSentry: protecting against useafter-free vulnerabilities due to dangling pointers." NDSS. 2015. • Lee, B., Song, C., Jang, Y., Wang, T., Kim, T., Lu, L., & Lee, W. (2015, February). Preventing Use-after-free with Dangling Pointers Nullification. NDSS.2015

Use-after-free vulnerabilities ·A dangling pointer -A pointer points to a freed memory region Using a dangling pointer leads to undefined program states Easy to achieve arbitrary code executions -so called use-after-free 6

Use-after-free vulnerabilities 6

Use-after-free vulnerabilities object A f0: integer1 p=(struct A*) integer2 malloc(16); integer3 free(p); q=(struct B*) integer4 malloc(16); p->integer1 value; q->function_ptr1(); P Pointer to A

Use-after-free vulnerabilities 7

Use-after-free vulnerabilities object A f0: integer1; p=(struct A*) integer2; malloc(16); integer3; free(p); q=(struct B*) integer4; malloc(16); p->integer1 value; q->function_ptr1(): P Pointer to A 8

Use-after-free vulnerabilities 8

Use-after-free vulnerabilities object B f0: function_ptr1 p=(struct A*) function_ptr2 malloc(16); IP free(p); char_array q=(struct B*) malloc(16); p->integer1 value; q->function_ptr1(); f1: P Pointer to A f2: Q Pointer to B 9

Use-after-free vulnerabilities 9

Use-after-free vulnerabilities object B f0: function_ptr1 p=(struct A*) function_ptr2 malloc(16); free(p); char_array q=(struct B*) IP malloc(16): p->integer1 value; q->function_ptr1(): f1: attacker P Pointer to A code: 2: Q Pointer to B 10

Use-after-free vulnerabilities 10

Use-after-free vulnerabilities object B f0: function ptr1 p=(struct A*) function_ptr2 malloc(16): free(p): char_array q=(struct B*) malloc(16); p->integer1 value; q->function_ptr1(): f1: attacker P Pointer to A code: f2: Q Pointer to B 11

Use-after-free vulnerabilities 11

Use-after-free vulnerabilities object B f0: function_ptr1 p=(struct A*) function_ptr2 malloc(16); free(p): char_array q=(struct B*) malloc(16); p->integer1 value; q->function_ptr1(): f1: IP attacker P Pointer to A code: f2: Pointer to B 12

Use-after-free vulnerabilities 12

Use-after-free vulnerabilities class Doc:public Element Doc *doc new Doc(): Body *body=new Body(): Element *child; }: doc->child body: class Body:public Element delete body; Element *child: if (doc->child) doc->child->getAlign() 13

Use-after-free vulnerabilities 13

共24页，试读已结束，阅读完整版请下载

刷新页面下载完整文档

VIP每日下载上限内不扣除下载券和下载次数；
按次数下载不扣除下载券；
注册用户24小时内重复下载只扣除一次；
顺序：VIP每日次数-->可用次数-->下载券；