A guide to kernel exploitation




Document information

This is a set of English-language books for IT people specializing in security and programming. It is suitable for anyone passionate about information technology who wants to learn about security and programming.

[...] Di Paola, Antonio Parata, Francesco Perna, Alfredo Pesoli, Gilad Bakas, David Jacoby, and Ceresoni Andrea for sending feedback and ideas about the book and helping to improve its overall quality (and, occasionally, providing a bed or a couch to crash on). We are sure we have forgotten others here (never has the sentence “you know who you are” been more appropriate)…sorry about that. Last but not least, [...]

[...] throughout this book, gathering as much information about the target as possible is a mandatory first step toward a successful exploitation, and this task is much easier to perform if the attacker already has access to the machine. The goal of a remote exploit is to give the attacker access to the remote machine. Elevation of privileges may occur as a bonus if the targeted application is running with [...]

[...] preceding paragraph are self-explanatory and a detailed understanding of their meaning is not of key importance at this point in the book. What is important to understand is that all the vulnerabilities that are part of the same category exhibit a common set of patterns and exploitation vectors. Knowing these patterns and exploitation vectors (usually referred to as exploiting techniques) is of great help [...]

[...] that requires the attacker to already have access to the target machine. The goal of a local exploit is to raise the attacker’s privileges and give him or her complete control over the system. A remote exploit is an attack that targets a machine the attacker has no access to, but that he or she can reach through the network. It is a more challenging (and, to some extent, more powerful) type of exploit. As [...]

[...] access any valid memory address on the system, whereas code executing in user land is subject to all the limitations we described earlier. This hardware- and software-based separation is mandatory to protect the kernel from accidental damage or tampering from a misbehaving or malicious user-land application. Protecting the kernel from other running programs is a first step toward a secure and stable system, [...]

[...] world of exploitation and analyzes what has caused security researchers and attackers to change their focus from targeting user-land applications to exploiting the core of a running system, the kernel. Chapter 2, A Taxonomy of Kernel Vulnerabilities, builds a classification of different types of vulnerabilities (bug classes), looking at common traits and exploitation approaches. The more we can model [...]

[...] areas are supposed to contain data, there is no reason for the application to execute code from there. Make it difficult for the attacker to find the loaded executable areas, since an attacker could always jump to some interesting sequence of instructions in your program. In other words, you want to increase the number of random variables the attacker has to take care of so that brute forcing becomes as [...]

[...] allocator. An example of a project that includes all of these kinds of patches is the ExecShield project by Red Hat/Fedora.

[A] For example, at compile time, the compiler knows the size of certain buffers and can use this information to take a call to an unsafe function such as strcpy and redirect it to a safe function such as strncpy.

In addition to protecting [...]

[...] different user-land applications as well. Consider a typical multiuser environment. Different users expect to have a “private” area on the file system where they can store their data, and they expect that an application that they launch, such as their mail reader software, cannot be stopped, modified, or spied on by another user. Also, for a system to be usable there must be some way to recognize, add, and remove [...]

[...] by performing pattern matching on the data that reaches the application that gets protected. It is easy to imagine that a sequence of standard NOPs would not pass such a check. You might have noticed that we made a pretty big assumption in our discussion so far: when the victim application is re-executed, its state will be exactly the same as it was before the attack. Although an attacker can successfully [...]

[...] on what we have learned about kernel exploitation and look at what the future may hold. To be able to put some order to the many aspects of attack and [...]

[...] Austin, Bas Albert, Igor Falcomata’, clint, Reina Alessandro, Giorgio Fedon, Matteo Meucci, Stefano Di Paola, Antonio Parata, Francesco Perna, Alfredo [...]

Posted: 19/03/2014, 13:31

Table of contents

    A Guide to Kernel Exploitation

    How This Book Is Organized

    About the Technical Editor

    Part I. Journey to Kernel Land

    Chapter 1. From User-Land to Kernel-Land Attacks

    Introducing the Kernel and the World of Kernel Exploitation

    Why Doesn’t My User-Land Exploit Work Anymore?

    An Exploit Writer’s View of the Kernel

    Open Source versus Closed Source Operating Systems

    Chapter 2. A Taxonomy of Kernel Vulnerabilities
