# ECE-422
[![hackmd-github-sync-badge](https://hackmd.io/Z1ZgjJSrQ2S88dIMFga9Yg/badge)](https://hackmd.io/Z1ZgjJSrQ2S88dIMFga9Yg)
## Lecture1: Introduction
- 4*2 Homework
- 2 person team
- Online Exams with books open
## Lecture2: Moral
## Lecture3: Buffer Overflow
### By the end of this chapter you should:
- Recall stack, calling convention basics
- Be able to demonstrate simple buffer overflow attacks
- Be able to build shellcode
### Assembly
![](https://i.imgur.com/JQqvnks.png)
![](https://i.imgur.com/Bz6ap2w.png)
![](https://i.imgur.com/4CiQZIv.png)
### Buffer overflow FTW
- Success! Program crashed!
    - Exploit: any string longer than buffer size
- Success! Execute arbitrary code!
    - Exploit: injected code + address of buffer
- Success! Open a shell!
    - Exploit: nop sled + shellcode + guesses of buffer address
### First lesson: avoid unsafe functions
- Unsafe functions:
    - strcpy and friends (str*)
    - sprintf
    - gets
- Safe versions:
    - strncpy and friends (strn*)
    - snprintf
    - fgets
- Does not solve all problems
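Why the "safe" versions do not solve every problem: the added example below (not from the lecture slides) shows the strncpy pitfall of a missing terminator when the source fills the buffer, a bounded copy that always terminates and reports truncation, and how snprintf's return value reveals truncation. BUF_SIZE and the helper names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8  /* small on purpose so the edge cases are easy to hit */

/* strncpy pitfall: if src has n or more characters, strncpy writes no NUL,
 * so a later strlen/printf reads past the buffer. Returns true only when the
 * copied string is terminated inside the n bytes that were written. */
bool strncpy_terminates(const char *src, size_t n) {
    char dst[BUF_SIZE];
    memset(dst, 'X', sizeof dst);        /* sentinel: 'X' means "untouched" */
    strncpy(dst, src, n);                /* caller guarantees n <= BUF_SIZE */
    return memchr(dst, '\0', n) != NULL;
}

/* Bounded copy that always NUL-terminates. Returns 0 on success and -1 when
 * the source had to be truncated, so the caller can reject oversized input. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* snprintf reports the length the full output would have had, so a result
 * >= dst_size means truncation. Returns true when the formatted text fit. */
bool format_fits(const char *user, size_t dst_size) {
    char dst[BUF_SIZE];
    if (dst_size > sizeof dst) return false;
    int n = snprintf(dst, dst_size, "u=%s", user);
    return n >= 0 && (size_t)n < dst_size;
}

int main(void) {
    char out[BUF_SIZE];
    printf("strncpy of 8 chars into 8 bytes terminated? %d\n",
           strncpy_terminates("12345678", BUF_SIZE));        /* 0 */
    printf("copy_bounded truncated? %d -> \"%s\"\n",
           copy_bounded(out, sizeof out, "12345678"), out);  /* -1 -> "1234567" */
    printf("format_fits(\"bob\")? %d\n", format_fits("bob", BUF_SIZE)); /* 1 */
    return 0;
}
```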
## Lecture 4: Control Flow Hijacking
### Hack detect
1. Push $CANARY onto the stack (between the local buffers and the saved return address)
2. Before returning, check that position
3. If the value at that position is no longer $CANARY, congratulations, an overflow has been detected!
### Control Flow Hijacking
![](https://i.imgur.com/evb9faz.png)
![](https://i.imgur.com/h82aiA1.png)
(Screenshot from the Compiler Principles textbook)
Note that if you replace the function address, or more generally find a way to change the value of the PC, you can make the program do whatever you want. This is Control Flow Hijacking.
#### CounterAttack
1. Distinguish code and data: data should not be executable, code need not be writable
    - W^X (write xor execute)
#### Return-to-libc Attacks
"Kill with a borrowed knife": reuse code that is already in the process (libc) instead of injecting your own.
### Return-Oriented Programming (ROP)
- Workflow
    - Dump executable portions of target program
    - Identify byte sequences ending in 0xC3 (**ret**)
        - Such a code fragment is called a gadget
    - Figure out what each gadget does: use a disassembler, e.g., https://onlinedisassembler.com/
    - Chain together useful gadgets
![](https://i.imgur.com/enUdoRQ.png)
### -fPIE
Security hardening by randomizing the load address (position-independent executable, the basis of ASLR)
Weaknesses:
- Try addresses one by one (on i386 the entropy is small enough to brute-force)
- Spraying the memory with copies of the payload
- ![](https://i.imgur.com/t9cEruc.png)
- Browsers are the hardest-hit area
## Lecture 6: Malware Defenses
### Security By Design Principles
- Minimize the Trusted Computing Base (TCB)
- Minimize the Attack Surface
- Principle of Least Privilege
- Principle of Defense in Depth
- Fail Secure
- Avoid Security by Obscurity
- Keep Security Simple
### INTRUSION DETECTION
- Signatures
- Polymorphic Code
- Metamorphic Code
    - Detecting Metamorphic Viruses
    - ...
    - N-Grams: Building the Model by Training
## Chapter 07 – Web Security
#### CORS & CSRF & XSS