Information Security Technology
Date: 2020/8/3

Slide 1: Information Security Technology

Slide 2: A History of Modern Hacking

Slide 3: A History of Modern Hacking
Prehistory: 1875-1969
- 1870s: switchboard operators at the Bell telephone network company
- During the First and Second World Wars: Enigma/Turing
- 1962: birth of the MIT time-sharing system (TSS)
- Richard Stallman: founder of free software
- "Hacking refers to spirits of fun in which we were developing software"

Slide 5: A History of Modern Hacking
The golden age: 1980-1985
- PCs begin to enter ordinary homes, businesses and institutions in North America and Europe on a large scale
- The Hollywood film "War Game"
- The emergence of ARPANET

Slide 6: A History of Modern Hacking
Computer crime: 1985-1990
- The US government's "Computer Fraud and Abuse Act"
- Unlike the "older generation" of hackers, the new generation does not care about the pleasure of "playing" with software or the pursuit of free speech and free communication; it cares more about how to profit from these new technologies
- Nov. 1988, Robert Morris Jr.

Slide 7: A History of Modern Hacking
Declining morals: 1990
- Kevin Mitnick: the first hacker to appear on the US Federal Bureau of Investigation's wanted list
- Hackers begin to emerge as a cultural phenomenon

Slide 8: A History of Modern Hacking
Hackers today and tomorrow
- CNN/YAHOO/E-Bay
- Lessons from the "5.12" Wenchuan earthquake

Slide 9: Buffer Overflow Attacks

Slide 10: The History of BOF
- Von Neumann architecture
- Aleph One: "Smashing The Stack For Fun and Profit", Phrack 49 (1989), http://insecure.org/stf/smashstack.html
- CERT/CC annual reports (no buffer overflow attack cases before 1997)

Slide 11: CERT/CC Annual Reports
1997 annual report: 8 of 28 vulnerabilities were buffer overflows (28.5%)
- MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4
- Buffer overflow in libraries using Natural Language Service (NLS)
- Buffer overflow vulnerability in Xt library
- Buffer overflow problem in xlock
- Buffer overflow in suidperl
- Buffer overflow in at(1) program
- Buffer overflow problems in SGI IRIS systems
- Buffer overflow problem in rdist

Slide 12: CERT/CC Annual Reports
1998 annual report: 5 of 13 vulnerabilities were buffer overflows (38.4%)
- Buffer Overflow in NIS+ (Network Information Service Plus)
- Buffer overflows in some POP servers
- Buffer Overflow in Some Implementations of IMAP (Internet Message Access Protocol) Servers
- Buffer Overflow in MIME-aware Mail and News Clients
- Remotely Exploitable Buffer Overflow Vulnerability in mountd (UNIX, Remote Procedure Call)

Slide 13: CERT/CC Annual Reports
1999 annual report: 7 of 16 vulnerabilities were buffer overflows (43.7%)
- FTP Buffer Overflows
- IIS Buffer Overflow
- Buffer Overflow Vulnerability in Calendar Manager Service Daemon, rpc.cmsd
- Buffer Overflow in amd
- Buffer Overflows in SSH daemon and RSAREF2 Library
- Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
- Systems Compromised Through a Vulnerability in am-utils

Slide 14: CERT/CC Annual Reports
2000 annual report: 2 of 22 vulnerabilities were buffer overflows (9%)
- Multiple Buffer Overflows in Kerberos Authenticated Services
- MIT Kerberos Vulnerable to Denial-of-Service Attacks

Slide 15: CERT/CC Annual Reports
2001 annual report: 13 of 37 vulnerabilities were buffer overflows (35.1%)
- Buffer Overflow Vulnerability in Microsoft IIS 5.0
- Buffer Overflow In IIS Indexing Service DLL
- Buffer Overflow in Sun Solaris in.lpd Print Daemon
- Oracle 8i contains buffer overflow in TNS listener
- Code Red Worm Exploiting Buffer Overflow In IIS Indexing Service
- Buffer Overflow in telnetd
- Continued Threat of the Code Red Worm
- Buffer Overflow in Gauntlet Firewall allows intruders to execute arbitrary code
- Oracle9iAS Web Cache vulnerable to buffer overflow
- Buffer Overflow in CDE Subprocess Control Service
- Buffer Overflow in System V (UNIX) Derived Login
- Buffer Overflow in UPnP Service on Microsoft Windows

Slide 16: CERT/CC Annual Reports
2002 annual report: 13 of 37 vulnerabilities were buffer overflows (35.1%)
- Exploitation of Vulnerability in CDE Subprocess Control Service
- Buffer Overflow in AOL ICQ
- Buffer Overflow in Microsoft Internet Explorer
- Multiple Vulnerabilities in Oracle Servers
- Buffer Overflow in Microsoft's MSN Chat ActiveX Control
- Buffer Overflow in Macromedia JRun
- Buffer Overflows in Multiple DNS Resolver Libraries
- Multiple Vulnerabilities in OpenSSL
- Integer Overflow In XDR Library
- Buffer Overflow in CDE ToolTalk
- Buffer Overflow in Kerberos Administration Daemon
- Buffer Overflow in Solaris X Window Font Service
- Buffer Overflow in Microsoft Windows Shell

Slide 17: CERT/CC Annual Reports
2003 annual report: 10 of 28 vulnerabilities were buffer overflows (35.7%)
- Buffer Overflows in ISC DHCPD Minires Library
- Buffer Overflow in Windows Locator Service
- Remote Buffer Overflow in Sendmail
- Buffer Overflow in Core Microsoft Windows DLL
- Integer overflow in Sun RPC XDR library routines
- Buffer Overflow in Sendmail
- Buffer Overflow in Microsoft Windows HTML Conversion Library
- Buffer Overflow in Microsoft RPC
- RPCSS Vulnerabilities in Microsoft Windows
- Buffer Overflow in Windows Workstation Service

Slide 18: CERT/CC Annual Reports
2004 Annual Report: "Heaven help us if we still have buffer overflow in our software in 20 years!" - Tom Longstaff

R

    char largebuff[] = "1234512345123451234512345=ABCD";

    /* declared before use so that the call in main compiles cleanly */
    void helloworld (char *sbuff, char *lbuff);

    int main (void)
    {
        char smallbuff[16];
        helloworld (smallbuff, largebuff);
    }

    /* empty body: the function only sets up and tears down its stack frame */
    void helloworld (char *sbuff, char *lbuff)
    {
    }

Slide 21: Experiment 2: Generating Assembly with GDB
- Enter the gdb debugger environment, run the program being debugged, and generate the assembly for the main function

Slide 22: Experiment 2: How the Stack Changes

    push %ebp
    mov %esp,%ebp
    sub $0x18,%esp
    sub $0x8,%esp
    push $0x8049478
    lea 0xffffffe8(%ebp),%eax
    push %eax
    call 0x80483ec
    add $0x10,%esp
    leave
    ret

- eip: 0x80483d0
- ebp
- 8 bytes (16-byte alignment)
- 16 bytes: smallbuff[16]
- 8 bytes (for the next alignment)
- *largebuff
- eax
- eax
- eip: 0x80483ec

    push %ebp
    mov %esp,%ebp
    pop %ebp
    ret

- ebp

Slide 23: Some "Dangerous" C Functions
- strcpy(char *dest, const char *src)
- strcat(char *dest, const char *src)
- getwd(char *buf)
- gets(char *s)
- vfscanf(const char *format, ...)
- realpath(char *path, char resolved_path[])
- vsprintf(char *str, const char *format, ...)

Slide 24: Experiment 3

    #include <stdio.h>
    #include <string.h>

    char largebuff[] = "1234512345123451234512345=ABCD";

    int main (void)
    {
        char smallbuff[16];
        strcpy (smallb
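
Added example (not part of the original slides): a length-checked replacement for the strcpy and strcat calls that the slides list among the "dangerous" C functions, exercised with the 16-byte smallbuff and the 30-character largebuff from the experiment code. The helper names bounded_copy and bounded_cat are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same string as the slides' experiment: 30 characters plus the NUL. */
static const char largebuff[] = "1234512345123451234512345=ABCD";

/* Hypothetical helper: copy src into dst only if it fits, NUL included.
 * Returns 0 on success, -1 (dst set to "") when src would overflow dst. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t need;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    need = strlen(src) + 1;
    if (need > dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Hypothetical helper: append src to the string already in dst, or refuse.
 * Returns 0 on success, -1 (dst unchanged) when the result would not fit. */
int bounded_cat(char *dst, size_t dstsize, const char *src)
{
    const char *end;
    size_t used, need;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    end = memchr(dst, '\0', dstsize);
    if (end == NULL)              /* dst is not NUL-terminated: refuse */
        return -1;
    used = (size_t)(end - dst);
    need = strlen(src) + 1;
    if (need > dstsize - used)
        return -1;
    memcpy(dst + used, src, need);
    return 0;
}

int main(void)
{
    char smallbuff[16];
    if (bounded_copy(smallbuff, sizeof smallbuff, largebuff) != 0)
        puts("rejected: largebuff does not fit in smallbuff");
    if (bounded_copy(smallbuff, sizeof smallbuff, "12345") == 0 &&
        bounded_cat(smallbuff, sizeof smallbuff, "=ABCD") == 0)
        printf("ok: %s\n", smallbuff);
    return 0;
}
```

Passing the destination size with every call is what lets the helper refuse the 31-byte source instead of writing past the 16-byte buffer into the saved ebp and return address shown in the stack diagram.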