All geek questions in one place

How to prevent arbitrary code vulnerability in our programs?

You always read in the change lists when your system or browser or any program updates fix an error that made it possible for an attacker to execute any code on your computer with a fake website or attack your computer with carefully forged packages, etc. ....

Because you read it so often, which means that any program can have similar vulnerabilities ... What causes this? How to develop our programs to prevent such problems?

+3
source share
4 answers

One example of how an error can create an opportunity to use:

Let's say you have a routine in a program that modifies data in an array of characters. Let's say it also contains an error when the array has a certain size or the array contains certain characters, the routine inadvertently writes over the end of the array of characters.

This in itself does not seem like a big opportunity, but depending on how the execution reaches the subroutine and other artifacts of how it is implemented and compiled, it can be used as a springboard to execute arbitrary code.

In traditional programming (C, C ++), character arrays (buffers) are often stored in the program stack. The stack is a very fast and easy memory allocation for small temporary data.

, , - - , .

, : , , , , , , , . , , "" (, ) Halt() Format() PhoneHome(). DLL, .

. .

- , . . , .

+4

- " ".

  • ( , ..).
  • , , ( , ..).
  • , , . . . . .

" ". , , , . , , , , . , . .

, . - - , .

+1

Shellcoder: , ISBN 978-0470080238, ( , , SQL- ..).

+1

"google", , , ( , ..) . Safe , , "eval" ..

The number of possible attacks is very large. You might want to read Bugtraq to make sure everything is in order.

Hope this helps!

0
source

Source: https://habr.com/ru/post/1739572/

More articles:


All Articles