1. Intro
Memory corruption exploits
- can bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)
- Code reuse attacks:
  - corrupt control data and hijack the control flow, e.g. by overwriting a function pointer or a return address
  - example: Return-Oriented Programming (ROP)
- Data-Oriented Programming (DOP): corrupts non-control data using only instructions that lie on legal control-flow paths, so the program never takes an illegal control transfer and control-flow checks see nothing wrong
Future directions for sanitizers:
- bugs that existing tools fail to catch
- better compatibility with real-world programs
- lower overhead
2. Exploit mitigations vs. sanitizers
P1. How do existing exploit mitigations differ from sanitizers?
- Exploit mitigations are deployed in the release version of the software to stop attacks. They may use only a very limited amount of resources, must tolerate benign errors, and cannot accept false alerts. A violation is usually detected not at the location of the bug but later, when the corrupted data is used, and it leads to termination of the program.
  - e.g.:
    - Control-Flow Integrity (CFI)
    - Data-Flow Integrity (DFI)
    - Write Integrity Testing (WIT)
- Sanitizers are used in the pre-release version of the software to find potential vulnerabilities. They can afford relatively high resource usage, usually do not tolerate benign errors, and can tolerate some false alerts. A violation is usually reported at the location of the bug itself, and it does not always lead to termination (the tool can report and continue).
  - e.g.:
    - bounds-checking tools
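Worked example, added to these notes by the editor (it is not code from the notes or from the work they summarize). It puts the DOP point from section 1 and the mitigation/sanitizer contrast from P1 side by side: a length-controlled copy overwrites a non-control flag that sits after a fixed-size buffer while every branch taken is the intended one, so a control-flow check has nothing to object to; a bounds-checking store, of the kind a sanitizer instruments, refuses the same input at the store and names the file and line of the bug. The 32-byte arena, the flag layout, the PAYLOAD bytes and all function names are constructed for the demo; the arena is one array so that the overflow stays well-defined C here, whereas in a real program it would be an out-of-bounds write into a neighbouring object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-byte "arena" standing in for a slice of process memory:
 * bytes 0..15 are a fixed-size input buffer, bytes 16..19 hold a 32-bit
 * non-control value (think of an is_admin flag) that happens to sit right
 * after it. Everything stays inside one array so the demo itself is
 * well-defined C; in a real program the same write would be an
 * out-of-bounds store into a neighbouring object. */
#define ARENA_SIZE 32
#define BUF_OFF    0
#define BUF_LEN    16
#define FLAG_OFF   16

struct arena { uint8_t mem[ARENA_SIZE]; };

static void arena_init(struct arena *a) { memset(a->mem, 0, sizeof a->mem); }

static uint32_t read_flag(const struct arena *a) {
    uint32_t v;
    memcpy(&v, a->mem + FLAG_OFF, sizeof v);
    return v;
}

/* Unchecked copy: the only limit is the arena edge (a real process would
 * simply fault there). Nothing ties len to BUF_LEN, so a long input spills
 * over the flag while every branch taken is the intended one. */
static int copy_unchecked(struct arena *a, const uint8_t *src, size_t len) {
    if (len > ARENA_SIZE - BUF_OFF) return -1;   /* simulated segfault */
    memcpy(a->mem + BUF_OFF, src, len);
    return 0;
}

/* What a bounds-checking sanitizer records when it stops a bad store. */
struct report {
    int         triggered;
    const char *file;       /* source location of the faulting store */
    int         line;
    size_t      bound;      /* size of the object being written */
    size_t      attempted;  /* bytes the store tried to write */
};

/* Sanitizer-style copy: compares the store against the object's bound and
 * reports at the store itself, before any byte lands outside the buffer.
 * The file/line come from the call site via the macro below. */
static int copy_checked_at(struct arena *a, const uint8_t *src, size_t len,
                           const char *file, int line, struct report *rep) {
    if (len > BUF_LEN) {
        rep->triggered = 1;
        rep->file = file;
        rep->line = line;
        rep->bound = BUF_LEN;
        rep->attempted = len;
        fprintf(stderr, "%s:%d: %zu-byte write overflows %zu-byte buffer\n",
                file, line, len, (size_t)BUF_LEN);
        return -1;
    }
    memcpy(a->mem + BUF_OFF, src, len);
    return 0;
}
#define copy_checked(a, src, len, rep) \
    copy_checked_at((a), (src), (len), __FILE__, __LINE__, (rep))

/* Constructed attacker input: 16 bytes fill the buffer, 4 more land on the flag. */
static const uint8_t PAYLOAD[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01
};

/* DOP-style outcome: returns the flag after the unchecked copy. No control
 * transfer was hijacked, so CFI has nothing to object to, yet the flag is
 * now 0x01010101 instead of 0. */
uint32_t demo_unchecked(void) {
    struct arena a;
    arena_init(&a);
    copy_unchecked(&a, PAYLOAD, sizeof PAYLOAD);
    return read_flag(&a);
}

/* Sanitizer outcome: the same input is refused at the store; rep names the
 * line of the bug and the flag is untouched. Returns 1 on that outcome. */
int demo_checked(struct report *rep) {
    struct arena a;
    arena_init(&a);
    memset(rep, 0, sizeof *rep);
    int rc = copy_checked(&a, PAYLOAD, sizeof PAYLOAD, rep);
    return rc == -1 && rep->triggered && read_flag(&a) == 0;
}

int main(void) {
    struct report rep;
    printf("unchecked: flag = 0x%08x\n", demo_unchecked());
    printf("checked:   stopped at bug = %d (%s:%d)\n",
           demo_checked(&rep), rep.file, rep.line);
    return 0;
}
```

The contrast is the one P1 draws: the checked store costs a comparison on every write and aborts on a benign over-length input too, which is acceptable in a pre-release test build but not in the shipped binary, while a release-time mitigation that only polices control transfers would let the flag corruption through and, at best, notice the damage later when the flag is consumed.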