《软件安全编码和件软安全检测培训》由会员分享,可在线阅读,更多相关《软件安全编码和件软安全检测培训(26页珍藏版)》请在金锄头文库上搜索。
1、软件安全编码和软件安全测试 培训四川分行信息技术管理部 2007.10Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.目录简介缓冲区溢出SQL注入Evaluation only.Evalu
2、ation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.20062006年全行互联网应用系统安全渗透性测试结果年全行互联网应用系统安全渗透性测试结果测试结果综述(续)技术成因分析:l 大部分漏洞为注入式漏洞和弱口令。l漏洞技术成因分布较广
3、泛。SQL注入漏洞 39%弱口令 23%目录遍历 8%存在未经验证 访问未授权 3%跨站 5%网银客户端 5%网银系统防重放 2%其他 15%渗透性测试漏洞的技术成因分析渗透性测试漏洞的管理成因分析管理成因分析:l 管理成因包括政策遵循、开发过程和运行 维护三个方面。通过上图可以看出,漏洞成 因在这三方面分布较平均。Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Clien
4、t Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.代码安全检测结果代码安全检测结果项目名称规模(代码 行数)高危险漏洞警告性漏洞提示性漏洞测试用时( 分)EAIB143505653325391ERP5290750143784825CCMIS60382246498947利用FORTIFY工具软件检测出的三个应用系统的漏洞情况Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 C
5、lient Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.只要有利益,就有人研究和利用漏洞Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .
6、NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.系统安全编程 冯.诺伊曼结构 存储程序计算机 指令和指令所操作的数据都一起放在内存中 计算机设计的基本原则Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Pr
7、ofile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.用户的输入 所有用户输入都是非法的,除非被证明 不是 一半以上的程序安全问题源于缺乏对用户可 控数据的处理,WEB程序尤甚 所谓用户输入,就是所有可能从客户端接收 的数据,而不仅是我们提供给用户的输入框Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspos
8、e.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.缓冲区溢出内存中缓冲区用来存放数据缓冲区自身缺乏相关的机制来防止在保留空 间中放入过多的数据Char name4;Strcpy(name,”AAAAAAAAAAA”);.Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Cre
9、ated with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.缓冲区溢出原理 缓冲区溢出原理 内存映像 栈溢出 堆溢出 其它溢出Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5
10、Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.缓冲区溢出利用原理 栈溢出利用原理 进入函数构造栈帧 call指令相当于有个push eip操作 ret指令相当于pop eip操作Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Clie
11、nt Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.Char name4;Strcpy(name,”AAAAAAAAAAA”);.在内存中的结构;name溢出可能覆盖ebp 、 eip(返回地址)值;随机填充会引起 段错误表现 为coredump;精确的计算填充可控制程序走向 。Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.
12、Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.缓冲区溢出利用原理 栈溢出利用原理 覆盖返回地址 Win32还可以覆盖SEH结构Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for
13、 .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.缓冲区溢出利用原理 堆溢出利用原理 堆缓冲区通过malloc、new等分配 溢出的目标缓冲区是堆 两个相邻块可以分配并保存数据,第一块溢出回覆 盖第二块(如果第二块正好是重要数据) 各操作系统的堆实现都不相同,利用的难度也大大 增加 很多操作系统可以获得一次或多次任意地址4字节 的写操作,从而获得控制Evaluation only.Evaluation only. Created with
14、 Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.导致缓冲区溢出的几种方式 错误的比较目标缓冲区 演示程序cmpdst.c 正确的做法应该是比较源数据的长度,小于 目标缓冲区才进行拷贝操作 ms06-040的windows 2000出现过此类错误Evaluation only.E
15、valuation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd./cmpdst.cVoid demo(char *str) char buf16;if(strlen(buf)16 /strcpy(buf,str);strncpy(buf,
16、str,strlen(str);Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0. Copyright 2004-2011 Aspose Pty Ltd.Copyright 2004-2011 Aspose Pty Ltd.导致缓冲区溢出的几种方式 用源字符串长度做拷贝限制 貌似用了带长度限制的安全拷贝函数,实际 上等于没用Evaluation only.Evaluation only. Created with Aspose.Slides for .NET 3.5 Client Profile 5.2.0.0.Created with Aspose.Slides for .NET 3.
