Function pointer dereference security


Question


I have the following code:

union Pointer {
void *objp;
void (*funcp)();
};

Pointer p = ... ;

....

p();

---

Now, supposing that p were actually not a genuine function pointer but
arbitrary or malicious data, could such code be theoretically
exploited to hijack program execution, or does the C runtime check
that a function call is made to a legitimate address?

Answers

Nyang A. Phra said:

<snip>

> p();
>
> ---
>
> Now, supposing that p were actually not a genuine function pointer




....then it would be the height of folly to treat it as if it were.

--
Richard Heathfield <http://www.cpax.org.uk>
Email: -http://www. +rjh@
Google users: <http://www.cpax.org.uk/prg/writings/googly.php>
"Usenet is a strange place" - dmr 29 July 1999


> Now, supposing that p were actually not a genuine function pointer
>
> ...then it would be the height of folly to treat it as if it were.



Yes, sort of, but what are the consequences? Would the runtime just hit such an error and die, or could abnormal program execution theoretically result?


Nyang


> I have the following code:

> union Pointer {
> void *objp;
> void (*funcp)();
> };
>
> Pointer p = ... ;
>
> ...
>
> p();
>
> ---
>
> Now, supposing that p were actually not a genuine function pointer but
> arbitrary or malicious data, could such code be theoretically
> exploited to hijack program execution, or does the C runtime check
> that a function call is made to a legitimate address?




Assuming that the pointer is to memory that is not mapped into the
process or simply doesn't exist, your program will probably just
crash. Some operating systems vary the load address of a program
randomly each time it is executed so it's harder to guess what
addresses will be available.

Assuming that the pointer is to a buffer that the attacker managed
to fill with code of his own choosing, possibly by buffer overflow,
you're in deep, deep trouble. (Think 'virus' and 'botnet'). The
attacker can do anything your program could. If your program was
running with administrative privileges, you're really screwed.
Buffer overflow is a technique used by a lot of viruses.

Some operating systems have provisions that you cannot execute
memory that is writable, making it harder to actually execute code
by writing over function return addresses when overflowing an auto
array. This isn't foolproof, but it does help. The program just
quickly crashes.

Assuming that the pointer is redirected from the expected routine to
an existing routine in the C library that deletes files, there's
probably not much that can be done, since it *is* legitimate code,
and the function arguments might be legitimate also.
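The answer above makes the point that the C runtime checks nothing before an indirect call, so the program has to validate the target itself. The following is an added example, not code from the thread: it shows the question's union beside two defensive replacements, dispatch through a bounds-checked index into a read-only table, and accepting a pointer only when it matches a table entry byte for byte. The names (handlers, checked_call, demo_good, demo_bad) and the junk buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef void (*handler_t)(void);
union Pointer { void *objp; void (*funcp)(void); };   /* the question's union, prototyped */
static int last_called = -1;                  /* which handler actually ran */
static void handler_a(void) { last_called = 0; }
static void handler_b(void) { last_called = 1; }

/* The only code addresses this module may call. `const` keeps the table in
 * read-only data, so an overflow of a writable buffer cannot rewrite it. */
static const handler_t handlers[] = { handler_a, handler_b };
#define NHANDLERS (sizeof handlers / sizeof handlers[0])

/* Pattern from the question: whatever bits sit in the union become a jump
 * target; C checks nothing. Kept for contrast, never fed untrusted data. */
static void unchecked_call(union Pointer p) { p.funcp(); }

/* Hardened form 1: dispatch by table index, so a bad value is rejected
 * instead of being used as an address. */
static int call_by_index(size_t idx) {
    if (idx >= NHANDLERS) return -1;
    handlers[idx]();
    return 0;
}

/* Hardened form 2: when a pointer must cross a trust boundary, call it only
 * if its bytes equal a table entry. memcmp on the representation avoids
 * comparing pointers to unrelated objects, which C leaves undefined. */
static int checked_call(union Pointer p) {
    for (size_t i = 0; i < NHANDLERS; i++) {
        handler_t h = handlers[i];
        if (memcmp(&h, &p.funcp, sizeof h) == 0) { h(); return 0; }
    }
    return -1;                                /* not legitimate: refuse */
}

/* Constructed cases: a genuine handler, and a union holding plain data. */
static int demo_good(void) { union Pointer p = { .funcp = handler_b }; return checked_call(p); }
static int demo_bad(void) {
    char junk[] = "arbitrary data";           /* constructed: data, not code */
    union Pointer p; p.objp = junk;
    return checked_call(p);
}

int main(void) {
    printf("good=%d bad=%d idx7=%d\n", demo_good(), demo_bad(), call_by_index(7));
    (void)unchecked_call;                     /* would crash or worse on junk */
    return 0;
}
```

Neither hardened form makes the pointer itself trustworthy; they replace "call whatever is there" with "call only something we put in the table", which is the check the runtime does not do for you.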

