I was looking for videos about Return-oriented programming and I saw James Mickens in the thumbnail and I was ecstatic.
@abidahaque853 6 years ago
baggy bounds ends at 20:42
@anamoly7883 4 years ago
thank you ; )
@lastmanstanding5423 1 year ago
hero
@ximinlin866 7 years ago
Question about the multiple calls to System("/bin/bash"). When we enter the System() function, the first thing the function does is push %ebp onto the stack, thus overwriting the address we saved for the pop-eax gadget. So there should be a 4-byte or 8-byte empty space (depending on whether you are using a 32-bit or 64-bit system) that we reserve for the function to place the old ebp in, so as not to mess up the address we placed there.
@corejake 2 years ago
It's just a different calling convention. I'm sure you figured it out by now.
@alvinchipmunk7959 1 year ago
"Backward" string storage would allow transferring string data with no danger of buffer overflow, if scaled index addressing were used. For example, in the line of code below, edi would point to the start of the destination buffer, and ebx would (initially) contain its length. As each byte was transferred, ebx would be decremented. If decremented below zero, ebx would wrap around to 4 billion, which, when added to the buffer's start address during the next byte transfer, would exceed the size of any normal-sized data segment.
mov byte ptr [edi + ebx], al
I don't know if backward string storage would be practical, but it seemed like an interesting alternative to arranging for buffer overruns to generate GPFs in the usual, RAM-wasting way (placing a buffer near the end of a dedicated segment).
@RoseSecurity_ 2 years ago
I didn't know Matt was teaching after finishing his Wii Sports career!
@dania_884 4 years ago
I am not familiar with x86 instructions, or the 'ebp, esp' here; they're frequently mentioned in the video. For beginners, we should probably study some material to warm up on the basics. Which one?
@dewdop 3 years ago
For posterity: this is a graduate-level course, meaning this is instruction intended for CS students who have already completed a bachelor's or equivalent level of education. So the "basics" here is a bachelor's degree in software or computer design and engineering.
@OramiIT 3 years ago
@@dewdop Eh, CS / EE I would say. My degree is in electronics engineering technologies, and I can still understand the course, but I also independently study system security and exploits and enjoy coding, so there is that. Luckily for me, 8086 asm isn't too far off the stuff we used on the 89C420 chips 20 years ago, so it's a small bump, but we were taught in ASM / C++, so all the memory leaks and such, I'm now understanding them more and what I can do with that.
@domaincontroller 2 years ago
00:25 alright, let's get started
@serhankars 5 years ago
Can we say that 1/16 of the memory size is used (or reserved) for the baggy bounds table on x86 systems? (16 is the slot size, of course.)
@muntajhossain8173 6 years ago
very good lecture
@meudta293 6 years ago
In malloc(44) we are telling it to allocate 44 bytes of memory, but it will allocate 64 bytes. Why?
@monikasingla1036 6 years ago
Because 2^5 = 32 and 2^6 = 64, and 44 is greater than 32, so it will allocate the next higher size of memory.
@dewdop 3 years ago
@Borgilian wow, thanks for writing that.
@randomname7918 1 year ago
@Borgilian so is it 48 bytes or 64 bytes in the end?
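A worked illustration of the two points asked about in this thread, the malloc(44) rounding and the table that is 1/16 of memory, added here as example code; it is not from the lecture, the baggy bounds paper, or any commenter. It assumes a 16-byte slot, one-byte table entries holding log2 of the allocation size, and a toy 4 KiB bump-pointer heap, and it omits the paper's tolerance for pointers that stray slightly past the end of an object.

```c
#include <stdint.h>
#include <stddef.h>

#define SLOT_SHIFT 4                       /* 16-byte slots, as in the lecture */
#define SLOT_SIZE  (1u << SLOT_SHIFT)
#define HEAP_SIZE  4096                    /* toy heap size (assumption) */

static uint8_t heap[HEAP_SIZE];
/* one byte per 16-byte slot, holding log2 of the enclosing allocation's size;
 * the table is therefore exactly 1/16 of the heap it describes */
static uint8_t bounds_table[HEAP_SIZE / SLOT_SIZE];
static size_t heap_top;                    /* bump-pointer allocation offset */

/* round a request up to the next power of two, never below the slot size */
static size_t baggy_round(size_t n) {
    size_t sz = SLOT_SIZE;
    while (sz < n) sz <<= 1;
    return sz;
}

static unsigned log2_pow2(size_t sz) {
    unsigned e = 0;
    while (((size_t)1 << e) < sz) e++;
    return e;
}

/* baggy malloc: size rounded up, block aligned to its own size, table filled */
void *baggy_malloc(size_t n) {
    size_t sz = baggy_round(n);                       /* 44 -> 64, 17 -> 32 */
    size_t start = (heap_top + sz - 1) & ~(sz - 1);   /* align to own size */
    if (start + sz > HEAP_SIZE) return NULL;
    heap_top = start + sz;
    for (size_t s = start >> SLOT_SHIFT; s < heap_top >> SLOT_SHIFT; s++)
        bounds_table[s] = (uint8_t)log2_pow2(sz);
    return heap + start;
}

/* size of the allocation containing an in-bounds pointer p */
size_t baggy_size(const void *p) {
    size_t off = (size_t)((const uint8_t *)p - heap);
    return (size_t)1 << bounds_table[off >> SLOT_SHIFT];
}

/* bounds check for p + delta: in bounds iff the result shares every address
 * bit above log2(size) with p, i.e. (p ^ q) >> e == 0. Done on heap offsets
 * here; the real scheme uses raw addresses because it aligns the heap itself. */
int baggy_check(const void *p, ptrdiff_t delta) {
    uintptr_t up = (uintptr_t)((const uint8_t *)p - heap);
    uintptr_t uq = up + (uintptr_t)delta;             /* wraps on negative delta */
    unsigned e = bounds_table[up >> SLOT_SHIFT];
    return ((up ^ uq) >> e) == 0;
}
```

Because the block is aligned to its own power-of-two size, the check needs no base or limit lookup, only the single table byte and an XOR and shift.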
@ITHunt- 4 years ago
Very nice, thank you
@karim8242 5 years ago
ROP at 31:45
@ZepaniZeppos 7 years ago
Awesome
@Hawilabas 2 years ago
Thanks
@patricknm4217 7 years ago
good lecture :)
@shinkurt 2 years ago
thanks, learnt a lot
@goldibollocks 4 years ago
What is the name of the paper that has the full attack mentioned in the second half of the lecture? Broth? Brawf? Edit: Ohhh, BROP! 😁
@HK-sw3vi 4 years ago
MIT lecture but I saved $60,000
@armandkruger911 4 years ago
gets(buf) is a horrible function; rather use fgets(). If your web application allows system() function commands from the public, you are in trouble.
@Nimitz_oceo 4 years ago
Is JavaScript still relevant? I think I just found my passion
@dewdop 3 years ago
Lol
@BIGSpendersFinancial 2 years ago
Hope you’ve been working to ignite your passion.
@SinangeLka 1 year ago
He should teach our lecturer how to teach
@dr.merlot1532 5 years ago
Jessy lee Peterson is a smart man.
@liamentt 3 years ago
thanks for the Turkish subtitles
@kenichimori8533 6 years ago
Dexploit E-1
@markuscwatson 1 year ago
Why would they spend so much time talking about baggy bounds if no one uses it in practice 🤔
@poolmoorang 1 year ago
I've been working on memory safety for years, and working on/with Arm, so I can tell. Baggy bounds introduced a compact shadow space, which has been adopted by widely used current memory safety solutions such as Google's sanitizer series. More importantly, its "relative location" using memory alignment inspired ongoing security projects up to 128-bit CHERI and Morello. It is a "must know" concept if you work in the memory safety area.