信息安全技术2近现代黑客历史教学幻灯片

2025/1/111信息安全技术2025/1/112近现代黑客历史2025/1/113近现代黑客历史史前:1875-19691870’s:贝尔电话网络公司的接线生第一、二次世界大战期间:Enigma/Turing…1962:MIT分时系统（TSS）的诞生…RichardStallman:自由软件的创始人…Hackingreferstospiritsoffuninwhichweweredevelopingsoftware2025/1/115近现代黑客历史黄金时代:1980-1985PCs开始大规模进入北美和欧洲的普通家庭与企事业机构…好莱坞的电影：“WarGame”ARPANET的出现…2025/1/116近现代黑客历史计算机犯罪行为:1985-1990美国政府的“计算机欺诈与滥用法案”…与“老一代”黑客不同，新新一代并不关心软件“嬉戏”的愉悦或自由言论或自由通信的追求，而是更加关心如何能够通过这些新技术盈利…Nov.1988,RobertMorrisJr.2025/1/117近现代黑客历史世风日下:1990KevinMitnick：第一个上了美国联邦调查局追逃名单的黑客…黑客作为一种文化现象开始出现…2025/1/118近现代黑客历史黑客的今朝与明天CNN/YAHOO/E-Bay…“5.12”汶川大地震的启迪…2025/1/119缓冲区溢出攻击2025/1/1110BOF的历史VonNeumann’s体系结构…AlephOne:“SmashingTheStackForFunandProfit”,Phrack49(1989)/stf/smashstack.htmlCERT/CC年度报告(1997年之前尚无缓冲区溢出攻击的案例）2025/1/1111CERT/CC年度报告1997年度报告:28个漏洞中有8个缓冲区溢出的漏洞MIMEconversionbufferoverflowinsendmailversionsin8.8.3and8.8.4BufferoverflowinlibrariesusingNaturalLanguageService(NLS)BufferoverflowvulnerabilityinXtlibraryBufferoverflowprobleminxlockBufferoverflowinsuidperlBufferoverflowinat(1)programBufferoverflowproblemsinSGIIRISsystemsBufferoverflowprobleminrdist28.5%2025/1/1112BufferOverflowinNIS+(NetworkInformationServicePlus)BufferoverflowsinsomePOPserversBufferOverflowinSomeImplementationsofIMAP(InternetMessageAccessProtocol)ServersBufferOverflowinMIME-awareMailandNewsClientsRemotelyExploitableBufferOverflowVulnerabilityinmountd(UNIX,RemoteProcedureCall)38.4%1998年度报告:13个漏洞中有5个缓冲区溢出的漏洞CERT/CC年度报告2025/1/1113FTPBufferOverflowsIISBufferOverflowBufferOverflowVulnerabilityinCalendarManagerServiceDaemon,rpc.cmsdBufferOverflowinamdBufferOverflowsinSSHdaemonandRSAREF2LibraryBufferOverflowinSunSolsticeAdminSuiteDaemonsadmindSystemsCompromisedThroughaVulnerabilityinam-utils43.7%1999年度报告:16个漏洞中有7个缓冲区溢出的漏洞CERT/CC年度报告2025/1/1114MultipleBufferOverflowsinKerberosAuthenticatedServicesMITKerberosVulnerabletoDenial-of-ServiceAttacks9%2000年度报告:22个漏洞中有2个缓冲区溢出的漏洞CERT/CC年度报告2025/1/1115BufferOverflowVulnerabilityinMicrosoftIIS5.0BufferOverflowInIISIndexingServiceDLLBufferOverflowinSunSolarisin.lpdPrintDaemonOracle8icontainsbufferoverflowinTNSlistener"CodeRed"WormExploitingBufferOverflowInIISIndexingServiceBufferOverflowintelnetdContinuedThreatofthe"CodeRed"WormBufferOverflowinGauntletFirewallallowsintruderstoexecutearbitrarycodeOracle9iASWebCachevulnerabletobufferoverflowBufferOverflowinCDESubprocessControlServiceBufferOverflowinSystemV(UNIX)DerivedLoginBufferOverflowinUPnPServiceonMicrosoftWindows35.1%2001年度报告:37个漏洞中有13个缓冲区溢出的漏洞CERT/CC年度报告2025/1/1116ExploitationofVulnerabilityinCDESubprocessControlServiceBufferOverflowinAOLICQBufferOverflowinMicrosoftInternetExplorerMultipleVulnerabilitiesinOracleServersBufferOverflowinMicrosoft'sMSNChatActiveXControlBufferOverflowinMacromediaJRunBufferOverflowsinMultipleDNSResolverLibrariesMultipleVulnerabilitiesinOpenSSLIntegerOverflowInXDRLibraryBufferOverflowinCDEToolTalkBufferOverflowinKerberosAdministrationDaemonBufferOverflowinSolarisXWindowFontServiceBufferOverflowinMicrosoftWindowsShell35.1%2002年度报告:37个漏洞中有13个缓冲区溢出的漏洞CERT/CC年度报告2025/1/1117BufferOverflowsinISCDHCPDMiniresLibraryBufferOverflowinWindowsLocatorServiceRemoteBufferOverflowinSendmailBufferOverflowinCoreMicrosoftWindowsDLLIntegeroverflowinSunRPCXDRlibraryroutinesBufferOverflowinSendmailBufferOverflowinMicrosoftWindowsHTMLConversionLibraryBufferOverflowinMicrosoftRPCRPCSSVulnerabilitiesinMicrosoftWindowsBufferOverflowinWindowsWorkstationService35.7%2003年度报告:28个漏洞中有10个缓冲区溢出的漏洞CERT/CC年度报告2025/1/11182004AnnualReport:“Heavenhelpusifwestillhavebufferoverflowinoursoftwarein20years!”

--TomLongstaff,R&Dmanager,CERT/CCCERT/CC年度报告2025/1/1119CERT/CC关于缓冲区溢出漏洞的分析28.5%199738.4%199843.7%19999%200035.1%200135.1%200235.7%20032025/1/1120实验二#include<stdio.h>#include<string.h>voidhelloworld(charsbuff[],charlbuff[]);charlargebuff[]="1234512345123451234512345===ABCD";intmain(void){charsmallbuff[16];helloworld(smallbuff,largebuff);}voidhelloworld(charsbuff[],charlbuff[]){}2025/1/1121实验二：用GDB生成汇编进入gdb调试工具环境运行被调试程序生成main函数的汇编2025/1/1122

实验二：栈的变化push%ebpmov%esp,%ebpsub$0x18,%espsub$0x8,%esppush$0x8049478lea0xffffffe8(%ebp),%eaxpush%eaxcall0x80483ec<helloworld>add$0x10,%espleaveret···eip:0x80483d0

espebp

ebp8个字节（16字节对齐）16字节smallfuff[16]8个字节（为下一个对齐）*largebuff12345123451234512345===ABCDeaxeaxeip:0x80483ecpush%ebpmov%esp,%ebppop%ebpretebp

main函数的栈

2025/1/1123一些“危险”的C函数strcpy(char*dest,constchar*src)strcat(char*dest,constchar*src)getwd(char*buf)gets(char*s)[vf]scanf(constchar*format,...)realpath(char*path,charresolved_path[])[v]sprintf(char*str,constchar*format,...)…2025/1/1124实验三#include<stdio.h>#include<string.h>charlargebuff[]="1234512345123451234512345===ABCD";intmain(void){charsmallbuff[16];

strcpy(smallbuff,largebuff);}2025/1/1125实验三：用GDB生成汇编2025/1/1126

实验三：栈的变化push%ebpmov%esp,%ebpsub$0x18,%espsub$0x8,%esppush