【Bug】缓冲区溢出检查_security_cookie

###Date:2018-2-10

================================================================

1、原理

当应用程序启动时，程序的cookie（4字节（dword），无符号整型）被计算出来（伪随机数）并保存在

加载模块的.data节中,在函数的开头这个cookie被拷贝到栈中，位于EBP和返回地址的正前方（位于返

回地址和局部变量的中间）。

[buffer][cookie][savedEBP][savedEIP]

在函数的结尾处，程序会把这个cookie和保存在.data节中的cookie进行比较。

如果不相等，就说明进程栈被破坏，进程被终止。

在典型的缓冲区溢出中，栈上的返回地址会被数据所覆盖，但在返回地址被覆盖之前，cookie早已经被

覆盖了，因此在函数的结尾程序会发现cookie已经被破坏，接着应用程序会被结束。

/GS 异常

/GS (0xc0000409=STATUS_STACK_BUFFER_OVERRUN) 异常是指当 Windows 检测到保护返回地址的安全 Cookie 遭到篡改时所引发的异常。由于 /GS 的目标是将导致代码执行的缓冲区溢出转换成拒绝服务攻击，因此无论何时检测到这类故障，您都可以确定存在安全 bug。（遗憾的是，由于存在错误的内存、时钟超过的母板、有故障的硬件和其他问题，有时候验证 Cookie 的代码会在没有真正缓冲区溢出的情况下犯错。）

在 Windows Vista^®中，当检测到 STATUS_STACK_BUFFER_OVERRUN 时（假设存在调试器），操作系统会引发一个 int 3 异常。在较早的 Windows 版本中，断点应放在 kernel32!UnhandledExceptionFilter中以检测安全 Cookie 是否遭到了篡改（否则，进程会被终止，并且用户不会获得通知）。

在图 3 中，函数 foo 通过将过多的数据复制到堆栈缓冲区来溢出缓冲区，这样会导致 /GS Cookie 被覆盖。

Avoiding Buffer Overruns

A buffer overrun is one of the most common sources of security risk. A buffer overrun is essentially caused by treating unchecked, external input as trustworthy data. The act of copying this data, using operations such as CopyMemory, strcat, strcpy, or wcscpy, can create unanticipated results, which allows for system corruption. In the best of cases, your application will abort with a core dump, segmentation fault, or access violation. In the worst of cases, an attacker can exploit the buffer overrun by introducing and executing other malicious code in your process. Copying unchecked, input data into a stack-based buffer is the most common cause of exploitable faults.

Buffer overruns can occur in a variety of ways. The following list provides a brief introduction to a few types of buffer overrun situations and offers some ideas and resources to help you avoid creating new risks and mitigate existing ones:

Static buffer overruns

A static buffer overrun occurs when a buffer, which has been declared on the stack, is written to with more data than it was allocated to hold. The less apparent versions of this error occur when unverified user input data is copied directly to a static variable, causing potential stack corruption.

Heap overruns

Heap overruns, like static buffer overruns, can lead to memory and stack corruption. Because heap overruns occur in heap memory rather than on the stack, some people consider them to be less able to cause serious problems; nevertheless, heap overruns require real programming care and are just as able to allow system risks as static buffer overruns.

Array indexing errors

Array indexing errors also are a source of memory overruns. Careful bounds checking and index management will help prevent this type of memory overrun.

参考：

http://blog.csdn.net/zhuobattle/article/details/17373521

http://blog.csdn.net/liushu1231/article/details/24231909

https://msdn.microsoft.com/en-us/library/windows/desktop/ms717795(v=vs.85).aspx