Why are buffer overflows a security problem?
In fact, buffer overflows are becoming more and more common.
This column gives an overview of the buffer overflow problem.
Whether the program attempts to read data that are overwritten during the overflow.
But the buffer overflow problem is far from ancient history.
This is why our next four columns will deal with buffer overflow.
What is a buffer overflow?
When this happens, the next contiguous chunk of memory is overwritten.
Clearly, you would think by now that buffer overflow errors would be obsolete.
Don't rely on dynamic allocation for everything and forget about the buffer overflow problem.
Buffer overflow attacks are one of the most notorious software security problems.
We also only hinted at the nitty-gritty details of how stack overflows work.
In the chart above, the number of vulnerabilities that can be directly attributed to buffer overflows is displayed.
Buffer overflows have been causing serious security problems for decades.
Another way in which buffer overflows cause security problems is through stack-smashing attacks.
As a result, buffer overflow problems are often invisible during standard testing.
What data (if any) are overwritten when the buffer gets full and spills over.
We'll go into the details of stack smashing in our third and fourth columns on buffer overflows.
Buffer overflows begin with something every program needs: a place to put bits.
Let's dig deeper into why some kinds of buffer overflows have big security implications.
Often they are right, because there aren't many people who have the expertise required to exploit heap overflows.
So far, all our examples of buffer overflow exploits have been for UNIX systems.
Looking at the program, it is also easier for an attacker to figure out how to cause a buffer overflow with real inputs.
In this column we've introduced you to buffer overflows, which are probably the worst software security problem of all time.
Instead, they malloc or new everything, and believe this will protect them from overflow problems.
In the worst cases, a program may be overflowing a buffer and not showing any adverse side effects at all.
Some people believe that it's harder to find buffer overflows in Windows programs than in UNIX programs.
Heap overflows are generally much harder to exploit than stack overflows (although successful heap overflow attacks do exist).
You may be thinking, "Big deal, a little spilled water never hurt anybody."
A creative attacker can take advantage of a buffer overflow vulnerability through stack-smashing and then run arbitrary code (anything at all).