◼ What Is a Format String ◼ Format Functions ◼ Ellipsis and va_args ◼ Summary ◼ Using Format Strings ◼ Format Tokens ◼ Types of Format Specifiers ◼ Summary ◼ Format String Vulnerability ◼ Abusing Format Strings ◼ Reading Memory ◼ Writing to Memory ◼ Summary ◼ Finding Format String Bugs ◼ FlawFinder

• Threat Model • Control Flow Graph • Control Flow Integrity basic implementation – Build CFG – Instrumentation – Evaluation – Security and Adversary • Binary-CFI(CCFIR) – Introduce – Implementation – Context-Sensitive CFI

南京大学：《软件安全 Software Security》课程教学资源（PPT课件讲稿）Redundant dynamic Canary

Background Control Flow Hijack Control Flow Hijack Defense Canary Defense StackGuard StackGuard Weakness DiffGuard Polymorphic Canary Data Execution Prevention Definition DEP Scorecard Return-to-libc Attack ASLR ASLR Randomization ASLR

Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example

• Background • Software Security: Control-flow Hijack Attack ➢ Memory Layout , Stack frame, & Procedure ➢ Buffer Overflow: Vulnerability, & Defenses ➢ RILC, Return-Oriented Programming ➢ ASLR & CFI • Software Security: Non-control Data Attack ➢ Data Oriented Programming • Summary

Software Security Course Overview Description Goal Text Books Course Schedule Prerequisites Tentative Course Project Teaching Assistant Contact Information Introduction to Software Security Background Root Cause of the Security Problems Vulnerability Exploits

 9.1 基本概念  9.2 网检和机检  9.3 特征检测  9.4 统计分析  9.5 行为推理  9.6 诱饵系统

 8.1 病毒  8.2 蠕虫  8.3 病毒防御  8.4 特洛伊木马  8.5 网络骗局  8.6 点对点安全  8.7 Web安全  8.8 分布式拒绝服务攻击

 7.1 一般框架  7.2 分组过滤  7.3 电路网关  7.4 应用网关  7.5可信系统和堡垒主机  7.6 防火墙配置  7.7网络地址转换  7.8 配置防火墙