- Jun 17, 2005
- 927
- 1
- 81
Is there some way a CPU can decide if it's executing a virus? Or is it just protection against virii that try to damage the hardware?
I don't know much about the workings of hardware, but that all made sense somehow. :beer:Originally posted by: CTho9305
...
function readCaption() {
// look for the caption
while (readString() != "CAPTION") ;// keep looking for the string
captionLength = readNumber(); // get the length of the caption
buffer = createBuffer(20); // get a buffer that can hold the maximum size - 20 characters
nextWord = 0;
while (nextWord != "IMAGE") { // keep going until we hit the image
nextWord = readByte();
buffer = buffer + nextWord; // append the next word from the caption to the buffer
}
return buffer; // return the complete caption string
}
Everything works properly. The buffer can hold 20 characters, and we read a word at a time until we see "IMAGE". The caption is 20 characters long, so it fits in the buffer.CAPTION20A picture of my cat.IMAGE{rest of the image}
The program creates a buffer that can hold 8 characters, and starts copying the string into the buffer. Let's look at what the buffer contains after a few iterations:CAPTION20Ha Ha! This image is very evil! IMAGE{rest of the image}
When the program starts, it begins in the function main. From main, it needs to jump to the function doSomething. It does this, and prints the message. But how does doSomething know where to jump to when it finishes? After all, in a bigger program, doSomething could be called from lots of different places, and it needs to go back to the right spot after it finishes. The solution to this is a "stack" - just think of it like a stack of paper. You can put something new on the top, or take the top item off the stack. Each piece of paper can only hold 1 number (so, if you want store two numbers, use two items). When main calls doSomething(), it puts a new item on the stack, which says, "when you're done, go to line 3" (so, the piece of paper says, "3"). Now, when doSomething has finished, it takes the top item from the stack and goes to that line in the program. This works no matter how many functions we have. One thing I didn't tell you about stacks before is that you can read and edit items on the stack that aren't at the top of the stack (but you can't add or delete things other than at the top). In a computer the stack starts at the top of memory and grows downwards (it's not as stupid as it sounds ), so the older elements on the stack are at addresses that are higher numbered.function main () {
doSomething();
print("I did something!");
}
function doSomething() {
print("I'm doing something!");
return; // go back to whoever called doSomething()
}
then you can add two items to the stack for num1 and num2 for the first two lines, and the third line would be "read the first item on the stack, read the second item on the stack, add the results, and edit the first item to hold the result" at the assembly language level. When the function finishes, it has to clean the stack up by taking anything off that it added, so it would pull num1 and num2 off the stack, and return to whoever called doStuff.function doStuff() {
num1 = 5;
num2 = 6;
num2 = num1+num2;
return;
}
Now, the first two lines would put two items on the stack, and the third line would add 10 items (to hold the buffer's data). The fourth line would now translate to assembly language as "read the 11th item on the stack, read the 12th item, add them, and edit the 11th to hold the result". As before, when the function returns, it has to clean up the stack, so it takes the top 12 things off the stack (nu1, num2, and the 10-item buffer) and returns.function doStuff2() {
num1 = 5;
num2 = 6;
buffer = createBuffer(10);
num2 = num1+num2;
return;
}
Let's follow what's on the stack when this function gets called from somewhere. Pretend the return address happens to be 7.function bufferOverflow() {
buffer = createBuffer(4); //make space for 4 characters
buffer = "1a2e3"; // write 5 characters
return;
}
Next, the buffer is created by adding 4 blank items<- lower addresses, top of stack
7 - return address
<- higher addresses, bottom of stack
Let's watch the stack as each letter of the string gets written into the buffer, from low addresses to high addresses:<- lower addresses, top of stack
blank
blank
blank
blank
7 - return address
<- higher addresses, bottom of stack
<- lower addresses, top of stack
1
blank
blank
blank
7 - return address
<- higher addresses, bottom of stack
<- lower addresses, top of stack
1
a
blank
blank
7 - return address
<- higher addresses, bottom of stack
<- lower addresses, top of stack
1
a
2
blank
7 - return address
<- higher addresses, bottom of stack
What happens next? Well, the stack doesn't really care that you're about to write beyond the end of the buffer - it doesn't actually know what buffer is, it just writes things where you tell it to.<- lower addresses, top of stack
1
a
2
b
7 - return address
<- higher addresses, bottom of stack
We've finished copying the string. We're done, so clean up the stack by removing the 4 things we added to it...<- lower addresses, top of stack
1
a
2
b
3 <- uh oh!!!
<- higher addresses, bottom of stack
[/quote]<- lower addresses, top of stack
3
<- higher addresses, bottom of stack
As an attacker, we'd have 20 characters of junk in the caption name, and the 21st spot would actually be an address - the address where the buffer is. The rest of the string would be the exploit program, which might do something like overwrite your music folder or search all text files on your computer for credit card info, or whatever evil you'd like.function readCaption() {
// look for the caption
while (readString() != "CAPTION")
;// keep looking for the string
captionLength = readNumber(); // get the length of the caption
buffer = createBuffer(20); // get a buffer that can hold the maximum size - 20 characters
nextWord = 0;
while (nextWord != "IMAGE") { // keep going until we hit the image
nextWord = readByte();
buffer = buffer + nextWord; // append the next word from the caption to the buffer
}
return buffer; // return the complete caption string
}
Originally posted by: suszterpatt
Is there some way a CPU can decide if it's executing a virus? Or is it just protection against virii that try to damage the hardware?