[关闭]
@romangol 2017-10-22T05:23:04.000000Z 字数 1865 阅读 1060

动态分配的内存信息泄漏安全问题

research security

测试代码

  1. #include<cstdlib>
  2. #include<cstdio>
  4. typedef unsigned char uint8_t;
  5. const static unsigned int len = 2048;
  6. const static unsigned int outLen = 128;
  8. int main()
  9. {
  10.     uint8_t * pointer = (uint8_t *)malloc(len);
  12.     if (NULL == pointer)
  13.         return -1;
  15.     for( size_t i = 0; i < len; ++i ) 
  16.         pointer[i] = (i + 0x17) * 0x11;
  18.     for( size_t i = 0; i < outLen; ++i ) 
  19.         printf( "%02x ", pointer[i] );
  20.     puts("");
  21.     free(pointer);
  23.     for( size_t i = 0; i < outLen; ++i ) 
  24.         printf( "%02x ", pointer[i] );
  25.     puts("");
  27.     return 0;
  28. }

测试结果

  1. windows 10 x64 VC 2015
  2. C:\Users\Admin\Desktop>f
  3. 87 98 a9 ba cb dc ed fe 0f 20 31 42 53 64 75 86 97 a8 b9 ca db ec fd 0e 1f 30 41 52 63 74 85 96 a7 b8 c9 da eb fc 0d 1e 2f 40 51 62 73 84 95 a6 b7 c8 d9 ea fb 0c 1d 2e 3f 50 61 72 83 94 a5 b6 c7 d8 e9 fa 0b 1c 2d 3e 4f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d 4e 5f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d 5e 6f 80 91 a2 b3 c4 d5 e6 f7 08 19 2a 3b 4c 5d 6e 7f 90 a1 b2 c3 d4 e5 f6
  4. 90 b0 d9 00 c0 00 d9 00 0f 20 31 42 53 64 75 86 97 a8 b9 ca db ec fd 0e 1f 30 41 52 63 74 85 96 a7 b8 c9 da eb fc 0d 1e 2f 40 51 62 73 84 95 a6 b7 c8 d9 ea fb 0c 1d 2e 3f 50 61 72 83 94 a5 b6 c7 d8 e9 fa 0b 1c 2d 3e 4f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d 4e 5f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d 5e 6f 80 91 a2 b3 c4 d5 e6 f7 08 19 2a 3b 4c 5d 6e 7f 90 a1 b2 c3 d4 e5 f6
  7. Fedora 26 x64 for both Clang 4.0.1 and GCC 7.1.1
  8. [root@localhost ~]# ./a.out
  9. 87 98 a9 ba cb dc ed fe 0f 20 31 42 53 64 75 86 97 a8 b9 ca db ec fd 0e 1f 30 41 52 63 74 85 96 a7 b8 c9 da eb fc 0d 1e 2f 40 51 62 73 84 95 a6 b7 c8 d9 ea fb 0c 1d 2e 3f 50 61 72 83 94 a5 b6 c7 d8 e9 fa 0b 1c 2d 3e 4f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d 4e 5f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d 5e 6f 80 91 a2 b3 c4 d5 e6 f7 08 19 2a 3b 4c 5d 6e 7f 90 a1 b2 c3 d4 e5 f6
  10. 38 6b 99 11 36 7f 00 00 38 6b 99 11 36 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a7 b8 c9 da eb fc 0d 1e 2f 40 51 62 73 84 95 a6 b7 c8 d9 ea fb 0c 1d 2e 3f 50 61 72 83 94 a5 b6 c7 d8 e9 fa 0b 1c 2d 3e 4f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d 4e 5f 70 81 92 a3 b4 c5 d6 e7 f8 09 1a 2b 3c 4d 5e 6f 80 91 a2 b3 c4 d5 e6 f7 08 19 2a 3b 4c 5d 6e 7f 90 a1 b2 c3 d4 e5 f6

测试结论

free并不会把一段较长的分配的内存清理掉,这导致了诸如AES round key这样的敏感数据如果被分配到heap上,在free之前没有zeroMemory,就会产生信息泄漏的风险

Links:

Zeroing buffers is insufficient
http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html

Is free() zeroing out memory?
https://stackoverflow.com/questions/30683519/is-free-zeroing-out-memory

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注