Shulou(Shulou.com)05/31 Report--

How to achieve C++ program after the release of the use of vulnerability analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, hope you can get something.

1. Use after release

When dynamically allocated memory is released, the contents of the memory are uncertain and may remain intact and accessible, because when to reallocate or reclaim the released memory blocks is determined by the memory manager, however, it is also possible that the contents of the memory have been changed, resulting in unexpected program behavior. Therefore, when memory is freed, it is guaranteed that it will not be written or read again.

2. Harm of use after release

Problems caused by improper memory management are common vulnerabilities in the CumberCraft + program. Use after release can lead to potential risks that can be exploited, including abnormal program termination, arbitrary code execution, and denial of service attacks. From January to November 2018, there were 134 vulnerabilities related to CVE. Some of the vulnerabilities are as follows:

Overview of CVE vulnerabilities A post-release use vulnerability exists in the CVE-2018-1000051Artifex Mupdf version of fz_keep_key_storable, which can lead to a denial of service or code execution issues. This vulnerability can be exploited by deceiving the victim into opening a specially constructed PDF file. CVE-2018-17474 there is a post-release use vulnerability in HTMLImportsController of the Blink engine in Google Chrome browser prior to 70.0.3538.67, which could lead to remote attackers exploiting heap corruption via a specially constructed HTML page. A post-release use vulnerability exists in CVE-2018-15924Adobe Acrobat and Reader 2018.011.20063 and earlier, 2017.011.30102 and earlier, 2015.006.30452 and earlier. Remote attackers can exploit this vulnerability to execute arbitrary code. 3. Sample code

The example is derived from Samate Juliet TestSuite for Cinning + v1.3 (https://samate.nist.gov/SARD/testsuite.php), source file name: CWE416_Use_After_Free__malloc_free_char_01.c.

3.1 defect code

Using 360 Code Guardian to detect the above sample code, you can detect "use after release" defects, the display level is high. As shown in figure 1:

Figure 1: example of using detection after release

3.2 fix the code

In the above fix code, Samate gives a fix by allocating memory with malloc () on line 30 and releasing it with free () at line 36, with no other operations on that memory after release.

Using the 360 Code Guardian to detect the repaired code, you can see that there is no "use after release" defect. Figure 2:

Figure 2: test results after repair

4. How to avoid using after release

To avoid post-release use, you need to pay attention to the following:

(1) be sure to empty the pointer when freeing memory, although this method is limited for the use of multiple or complex data structures, it can avoid some of the problems to some extent.

(2) when allocating or releasing memory in a loop statement, you need to be careful to confirm whether there is a problem.

(3) using the source code static analysis tool for automatic detection, we can effectively find the post-release problems in the source code.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.