缓冲区过读

https://zh.wikipedia.org/wiki/缓冲区过读

在计算机安全和程序设计中，缓冲区过读^[1]是一类程序错误，即程序从缓冲器读出数据时超出了边界，而读取了（或试图读取）相邻的内存。这是有违内存安全的一个例子。

通过构造恶意输入，使得缺乏边界检查的程序读取不该访问到的内存，可以触发缓冲区过读，如在心脏出血漏洞里的那样。引发的原因也可能仅仅是编程中的错误。这可能会导致异常的程序行为，包括内存访问错误、不正确的结果、崩溃或系统安全性损害。因而，有许多漏洞都因其而生，还可能被恶意利用以访问特权信息。

通常与缓冲区过读相联系的编程语言语言包括C和C++，这些语言都没有提供内置的保护机制，以防止使用指针访问虚拟内存任意位置的数据，并且不会自动检查读取该内存块的数据是否安全；对应的例子如试图读取比数组更多的元素，以及没有向空终止字符串末尾追加终止符。边界检查可以防止缓冲区过读^[2]，而模糊测试有助于检测出这些错误。

参见[编辑]

参考[编辑]

^ CWE – CWE-126: Buffer Over-read (2.6). Cwe.mitre.org. February 18, 2014 [April 10, 2014].
^ Yves Younan; Wouter Joosen; Frank Piessens. Efficient protection against heap-based buffer overflows without resorting to magic (PDF). Dept. of Computer Science, Katholieke Universiteit Leuven. 2013-02-25 [2014-04-24].

外部链接[编辑]

[隐藏] 查论编存储器管理

操作系统的内存管理功能

手动内存管理	静态内存分配 C动态内存分配 new (C++) delete (C++)

虚拟内存	按需分页标签页表标签页虚拟内存压缩

硬件	内存管理单元转译后备缓冲器

垃圾回收	贝姆垃圾收集器终结器垃圾标记压缩算法引用计数强引用弱引用

存储器分段	保护模式实模式虚拟8086模式 X86存储器区块

内存安全	缓冲区溢出缓冲区过读迷途指针堆栈溢出

问题	碎片内存泄漏不可访问内存

其它	自动变量内存管理国际研讨会基于区域内存管理

Buffer over-read

From Wikipedia, the free encyclopedia

Jump to navigation Jump to search

In computer security and programming, a buffer over-read^[1]^[2] is an anomaly where a program, while reading data from a buffer, overruns the buffer's boundary and reads (or tries to read) adjacent memory. This is a special case of violation of memory safety.

Buffer over-reads can be triggered, as in the Heartbleed bug, by maliciously crafted inputs that are designed to exploit a lack of bounds checking to read parts of memory not intended to be accessible. They may also be caused by programming errors alone. Buffer over-reads can result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploitedto access privileged information.

Programming languages commonly associated with buffer over-reads include C and C++, which provide no built-in protection against using pointers to access data in any part of virtual memory, and which do not automatically check that reading data from a block of memory is safe; respective examples are attempting to read more elements than contained in an array, or failing to append a trailing terminator to a null-terminated string. Bounds checking can prevent buffer over-reads,^[3] while fuzz testing can help detect them.

References[edit]

^ "CWE – CWE-126: Buffer Over-read (2.6)". Cwe.mitre.org. February 18, 2014. Retrieved April 10, 2014.
^ Strackx, Raoul; Younan, Yves; Philippaerts, Pieter; Piessens, Frank; Lachmund, Sven; Walter, Thomas (2009-01-01). "Breaking the Memory Secrecy Assumption". Proceedings of the Second European Workshop on System Security. EUROSEC '09. New York, NY, USA: ACM: 1–8. doi:10.1145/1519144.1519145. ISBN 9781605584720.
^ Yves Younan; Wouter Joosen; Frank Piessens (2013-02-25). "Efficient protection against heap-based buffer overflows without resorting to magic" (PDF). Dept. of Computer Science, Katholieke Universiteit Leuven. Retrieved 2014-04-24.

External links[edit]

hide v t e Memory management
Memory management as a function of an operating system
Manual memory management	Static memory allocation C dynamic memory allocation new and delete (C++)
Virtual memory	Demand paging Page table Paging Virtual memory compression
Hardware	Memory management unit Translation lookaside buffer
Garbage collection	Boehm garbage collector Concurrent mark sweep collector Finalizer Garbage Garbage-first collector Mark-compact algorithm Reference counting Tracing garbage collection Strong reference Weak reference
Memory segmentation	Protected mode Real mode Virtual 8086 mode x86 memory segmentation
Memory safety	Buffer overflow Buffer over-read Dangling pointer Stack overflow
Issues	Fragmentation Memory leak Unreachable memory
Other	Automatic variable International Symposium on Memory Management Region-based memory management

原文地址：https://www.cnblogs.com/rsapaper/p/10477222.html