No, there is no such function. This paper http://security.ece.cmu.edu/aeg/aeg-current.pdf discusses the problem in detail.
Paul

On 10 Sep 2014, at 14:34, Jonathan Neuschäfer <[email protected]> wrote:

> On Wed, Sep 10, 2014 at 09:56:19AM +0800, 高凤娟 wrote:
>> Hi,
>> Is there any function that gives us the distance between the buffer and the
>> return address? I'm trying to detect buffer overflows. In order to make sure
>> the buffer overflow detected is a dangerous one, I want to know if the
>> overflowed string overlaps the return address. For example:
>>
>>     ... (other code)
>>     char a[2];
>>     char b[6];
>>     klee_make_symbolic(b, sizeof(b), "b");
>>     strcpy(a, b);
>>
>> I want to know the distance between a[1] and the return address. Sorry for my
>> poor English... Can anyone help me?
>> Many thanks in advance.
>> -------------------------------
>> Richel Gao
>
> I am not very familiar with KLEE, but the distance of a stack variable
> to the return address depends on the compiler, the CPU architecture and
> maybe the operating system. Furthermore, today's compilers may use stack
> canaries[1] to make exploitation harder in case the return address is
> overwritten.
>
> If you've found a buffer overflow and want to know if it will be able to
> overwrite the return address you should probably disassemble the
> compiled program (or ask the compiler to give you the intermediate
> assembler code), and then check this yourself. A debugger may also help.
>
> If you've found a bunch of buffer overflows and are thinking about which
> of them you will fix, please fix all of them.
>
>
> Hope that helps,
> Jonathan Neuschäfer
>
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>
> _______________________________________________
> klee-dev mailing list
> [email protected]
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
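An added example, not code from the thread or from the KLEE project, that follows Jonathan's advice rather than the original question: instead of asking how far a[] sits from the return address (which the replies point out is compiler-, architecture- and OS-dependent), it counts the bytes an unbounded strcpy would write past the destination, treats any non-zero count as a bug, and replaces the copy with a bounded one. The harness mirrors the a[2]/b[6] scenario from the question; it assumes the reader compiles with -DKLEE when running under KLEE (a build flag chosen here, not something KLEE defines), and otherwise uses a constructed input so it also runs natively.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef KLEE            /* assumption: pass -DKLEE when building for KLEE */
#include <klee/klee.h>
#endif

/* Number of bytes strcpy(dst, src) would write beyond a destination of
 * capacity cap (strlen plus the terminating NUL). 0 means the copy fits. */
size_t overflow_bytes(size_t cap, const char *src)
{
    size_t need = strlen(src) + 1;
    return need > cap ? need - cap : 0;
}

/* Hardened replacement for strcpy: writes at most cap bytes, always
 * NUL-terminates, and reports truncation instead of writing past dst.
 * Returns 0 when src fit, -1 when it was truncated. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0)
        return -1;
    if (len >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Copies src into a 2-byte destination with bounded_copy and returns the
 * resulting string length (0 or 1), showing nothing landed past dst. */
size_t bounded_copy_len(const char *src)
{
    char dst[2];
    bounded_copy(dst, sizeof dst, src);
    return strlen(dst);
}

/* Harness for the thread's a[2] / b[6] scenario. Under KLEE, b is symbolic
 * and forced NUL-terminated so every possible length is explored; natively,
 * b is a constructed input. Returns how many bytes the original
 * strcpy(a, b) would have written past a[], then performs the safe copy. */
size_t harness(void)
{
    char a[2];
    char b[6];
#ifdef KLEE
    klee_make_symbolic(b, sizeof b, "b");
    klee_assume(b[sizeof b - 1] == '\0');
#else
    memcpy(b, "hello", sizeof b); /* constructed input: 5 chars + NUL */
#endif
    size_t over = overflow_bytes(sizeof a, b);
    bounded_copy(a, sizeof a, b); /* replaces the vulnerable strcpy(a, b) */
    return over;
}

int main(void)
{
    printf("strcpy would overflow a[] by %zu byte(s)\n", harness());
    return 0;
}
```

Under KLEE, wrapping the returned count in klee_assert(over == 0) turns every overflowing length of b into a reported test case; natively, the constructed "hello" overflows a[2] by 4 bytes. The frame layout never enters the check, which is the point: a write past the buffer is a defect to fix whether or not it happens to reach the return address on one particular build.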
