Protection mechanisms in Linux

  When writing exploit code you need to pay special attention to which mechanisms the target process has enabled, such as NX and PIE: when NX is present, data on the stack cannot be executed directly, and when PIE is present, the address of every function call is randomized.

1: Canary (stack protection)

  Stack overflow protection is a mitigation against buffer overflow attacks. When a function contains a buffer overflow vulnerability, an attacker can overwrite the return address on the stack so that shellcode gets executed. With stack protection enabled, a cookie value is inserted into the stack frame when the function starts, and when the function returns the cookie is verified; if it is not valid, the program stops running. An attacker who overwrites the return address usually overwrites the cookie as well, so the stack protection check fails and execution of the shellcode is prevented. On Linux this cookie value is called the canary.

gcc added the -fstack-protector and -fstack-protector-all compilation parameters in version 4.2 to support stack protection, so at compile time you can control whether stack protection is enabled and how far it goes, for example:

1. gcc -o test test.c // by default, Canary protection is not enabled

2. gcc -fno-stack-protector -o test test.c // stack protection disabled

3. gcc -fstack-protector -o test test.c // stack protection enabled, but the protection code is inserted only in functions whose local variables include a char array

4. gcc -fstack-protector-all -o test test.c // stack protection enabled, protection code inserted in every function

2: NX (no execute)

  NX stands for No-eXecute. The basic principle of NX (DEP) is to mark the memory pages holding data as non-executable: when a program has been overflowed and shellcode has been placed in a data page, the program tries to execute instructions from that page, and the CPU then raises an exception instead of executing the malicious instructions.

The gcc compiler enables NX by default; if you need to turn NX off, add the -z execstack parameter to the gcc command line. For example:

1. gcc -o test test.c // by default, NX protection is enabled

2. gcc -z execstack -o test test.c // NX protection disabled

3. gcc -z noexecstack -o test test.c // NX protection enabled

Under Windows the corresponding concept is DEP (Data Execution Prevention).

3: PIE (position-independent executables)

  Position-independent executables make attacks that use return-oriented programming (ROP) much more difficult when memory-corruption defects such as buffer overflows are present. Under normal circumstances NX (called DEP on the Windows platform) and address space layout randomization (ASLR) work at the same time. The memory address randomization mechanism (ASLR) has the following three settings:

0 - address space randomization of the process is turned off.

1 - the mmap base address, the stack and the vdso page are randomized.

2 - in addition to setting 1, the heap is also randomized.

The Linux command to turn off address space randomization (which PIE relies on) is as follows; the redirection has to run inside the root shell rather than in the unprivileged caller's shell:

sudo sh -c 'echo 0 > /proc/sys/kernel/randomize_va_space'

gcc compiler commands:

1. gcc -o test test.c // by default, PIE is not enabled

2. gcc -fpie -pie -o test test.c // PIE enabled, strength 1

3. gcc -fPIE -pie -o test test.c // PIE enabled, strength 2 (the highest)

4. gcc -fpic -o test test.c // PIC enabled at strength 1, PIE not enabled

5. gcc -fPIC -o test test.c // PIC enabled at strength 2 (the highest), PIE not enabled

4: RELRO (read-only relocation)

  In Linux system security, writable storage areas are targets for attack, especially areas that store function pointers. From a security standpoint, minimizing the writable storage area is therefore of great benefit. GCC, the GNU linker and the glibc dynamic linker together implement a technique called RELRO: a region of the binary designated by the linker is made read-only by the dynamic linker once relocation has been processed. The relocation table is set read-only, and optionally all dynamically bound symbols are resolved when the program starts, which reduces attacks on the GOT (Global Offset Table). With "Partial RELRO" the GOT table remains writable.

gcc compiler commands:

gcc -o test test.c // by default, Partial RELRO

gcc -z norelro -o test test.c // disabled, i.e. No RELRO

gcc -z lazy -o test test.c // partially enabled, i.e. Partial RELRO

gcc -z now -o test test.c // fully enabled, i.e. Full RELRO
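As an added example (not code from the original post or its source), the following Linux C program reads its own ELF program headers through dl_iterate_phdr() and reports whether the NX, PIE and RELRO settings from sections 2 to 4 actually took effect, which is worth checking because distribution builds of gcc often change the defaults listed above. It assumes a Linux build against glibc or musl; the canary is a code-generation property that is not visible in program headers, so check that one with readelf -s ./test | grep __stack_chk_fail instead.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdio.h>
/* relro: 0 = No RELRO, 1 = Partial RELRO (-z lazy), 2 = Full RELRO (-z now) */
struct mitigations { int nx, pie, relro; };

/* dl_iterate_phdr() callback: the first object visited is the main executable,
 * so inspect it and return non-zero to stop the walk. */
static int inspect(struct dl_phdr_info *info, size_t size, void *data)
{
    struct mitigations *m = data;
    int has_relro = 0, bind_now = 0;
    (void)size;
    /* An ET_EXEC (non-PIE) program has load bias 0; a PIE is relocated to a non-zero base. */
    m->pie = info->dlpi_addr != 0;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type == PT_GNU_STACK) {
            m->nx = !(ph->p_flags & PF_X);  /* -z execstack sets PF_X, -z noexecstack clears it */
        } else if (ph->p_type == PT_GNU_RELRO) {
            has_relro = 1;                  /* emitted for -z lazy and -z now, absent for -z norelro */
        } else if (ph->p_type == PT_DYNAMIC) {
            /* -z now additionally records BIND_NOW in the dynamic section */
            const ElfW(Dyn) *d = (const ElfW(Dyn) *)(info->dlpi_addr + ph->p_vaddr);
            for (; d->d_tag != DT_NULL; d++) {
                if (d->d_tag == DT_BIND_NOW) bind_now = 1;
                if (d->d_tag == DT_FLAGS && (d->d_un.d_val & DF_BIND_NOW)) bind_now = 1;
                if (d->d_tag == DT_FLAGS_1 && (d->d_un.d_val & DF_1_NOW)) bind_now = 1;
            }
        }
    }
    m->relro = has_relro ? (bind_now ? 2 : 1) : 0;
    return 1;
}
/* Inspect the running process; nx stays 0 if no PT_GNU_STACK header is present. */
struct mitigations check_self(void)
{
    struct mitigations m = {0, 0, 0};
    dl_iterate_phdr(inspect, &m);
    return m;
}
int main(void)
{
    static const char *relro_names[] = {"No RELRO", "Partial RELRO", "Full RELRO"};
    struct mitigations m = check_self();
    printf("NX: %s  PIE: %s  RELRO: %s\n", m.nx ? "on" : "off",
           m.pie ? "on" : "off", relro_names[m.relro]);
    return 0;
}
```

Compile it as gcc -o test test.c, then rebuild with -z execstack, -pie or -z now and compare the output lines.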

5: Summary

The compiler parameters for the various security options are as follows:

  • NX: -z execstack / -z noexecstack (off / on)
  • Canary: -fno-stack-protector / -fstack-protector / -fstack-protector-all (off / on / fully on)
  • PIE: -no-pie / -pie (off / on)
  • RELRO: -z norelro / -z lazy / -z now (off / partial / full)

References:

https://www.cnblogs.com/Spider-spiders/p/8798628.html

Origin: www.cnblogs.com/ncu-flyingfox/p/11223390.html