Memory Mitigations on Linux and Windows
There are lots of memory mitigations on operation system like linux and windows. There are ASLR, NX, SSP(Stack Canary), PIE, etc...
- On Linux
1. ASLR(Address Space Layout Randomize)
Enables randomization of memory allocation segments like stack, heap, vsdo, mmap, etc... So those base addresses will be randomize each every time. And we can set the value that means kind of strength of ASLR. It locates at /proc/sys/kernel/randomize_va_space.
1 2 | zero@ubuntu:~/Desktop/pwn/Mitigations$ cat /proc/sys/kernel/randomize_va_space 2 | cs |
1 2 3 | 0 - ASLR is turned OFF 1 - ASLR is turned ON (only stack randomization) 2 - ASLR is turned ON (stack, heap, mmap randomization) | cs |
By using ASLR, we can protect exploits which use fixed address like buffer(stack), libc(system).
2. NX(Non eXecutable)
It just blocks execution from marked memory pages/segments like stack. If it is enabled, even if there is a shellcode on stack, it would not be executed because there is no execution permission at stack.
1 2 3 4 5 6 7 8 | zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -z execstack -o nx-on ./mitigation.c zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -l nx-on | grep GNU_STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RWE 10 zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -z noexecstack -o nx-off ./mitigation.c zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -l nx-off | grep GNU_STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 10 | cs |
3. SSP(Stack Smashing Protection)
It can detect stack based overflow by locating another variable(stack canary) at the end of the user's variables. At the end of the source code, it just check itself so the value is changed. If there was stack based buffer overflow, stack canary would be overwritten with some values. then comparing with previous value, if not same, error message would be printed by calling __stack_chk_fail(). Of course stack canary is a random value usually staring with 0x00 byte. And it can be enabled and disabled by compile options.
1 2 3 4 | -fstack-protector - enable check for functions with buffers of size(0x8b) or higher -fstack-protector-all - enable checks for all functions -fno-stack-protecotr - disable SSP --parm=ssp-buffer-size=<byte> - modifies the default buffer length(0x8b) | cs |
1 2 3 4 5 6 | zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -fstack-protector-all -o ssp-on ./mitigation.c zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -r ./ssp-on | grep __stack_chk_fail 000000200fd0 000300000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0 zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -fno-stack-protector -o ssp-off ./mitigation.c zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -r ./ssp-off | grep __stack_chk_fail zero@ubuntu:~/Desktop/pwn/Mitigations$ | cs |
SSP is a default option on gcc version over 4.x.
4. Ascii Armor
Normally, '\x00' or escaping characters means end-of-string. Also means, if there is null-byte in my exploit payload, there is lots of possibility to fail exploitation. So this techniques make whole library functions' address to start with \x00 byte like 0x002f738771. For using this protection, your kernel needs to support this protection.
5. PIE(Positive Independent Executable)
When PIE is enabled, the binary base address is randomized. Simply, ASLR is for memory, then PIE is for binary. we can enable and disable PIE on gcc with following options. -fPIC -pie, -no-pie.
6. RELRO(RELocation Read-Only)
All dynamic symbol resolutions have to be carried out before the binary execution begins. After this process is done, GOT could be marked as read-only. So it can prevent any runtime modification. And there are 2 modes of RELRO, 'Partial RELRO' and 'Full RELRO'.
1 2 3 4 5 6 7 | - Partial RELRO some sections are initialized by the dynamic loader(lazy-binding). non-PLT GOT is read-only. GOT is still writable. - Full RELRO Partial RELRO + Entire GOT is mapped as read-only lazy-binding is disabled. Means all imported symbols are resolved at starts. | cs |
1 2 3 | -Wl, -z, norelro - disble relro -Wl, -z, relro - enable partial relro -Wl, -z, relro -z, now - enable full relro | cs |
7. FORTIFY_SOURCE
It can block stack overflow and format string bug by adding fortifying checks like __gets_chk(). It just replaces functions to more safer functions. For example, printf() to __printf_chk().
1 2 | -D_FORTIFY_SOURCE=1 - enables checks against buffer overflow attacks -D_FORTIFY_SOURCE=2 - enables checks against buffer overflow and format string attacks | cs |
- On Windows
1. ASLR(Address Space Layout Randomize)
Same as Linux.
2. DEP(Data Execution Prevention)
Same as Linux NX.
3. SafeSEH(Safe Structured Exception Handler)
SEH(Structured Exception Handler) is for handling exception.
4. GS(Stack Cookie)
Same as Linux SSP.
'Security > System Hacking' 카테고리의 다른 글
| [System Hacking] 6. SigReturn Oriented Programming (0) | 2016.12.27 |
|---|---|
| [System Hacking] 5. Return Oriented Programming (0) | 2016.12.27 |
| [System Hacking] 3. Return To Library(RTL) (0) | 2016.12.24 |
| [System Hacking] 2. Basic Format String Bug (0) | 2016.12.23 |
| [System Hacking] 1. Basic Buffer Over Flow Exploit (0) | 2016.12.23 |