[System Hacking] 4. Memory Mitigations on Linux and Windows
Zero Day, 2016. 12. 25. 21:13
Memory Mitigations on Linux and Windows
Operating systems such as Linux and Windows ship with many memory mitigations, among them ASLR, NX, SSP (stack canary), PIE and others.
- On Linux
1. ASLR (Address Space Layout Randomization)
Randomizes the base address of memory segments such as the stack, heap, vDSO and mmap regions, so those base addresses differ on every run. The strength of ASLR is controlled by a kernel setting located at /proc/sys/kernel/randomize_va_space:
zero@ubuntu:~/Desktop/pwn/Mitigations$ cat /proc/sys/kernel/randomize_va_space
0 - ASLR is turned OFF
1 - ASLR is turned ON (only stack randomization)
2 - ASLR is turned ON (stack, heap, mmap randomization)
With ASLR enabled, exploits that rely on fixed addresses, such as the address of a stack buffer or of libc's system(), no longer work reliably.
2. NX (Non eXecutable)
It simply blocks execution from memory pages/segments that are marked non-executable, such as the stack. With NX enabled, shellcode placed on the stack will not run because the stack has no execute permission.
3. SSP (Stack Smashing Protection)
It detects stack-based overflows by placing an extra variable (the stack canary) right after the user's local variables. Before the function returns, the canary is checked to see whether its value has changed. A stack-based buffer overflow that runs past the local variables overwrites the canary with attacker data, so the comparison with the original value fails and an error message is printed via __stack_chk_fail(). The canary is of course a random value, usually starting with a 0x00 byte, and it can be enabled or disabled with compile options.
-fstack-protector - enable checks for functions with buffers of size 0x8b or larger
-fstack-protector-all - enable checks for all functions
-fno-stack-protector - disable SSP
--param=ssp-buffer-size=<bytes> - changes the default buffer length (0x8b)
SSP is enabled by default in gcc 4.x and later.
4. ASCII Armor
Normally '\x00' and similar escape characters mark the end of a string, so if a null byte appears in an exploit payload there is a high chance that the exploitation fails. This technique therefore makes every library function's address start with a \x00 byte, e.g. 0x002f738771. Your kernel must support this protection for it to be used.
5. PIE (Position Independent Executable)
When PIE is enabled, the binary's base address is randomized as well. Put simply, ASLR randomizes the memory regions and PIE extends that to the binary itself. PIE can be enabled or disabled in gcc with the following options: -fPIC -pie, -no-pie.
6. RELRO (RELocation Read-Only)
All dynamic symbol resolution has to be carried out before execution of the binary begins. Once that is done, the GOT can be marked read-only, which prevents any runtime modification of it. RELRO has two modes, 'Partial RELRO' and 'Full RELRO'.
-Wl,-z,norelro - disable RELRO
-Wl,-z,relro - enable partial RELRO
-Wl,-z,relro,-z,now - enable full RELRO
7. FORTIFY_SOURCE
It can block stack overflows and format string bugs by adding fortifying checks such as __gets_chk(). It simply replaces functions with safer checked variants, for example printf() with __printf_chk().
-D_FORTIFY_SOURCE=1 - enables checks against buffer overflow attacks
-D_FORTIFY_SOURCE=2 - enables checks against buffer overflow and format string attacks
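As an added example (not code from the original post), here is a small checksec-style inspector that reads the ELF64 program headers and .dynamic table directly to report which of the Linux mitigations above a binary was built with. build_sample_elf is an assumption of this example: it constructs a header-only test image, not a real binary, so the whole script runs offline.

```python
import struct

# ELF constants used below (values from the ELF / System V ABI specs)
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

def inspect_elf(data: bytes) -> dict:
    """Report NX / PIE / RELRO / SSP / FORTIFY for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False   # no PT_GNU_STACK header at all => executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # NX: the stack segment lacks the X bit
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:    # any RELRO: GOT region remapped read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:      # full RELRO additionally needs BIND_NOW (resolve everything early)
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,        # ET_DYN executables are loaded at a randomized base
        "RELRO": "Full" if relro and bind_now else "Partial" if relro else "No",
        # Heuristics: a real checker walks .dynsym; the imported names are enough to show the idea
        "Canary": b"__stack_chk_fail\x00" in data,
        "FORTIFY": b"_chk\x00" in data,
    }

def build_sample_elf(pie=True, nx=True, relro="Full", canary=True, fortify=True) -> bytes:
    """Constructed test image: headers, a .dynamic table and a few symbol names, no code."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]          # 6 = RW, 7 = RWX
    if relro != "No":
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if relro == "Full" else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)                                 # ELF64 header + all phdrs
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    names = (b"__stack_chk_fail\x00" if canary else b"") + (b"__printf_chk\x00" if fortify else b"")
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn + names
```

To inspect a real file, pass its bytes to inspect_elf (for example `inspect_elf(open("/bin/ls", "rb").read())`) and compare the output with checksec or readelf.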
- On Windows
1. ASLR (Address Space Layout Randomization)
Same as Linux.
2. DEP (Data Execution Prevention)
Same as Linux NX.
3. SafeSEH (Safe Structured Exception Handlers)
SEH (Structured Exception Handling) is the Windows mechanism for handling exceptions. SafeSEH has the linker record the module's legitimate exception handlers in a table, so that a handler address that was overwritten on the stack is rejected when the exception is dispatched instead of being called.
4. GS (Stack Cookie)
Same as Linux SSP.