Zer0 day

[System Hacking] 4. Memory Mitigations on Linux and Windows 본문

Security/System Hacking

[System Hacking] 4. Memory Mitigations on Linux and Windows

Zero Day 2016. 12. 25. 21:13

Memory Mitigations on Linux and Windows

There are lots of memory mitigations on operation system like linux and windows. There are ASLR, NX, SSP(Stack Canary), PIE, etc...


- On Linux

1. ASLR(Address Space Layout Randomize)

Enables randomization of memory allocation segments like stack, heap, vsdo, mmap, etc... So those base addresses will be randomize each every time. And we can set the value that means kind of strength of ASLR. It locates at /proc/sys/kernel/randomize_va_space.

1
2
zero@ubuntu:~/Desktop/pwn/Mitigations$ cat /proc/sys/kernel/randomize_va_space
2
cs
1
2
3
0 - ASLR is turned OFF
1 - ASLR is turned ON (only stack randomization)
2 - ASLR is turned ON (stack, heap, mmap randomization)
cs

By using ASLR, we can protect exploits which use fixed address like buffer(stack), libc(system).


2. NX(Non eXecutable)

It just blocks execution from marked memory pages/segments like stack. If it is enabled, even if there is a shellcode on stack, it would not be executed because there is no execution permission at stack.

1
2
3
4
5
6
7
8
zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -z execstack -o nx-on ./mitigation.c
zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -l nx-on | grep GNU_STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    10
zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -z noexecstack -o nx-off ./mitigation.c
zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -l nx-off | grep GNU_STACK
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     10
cs


3. SSP(Stack Smashing Protection)

It can detect stack based overflow by locating another variable(stack canary) at the end of the user's variables. At the end of the source code, it just check itself so the value is changed. If there was stack based buffer overflow, stack canary would be overwritten with some values. then comparing with previous value, if not same, error message would be printed by calling __stack_chk_fail(). Of course stack canary is a random value usually staring with 0x00 byte. And it can be enabled and disabled by compile options.

1
2
3
4
-fstack-protector             - enable check for functions with buffers of size(0x8b) or higher
-fstack-protector-all         - enable checks for all functions
-fno-stack-protecotr          - disable SSP
--parm=ssp-buffer-size=<byte> - modifies the default buffer length(0x8b)
cs
1
2
3
4
5
6
zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -fstack-protector-all -o ssp-on ./mitigation.c
zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -r ./ssp-on | grep __stack_chk_fail
000000200fd0  000300000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
zero@ubuntu:~/Desktop/pwn/Mitigations$ gcc -fno-stack-protector -o ssp-off ./mitigation.c
zero@ubuntu:~/Desktop/pwn/Mitigations$ readelf -r ./ssp-off | grep __stack_chk_fail
zero@ubuntu:~/Desktop/pwn/Mitigations$
cs

SSP is a default option on gcc version over 4.x.


4. Ascii Armor

Normally, '\x00' or escaping characters means end-of-string. Also means, if there is null-byte in my exploit payload, there is lots of possibility to fail exploitation. So this techniques make whole library functions' address to start with \x00 byte like 0x002f738771. For using this protection, your kernel needs to support this protection.


5. PIE(Positive Independent Executable)

When PIE is enabled, the binary base address is randomized. Simply, ASLR is for memory, then PIE is for binary. we can enable and disable PIE on gcc with following options. -fPIC -pie, -no-pie.



6. RELRO(RELocation Read-Only)

All dynamic symbol resolutions have to be carried out before the binary execution begins. After this process is done, GOT could be marked as read-only. So it can prevent any runtime modification. And there are 2 modes of RELRO, 'Partial RELRO' and 'Full RELRO'.

1
2
3
4
5
6
7
- Partial RELRO
some sections are initialized by the dynamic loader(lazy-binding).
non-PLT GOT is read-only.
GOT is still writable.
- Full RELRO
Partial RELRO + Entire GOT is mapped as read-only
lazy-binding is disabled. Means all imported symbols are resolved at starts.
cs
1
2
3
-Wl, -z, norelro       - disble relro
-Wl, -z, relro         - enable partial relro
-Wl, -z, relro -z, now - enable full relro
cs


7. FORTIFY_SOURCE

It can block stack overflow and format string bug by adding fortifying checks like __gets_chk(). It just replaces functions to more safer functions. For example, printf() to __printf_chk().

1
2
-D_FORTIFY_SOURCE=1 - enables checks against buffer overflow attacks
-D_FORTIFY_SOURCE=2 - enables checks against buffer overflow and format string attacks
cs


- On Windows

1. ASLR(Address Space Layout Randomize)

Same as Linux.


2. DEP(Data Execution Prevention)

Same as Linux NX.


3. SafeSEH(Safe Structured Exception Handler)

SEH(Structured Exception Handler) is for handling exception.


4. GS(Stack Cookie)

Same as Linux SSP.

0 Comments
댓글쓰기 폼
Prev 1 2 3 4 5 6 7 8 9 10 Next