Linux Program Protection Mechanisms


RELRO (RELocation Read Only)

RELRO     Meaning                                                              gcc flags
No        GOT, link_map pointer and resolver pointer all writable              gcc -Wl,-z,norelro code.c
Partial   .got, .dynamic and .init_array/.fini_array become read-only after    DEFAULT (upstream gcc; many distro toolchains default to Full)
          relocation; .got.plt, including its link_map and resolver
          pointers, stays writable because binding is lazy
Full      Entire GOT read-only; -z now binds every symbol at load time, so     gcc -Wl,-z,relro,-z,now code.c
          no link_map or dl_resolver pointer is ever stored in the GOT

Under Partial RELRO the function slots in .got.plt remain the classic overwrite target; Full RELRO removes it, at the cost of resolving every import at startup.

CANARY

Whether gcc inserts a stack canary, checked before the function returns, to catch stack buffer overflows.

Canary    gcc flags
Enable    DEFAULT, via -fstack-protector (only functions whose char buffer is at least 8 bytes get a canary; -fstack-protector-strong or -fstack-protector-all protect more functions)
Disable   gcc -fno-stack-protector code.c

NX (No-Execute) / DEP (Data Execution Prevention)

Memory that is writable must not be executable: the stack, heap and other data pages are mapped without the execute bit.

NX / DEP   gcc flags                    execstack
Enable     DEFAULT                      execstack -c code
Disable    gcc -z execstack code.c      execstack -s code

execstack -s marks the binary as needing an executable stack and -c clears that mark (execstack -q code shows the current state); both edit the PT_GNU_STACK program header that the kernel consults at exec time.

ASLR (Address Space Layout Randomization)

ASLR is configured at runtime through the kernel's randomize_va_space sysctl:

0 - disables address space randomization for newly started processes.
1 - randomizes the mmap base (shared libraries and PIE binaries), the stack and the vdso.
2 - as 1, plus randomizes the heap (brk) base.

The write must happen as root, so the redirect itself has to run under sudo (a plain "sudo -s echo 0 > file" opens the file as the unprivileged user and fails with Permission denied):

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
sudo sysctl -w kernel.randomize_va_space=0

Both settings last until reboot; to persist one, put kernel.randomize_va_space = 2 in a file under /etc/sysctl.d. To run a single program without ASLR instead of changing the whole system, use setarch -R ./prog.
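
The three levels above describe which regions move. The following added example (not from the original post) makes that observable: it parses /proc/PID/maps from two runs of the same program and reports the regions whose base address changed. The two map listings embedded in it are constructed to mimic a non-PIE binary under randomize_va_space=1, where the executable and the brk heap stay fixed while libraries, stack and vdso move; live_check() runs the same comparison against a real process and is an assumed helper name.

```python
"""Which regions does ASLR actually move? Compare /proc/<pid>/maps from two
runs of the same program and report the regions whose base address changed.
Added example for this page; not part of the original post."""
import subprocess


def parse_maps(text):
    """Return {region: start address} for the regions ASLR is concerned with.

    /proc/PID/maps lines look like:
      7f1a3c000000-7f1a3c028000 r--p 00000000 08:01 5678  /usr/lib/.../libc.so.6
    Anonymous, unnamed mappings have no sixth field.
    """
    regions = {}
    for n, line in enumerate(text.splitlines()):
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        name = parts[5] if len(parts) == 6 else ""
        start = int(parts[0].split("-")[0], 16)
        if n == 0:
            regions["exe"] = start            # the main program is mapped lowest
        elif name in ("[heap]", "[stack]", "[vdso]"):
            regions[name.strip("[]")] = start
        elif "libc" in name and "libc" not in regions:
            regions["libc"] = start           # first libc segment stands in for the mmap area
    return regions


def randomized_regions(maps_a, maps_b):
    """Sorted names of the regions whose base differs between two runs."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return sorted(r for r in a if r in b and a[r] != b[r])


def live_check(cmd=("cat", "/proc/self/maps")):
    """Run cmd twice on a real Linux host and diff its layouts (assumed helper)."""
    runs = [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(2)]
    return randomized_regions(*runs)


# Constructed sample: two runs of a non-PIE binary under randomize_va_space=1.
# The executable and the brk heap stay put; libraries, stack and vdso move.
RUN_A = """\
00400000-00401000 r--p 00000000 08:01 1234                     /tmp/hello
00401000-00402000 r-xp 00001000 08:01 1234                     /tmp/hello
00404000-00425000 rw-p 00000000 00:00 0                        [heap]
7f1a3c000000-7f1a3c028000 r--p 00000000 08:01 5678             /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0                [stack]
7ffd2b3a0000-7ffd2b3a2000 r-xp 00000000 00:00 0                [vdso]
"""
RUN_B = """\
00400000-00401000 r--p 00000000 08:01 1234                     /tmp/hello
00401000-00402000 r-xp 00001000 08:01 1234                     /tmp/hello
00404000-00425000 rw-p 00000000 00:00 0                        [heap]
7f6e11800000-7f6e11828000 r--p 00000000 08:01 5678             /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc9d5c0000-7ffc9d5e1000 rw-p 00000000 00:00 0                [stack]
7ffc9d7f0000-7ffc9d7f2000 r-xp 00000000 00:00 0                [vdso]
"""

if __name__ == "__main__":
    print("moved between constructed runs:", randomized_regions(RUN_A, RUN_B))
```

With randomize_va_space=2 the heap line would move as well, and with a PIE binary the exe (and the heap that follows it) moves already at level 1, since the executable itself is placed through the randomized mmap base.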

PIE (Position Independent Executables)

PIE       gcc flags
Enable    gcc -fpie -pie code.c (DEFAULT on most distro toolchains)
Disable   gcc -no-pie code.c (DEFAULT for upstream gcc)

PIE only pays off together with ASLR: with randomization off, a PIE binary is loaded at a fixed base (0x555555554000 on x86-64) on every run.

FRAME POINTER

Not a mitigation by itself, but it changes the stack layout: with a frame pointer, the saved rbp sits between the locals and the return address, and the epilogue restores rbp and rsp together:

leave
ret

Without it, the compiler frees the frame by adjusting rsp directly:

add rsp, 0x18
ret

Frame pointer   gcc flags
Enable          gcc -fno-omit-frame-pointer code.c (DEFAULT at -O0)
Disable         gcc -fomit-frame-pointer code.c (DEFAULT at -O1 and above on x86-64)

checksec

checksec is a bash script that reports the protection mechanisms described above for a given binary:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   65 Symbols     No       0               1       ./hello

pwntools also ships a command with the same name that does the same job:

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
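
Both tools read the same ELF structures: the GNU_RELRO program header plus the BIND_NOW dynamic flag for RELRO, the GNU_STACK flags for NX, the ELF type (ET_DYN) for PIE, and an imported __stack_chk_fail for the canary. The added example below (written for this page; it is not checksec.sh or pwntools code) derives the four verdicts from those structures with nothing but the standard library, so it doubles as a reference for the tables above. build_elf() is a constructed test helper that emits a minimal, non-runnable ELF carrying only the headers the checker inspects; run the script on a real binary with "python3 minichecksec.py ./hello" (file name assumed).

```python
"""Minimal checksec: reads the ELF64 structures that checksec.sh and pwntools'
checksec consult and derives the same four verdicts. Added example for this
page; not part of the original post or of either tool."""
import struct
import sys

# Constants from <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (little-endian)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr: type, flags, off, vaddr, paddr, filesz, memsz, align
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: tag, val


def checksec(data: bytes) -> dict:
    """Return RELRO / Canary / NX / PIE verdicts for a 64-bit little-endian ELF."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    by_type = {}
    for p in phdrs:
        by_type.setdefault(p[0], []).append(p)

    def vaddr_to_off(va):  # translate a virtual address through the PT_LOAD segments
        for _, _, off, vaddr, _, filesz, _, _ in by_type.get(PT_LOAD, []):
            if vaddr <= va < vaddr + filesz:
                return va - vaddr + off
        raise ValueError(f"vaddr {va:#x} is not file-backed")

    dyn = {}  # tag -> value, read from the PT_DYNAMIC segment
    for p in by_type.get(PT_DYNAMIC, []):
        for i in range(p[5] // DYN.size):
            tag, val = DYN.unpack_from(data, p[2] + i * DYN.size)
            if tag == DT_NULL:
                break
            dyn[tag] = val

    # RELRO: PT_GNU_RELRO names the pages ld.so makes read-only after relocation.
    # It covers the whole GOT only when lazy binding is off (BIND_NOW), i.e. Full.
    if PT_GNU_RELRO not in by_type:
        relro = "No RELRO"
    elif dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW:
        relro = "Full RELRO"
    else:
        relro = "Partial RELRO"

    # Canary: -fstack-protector makes the binary import __stack_chk_fail,
    # so the name shows up in the dynamic string table.
    canary = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        off = vaddr_to_off(dyn[DT_STRTAB])
        canary = b"__stack_chk_fail\0" in data[off:off + dyn[DT_STRSZ]]

    # NX: the kernel reads PT_GNU_STACK; an X flag (or a missing header) means
    # an executable stack, which is what -z execstack / execstack -s produce.
    stack = by_type.get(PT_GNU_STACK)
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # PIE: a position-independent executable is linked as ET_DYN, like a .so.
    return {"RELRO": relro, "Canary": canary, "NX": nx, "PIE": e_type == ET_DYN}


def build_elf(relro="full", canary=True, nx=True, pie=True) -> bytes:
    """Constructed test input: a minimal (non-runnable) ELF64 carrying only the
    headers checksec() inspects. File offsets equal virtual addresses."""
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + b"puts\0"
    dyn = [(DT_STRTAB, 0x400), (DT_STRSZ, len(strtab))]
    if relro == "full":
        dyn.append((DT_FLAGS_1, DF_1_NOW))      # what -z now records
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)
    body = strtab.ljust(0x100, b"\0") + dyn_bytes   # strtab at 0x400, dynamic at 0x500
    phdrs = [
        (PT_LOAD, 6, 0, 0, 0, 0x400 + len(body), 0x400 + len(body), 0x1000),
        (PT_DYNAMIC, 6, 0x500, 0x500, 0x500, len(dyn_bytes), len(dyn_bytes), 8),
        (PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),   # RW vs RWX stack
    ]
    if relro != "no":
        phdrs.append((PT_GNU_RELRO, 4, 0x500, 0x500, 0x500, 0x100, 0x100, 1))
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC,
                     0x3E, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return (ehdr + b"".join(PHDR.pack(*p) for p in phdrs)).ljust(0x400, b"\0") + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:   # e.g. ./hello
        for key, verdict in checksec(f.read()).items():
            print(f"{key:8}{verdict}")
```

The PIE test is deliberately the crude one both tools use: any ET_DYN object counts, so a plain shared library is also reported as "PIE enabled". The canary check is likewise a heuristic; a binary whose every function lacks a qualifying buffer can be compiled with -fstack-protector and still show "No canary found", exactly as the ./hello output above does.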