Linux 程序保護機制

RELRO (RELocation Read Only)

RELRO 說明 gcc 編譯參數
No GOT writable, link_map writable gcc -Wl,-z,norelro code.c
Partial GOT writable, link_map readonly DEFAULT
Full GOT read only, no link_map and dl_resolver pointer gcc -Wl,-z,relro,-z,now code.c

CANARY

stack overflow - gcc generate canary or not

Canary gcc 編譯參數
Enable DEFAULT (when buffer large enough)
Disable gcc -fno-stack-protector code.c

NX (No-Execute) / DEP (Data Execution Prevention)

可以寫的地方不能執行

NX / DEP gcc 編譯參數 execstack
Enable DEFAULT execstack -s code
Disable gcc -z execstack code.c execstack -c code

ASLR (Address Space Layout Randomization)

Configuring ASLR with randomize_va_space

1
2
3
0 - 表示關閉進程地址空間隨機化。
1 - 表示 mmap, stack, vdso 隨機化。
2 - 表示比 1 多了 heap 隨機化。
1
2
sudo -s echo 0 > /proc/sys/kernel/randomize_va_space
sudo sysctl -w kernel.randomize_va_space=0

PIE (Position Independent Executables)

PIE gcc 編譯參數
Enable gcc -fpie -pie code.c
Disable DEFAULT

FRAME POINTER

有開的話是

1
2
leave
ret

沒開的話是

1
2
add rsp, 0x18
ret
Canary gcc 編譯參數
Enable DEFAULT
Disable gcc -fomit-frame-pointer code.c

checksec

checksec 是一個用來查看上述所說的保護機制的 bash script

1
2
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 65 Symbols No 0 1 ./hello

pwntools 也有內建一個名字和功能都一樣的指令

1
2
3
4
5
Arch:     amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled

Comments

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×