A random number canary is generated when the program is executed. So the attacker cannot get the "canary" value by searching the binary of the program. If / dev / uraandom exists, the random number is there. Otherwise, it is obtained by coding the current time. Its randomness is sufficient to prevent most of the predictive attacks. The Immunix system is RED HAT Linux compiled with StackGuard, but the protection provided by StackGuard is not absolute security, which can break through the limit: if you override a function pointer, may exist () or _exit () system call address, GOT, etc. StackGuard official link: http://immunix.org/ ◆ StackShield StackShield uses another different technique. Its approach is to create a special stack used to store a copy of the function returns the address. It adds a piece of code in the beginning and end of the protected function, and the code at the beginning is used to copy the function to a special table, and the code at the end is used to copy the return address from the table. Therefore, the function execution process will not change, and will always return to the main modulation function. Some new protection measures have been added in the new version, and when an address is called, the execution of the function is terminated when the function pointer within the non-text segment is called. StackShield cannot defend only the single-byte overflow that covers the% EBP, and we can also bypass the restrictions by overwriting other ELF structures. Www.angelfire.com/sk/stackshield/download.html ------------------ Second, Library function link protection ------------- ----- ◆ FormatGuard formatGuard is a GLIBC patch, follows GPL, which uses special CPP (GCC pre-compiled programs) macro to replace the original * printf () parameter statistics, it will pass to * Printf parameters The number of numbers and formats, if the number of formats is greater than the number of actual parameters, it is determined as an attack behavior, sending a message to Syslogd and terminating the process. If the weakness program is called the library other than glibc, formatGuard cannot protect. Www.immunix.org ◆ libsafe libsafe is a dynamic link library that is loaded before the standard C library, mainly reinforced with Gets (), structf (), strcat (), sprintf () ... etc. Easy security problem. Function, it is designed to attack only for Stack Smashing && Format String type. Alert7 has also written on how to bypass libsafe protection articles. Http://www.research.avayalabs.com/project/libsafe/ -------------- Three, stacks must not be implemented -------------- ◆ Solar Designer's Nonexec Kernel Patch It can be seen from the name. This is a kernel patch on Linux. The most important feature of this patch is: user area stack is not executable [Non-Executable User Stack] Due to the page (Page) due to X86 CPU The Bit bit is executed, so the patch distinguishes the data segment and code segment by reducing the virtual address of the code segment. The program executes the flow returns 0xC0000000 The following user stack space is considered to be a buffer overflow attack behavior, and then generate a general purpose Protect exceptions and terminate the process. This will invalidize SHELLCODE in the buffer or environment variable (all in the stack segment). Of course, the security is not absolute, and the attack method of breaking the patch is described in detail by using the PLT return library function.
There are still some other features: dynamic link librarging to address low-end (0x00 start), limit symbolic link attack, / TMP directory limit, / proc directory limit, Execve system call reinforcement, etc. Www.openwall.com ◆ Solaris / SPARC NONEXEC-Stack Protection Can prohibit the stack segment by removing the execution permission of the stack, the method is prohibited by removing the execution permission of the stack, and two statements are added to / etc / system: set noExec_user_stack = 1 set NOEXEC_USER_STACK_LOG = 1 The first strip is prohibited from execution, and the second records record all activities attempts to run code in the stack segment. After Reboot, it will take effect. All remodeling protection is limited. Return-to-libc, Fake Frame can break through the limit, but the stack is not implemented by the stack has greatly improved the difficulty of attack. ------------------ Four, data segment is not available ------------------ ◆ Knox Linux kernel patch, function: The page of the data segment cannot be executed, revoked shared memory, enhances the restrictions on the EXECVE system call, the special processing of the file descriptor 0, 1, 2, / PROC directory, FIFO limit, symbolic link limit, this patch only 2.2 Kernel. http://isec.pl/projects/knox/knox.html ◆ RSX Linux kernel module, data segment (stack, heap) is not executable. http://www.starzetz.com/software/rsx/ ◆ Exec SHIELD EXEC-SHIELD The maximum virtual address of the executable image contained in the internal nuclear state display, the dynamic address of the executable virtual address Maximum value "is called" executable limiting ", and each time the schedule process will use this value to update the code segment descriptor to write GDT, Exec-Shield dynamic tracking each application, so each program is running There are different "executable limits" because the executable limit is usually a very low virtual address, so the space except the mmap () maps outside the STACK and the space allocated by the malloc () are in the executable limits, so It is not executable. Of course, Exec-Shield cannot defend the attack to the low 16M address space and Return-to-libc attack, but it can still block the vast majority of attacks of the SHELLCODE in the data segment. Http://redhat.com/~mingo/exec-shield/ --------------------------------- Five, Enhanced buffer overflow protection and kernel Mac ------------------------------- ◆ Openbsd security feature openbsd and hardened gentoo Adamantix, SELINUX is a very high-default security operating system. OpenBSD passes the code audit and the vulnerability is very small. Similarly, he has a lot of security features: * Use strlcpy () and strlcat () functions to replace the original hazard function * Memap protection: W ^ x, read-only data segment, page protection, mmap () random map, malloc () random map Atexit () and stdio protection, * Privilege Separation * Privilege Recycling * BSD Chroot Jail * Other Many Features where W ^ X has many content: Stack, MMAP random map, read-only GOT / PLT / .ctor / .dtor, etc. . Although theoretical OpenBSD cannot block all types of attacks, many attack methods have been blocked.
◆ Pax Pax is a very bt thing, it seems that he is born is a dead end of the buffer overflow, and he severely examines every attack method and blocks. * Data segments based on X86-segment memory management * Pages Based on page-based memory management Data segments * Core read-only {-const Structure read-only - System call table read-only - Partial Description Table (IDT) ) Read-only-global segment descriptor table (GDT) read-only-data page read-only - This feature cannot coexist with normal LKM functions} * Full address space random map {- Nuclear stack random map of each system call - User Stack Random Mapping - ALF Optical Image Random Mapping - BRK () Assignment Heap Random Mapping - MMap () Management HEAP Random Mapping - Dynamic Link Library Random Mapping} * There are also low addresses that map dynamic link libraries to 0x00 Other features here By the way, the << The Advanced Return-Into-lib (C) Exploits> written on Phrack58 is mentioned, which is mentioned in this masterpiece to break through the fake stack (Fakeframe) and DL-Resolve () technology. Several protection methods, this is possible * NIX application layer Exploit technology's most advanced technology, Nergal solves several problems: Stack / Heap / BSS is not executable, MMAP random maps, clearly this advanced technology is still unable to unconditionally Breakthrough PAX, so on a Linux running full version of Pax, you want to start buffer overflows, there is no chance! ! ! Pax Team http://pax.grsecurity.net ◆ GrSecurity GrSec contains Pax (this more BT ?? Khan ~), and LIDS, GRSEC supports kernel Mac (Madatory Access Control, forced access control), has a lot of features, See http://grsecurity.net/features.php www.grsecurity.net ------------------ 6, hardware level protection -------- ---------- x86 CPU is used 4GB flat mode, the linear address of the data segment and the code segment is overlapping, and the page can be executed as long as readable, so many kernel patches mentioned above will be made Various methods are designed to make data segments are not executable. Both Alpha, PPC, PA-RISC, SPARC, SPARC64, AMD64, and IA64 are now available for page execution BIT bit. Intel and AMD new page execution ratios are called NX security technology, Windows XP SP2 and Linux Kernel 2.6 support NX, although this hardware-level page protection is not as strong as PAX, but the hardware level support has undoubtedly increased software And the compatibility of the operating system, it is possible to get the protection of the buffer overflow. -------- CONCLUSION ---------- Safety and ease of use Always stand on the opposite side, the protection technology mentioned above can cause a small amount of performance loss, the designers already Optimize their work from the perspective of performance. However, people are more concerned about compatibility. Maybe you will find these things at all, yes, another safety of people want to have errors, that is, stable operation, use these Additional protection will cause psychological disappointment, I believe that with the popularity of NX and the development of the protection technology itself will be resolved.
Maybe you often see such an article telling how to break through the advanced Exploit technology of buffer overflow protection. In fact, many content is only suitable as teaching, or the technology itself is still in the research phase, in actual attacks, using advanced BYPASS Techniques usually need to meet some conditions, not simply spending the length of the exploit code to achieve the purpose, and the attack will become very difficult to use the buffer overflow protection, and sometimes it is impossible, especially Many technologies will turn into paper. Use a patch similar to PAX, iptables rules, combined with kernel Mac, want to invade shell almost impossible, but unfortunately no money, don't put a Linux box on the Internet beta, let the people to play, ha ~ In the buffer overflow, it has not yet become a history today. It is always remembered. This is certainly not pessimistic, and the dying of the old technology must be with the birth of new technologies. If there is no evil hacking, what do we sit in front of the computer? ? If so, I will open a small supermarket with silly billy, and tell adam, why they don't do it. . Let those who don't know how to do safety, you will do it ~~ PST, pH4NT0M security team http://www.ph4nt0m.org A group of unfettered young people, although most of the network security work, because of advocating Black Hat And together. Reference: Various paper & source free from Internet, most of them were listed above ._________________ ay4z3ro http://overflow.nease.net http://www.ph4nt0m.org The future is still unpredictable Last stage of delirium, defeating anyone who stop US
