★ Buffer overflow defense-in-depth system under Unix -- inside the defense framework of Unix buffer overflow

Text: ayazero  www.ph4nt0m.org
Contact: zhaoyan@nsfocus.com
Version: 2004/10/05  Draft

-------
Before talking about defense
-------

First, a brief review of the buffer overflow attack methods:

◆ Stack smashing
The length of the input buffer is not checked, so the array is overrun. Writing past the local variables in the stack frame overwrites the saved stack frame pointer %EBP and the function's return address RetAddr. When the function returns and executes the RET instruction, RetAddr is popped from the stack and loaded into the %EIP register as the address of the next instruction, so the original execution flow of the program is redirected to our shellcode.

◆ malloc()/free() heap corruption
The first form is the same as the traditional stack overflow: input longer than the space pre-allocated by malloc() overwrites the storage area that follows it, and if that storage area holds an important variable such as an EUID, it can be used for an attack. The other form is the classic double-free heap corruption. When memory is recycled, merging a freed block with its free neighbor and re-inserting it into the doubly linked list performs a 4-byte write to memory. If the vulnerable program makes the programming error of free()ing a block that is already free, we can carefully forge this block and overwrite any value we want: the return address of a function, the .plt address of a library function, and so on.

◆ Format string vulnerability
If the format string can be controlled by the attacker, an arbitrarily forged format can use the characteristics of the *printf() family of functions to read the contents of the stack, an over-long input can trigger a traditional buffer overflow, and "%n" can overwrite a pointer, a return address, etc.
◆ Integer overflow
Integer overflows trigger security vulnerabilities through the range and signedness of integer variables. Most integer overflows cannot be exploited directly, but if the integer variable determines how much memory is allocated, the vulnerability may be exploitable indirectly.

◆ Other attack methods (others)
These can only be counted as variations of the above and not as a separate category. They use features of the ELF file format, for example overwriting the .plt (procedure linkage table), .dtors (destructor function pointers) or the .got (global offset table), return-to-libc (returning into a library function), etc.

----------------
I. Compiler protection technology
----------------

◆ StackGuard
Because a buffer overflow usually overwrites the function's return address, StackGuard, a compiler patch, places a "canary" value (a single word) immediately before the return address. If the canary is found changed when the function returns, it proves that someone is attempting a buffer overflow attack; the program reacts immediately, sends an intrusion warning message to syslogd and terminates the process. The canary contains the four characters NULL (0x00), CR (0x0D), LF (0x0A) and EOF (0xFF), which should block most string operations and thus invalidate the overflow attack.
A random canary is generated when the program is executed, so the attacker cannot obtain the canary value by searching the program's binary. If /dev/urandom exists the random number is taken from there; otherwise it is derived by encoding the current time. Its randomness is sufficient to prevent most prediction attacks. The Immunix system is Red Hat Linux compiled with StackGuard. The protection provided by StackGuard is not absolute security, however; the limitation can be bypassed by overwriting a function pointer, which may be the address of the exit() or _exit() system call, the GOT, etc.
StackGuard official link: http://immunix.org/

◆ StackShield
StackShield uses a different technique. Its approach is to create a separate stack used to store copies of function return addresses. It adds a piece of code at the beginning and end of each protected function: the code at the beginning copies the function's return address to the special table, and the code at the end copies the return address back from the table. The function's execution flow therefore cannot be changed, and it always returns to the calling function. The new version adds some new protection measures: when a function pointer is called, execution of the function is terminated if the pointer points outside the text segment. StackShield cannot defend against the single-byte overflow that only overwrites %EBP, and the restriction can also be bypassed by overwriting other ELF structures.
www.angelfire.com/sk/stackshield/download.html

------------------
II. Library function link protection
------------------

◆ FormatGuard
FormatGuard is a glibc patch released under the GPL. It uses special cpp (GCC preprocessor) macros to replace the original *printf() functions with versions that count their parameters: it compares the number of format directives with the number of actual parameters passed to *printf(), and if the number of directives is greater than the number of actual parameters it is judged an attack, a message is sent to syslogd and the process is terminated. If the vulnerable program calls a library other than glibc, FormatGuard cannot protect it.
www.immunix.org

◆ libsafe
libsafe is a dynamic link library loaded before the standard C library. It mainly reinforces the functions that easily cause security problems, such as gets(), strcpy(), strcat(), sprintf() ... etc. It is designed to block only attacks of the stack smashing && format string type. Alert7 has also written an article on how to bypass libsafe's protection.
http://www.research.avayalabs.com/project/libsafe/

--------------
III. Non-executable stack
--------------

◆ Solar Designer's non-exec kernel patch
As can be seen from the name, this is a kernel patch for Linux. Its most important feature is the non-executable user stack. Because the x86 CPU has no execute bit on pages, the patch separates the data segment from the code segment by reducing the virtual address limit of the code segment. When the program's execution flow returns into the user stack space below 0xC0000000, it is treated as a buffer overflow attack, a general protection exception is generated and the process is terminated. This invalidates shellcode placed in a buffer or in environment variables (both in the stack segment). Of course the security is not absolute; the method of breaking this patch by returning into a library function through the PLT has been described in detail.
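The FormatGuard rule from section II above (refuse to format when the directive count exceeds the argument count), as an added example that is not FormatGuard's own code: a directive counter that handles "%%" and "*" widths, a guarded printf, and an argument-counting cpp macro of the same kind the patch uses. The names count_directives, guarded_printf_n and guarded_printf, and the hostile sample input, are constructed for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the conversion directives in a printf-style format string.
 * "%%" is a literal percent and consumes no argument; each "*" used as a
 * width or precision consumes one extra argument. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                     /* "%%" */
            continue;
        /* skip flags, width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) {
            if (*p == '*')
                n++;
            p++;
        }
        if (*p == '\0')                    /* truncated directive at end */
            break;
        n++;                               /* the conversion itself */
    }
    return n;
}

/* FormatGuard's rule: if the format asks for more arguments than the caller
 * supplied, treat it as an attack, report it and refuse to format
 * (the real patch also logs to syslogd and aborts the process). */
int guarded_printf_n(int nargs, const char *fmt, ...)
{
    int need = count_directives(fmt);
    if (need > nargs) {
        fprintf(stderr, "format string attack blocked: %d directives, %d args\n", need, nargs);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int written = vprintf(fmt, ap);
    va_end(ap);
    return written;
}

/* cpp argument counter (1 to 4 arguments), so call sites need no manual count */
#define ARGC(...)  ARGC_(__VA_ARGS__, 4, 3, 2, 1, 0)
#define ARGC_(a1, a2, a3, a4, N, ...) N
#define guarded_printf(fmt, ...) guarded_printf_n(ARGC(__VA_ARGS__), fmt, __VA_ARGS__)

int main(void)
{
    const char *user_input = "%x %x %x %n";   /* constructed hostile input */
    guarded_printf("hello %s\n", "world");    /* 1 directive, 1 argument: printed */
    guarded_printf(user_input, "ignored");    /* 4 directives, 1 argument: blocked */
    return 0;
}
```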
It also has some other features: mapping dynamic link libraries at low addresses (starting from 0x00), restrictions on symbolic link attacks, restrictions on the /tmp directory, restrictions on the /proc directory, hardening of the execve system call, etc.
www.openwall.com

◆ Solaris/SPARC noexec-stack protection
Execution in the stack segment can be prohibited by removing the execute permission of the stack. The method is to add two lines to /etc/system:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
The first line forbids execution in the stack, and the second logs every attempt to run code in the stack segment. It takes effect after a reboot. All non-executable-stack protection is limited: return-to-libc and fake frame can bypass the restriction, but the non-executable stack has greatly increased the difficulty of attack.

------------------
IV. Non-executable data segment
------------------

◆ kNoX
A Linux kernel patch. Functions: pages of the data segment cannot be executed, shared memory is revoked, the restrictions on the execve system call are strengthened, special handling of file descriptors 0, 1 and 2, /proc directory restrictions, FIFO restrictions, symbolic link restrictions. This patch is only for the 2.2 kernel.
http://isec.pl/projects/knox/knox.html

◆ RSX
A Linux kernel module; the data segments (stack, heap) are not executable.
http://www.starzetz.com/software/rsx/

◆ Exec-Shield
Exec-Shield tracks, inside the kernel, the highest virtual address of the executable mappings in the process image; this maximum executable virtual address is called the "executable limit". Every time the scheduler switches to the process, this value is used to update the code segment descriptor written into the GDT. Exec-Shield tracks each application dynamically, so each running program has a different "executable limit". Because the executable limit is usually a very low virtual address, the stack, the space mapped by mmap() outside the executable image and the space allocated by malloc() all lie above the executable limit and are therefore not executable. Of course, Exec-Shield cannot defend against attacks into the low 16M address space or return-to-libc attacks, but it can still block the vast majority of attacks that place shellcode in the data segment.
http://redhat.com/~mingo/exec-shield/

---------------------------------
V. Enhanced buffer overflow protection and kernel MAC
---------------------------------

◆ OpenBSD security features
OpenBSD, Hardened Gentoo, Adamantix and SELinux are operating systems with very high default security. OpenBSD's code passes through auditing and has very few vulnerabilities. It likewise has many security features:
* use of strlcpy() and strlcat() to replace the original dangerous functions
* memory protection: W^X, read-only data segment, page protection, mmap() random mapping, malloc() random mapping, atexit() and stdio protection
* privilege separation
* privilege revocation
* BSD chroot jail
* many other features
Among these, W^X covers a lot of ground: the stack, random mmap() mapping, read-only GOT/PLT/.ctor/.dtor, etc. Although in theory OpenBSD cannot block all types of attacks, many attack methods have been blocked.
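The strlcpy()/strlcat() replacement for the dangerous string functions listed above, as an added example that is not OpenBSD's code: bounded copy and append following the strlcpy return-value convention, used to detect truncation where strcpy()/strcat() would overflow. The names my_strlcpy, my_strlcat, build_entry and entry_buf and the sample inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy() semantics: copy at most size-1 bytes, always NUL-terminate when
 * size > 0, and return strlen(src) so the caller can detect truncation with
 * "ret >= size". Re-implemented here for illustration (not OpenBSD's code). */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat() semantics: append, bounded by the total buffer size, and return
 * the length the result would have had without truncation. */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)                 /* dst not terminated within size */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* Build "user:home" into a fixed buffer. Returns 1 on success, 0 when the
 * result did not fit; the strcpy()/strcat() version of the same code would
 * silently write past the end of buf instead. */
int build_entry(char *buf, size_t size, const char *user, const char *home)
{
    if (my_strlcpy(buf, user, size) >= size)
        return 0;
    if (my_strlcat(buf, ":", size) >= size)
        return 0;
    return my_strlcat(buf, home, size) < size;
}

char entry_buf[16];                     /* deliberately small target buffer */

int main(void)
{
    /* constructed sample inputs: the second one is too long for entry_buf */
    printf("%d %s\n", build_entry(entry_buf, sizeof entry_buf, "root", "/root"), entry_buf);
    printf("%d %s\n", build_entry(entry_buf, sizeof entry_buf, "alice", "/home/alice/projects"), entry_buf);
    return 0;
}
```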
◆ PaX
PaX is a very BT thing; it seems to have been born to be the dead end of the buffer overflow, severely examining every attack method and blocking it:
* non-executable data segments based on x86 segment memory management
* non-executable data segments based on page memory management
* read-only kernel {
  - const structures read-only
  - system call table read-only
  - interrupt descriptor table (IDT) read-only
  - global descriptor table (GDT) read-only
  - data pages read-only
  - this feature cannot coexist with normal LKM functionality
}
* full address space random mapping {
  - random mapping of the kernel stack on every system call
  - random user stack mapping
  - random ELF image mapping
  - random mapping of the brk()-allocated heap
  - random mapping of the mmap()-managed heap
  - random dynamic link library mapping
}
* mapping dynamic link libraries at the low 0x00 addresses, and other features
By the way, mention should be made of the article <> in Phrack 58. This masterpiece uses the fake frame and dl-resolve() techniques to break through several of PaX's protections and is probably the most advanced exploit technology at the *nix application layer. Nergal solved a few problems: non-executable stack/heap/BSS and random mmap mappings. Evidently even this advanced technology still cannot break through PaX, so on a Linux running the full version of PaX, if you want to start a buffer overflow, there is no chance!!!
PaX Team
http://pax.grsecurity.net
◆ GrSecurity
GrSec contains PaX (even more BT?? sweat~) and LIDS; GrSec supports kernel MAC (Mandatory Access Control),
with many other features; please refer to http://grsecurity.net/features.php
Www.grsecurity.net
------------------
VI. Hardware-level protection
------------------
The x86 CPU uses the 4GB flat mode, the linear addresses of the data segment and the code segment overlap, and a page can be executed as long as it is readable, so many of the kernel patches mentioned above have to design various methods to make data segments non-executable. Now Alpha, PPC, PA-RISC, SPARC, SPARC64, AMD64 and IA64 all have a per-page execute bit. The page execute bit added by Intel and AMD is called the NX security technology; Windows XP SP2 and Linux kernel 2.6 support NX. Although this hardware-level page protection is not as strong as PaX, hardware-level support undoubtedly increases compatibility with software and operating systems, which can make buffer overflow protection popular.
------------
Conclusion
------------
Safety and ease of use always stand on opposite sides. The protection technologies mentioned above all cause a small amount of performance loss, and their designers have already optimized their work from the performance point of view. However, people are more concerned about compatibility. Maybe you will find that you cannot see these things on those production-grade boxes. Yes, besides security people hope for one more thing, that there are no errors, that is, stable operation; using these additional protections causes psychological misgivings. I believe that with the popularity of NX and the maturing of the protection technology itself, these issues will be resolved.
Maybe you often see articles like this one telling how advanced exploit technology breaks through buffer overflow protection. In fact, much of that content is only suitable as teaching material, or the technology itself is still in the research phase. In actual attacks, high-level bypass technology usually needs to meet some conditions; it is not a simple matter of adding a few flourishes to lengthen the exploit code to achieve the goal. On a system using buffer overflow protection, the attack becomes very difficult and sometimes impossible, especially when the necessary ELF symbol addresses cannot be obtained accurately from a remote host; many techniques then remain on paper.
Using a patch like PaX and iptables rules combined with kernel MAC, getting a shell by intrusion is almost impossible. Unfortunately I have no money to put a Linux box on the Internet and let people have fun with it, ha~
Today, when the buffer overflow has not yet become history, it is time to remember it. This is certainly not a pessimistic argument: the dying of old technology must be accompanied by the birth of new technology. If there were no evil hackers, what would we sit in front of the computer for? If so, I would open a small supermarket with silly billy and tell adam why they don't do it either.. Let those people who don't know how to do security get on with it ~~
PST,
PH4NT0M Security Team
http://www.ph4nt0m.org
A group of unrestrained young people; although most of them work in network security, they gathered together out of admiration for the Black Hat.
REFERENCE:
Various papers & sources freely available on the Internet, most of them listed above.