Before talking about defense ------------ first briefly review the attacking between the buffer overflow: ◆ Stack smashing "does not check the length of the input buffer, causing the array of off-bounds, overlay in the stack The stack pointer% EBP and function returns the address Retdr above the variable space. When the function returns to execute the RET instruction, Retadd is popped from the stack. When the address of the next instruction is assigned to the% EIP register, then the execution process of the original program is changed. Our SHELLCODE. ◆ Malloc / Free Heap Corruption is the same as the traditional stack overflow, when the input beyond Malloc () pre-allocated space size, it will overwrite a storage area after this space, if This storage area has an important variable such as EUID, then I can use it to attack. The other is a typical Double-Free Pile Corruption. In the memory recycling operation, there will be a write 4 byte memory operation when the combined neighbor empty block is re-inserted in the two-way linked list. If the weakness program is not "the programming error free () The existing block, we can carefully fake this block, cover any value we want: the return address of the function, the library function .plt address, etc. ◆ Format string vulnerability If the format is customized Attackers can arbitrarily forged formats, using the characteristics of the * Printf () series function to see the contents of the stack space, and the extraordinary input can trigger the traditional buffer overflow, or with "% N" override the pointer, return the address, etc. . ◆ Integer variable overflow triggers security vulnerabilities with an integer range, symbol, etc., most shaping overflows cannot be used directly, but if the shaping variable determines the operation of memory allocation, we may indirectly use the vulnerability. ◆ Other attack methods (others) can only be considered, cannot be considered a separate category. By using the features of the ELF file format, such as: override .plt (process connection table), DTOR (destructive function pointer) ,. GOT (global offset table), Return-to-libc (return library function), etc. . ---------------- First, Compilation Protection Technology ---------------- ◆ StackGuard is usually overwriting the function return because the buffer overflows usually , StackGuard is a compiler patch that generates a "canary" value (a single word) to the front of the return address, if the function is changed, it is proved that someone is trying to make the buffer overflow Attack, the program will respond immediately, send an intrusion warning message to syslogd, and then terminate the process. "Canary" contains: NULL (0x00), Cr (0x0D), LF (0x0a), and EOF (0xFF) four characters, which should block most of the string operations, so that the overflow attack is invalid. A random number canary is generated when the program is executed. So the attacker cannot get the "canary" value by searching the binary of the program. If / dev / uraandom exists, the random number is there. Otherwise, it is obtained by coding the current time. Its randomness is sufficient to prevent most of the predictive attacks.
The Immunix system is RED HAT Linux compiled with StackGuard, but the protection provided by StackGuard is not absolute security, which can break through the limit: if you override a function pointer, may exist () or _exit () system call address, GOT, etc. StackGuard Official Links: http://immunix.org/
◆ StackShield StackShield uses another different technique. Its approach is to create a special stack used to store a copy of the function returns the address. It adds a piece of code in the beginning and end of the protected function, and the code at the beginning is used to copy the function to a special table, and the code at the end is used to copy the return address from the table. Therefore, the function execution process will not change, and will always return to the main modulation function. Some new protection measures have been added in the new version, and when an address is called, the execution of the function is terminated when the function pointer within the non-text segment is called. StackShield cannot defend only the single-byte overflow that covers the% EBP, and we can also bypass the restrictions by overwriting other ELF structures.
Www.angelfire.com/sk/stackshield/download.html
------------------ Second, the library function link protection ------------------ ◆ FormatGuard formatGuard is a GLIBC's patch, Follow the GPL, it uses a special CPP (GCC Precupler) macro to replace the original * printf () parameter statistics, which will compare the number of parameters of the * Printf, if the format is The number greater than the number of actual parameters, it is determined that the attack behavior is transmitted to the syslogd and terminates the process. If the weakness program is called the library other than glibc, formatGuard cannot protect.
www.immunix.org
◆ Libsafe libsafe is a dynamic link library that is loaded before the standard C library, mainly reinforced with Gets (), structf (), strcat (), sprintf () ... etc., Which is easy to happen, it is designed as Only attacks on the Stack Smashing && format string type. Alert7 has also written on how to bypass libsafe protection articles.
Http://www.research.avayalabs.com/project/libsafe/
-------------- Three, stacks must not be implemented -------------- ◆ Solar Designer's Nonexec Kernel Patch can see this is a Linux Nuclear patch, the most important characteristic of this patch is: User area stack is not executable [Non-Executable User Stack] Since the page (PAGE) execution BIT bit is not provided on the X86 CPU, the patch is subjected to a virtual address of the code segment. To distinguish between data segments and code segments, the program execution stream returns 0xC0000000 The following user stack space is considered to be buffer overflow attack behavior, and then generate a general protection exception and termination process. This will invalidize SHELLCODE in the buffer or environment variable (all in the stack segment). Of course, the security is not absolute, and the attack method of breaking the patch is described in detail by using the PLT return library function. There are still some other features: dynamic link librarging to address low-end (0x00 start), limit symbolic link attack, / TMP directory limit, / proc directory limit, Execve system call reinforcement, etc.
Www.openwall.com
◆ Solaris / SPARC NONEXEC-Stack Protection Can prohibit the stack segment under Solaris / SPARC, the method is prohibited from execution, the method is as follows, add two statements in / etc / system: set noexec_user_stack = 1 set noExec_user_stack_log = 1 first The strip prohibits the stack execution, the second records all activities that try to run the code in the stack segment. After Reboot, it will take effect. All remodeling protection is limited. Return-to-libc, Fake Frame can break through the limit, but the stack is not implemented by the stack has greatly improved the difficulty of attack. ------------------ Four, data segment is not available ------------------ ◆ Knox Linux kernel patch, function: The page of the data segment cannot be executed, revoked shared memory, enhances the restrictions on the EXECVE system call, the special processing of the file descriptor 0, 1, 2, / PROC directory, FIFO limit, symbolic link limit, this patch only 2.2 Kernel. Http://isec.pl/projects/knox/knox.html
◆ RSX Linux kernel module, data segment (stack, heap) is not executable.
http://www.starzetz.com/software/rsx/
◆ EXEC SHIELD EXEC-SHIELD The maximum virtual address of the executable image included from the kernel state display, the dynamic maintenance of this "Maximum value of the executable virtual address" is called "executable limit", each occurs The scheduling process will use this value to update the code segment descriptor to write GDT, Exec-Shield dynamic tracking each application, so each program runs different "executable limits" because The limit is usually a very low virtual address, so the space except the MMAP () map except STACK and the space allocated is in executable limits, so it is not performed. Of course, Exec-Shield cannot defend the attack to the low 16M address space and Return-to-libc attack, but it can still block the vast majority of attacks of the SHELLCODE in the data segment.
http://redhat.com/~mingo/exec-shield/
-------------------------------- Five, enhanced buffer overflow protection and kernel Mac ------ --------------------------- ◆ OpenBSD Security Feature OpenBSD and Hardened Gentoo, Adamantix, SELINUX is a very high-default security level . OpenBSD passes the code audit and the vulnerability is very small. Similarly, he has a lot of security features: * Use strlcpy () and strlcat () functions to replace the original hazard function * Memap protection: W ^ x, read-only data segment, page protection, mmap () random map, malloc () random map Atexit () and stdio protection, * Privilege Separation * Privilege Recycling * BSD Chroot Jail * Other Many Features where W ^ X has many content: Stack, MMAP random map, read-only GOT / PLT / .ctor / .dtor, etc. . Although theoretical OpenBSD cannot block all types of attacks, many attack methods have been blocked. ◆ Pax Pax is a very bt thing, it seems that he is born is a dead end of the buffer overflow, and he severely examines every attack method and blocks. * Data segments based on X86-segment memory management * Pages Based on page-based memory management Data segments * Core read-only {-const Structure read-only - System call table read-only - Partial Description Table (IDT) ) Read-only-global segment descriptor table (GDT) read-only-data page read-only - This feature cannot coexist with normal LKM functions} * Full address space random map {- Nuclear stack random map of each system call - User Stack Random Mapping - ALF Optical Image Random Mapping - BRK () Assignment Heap Random Mapping - MMap () Management HEAP Random Mapping - Dynamic Link Library Random Mapping} * There are also low addresses that map dynamic link libraries to 0x00 Other features here By the way, the << The Advanced Return-Into-lib (C) Exploits> written on Phrack58 is mentioned, which is mentioned in this masterpiece to break through the fake stack (Fakeframe) and DL-Resolve () technology. Several protection methods, this is possible * NIX application layer Exploit technology's most advanced technology, Nergal solves several problems: Stack / Heap / BSS is not executable, MMAP random maps, clearly this advanced technology is still unable to unconditionally Breakthrough PAX, so on a Linux running full version of Pax, you want to start buffer overflows, there is no chance! ! ! Pax Team Http: //pax.grsecurity.net
◆ GrSecurity GRSEC contains Pax (this more BT ?? Khan ~), and LIDS, GRSEC supports kernel Mac (Madatory Access Control, forced access control), has a lot of features, see http://grsecurity.net/features .php
Www.grsecurity.net
------------------ 6, hardware level protection ------------------ x86 CPU is 4GB flat mode, The linear address of the data segment and the code segment is overlapping. The page can be executed as long as readable, so many kernel patches mentioned above have designed various methods to make data segments. Both Alpha, PPC, PA-RISC, SPARC, SPARC64, AMD64, and IA64 are now available for page execution BIT bit. Intel and AMD new page execution ratios are called NX security technology, Windows XP SP2 and Linux Kernel 2.6 support NX, although this hardware-level page protection is not as strong as PAX, but the hardware level support has undoubtedly increased software And the compatibility of the operating system, it is possible to get the protection of the buffer overflow. -------- CONCLUSION ---------- Safety and ease of use Always stand on the opposite side, the protection technology mentioned above can cause a small amount of performance loss, the designers already Optimize their work from the perspective of performance. However, people are more concerned about compatibility. Maybe you will find these things at all, yes, another safety of people want to have errors, that is, stable operation, use these Additional protection will cause psychological disappointment, I believe that with the popularity of NX and the development of the protection technology itself will be resolved. Maybe you often see such an article telling how to break through the advanced Exploit technology of buffer overflow protection. In fact, many content is only suitable as teaching, or the technology itself is still in the research phase, in actual attacks, using advanced BYPASS Techniques usually need to meet some conditions, not simply spending the length of the exploit code to achieve the purpose, and the attack will become very difficult to use the buffer overflow protection, and sometimes it is impossible, especially Many technologies will turn into paper. Use a patch similar to PAX, iptables rules, combined with kernel Mac, want to invade shell almost impossible, but unfortunately no money, don't put a Linux box on the Internet beta, let the people to play, ha ~ In the buffer overflow, it has not yet become a history today. It is always remembered. This is certainly not pessimistic, and the dying of the old technology must be with the birth of new technologies. If there is no evil hacking, what do we sit in front of the computer? ? If so, I will open a small supermarket with silly billy, and tell adam, why they don't do it. . Let those who don't know how to do safety, I will blow it ~~ PST, ph4NT0M security teamhttp: //www.ph4nt0m.org
A group of unfained young people, although most of the network security work, they are gathered together because of advocating Black Hat. Reference: Various Paper & Source Free from Internet, Most of Them WERE LISTED ABOVE.
