2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the protection mechanisms against buffer overflows. Many people run into these situations in practice, so let the editor walk you through how to handle them. I hope you read it carefully and get something out of it!
Buffer overflow principle
A buffer is a region of memory where data is stored. A buffer overflow occurs when a program tries to put more data into a location in memory than the space reserved there can hold. A deliberate overflow, on the other hand, is done with intent: the attacker writes a string longer than the buffer and feeds it into a buffer of limited size. Two outcomes are possible. One is that the over-long string overwrites adjacent storage units, making the program fail and, in serious cases, crashing the system. The other is that the vulnerability can be exploited to execute arbitrary instructions and even obtain the special privileges of the system's root user.
A buffer is a contiguous block of the machine's memory while the program is running. It holds data of a given type, and problems arise with dynamically allocated variables. To avoid taking up too much memory, a program with dynamically allocated variables usually decides how much memory to allocate for them at run time. If the program puts overly long data into a dynamically allocated buffer, the buffer overflows. A buffer overflow exploit uses this overflowing data to place assembly-language code in the machine's memory, usually somewhere it will run with root privileges. A single buffer overflow is not in itself the root of the problem; but if the overflow lands in an area where commands can be run with root privileges, then once those commands run it is tantamount to handing over the machine.
The cause of a buffer overflow is that the program does not carefully check the parameters entered by the user. For example, consider the following program:
#include <string.h>

void func1(char *input)
{
    char buffer[16];
    strcpy(buffer, input);   /* no length check: input longer than the buffer overflows it */
}
The strcpy() above copies the contents of input directly into buffer, so as soon as input is longer than 16 the buffer overflows and the program misbehaves. Other standard functions with the same problem as strcpy are strcat(), sprintf(), vsprintf(), gets(), scanf(), and getc(), fgetc(), getchar() when used inside a loop.
Of course, carelessly filling the buffer until it overflows will usually only produce a Segmentation fault and will not achieve the attacker's purpose. The most common method is to craft the overflow so that the program runs a user shell, and then execute other commands through that shell. If the program is owned by root and has the suid bit set, the attacker obtains a shell with root privileges and can perform arbitrary operations on the system.
Please note that unless otherwise specified, the rest of this article assumes that the platform is a Linux system on an Intel x86 CPU. The concepts also apply to other platforms, but the programs must be modified accordingly.
CANARY (stack protection)
This option indicates whether stack protection is turned on.
Stack overflow protection is a means of mitigating buffer overflow attacks. When a function contains a buffer overflow vulnerability, the attacker can overwrite the return address on the stack so that shellcode gets executed. With stack protection enabled, a cookie value is inserted into the stack frame when the function begins executing, and just before the function actually returns the cookie is verified; if it has changed, the program is stopped. Because an attacker overwriting the return address usually overwrites the cookie as well, the stack-protection check fails and the shellcode never executes. On Linux this cookie is called the canary.
In version 4.2, gcc added the -fstack-protector and -fstack-protector-all compile options to support stack protection, and 4.9 added -fstack-protector-strong to extend the scope of protection.
Therefore you can control at compile time whether stack protection is turned on and to what extent, for example:
gcc -fno-stack-protector -o test test.c    // disable stack protection
gcc -fstack-protector -o test test.c       // enable stack protection, but only insert checks in functions whose local variables contain char arrays
gcc -fstack-protector-all -o test test.c   // enable stack protection and insert checks in all functions
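The check described above, as an added example that is not code from the original article or from gcc: a struct models the frame layout that -fstack-protector produces (local array, then canary, then saved return address), an unchecked copy runs into it, and the epilogue comparison reports whether the canary survived. The canary value and the return-slot value are constructed placeholders; a real canary is random per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame protected by -fstack-protector.
 * Added example, not code from the original article or from gcc.
 * The struct mirrors the layout the compiler creates: the canary sits
 * between the local char array and the saved return address, so any copy
 * that runs far enough to reach the return address must pass through it.
 * Copying into the whole struct with memcpy keeps the demonstration inside
 * defined behaviour; a real overflow would write past the array itself. */

#define BUF_SIZE 16
/* Constructed fixed canary. A real canary is chosen at random per process;
 * glibc also keeps its lowest byte 0 so that a leaked copy ends a C string. */
#define CANARY_VALUE 0x4f7c2a00u
/* Placeholder standing in for the saved return address (not a real address). */
#define RETURN_PLACEHOLDER 0x11111111u

struct frame {
    char     buf[BUF_SIZE];  /* local array, the overflow target */
    uint32_t canary;         /* cookie written in the prologue, checked in the epilogue */
    uint32_t saved_ret;      /* stands in for the saved return address */
};

enum frame_check { FRAME_INTACT = 0, CANARY_SMASHED = 1 };

/* Copies len bytes of input into the frame the way an unchecked strcpy
 * would, then performs the epilogue check. Returns FRAME_INTACT or
 * CANARY_SMASHED; if ret_out is non-NULL the (possibly overwritten) return
 * slot is stored there so the caller can see what the input controlled. */
int simulate_frame(const char *input, size_t len, uint32_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;            /* prologue: store the cookie */
    f.saved_ret = RETURN_PLACEHOLDER;

    if (len > sizeof f)                 /* the model has only this much "stack" */
        len = sizeof f;
    memcpy(&f, input, len);             /* the unchecked copy */

    if (ret_out)
        *ret_out = f.saved_ret;
    /* epilogue: compare the cookie with the expected value */
    return f.canary == CANARY_VALUE ? FRAME_INTACT : CANARY_SMASHED;
}

/* Convenience wrapper: simulate an input of n repeated 'A' bytes. */
int simulate_fill(size_t n, uint32_t *ret_out)
{
    char input[sizeof(struct frame) + 1];
    if (n > sizeof input)
        n = sizeof input;
    memset(input, 'A', sizeof input);
    return simulate_frame(input, n, ret_out);
}

/* Returns the value left in the return slot after an n-byte fill. */
uint32_t simulate_fill_ret(size_t n)
{
    uint32_t r = 0;
    simulate_fill(n, &r);
    return r;
}

int main(void)
{
    size_t lens[] = { 5, 16, 17, 24 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t ret;
        int r = simulate_fill(lens[i], &ret);
        printf("%2zu bytes: %s, return slot = 0x%08x\n", lens[i],
               r == FRAME_INTACT ? "frame intact" : "canary smashed, abort", ret);
    }
    return 0;
}
```

The 17-byte case is the instructive one: the copy has not reached the return slot yet, but the first byte of the canary has already changed, so the check in the epilogue catches the overwrite before the function can return to a corrupted address.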
FORTIFY
For a long time this protection mechanism was not well described in Chinese. As I understand it, like stack protection it is a newer gcc mechanism for hardening against buffer overflow attacks; because it is not widely used, it is not widely understood.
An example makes it simpler and clearer.
A simple C function with a buffer overflow:
#include <string.h>

void fun(char *s)
{
    char buf[0x100];
    strcpy(buf, s);
    /* Don't allow gcc to optimise away buf */
    asm volatile("" : "m"(buf));
}
Compiled with the parameter -U_FORTIFY_SOURCE (fortification disabled):
08048450:
    push   %ebp
    mov    %esp,%ebp
    sub    $0x118,%esp          ; reserve 0x118 bytes on the stack
    mov    0x8(%ebp),%eax       ; load the parameter s into eax
    mov    %eax,0x4(%esp)       ; pass s as the second argument
    lea    -0x108(%ebp),%eax    ; address of the buf array
    mov    %eax,(%esp)          ; pass buf as the first argument
    call   8048320              ; strcpy
    leave
    ret
Compiled with the parameter -D_FORTIFY_SOURCE=2:
08048470:
    push   %ebp
    mov    %esp,%ebp
    sub    $0x118,%esp
    movl   $0x100,0x8(%esp)     ; pass 0x100, the size of buf, as the third argument
    mov    0x8(%ebp),%eax
    mov    %eax,0x4(%esp)       ; pass s as the second argument
    lea    -0x108(%ebp),%eax
    mov    %eax,(%esp)          ; pass buf as the first argument
    call   8048370              ; the checking replacement for strcpy
    leave
    ret
We can see that gcc generates additional code: because it knows the size of the array, it replaces strcpy, memcpy, memset and similar functions with checking versions that also receive the destination size, and so prevents the buffer overflow.
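A model of that checking replacement, as an added example (not glibc's code and not from the original article): the extra size argument is the value the fortified listing pushes ($0x100 for char buf[0x100]), and the copy refuses to proceed when the source would not fit. glibc's real replacement (__strcpy_chk) aborts the process at that point; this version returns a status so the behaviour can be observed. The names checked_strcpy, CHECKED_STRCPY, fun_checked and fun_checked_len are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the size-checked copy that _FORTIFY_SOURCE substitutes
 * for strcpy when gcc knows the destination size at compile time. Added
 * example, not glibc's implementation: the real replacement (__strcpy_chk)
 * aborts on failure, whereas this version returns a status. */

enum copy_status { COPY_OK = 0, COPY_WOULD_OVERFLOW = 1 };

/* dst_size is the extra argument the fortified listing shows being pushed;
 * the unfortified strcpy call never receives it. */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;   /* count the terminating NUL */
    if (needed > dst_size)
        return COPY_WOULD_OVERFLOW;     /* the real check fails here instead of copying */
    memcpy(dst, src, needed);
    return COPY_OK;
}

/* For a local array the compiler derives the size with __builtin_object_size;
 * this macro stands in for that step. It is only correct when dst is an
 * array, not a pointer, which is also the case in which FORTIFY can help. */
#define CHECKED_STRCPY(dst, src) checked_strcpy((dst), sizeof(dst), (src))

/* The article's fun(), rewritten around the checked copy. */
int fun_checked(const char *s)
{
    char buf[0x100];
    return CHECKED_STRCPY(buf, s);
}

/* Helper: call fun_checked with a constructed string of n 'A' bytes (n < 512). */
int fun_checked_len(size_t n)
{
    char input[512];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return fun_checked(input);
}
```

A string of 0xff characters plus its NUL fits exactly into buf and is accepted; one character more is rejected. Note that the real _FORTIFY_SOURCE checks are only emitted when optimization is enabled (-O1 or higher), because the destination size is obtained through __builtin_object_size during optimization.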
NX (DEP)
NX stands for No-eXecute. The basic principle of NX (DEP) is to mark the memory pages that hold data as non-executable. When an overflow succeeds in transferring control to shellcode, the program tries to execute instructions from a data page, and the CPU raises an exception instead of executing the malicious instructions.
The gcc compiler turns NX on by default; if you need to turn it off, add the -z execstack parameter to the gcc command line.
For example:
gcc -z execstack -o test test.c
Under Windows the corresponding concept is DEP (Data Execution Prevention), and the DEP compile option is turned on by default in the latest versions of Visual Studio.
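A way to verify the NX state of a running process, as an added example that is not part of the original article: on Linux the permission column of /proc/self/maps shows whether the [stack] mapping carries the x bit that -z execstack would give it. The sample maps lines in main() are constructed, with made-up addresses; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed check for the NX property of the running process's stack
 * (added example, not from the original article). It parses the permission
 * column of /proc/self/maps and reports whether the [stack] mapping is
 * executable. Linux only. */

/* Returns 1 if a maps line has the x permission bit, 0 if not, and -1 if the
 * line does not have the expected "start-end perms ..." layout. */
int maps_line_is_exec(const char *line)
{
    char perms[8] = {0};
    if (sscanf(line, "%*s %7s", perms) != 1)
        return -1;
    return strchr(perms, 'x') != NULL;   /* perms looks like "rw-p" or "rwxp" */
}

/* Returns 1 if this process's stack is executable, 0 if it is not, and -1 if
 * /proc/self/maps is unavailable or has no [stack] entry. */
int stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]")) {
            result = maps_line_is_exec(line);
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    /* Constructed sample lines in /proc/self/maps format (addresses are made up). */
    const char *nx_line   = "7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0   [stack]";
    const char *exec_line = "7ffd1a2b0000-7ffd1a2d1000 rwxp 00000000 00:00 0   [stack]";
    printf("sample NX stack line: exec=%d\n", maps_line_is_exec(nx_line));
    printf("sample execstack line: exec=%d\n", maps_line_is_exec(exec_line));

    int live = stack_is_executable();
    printf("this process: %s\n",
           live == 1 ? "stack is executable (NX off)"
         : live == 0 ? "stack is not executable (NX on)"
         : "could not determine");
    return 0;
}
```

Building the program with the default flags prints "NX on"; rebuilding it with -z execstack flips the live result, which is a quick way to confirm that a build really has the protection it is supposed to have.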
PIE (ASLR)
In general, NX (called DEP on Windows) and address space layout randomization (ASLR) are used together.
The memory address randomization mechanism (address space layout randomization) has three settings:
0 - process address space randomization is turned off.
1 - the base addresses of mmap, the stack and the vdso page are randomized.
2 - in addition to 1, the heap is randomized as well.
It counters ret2libc-style attacks that bypass DEP. ASLR used together with DEP effectively prevents attackers from running malicious code on the stack.
Built as PIE (position-independent executable): the code is position-independent, so it can be loaded at a random base. This makes return-oriented programming (ROP) much harder to use when exploiting buffer overflows and other memory corruption defects in mobile operating systems.
The command to turn off address randomization under Linux is as follows (run as root):
sudo -s
echo 0 > /proc/sys/kernel/randomize_va_space
ASLR effect
1. Image randomization
Image randomization randomizes the virtual address at which a PE file is loaded when it is mapped into memory. The address is determined at system startup and changes after a reboot.
2. Stack randomization
The stack base address is chosen at random when the program runs. Unlike image randomization, it is determined not at system startup but each time the program is started, so the stack base address differs between any two runs of the same program.
3. Randomization of PEB and TEB
Since XP SP2, Microsoft no longer uses the fixed PEB base address 0x7FFDF000 and TEB base address 0x7FFDE000, but random base addresses instead.
The TEB address is found at FS:0 and FS:[0x18], and the PEB address is stored at offset 0x30 in the TEB.
RELRO
Makes the symbol relocation table read-only, or resolves and binds all dynamic symbols when the program starts, which reduces attacks on the GOT (Global Offset Table).
This is the end of "what is the protection mechanism of buffer overflow". Thank you for reading. If you want to learn more about the industry, follow this website; the editor will keep producing high-quality practical articles for you!
© 2024 shulou.com SLNews company. All rights reserved.