How to Prevent buffer overflow attacks in Linux

Article Title: How to Prevent buffer overflow attacks in Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Although there are only a few Linux viruses, attacks based on Buffer Overflow still surprise many Linux users. What is "the first Linux virus in the world "?? Reman, strictly speaking, is not a real virus. It is essentially an old one in Linux/Unix (including Windows and other systems) there are already "buffer overflow" attack programs in the world. Reman is just a very common and automated Buffer Overflow program, but even so, it has caused a lot of panic in the Linux World.

The buffer overflow vulnerability has plagued security experts for more than 30 years. In short, it is a memory error in the software caused by the programming mechanism. Such memory errors allow hackers to run malicious code to disrupt normal system operation and even gain control of the entire system.

Linux system features

The buffer overflow is used to rewrite the memory content and the return address of the function, so as to change the code execution flow, which can only be valid within a certain range of permissions. Because the running of the process is related to the login permission and identity of the current user, it is impossible to break through the system's permission settings for the current user to create a buffer overflow. Therefore, although a program can execute other specified code by using buffer overflow, the executed Code only has specific permissions and cannot complete tasks beyond permissions.

However, some features of Linux (including Unix) systems can be exploited to break through the limitations of such permissions, so that higher or even full permissions can be obtained by using buffer overflow. It is mainly reflected in the following two aspects:

1. the Linux (including Unix) system allows other users to execute an executable file by setting its property as SUID or SGID. If the property of the executable file is root and the file property is set to SUID, the executable file has the available Buffer Overflow Vulnerability, it can be used to execute specific and specially arranged code as root. Since a code with root permission can be executed and a Shell with root permission can be generated, the risk of controlling the entire system is raised.

2. Many daemon in Linux (including Unix) run with the root permission. If the program has a buffer overflow that can be exploited, it can directly execute the code in another arrangement as root without modifying the SUID or SGID attribute of the program. This makes it easier to gain control of the system.

With the development of modern network technology and the deepening of network applications, the remote login mechanism, remote call and execution mechanism provided by computer networks are necessary. This gives an anonymous Internet user the opportunity to exploit the buffer overflow vulnerability to gain partial or full control of a system. In fact, attacks that take the buffer overflow vulnerability as the attack means account for the vast majority of remote network attacks, which poses an extremely serious security threat to the Linux system.

Channel Analysis

Generally, attackers will first attack the root program, and then execute code similar to "exec (sh)" by using memory errors that occur during buffer overflow to obtain a root Shell. to obtain the root permission of the Shell, attackers need to do the following:

1. Arrange specific code in the address space of the program. The following two methods are generally used to arrange attack code in the address space of the attacked program.

2. By properly initializing registers and memory, the program cannot return to the original execution place in case of buffer overflow, but jumps to the scheduled address space for execution.

When an attacker finds a way to change the code and process of the original program, the attack is dangerous.

Preventive Measures

The buffer overflow attack threats in Linux come from both the programming mechanism of software and the characteristics of Linux (and Unix) systems. In fact, the root cause of buffer overflow attacks and various computer viruses is that modern computer systems use Feng? How noriman "storage Program" works. This basic principle allows programs and data to be reproduced, copied, and executed in the memory. Therefore, to effectively prevent buffer overflow attacks, we should take two steps under these two sides.

Ensure correct and secure code

The root cause of the buffer overflow attack is the programming mechanism. Therefore, to prevent buffer overflow, you must first ensure the correctness of the code of Programs (including system software and application software) running on Linux, avoid variables, buffer size, and boundary in the program. For example, you can use the grep tool to search for library calls that are prone to vulnerabilities in the source code, check the variable size, array boundary, and protect pointer variables, and use the C compiler with the boundary and size detection functions.

Set the system based on certain security policies

When attackers attack a Linux system, they must first make necessary knowledge of the system to be attacked, such as version information, and then use some system settings to directly or indirectly obtain control. Therefore, the second aspect to prevent buffer overflow attacks is to implement effective security policies for system settings. There are many different types of policies. Due to limited space, only a few typical measures are listed:

(1) When the Telnet service is installed, manually rewrite the Telnet settings in the "/etc/inetd. conf" file so that remote login users cannot see the system prompts. The specific method is to rewrite the Telnet settings:

Telnet stream tcp nowait root/usr/sbin/tcpd/in. telnetd-h

The "-h" parameter can be added at the end to prevent the daemon from displaying any system information. Only the logon prompt is displayed.

(2) rewrite the "rc. local" file. By default, When you log on to Linux, the system runs rc. the local file displays the name, version number, kernel version, and server name of the Linux release version, which exposes a large amount of system information. Comment out the code that displays the information in the rc. local file so that the system does not display the information.

One way is to add "#" before the code line that displays the information:

...... # Echo "">/etc/issue # echo "$ R">/etc/issue # echo "Kernel $ (uname-r) on $ a $ (uname-m) ">/etc/issue # echo>/etc/issue ......

Another method is to delete the files/etc/issue.net and issue that save the system information. These two files are used to provide users with relevant information during Remote logon and local logon respectively. When deleting these two files, you still need to complete the annotation work in method 1. Otherwise, the system will automatically generate the two files at startup.

(3) the finger service is prohibited. In Linux, use the finger command to display the details of logged-on users on the local or remote system. The effective way to disable the finger service is to modify the file attributes and permissions (change to 600) so that only the root user can execute the command.

(4) process the "inetd. conf" file. Linux uses the inetd (super server) program to load network programs according to network requests. This program uses the "/etc/inetd. conf" file to obtain information about which Network Ports inetd listens to and which specific services are started for each port. Therefore, this file also exposes a large amount of sensitive information. To solve the problem, you can change the permission to 600 to allow only the root user access, and rewrite "/etc/inetd. the conf file will disable unnecessary service programs, and finally modify the attributes of the file so that it cannot be modified.

Summary

Buffer overflow attacks can be a common attack because the buffer overflow vulnerability is too common and easy to implement. Therefore, the buffer overflow problem has always been a problem.

Fortunately, OpenBSD adopts three effective policies to solve this security problem. I believe that in the near future, Linux users will no longer suffer from buffer overflow attacks.

Rarfile must be processed in Linux. Rarfile. You need to install RAR for Linux. This software can be downloaded from the Internet, but remember that it is not free. You can download RAR for Linux 3.2.0 from http://www.onlinedown.net/sort/125_1.htm, and then run the following command to install it:

# Tar-xzpvf rarlinux-3.2.0.tar.gz

# Cd rar

# Make

After installation, there will be the rar and unrar programs, rar is the compression program, and unrar is the decompression program. They have many Parameter options. Here we will only give a brief introduction and give examples to illustrate their usage:

# Rar a all *. mp3

This command sets all. Mp3's file is compressed into a rarpackage named all.rar. This program will. The rar extension will be automatically appended to the package name.

# Unrar e all.rar

This command decompress all files in all.rar.