How to Prevent buffer overflow attacks in Linux

Source: Internet
Author: User

Although there are only a few Linux viruses, attacks based on buffer overflow still surprise many Linux users. What was "the first Linux virus in the world"? Strictly speaking, Reman is not a real virus. In essence it is an old kind of "buffer overflow" attack program, of which there have long been examples on Linux/Unix (as well as on Windows and other systems). Reman is just a very common, automated buffer overflow program, but even so it caused a lot of panic in the Linux world.

The buffer overflow vulnerability has plagued security experts for more than 30 years. In short, it is a memory error in software caused by the programming mechanism. Such memory errors allow attackers to run malicious code that disrupts normal system operation and can even gain control of the entire system.

  Linux system features

A buffer overflow is used to rewrite memory contents and the return address of a function so as to change the code execution flow, but this is only effective within a certain range of permissions. Because a running process carries the login permissions and identity of the current user, a buffer overflow triggered by that user cannot by itself break through the permission settings the system imposes on that user. Therefore, although a program can be made to execute other specified code by means of a buffer overflow, the executed code only has that program's permissions and cannot complete tasks beyond them.

However, some features of Linux (and Unix) systems can be exploited to break through this permission limit, so that higher or even full permissions can be obtained through a buffer overflow. This shows up mainly in the following two aspects:

1. Linux (and Unix) systems allow other users to execute an executable file with the file owner's identity by setting its SUID or SGID property. If an executable file is owned by root, has the SUID bit set, and contains an exploitable buffer overflow vulnerability, the overflow can be used to execute specially arranged code as root. Since code with root permission can be executed and a Shell with root permission can be spawned, the entire system is at risk of being controlled.

2. Many daemons in Linux (and Unix) run with root permission. If such a program has an exploitable buffer overflow, arranged code can be executed directly as root without the SUID or SGID attribute of the program being involved at all. This makes it even easier to gain control of the system.
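As an added illustration of the system-side mitigation for both points above (example code written for this page, not from the original article): a SUID or SGID program can give up root before it touches any untrusted input, so that a later memory error executes only with the invoking user's permissions rather than root's. The function name drop_privileges_permanently is this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to the real (invoking) user's identity. Call this as
 * early as possible in a SUID/SGID program, before parsing untrusted input,
 * so that a later buffer overflow runs with the user's rights, not root's.
 * Returns 0 on success, -1 if a step fails or root can still be regained. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();   /* the user who actually ran the program */
    gid_t rgid = getgid();

    /* Group first: once we are no longer root, setgid() could fail. */
    if (setgid(rgid) != 0)
        return -1;
    /* When called as root, setuid() sets the real, effective and saved UID
     * together, so the process cannot later call setuid(0) to climb back. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the effective identities really changed. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If we started out privileged, regaining root must now fail. (When
     * started unprivileged, ruid is already ours and the drop is a no-op.) */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "failed to drop privileges\n");
        return 1;
    }
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    /* Only now read untrusted input, open files, and so on. */
    return 0;
}
```

Whether the process was started as root or as an ordinary user, a successful return guarantees that the effective UID equals the real UID for the rest of the run.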

With the development of modern network technology and the deepening of network applications, the remote login, remote call and remote execution mechanisms provided by computer networks have become necessary. This gives an anonymous Internet user the opportunity to exploit a buffer overflow vulnerability to gain partial or full control of a system. In fact, attacks that use a buffer overflow vulnerability as their means account for the vast majority of remote network attacks, which poses an extremely serious security threat to Linux systems.

  Channel Analysis

Generally, attackers first attack a program running as root, then use the memory error that occurs when the buffer overflows to execute code similar to "exec(sh)" and obtain a root Shell. To obtain a Shell with root permission, attackers need to do the following:

1. Arrange specific code in the address space of the program. There are generally two methods of placing attack code in the address space of the attacked program.

2. By suitably initializing registers and memory, cause the program, when the buffer overflows, not to return to its original execution point but to jump into the prearranged address space and execute from there.

Once an attacker has found a way to change the code and control flow of the original program, the attack becomes dangerous.

  Preventive Measures

The threat of buffer overflow attacks in Linux comes from both the programming mechanism of the software and the characteristics of Linux (and Unix) systems. In fact, the root cause of buffer overflow attacks, and of computer viruses in general, is that modern computer systems follow the von Neumann "stored program" architecture, which allows programs and data alike to be loaded, copied and executed from memory. Therefore, to effectively prevent buffer overflow attacks, measures must be taken on both of these sides.
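On the programming side, as an added example (not from the original article): the unbounded copy that produces the memory error the article describes, beside a bounded copy that rejects input too large for the destination instead of writing past it. The function names greet_unsafe, copy_bounded and greet_safe and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16

/* Vulnerable pattern (shown for contrast; never called with oversized
 * input here): strcpy() copies until the source's terminating NUL, so any
 * input longer than NAME_LEN-1 bytes runs past the end of the stack buffer
 * and can reach the saved return address the article describes. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);               /* no bounds check at all */
    printf("hello %s\n", name);
}

/* Hardened form: the destination size is passed in and checked before any
 * byte is written. Oversized input is rejected rather than silently
 * truncated. Returns 0 on success, -1 when the input does not fit. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')  /* never scan past dst_len */
        n++;
    if (n == dst_len)                      /* no room for the NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;                         /* reject instead of overflow */
    printf("hello %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one fits in 15 bytes, one is 19 bytes long. */
    greet_safe("alice");
    return greet_safe("0123456789abcdefXYZ") == -1 ? 0 : 1;
}
```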
