Analysis of Buffer Overflow Defense Systems in Unix

Source: Internet
Author: User

Analysis of buffer overflow defenses under Unix:

I. Non-executable data segments

KNoX

A Linux kernel patch. Functions: makes the pages of the data segment non-executable, disables shared memory, tightens the restrictions on the execve() system call, treats file descriptors 0, 1 and 2 specially, and restricts the /proc directory, FIFOs and symbolic links. This patch only supports 2.2 kernels.

RSX

A Linux kernel module that makes the data segments (stack and heap) non-executable.

Exec Shield

Exec Shield tracks, in the kernel, the highest virtual address occupied by an executable mapping of each application. This dynamically maintained "highest executable virtual address" is called the executable limit. On every context switch the scheduler uses this value to update the limit of the process's code segment descriptor and writes it into the GDT. Because Exec Shield tracks each application separately, every program runs with its own executable limit. The limit is usually a very low virtual address, so the regions mapped by mmap() and the memory allocated by malloc() lie above it and therefore cannot be executed. Exec Shield cannot defend against attacks that jump into code already mapped below the limit (the low 16 MB region where libraries are placed) or against return-to-libc in general, but it still stops the great majority of attacks that place shellcode in a data segment.
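To make the non-executable data segment protection described in this section concrete, here is an added example (written for this page; it is not code from the original article or from any of the patches above). It copies a tiny machine-code stub that returns 42 into a stack buffer, into a heap buffer and into an mmap()'d page, and tries to call each one; a SIGSEGV handler reports the fault instead of letting the process crash. On a kernel with non-executable data pages the stack and heap attempts fail, while the mmap()'d page succeeds only because it is written while RW and then re-protected to RX in the W^X style, never RWX. The RET42 byte strings, the function names and the -1 fault code are this example's own choices; it assumes Linux on x86-64 or aarch64 and a binary built without an executable stack (no -z execstack).

```c
/* nx_probe.c: added example, not from the original article.
 * Shows why non-executable data pages stop shellcode placed on the stack
 * or heap, and how W^X-style code generation (write, then re-protect) still
 * lets legitimately generated code run. Linux, x86-64 or aarch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Machine code for "return 42;" (constructed for this example). */
#if defined(__x86_64__)
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                       0xc0, 0x03, 0x5f, 0xd6 };             /* ret        */
#else
#error "this example supports x86-64 and aarch64 only"
#endif

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Call `code` as a function. Returns its result, or -1 if the CPU faulted
 * because the page holding `code` is not executable. */
static int try_execute(const void *code)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int result = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_jmp, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &code, sizeof fn);   /* data pointer -> function pointer */
        result = fn();                   /* faults here if the page is NX */
    } else {
        result = -1;                     /* landed here from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* 1. Payload copied into a stack buffer, the classic overflow target. */
int run_from_stack(void)
{
    unsigned char buf[64];
    memcpy(buf, RET42, sizeof RET42);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    return try_execute(buf);
}

/* 2. Payload copied into a malloc()'d heap buffer. */
int run_from_heap(void)
{
    unsigned char *buf = malloc(64);
    int r;
    if (!buf) return -1;
    memcpy(buf, RET42, sizeof RET42);
    __builtin___clear_cache((char *)buf, (char *)buf + 64);
    r = try_execute(buf);
    free(buf);
    return r;
}

/* 3. W^X-compliant generation: write while RW, then flip to RX (never RWX). */
int run_wx_jit(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r;
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET42, sizeof RET42);
    /* Drop write before adding execute. A PaX MPROTECT kernel refuses this
     * transition for a page that was ever writable, and we then return -1. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) { munmap(page, len); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + len);
    r = try_execute(page);
    munmap(page, len);
    return r;
}

int main(void)
{
    printf("stack buffer : %d\n", run_from_stack());  /* -1 with NX data pages */
    printf("heap buffer  : %d\n", run_from_heap());   /* -1 with NX data pages */
    printf("W^X page     : %d\n", run_wx_jit());      /* 42: written RW, run as RX */
    return 0;
}
```

The first two calls are the situation the patches in this section create: the bytes are in memory, the control transfer happens, and the fetch faults. The third call is what the defense must still permit. A stricter policy, such as PaX's MPROTECT, also refuses the RW-to-RX transition, which is why run_wx_jit() reports -1 on such a kernel.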

II. Enhanced buffer overflow protection and kernel MAC

OpenBSD security features

OpenBSD, Hardened Gentoo, Adamantix and SELinux are operating systems with a high default level of security. OpenBSD's code is audited and it has very few vulnerabilities. It also has many security features:

The strlcpy() and strlcat() functions replace the original dangerous string functions such as strcpy() and strcat().

Memory protection: W^X, read-only data segments, page protection, mmap() randomization, malloc() randomization, atexit() and stdio protection.

Privilege Separation

Privilege revocation

BSD chroot jail

Many other features

Among these, W^X covers a lot of ground: the stack, random mmap() placement, read-only GOT/PLT/.ctor/.dtor sections, and so on. In theory OpenBSD cannot block every type of attack, but many attack methods have been blocked.

PaX

PaX is an extreme piece of work; it seems to have been born as the nemesis of buffer overflows. It rigorously examines every attack method and blocks each one.

Non-executable data segments implemented with x86 segmentation (PaX SEGMEXEC)

Non-executable data pages implemented with paging (PaX PAGEEXEC)

Read-only kernel pages {

- const structures read-only

- system call table read-only

- interrupt descriptor table (IDT) read-only

- GDT read-only

- data pages read-only

- this feature cannot coexist with normal loadable kernel module (LKM) functionality }

Full address-space randomization {

- randomization of the kernel stack on each system call

- user stack randomization

- random mapping of executable ELF images

- randomization of the heap allocated by brk()

- randomization of the heap managed by mmap()

- randomization of dynamic libraries }

Other features, such as mapping dynamic libraries into a low address range starting from 0x00, so that their addresses contain a NUL byte and are hard to deliver through a string-based overflow.
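The mmap() and malloc() randomization in the OpenBSD list above and the full address-space randomization in the PaX list can be checked empirically on a Linux system. The following is an added example, not code from the original article or from PaX: it spawns two fresh processes (`cat /proc/self/maps`, so every sample is a new execve()), parses each one's memory map, and reports which region bases (ELF image, brk() heap, first shared library, stack) changed between the two runs, alongside the kernel's randomize_va_space setting. The region bitmask and the struct and function names are this example's own; it assumes Linux with /proc mounted and a dynamically linked cat.

```c
/* aslr_probe.c: added example, not from the original article.
 * Compares /proc/self/maps of two freshly exec'd processes to see which
 * regions the running kernel randomizes. Linux-specific. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { REGION_IMAGE = 1, REGION_HEAP = 2, REGION_MMAP = 4, REGION_STACK = 8 };

struct layout {
    unsigned long image;   /* lowest mapping: the executable's ELF image */
    unsigned long heap;    /* [heap]: the region grown by brk()          */
    unsigned long mmap;    /* first shared object: the mmap() area       */
    unsigned long stack;   /* [stack]                                    */
};

/* Spawn `cat /proc/self/maps` and parse cat's own map. Each popen() is a
 * fresh execve(), so the kernel chooses a fresh layout every time. */
static int sample_layout(struct layout *l)
{
    FILE *f = popen("cat /proc/self/maps", "r");
    char line[512];
    int n = 0;
    if (!f) return -1;
    memset(l, 0, sizeof *l);
    while (fgets(line, sizeof line, f)) {
        unsigned long start;
        if (sscanf(line, "%lx-", &start) != 1) continue;   /* "start-end perms ..." */
        if (n++ == 0)                        l->image = start;
        else if (strstr(line, "[heap]"))     l->heap  = start;
        else if (strstr(line, "[stack]"))    l->stack = start;
        else if (!l->mmap && strstr(line, ".so")) l->mmap = start;
    }
    pclose(f);
    return n ? 0 : -1;
}

/* Bitmask of regions whose base address differed between two fresh
 * processes, or -1 if /proc could not be sampled. */
int randomized_regions(void)
{
    struct layout a, b;
    int mask = 0;
    if (sample_layout(&a) || sample_layout(&b)) return -1;
    if (a.image != b.image) mask |= REGION_IMAGE;   /* only moves for a PIE binary */
    if (a.heap  != b.heap)  mask |= REGION_HEAP;    /* needs randomize_va_space = 2 */
    if (a.mmap  != b.mmap)  mask |= REGION_MMAP;
    if (a.stack != b.stack) mask |= REGION_STACK;
    return mask;
}

/* Kernel policy: 0 = off, 1 = stack/mmap/vdso, 2 = also the brk() heap.
 * Returns -1 if the sysctl cannot be read. */
int randomize_va_space_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    int mask = randomized_regions();
    if (mask < 0) { perror("sampling /proc/self/maps"); return 1; }
    printf("kernel.randomize_va_space = %d\n", randomize_va_space_setting());
    printf("ELF image   : %s\n", mask & REGION_IMAGE ? "randomized (PIE)" : "fixed");
    printf("brk() heap  : %s\n", mask & REGION_HEAP  ? "randomized"       : "fixed");
    printf("mmap()/libs : %s\n", mask & REGION_MMAP  ? "randomized"       : "fixed");
    printf("stack       : %s\n", mask & REGION_STACK ? "randomized"       : "fixed");
    return 0;
}
```

Two things worth reading off the output: the ELF image only moves when the executable is built as position-independent code, and the brk() heap only moves at randomize_va_space = 2. That gap between the kernel's default partial randomization and the complete list above (kernel stack, user stack, ELF image, brk() heap, mmap() heap, libraries) is what the PaX randomization features close.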

Here I should also mention what Nergal wrote in Phrack 58. That masterpiece describes using fake stack frames ("fakeframe") and the dl-resolve technique to bypass several of PaX's protections; this is probably the most advanced application-level exploitation technique on *nix. Nergal solved several problems: the non-executable stack, heap and BSS, and randomized mmap() placement. Obviously, even this advanced technique cannot break PaX unconditionally. So on a Linux system running the complete PaX patch set, you may simply have no chance to launch a buffer overflow attack!

Grsecurity

Grsecurity includes PaX; like LIDS, it also supports kernel-level MAC (Mandatory Access Control).

This concludes the analysis of buffer overflow defense systems in Unix. I hope it has been useful.
