Analysis of Buffer Overflow Defenses Under Unix:
I. Non-executable data segments
KNoX
A Linux kernel patch. Functions: pages of the data segment cannot be executed, shared memory is restricted, the restrictions on the execve system call are tightened, file descriptors 0, 1 and 2 receive special handling, plus /proc directory restrictions, FIFO restrictions and symbolic link restrictions. This patch only supports the 2.2 kernel.
RSX
A Linux kernel module; the data segments (stack and heap) cannot be executed.
Exec Shield
Exec Shield tracks, from inside the kernel, the highest virtual address of any executable mapping in an application's address space; this dynamically maintained "highest executable virtual address" is called the executable limit. On every process switch the scheduler uses this value to update the code segment descriptor and writes it into the GDT. Because Exec Shield tracks each application separately, every program runs with its own executable limit. The executable limit is usually a very low virtual address, so the regions mapped by mmap() and the space allocated by malloc() lie above it and therefore cannot be executed. Of course, Exec Shield cannot defend against attacks that jump into the low 16 MB address space, nor against return-to-libc, but it still stops the vast majority of attacks that place shellcode in the data segment.
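The three mechanisms above all come down to one property: the pages an overflow can write (stack, heap, mmap'd data) are not executable, and the attacker cannot simply make them so. The following C program, an added example that is not part of the original article or of any of the projects it describes, probes that property on a running Linux process. It reads /proc/self/maps (a Linux-specific assumption) to report whether the text segment, the heap and the stack are executable, then attempts the move a shellcode exploit needs on an NX system, mprotect()ing a writable data page to PROT_EXEC; a stock kernel allows this, while a W^X or PaX MPROTECT style policy refuses it with EACCES/EPERM. The function names and the 0xC3 filler byte are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Find the /proc/self/maps entry covering addr and copy its permission
 * field (e.g. "rw-p") into out. Returns 1 if found, 0 otherwise.
 * Linux-specific: assumes /proc/self/maps is readable. */
static int perms_of(const void *addr, char *out, size_t outsz)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL)
        return 0;
    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        unsigned long start, end;
        char perms[8];
        /* Line format: "start-end perms offset dev inode path" */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if (a >= start && a < end) {
            snprintf(out, outsz, "%s", perms);
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* 1 if the mapping holding addr is executable, 0 if not, -1 if unmapped. */
int is_executable(const void *addr)
{
    char perms[8];
    if (!perms_of(addr, perms, sizeof perms))
        return -1;
    return perms[2] == 'x';
}

static void code_sample(void) { }

/* The text segment: must be executable or nothing would run at all. */
int code_is_executable(void)
{
    return is_executable((const void *)(uintptr_t)&code_sample);
}

/* The heap: where an attacker might drop shellcode through an overflowed buffer. */
int heap_is_executable(void)
{
    unsigned char *buf = malloc(4096);
    if (buf == NULL)
        return -1;
    memset(buf, 0xC3, 4096);      /* 0xC3 = x86 ret; stands in for injected code */
    int r = is_executable(buf);
    free(buf);
    return r;
}

/* The stack: the classic landing zone for a stack-smashing payload. */
int stack_is_executable(void)
{
    char buf[64];
    buf[0] = '\0';
    return is_executable(buf);
}

/* What a shellcode exploit has to do on an NX system: flip a writable data
 * page to executable. Returns 1 if the kernel allowed it (stock Linux),
 * 0 if it refused (W^X / PaX MPROTECT style policy), -1 on error. */
int try_make_data_page_executable(void)
{
    size_t sz = 4096;
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int result;
    if (mprotect(p, sz, PROT_READ | PROT_EXEC) != 0)
        result = (errno == EACCES || errno == EPERM) ? 0 : -1;
    else
        result = (is_executable(p) == 1) ? 1 : -1;
    munmap(p, sz);
    return result;
}

int main(void)
{
    printf("text segment executable : %d\n", code_is_executable());
    printf("heap executable         : %d\n", heap_is_executable());
    printf("stack executable        : %d\n", stack_is_executable());
    printf("mprotect(PROT_EXEC) on a data page allowed: %d\n",
           try_make_data_page_executable());
    return 0;
}
```

On a current Linux kernel the first three lines print 1, 0, 0, which is exactly the "data segments cannot be executed" guarantee the patches above introduced; the last line is the interesting one, because the non-executable bit alone is only as good as the process's ability to undo it, which is what PaX MPROTECT and OpenBSD's W^X take away.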
II. Enhanced buffer overflow protection and kernel MAC
OpenBSD security features
OpenBSD, Hardened Gentoo, Adamantix and SELinux are operating systems with a high default level of security. OpenBSD is code-audited and has very few vulnerabilities. It also has many security features:
The strlcpy() and strlcat() functions replace the original dangerous functions (the unbounded strcpy() and strcat()).
Memory protection: W^X, read-only data segment, page protection, mmap() randomization, malloc() randomization, atexit() and stdio protection.
Privilege Separation
Privilege revocation
BSD chroot jail
Many other features
Among these, W^X covers a great deal: the stack, mmap randomization, read-only GOT/PLT/.ctors/.dtors, and so on. In theory OpenBSD cannot block every type of attack, but many attack methods have been blocked.
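The first item in the OpenBSD list, replacing strcpy()/strcat() with strlcpy()/strlcat(), is the one a programmer applies directly, so here is an added example (not code from the article or from OpenBSD) showing the vulnerable and the hardened form side by side. Because glibc only gained strlcpy()/strlcat() in version 2.38, the example carries its own portable reimplementations, my_strlcpy() and my_strlcat(), written to the OpenBSD contract: always NUL-terminate when the buffer size is non-zero, and return the length of the string that would have been created so that a return value >= the buffer size signals truncation. The greet_* function names and the sample inputs are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Portable reimplementation of OpenBSD's strlcpy(): copy at most dsize-1
 * bytes, always NUL-terminate (if dsize > 0), return strlen(src). */
size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = (srclen < dsize - 1) ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Portable reimplementation of OpenBSD's strlcat(): append within dsize,
 * return the total length the concatenation would have had. */
size_t my_strlcat(char *dst, const char *src, size_t dsize)
{
    size_t dstlen = strnlen(dst, dsize);
    if (dstlen == dsize)            /* dst is not NUL-terminated within dsize */
        return dsize + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, dsize - dstlen);
}

/* Vulnerable form: strcpy()/strcat() know nothing about the size of name[],
 * so a user string longer than ten bytes writes past the buffer and over
 * the saved frame pointer and return address. Shown for contrast only;
 * nothing below calls it. */
void greet_unsafe(const char *user)
{
    char name[16];
    strcpy(name, "user:");
    strcat(name, user);
    puts(name);
}

/* Hardened form: bounded copies that cannot run past out[], with the return
 * values telling the caller whether the input fit.
 * Returns 0 on success, -1 if the result was truncated. */
int greet_safe(char *out, size_t outsz, const char *user)
{
    if (my_strlcpy(out, "user:", outsz) >= outsz)
        return -1;
    if (my_strlcat(out, user, outsz) >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    char name[16];
    /* Constructed inputs: one that fits, one that would have smashed the stack. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int rc;

    rc = greet_safe(name, sizeof name, ok);
    printf("%s -> rc=%d, buffer=\"%s\"\n", ok, rc, name);
    rc = greet_safe(name, sizeof name, too_long);
    printf("long input -> rc=%d, buffer=\"%s\"\n", rc, name);
    return 0;
}
```

The point of the return value convention is that truncation is not silently accepted: greet_safe() refuses the over-long name instead of either overflowing (strcpy) or quietly handing back a cut-off string, which is the failure mode strncpy() is known for.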
PaX
PaX is an extreme piece of work; it seems to have been born as the nemesis of buffer overflow. It rigorously examines every attack method and blocks it.
Non-executable data segments implemented with x86 segmentation (SEGMEXEC)
Non-executable data pages implemented with paging (PAGEEXEC)
Read-only kernel pages {
-Read-only const structures
-Read-only system call table
-Read-only interrupt descriptor table (IDT)
-Read-only GDT
-Read-only data pages
-This feature cannot coexist with normal loadable kernel module (LKM) support}
Full address space randomization {
-Randomization of the kernel stack on every system call
-User stack randomization
-Random mapping of executable ELF images
-Randomization of the brk()-allocated heap
-Randomization of the mmap()-managed heap
-Randomization of dynamic link library mappings}
Other features, such as mapping dynamic link libraries to a low address starting from 0x00
Here I should also mention what Nergal wrote in Phrack 58 <>. That masterpiece shows how the fake-frame (frame-faking) technique and the dl-resolve() technique break through several of PaX's protections; this is probably the most advanced application-layer exploit technique on *nix. Nergal solved several problems: the non-executable stack, heap and BSS, and randomized mmap mappings. Obviously, even this advanced technique cannot break through PaX unconditionally, so on a Linux running a complete PaX configuration you may have no chance to launch a buffer overflow at all!
Grsecurity
Grsecurity includes the same PaX, and like LIDS, grsec supports kernel MAC (Mandatory Access Control).
This concludes the analysis of buffer overflow defense systems under Unix. I hope you have mastered it.