No eXecute (NX Bit) | Data Execution Prevention (DEP)
Makes certain areas of memory non-executable and makes the executable area non-writable.
The data, stack and heap segments are made non-executable, while the text segment is made non-writable.
Disable: -z execstack
Bypass: return-to-libc (the return address is overwritten with the address of a particular libc function)
Chained return-to-libc
Stack Canaries/Cookies
Address Space Layout Randomization (ASLR)
Randomizes the program base address, stack address, heap address and library addresses.
Check whether it is enabled: cat /proc/sys/kernel/randomize_va_space
0: ASLR disabled
1: randomize the stack base address, shared libraries (.so / libraries) and the mmap base address
2: in addition to 1, also randomize the heap base address (chunk)
Change it: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
PIE
Enabled via a gcc compiler option.
Relocation Read-Only (RELRO)
Partial RELRO
Full RELRO
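The NX, RELRO and PIE settings above are all recorded in the ELF headers, so a defender can audit a binary without running it. The following is an added example, not from the original notes: it reads the PT_GNU_STACK flags (NX / -z execstack), PT_GNU_RELRO plus BIND_NOW in .dynamic (partial vs. full RELRO) and the ELF type (PIE) from a little-endian ELF64 image, and includes a constructed minimal-ELF builder (the `build_elf64` helper is an assumption for testing, not a real tool) so it runs offline.

```python
import struct
ET_DYN, PF_X = 3, 0x1                                            # constants from <elf.h>
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf64_protections(data):
    """Report NX, RELRO and PIE status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro, bind_now = None, False, False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # -z execstack sets PF_X on this header
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:    # -z relro: GOT is remapped read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:      # -z now shows up as BIND_NOW / DF_1_NOW in .dynamic
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL: break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "nx": stack_flags is not None and not stack_flags & PF_X,  # no header => exec stack
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "pie": e_type == ET_DYN,  # ET_DYN main executable = position independent
    }

def build_elf64(e_type, stack_flags=None, relro=False, dyn_tags=None):
    """Constructed test input: a minimal ELF64 image holding only the headers above."""
    dyn = b""
    if dyn_tags is not None:
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0))
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    if dyn:
        phdrs.append((PT_DYNAMIC, 6, 64 + 56 * (len(phdrs) + 1), len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, n, n, 8) for t, f, o, n in phdrs)
    return ehdr + body + dyn
```

On a real binary, pass `open(path, "rb").read()` to `elf64_protections`; the result should agree with `readelf -lW` (GNU_STACK / GNU_RELRO) and `readelf -dW` (BIND_NOW / FLAGS_1 NOW).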
FORTIFY
Used to check for buffer overflow errors.
gcc -D_FORTIFY_SOURCE=1 (requires -O1 or higher): checks are added at compile time only (the relevant headers must be included, e.g. #include <string.h>)
gcc -D_FORTIFY_SOURCE=2 (requires -O2 or higher): additionally checks at run time (a detected buffer overflow terminates the program)
Effect on format strings:
- A format string containing %n must not be located at a writable address in program memory.
- When positional parameters are used, every parameter within the range must be used; so to use %7$x you must also use 1, 2, 3, 4, 5 and 6.