01 September 2013

GCC Security Flags


***NX/DEP FLAG  = -z execstack / -z noexecstack----------------------------------
You can check the flags of the GNU_STACK program header to identify whether a compiled binary has an NX (non-executable) stack. Here is the output of the following command for two builds: RW (no E flag) means the stack is not executable, while RWE means the stack is executable.

      #readelf -W -l uaf | grep GNU_STACK
        GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
        GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE  0x4


***CANARY Check  = -fstack-protector / -fstack-protector-all / -fstack-protector-strong / -fno-stack-protector--------------------------
To identify canary protection, look for the "__stack_chk_fail" function in the symbol table of the ELF executable: the compiler inserts a call to it in every protected function, taken when the canary has been overwritten. The "strong" variant was developed by Google engineers to avoid the performance trade-off of the "all" switch while still protecting more functions than the default.

 If you are interested in the 'strong' flag you can find the details here: http://tinyurl.com/nk4c7wu .

      #readelf -s stack4 | grep stack
         5: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
        40: 00000000     0 FILE    LOCAL  DEFAULT  ABS stack4.c
        61: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@@GLIBC_2


***FORTIFY_SOURCE  flag = -D_FORTIFY_SOURCE=0,1,2,3---------------------
This macro (it only takes effect when optimizing, -O1 or higher) makes glibc replace calls to the string and memory functions listed below with checking variants (the __*_chk functions) that use the compiler built-in __builtin_object_size() to learn the size of the destination buffer at compile time and abort the program when a call would overflow it.

Functions that support FORTIFY_SOURCE:
         memcpy()     strcpy()     strcat()     sprintf()    vsprintf()
         memmove()    strncpy()    strncat()    snprintf()   vsnprintf()
         memset()     fprintf()    vfprintf()   printf()     vprintf()

       #readelf -s stack4 | grep chk
            2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)
            3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __gets_chk@GLIBC_2.3.4 (2)
           51: 00000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@@GLIBC_2.3.4
           53: 00000000     0 FUNC    GLOBAL DEFAULT  UND __gets_chk@@GLIBC_2.3.4

Just keep in mind that FORTIFY_SOURCE cannot protect a call when the compiler cannot determine the size of the destination buffer (for example, a buffer whose size is only known at run time): such calls are left unchecked, so a clean readelf output is not proof that every copy in the program is covered.


***Full RELRO flag = -Wl,-z,relro,-z,now -------------------------------------------
Full RELRO makes the dynamic linker resolve every symbol at load time (BIND_NOW) and then remap the entire GOT read-only. With that enabled you prevent function pointer overwrites in the GOT and in the other loader-written data sections covered by the RELRO segment (.dtors, .data.rel.ro and the like).

***Partial RELRO flag = -Wl,-z,relro

Partial RELRO remaps only the non-PLT part of the GOT read-only. The PLT-dependent part (.got.plt) stays writable, because lazy binding still has to fill it in at run time.
     
     #readelf -l stack4 | grep GNU_RELRO
        GNU_RELRO      0x000f14 0x08049f14 0x08049f14 0x000ec 0x000ec R   0x1

To check for Full RELRO you should additionally grep for BIND_NOW in the dynamic section of the executable (a GNU_RELRO segment alone only proves Partial RELRO).
 
     #readelf -d stack4 | grep BIND_NOW
        0x00000018 (BIND_NOW)

***Format String Protection = -Wformat / -Wformat-security----------------------

These are compile-time warnings, not run-time protection. -Wformat checks that the arguments passed to the *printf family match the format string, and -Wformat-security additionally reports calls where the format string is not a literal and no further arguments are passed, the classic user-controlled format string bug. Use -Werror=format-security to make such calls fail the build instead of only producing a warning.

***Position Independent Executable flag = -pie--------------------------------------

In addition to the ASLR that already randomizes the stack, heap and shared libraries, PIE (compiled with -fPIE and linked with -pie) lets the kernel load the executable's own .text region at a random base address, which makes ROP attacks that rely on gadgets at fixed addresses in the main binary much harder. A PIE shows up in readelf with type DYN instead of EXEC:

     #readelf -h fsp | grep 'Type: *DYN'
       Type:                              DYN (Shared object file)
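All of the readelf checks above, collected into one script. This is an added example and not the post's own tool; it assumes binutils readelf is installed for the check() helper, and the sample readelf output it ships with is constructed from the listings in this post rather than taken from real binaries.

```python
import re
import subprocess

def readelf(path, *flags):
    """Run binutils readelf (assumed installed) on path and return its text output."""
    return subprocess.run(["readelf", "-W", *flags, path], capture_output=True, text=True).stdout

def assess(header, program_headers, dynamic, symbols):
    """Classify hardening from the text of readelf -h, -l, -d and -s, in that order."""
    report = {}
    # NX: the flags column of the GNU_STACK segment; an 'E' means an executable stack.
    stack = re.search(r"^\s*GNU_STACK\s.*$", program_headers, re.M)
    report["nx"] = None if stack is None else "E" not in stack.group(0).split()[6]
    # Canary: a protected frame calls __stack_chk_fail on mismatch, so it must be imported.
    report["canary"] = "__stack_chk_fail" in symbols
    # FORTIFY_SOURCE: checked variants such as __printf_chk replace the plain calls
    # (__stack_chk_fail does not end in _chk, so it is not counted here).
    report["fortify"] = re.search(r"__\w+_chk\b", symbols) is not None
    # RELRO: a GNU_RELRO segment is partial RELRO; full RELRO also needs BIND_NOW, which
    # newer linkers record as a FLAGS_1 "NOW" bit rather than a (BIND_NOW) tag.
    if "GNU_RELRO" not in program_headers:
        report["relro"] = "none"
    elif re.search(r"BIND_NOW|\(FLAGS_1\).*\bNOW\b", dynamic):
        report["relro"] = "full"
    else:
        report["relro"] = "partial"
    # PIE: e_type DYN plus a program interpreter; DYN without INTERP is a shared library
    # (static-pie, which also lacks an interpreter, is not distinguished here).
    is_dyn = re.search(r"^\s*Type:\s+DYN\b", header, re.M) is not None
    report["pie"] = is_dyn and "INTERP" in program_headers
    return report

def check(path):
    """Run the four readelf views against a binary on disk and assess them."""
    return assess(*(readelf(path, flag) for flag in ("-h", "-l", "-d", "-s")))

# Constructed samples modelled on the readelf output quoted in the post (not real binaries).
HARDENED = dict(
    header="  Type:                              DYN (Shared object file)\n",
    program_headers=("  INTERP         0x000154 0x08048154 0x08048154 0x00013 0x00013 R   0x1\n"
                     "  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4\n"
                     "  GNU_RELRO      0x000f14 0x08049f14 0x08049f14 0x000ec 0x000ec R   0x1\n"),
    dynamic="  0x00000018 (BIND_NOW)\n",
    symbols=("     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)\n"
             "     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)\n"))
UNHARDENED = dict(
    header="  Type:                              EXEC (Executable file)\n",
    program_headers="  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4\n",
    dynamic="",
    symbols="     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.0 (2)\n")
```

Call check("/path/to/binary") on a real file, or assess(**HARDENED) to see the report for the constructed sample.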

References: http://software.intel.com , http://www.trapkit.de , Coding in C++ Second Edition.

