***NX/DEP FLAG = -z execstack / -z noexecstack----------------------------------
You can check the flags of the GNU_STACK program header to tell whether the binary was built with a non-executable stack (NX/DEP). Below is the output of the following command for a build with NX and one without: a flags value of RW means the stack is not executable (NX enabled, the toolchain default), while RWE means the stack is executable (NX disabled, e.g. linked with -z execstack). If the GNU_STACK header is missing altogether, the kernel falls back to its architecture default, which on x86 is an executable stack.
#readelf -W -l uaf | grep GNU_STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
***CANARY Check = -fstack-protector / -fstack-protector-all / -fstack-protector-strong / -fno-stack-protector-------------
To identify canary protection, look for the "__stack_chk_fail" function in the symbol table of the ELF executable: the compiler emits a call to it in the epilogue of every protected function, so an imported __stack_chk_fail means at least one function was instrumented (it does not tell you which ones). Plain -fstack-protector only instruments functions that contain a character array of at least 8 bytes; -fstack-protector-all instruments every function at a noticeable performance cost; -fstack-protector-strong, contributed by Google engineers, sits between the two and covers every function with a local array or an address-taken local, without the overhead of the "all" switch.
If you are interested in 'strong' flag you can find the details here http://tinyurl.com/nk4c7wu .
#readelf -s stack4 | grep stack
5: 00000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (3)
40: 00000000 0 FILE LOCAL DEFAULT ABS stack4.c
61: 00000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@@GLIBC_2
***FORTIFY_SOURCE flag = -D_FORTIFY_SOURCE=0,1,2,3---------------------------------
This flag uses the compiler built-in __builtin_object_size() to learn the size of the destination buffer at compile time and replaces calls to the string and memory functions listed below with checked variants (__memcpy_chk, __printf_chk, ...) that abort the process at run time when a write would overflow. It only takes effect at -O1 or higher. Functions that support FORTIFY_SOURCE (among others, e.g. gets(), visible as __gets_chk in the output below):
memcpy() strcpy() strcat() sprintf() vsprintf()
memmove() strncpy() strncat() snprintf() vsnprintf()
memset() fprintf() vfprintf() printf() vprintf()
#readelf -s stack4 | grep chk
2: 00000000 0 FUNC GLOBAL DEFAULT UND __printf_chk@GLIBC_2.3.4 (2)
3: 00000000 0 FUNC GLOBAL DEFAULT UND __gets_chk@GLIBC_2.3.4 (2)
51: 00000000 0 FUNC GLOBAL DEFAULT UND __printf_chk@@GLIBC_2.3.4
53: 00000000 0 FUNC GLOBAL DEFAULT UND __gets_chk@@GLIBC_2.3.4
Just keep in mind that FORTIFY_SOURCE cannot protect a call when the size of the destination buffer cannot be determined at compile time (for example a buffer reached through a pointer of unknown origin); __builtin_object_size() then returns (size_t)-1 and the call goes through unchecked.
***Full RELRO flag = -Wl,-z,relro,-z,now ---------------------------------------------
Full RELRO makes the entire GOT read-only: -z now tells the dynamic linker to resolve every symbol at load time (BIND_NOW) instead of lazily, so the whole GOT, including the PLT part (.got.plt), can be remapped read-only together with .init_array/.fini_array (.ctors/.dtors on older toolchains) and the .dynamic section. This removes the classic GOT-overwrite target for function pointer hijacking, at the cost of longer start-up time.
***Partial RELRO flag = -Wl,-z,relro
Partial RELRO remaps only the non-PLT part of the GOT (.got) and the other RELRO sections read-only after relocation, and reorders the ELF internal data sections so they precede .data and .bss. The PLT-dependent GOT (.got.plt) remains writable because lazy binding still has to fill it in at run time, so GOT overwrites are still possible.
#readelf -l stack4 | grep GNU_RELRO
GNU_RELRO 0x000f14 0x08049f14 0x08049f14 0x000ec 0x000ec R 0x1
To check for FULL RELRO, grep for BIND_NOW in the dynamic section of the executable. Newer linkers express it as the BIND_NOW bit of the (FLAGS) entry and as "Flags: NOW" under (FLAGS_1) rather than a standalone (BIND_NOW) entry, so check for both spellings.
#readelf -d stack4 | grep BIND_NOW
0x00000018 (BIND_NOW)
***Format String Protection = -Wformat / -Wformat-security----------------------
These are compile-time warnings, not a run-time protection: -Wformat checks that the arguments passed to the *printf/*scanf family match the format string, and -Wformat-security additionally warns when the format string is not a literal and no format arguments are supplied (e.g. printf(buf)), which is exactly the pattern behind format string attacks. Use -Werror=format-security to turn the warning into a build error. The resulting binary carries no marker for this flag, so it cannot be verified with readelf.
***Position Independent Executable flag = -fPIE -pie--------------------------------------
In addition to the ASLR the kernel already applies to the stack, heap and shared libraries, PIE makes the .text (and data/GOT) addresses of the executable itself random at every load, which makes ROP attacks much harder without an information leak. A PIE shows up in the ELF header as type DYN instead of EXEC; since shared libraries are DYN as well, confirm you are looking at an executable by checking for a PT_INTERP program header (readelf -l) or, on newer toolchains, the PIE flag under (FLAGS_1) in readelf -d.
#readelf -h fsp | grep 'Type: *DYN'
Type: DYN (Shared object file)
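The manual readelf | grep steps for NX, canary, FORTIFY_SOURCE, RELRO and PIE above can be scripted. The following is an added example, not code from the original post: the function names, the output strings and the choice of awk field positions (which assume GNU readelf run with -W) are mine. Each *_status function reads readelf text on stdin, so it can be fed captured output (the constructed snippets in the comments come from the outputs shown above); report runs readelf on a real binary.

```shell
#!/bin/sh
# hardening_check.sh: an added example, not code from the original post.
# Automates the readelf checks described above. Each *_status function
# reads readelf text on stdin; report() runs GNU readelf on a binary.
# Field numbers assume `readelf -W` (wide output, one line per header).

# NX: the Flg column of PT_GNU_STACK. "RW" = non-executable, "RWE" = executable.
# Constructed input, as shown in the post:
#   GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
nx_status() {
    awk '/GNU_STACK/ { seen = 1; if ($7 ~ /E/) print "NX disabled"; else print "NX enabled"; exit }
         END { if (!seen) print "NX unknown (no GNU_STACK header, kernel default applies)" }'
}

# RELRO: feed `readelf -W -l` followed by `readelf -d`. GNU_RELRO alone is
# partial; GNU_RELRO plus BIND_NOW (old style "(BIND_NOW)", new style
# "(FLAGS) BIND_NOW" or "(FLAGS_1) Flags: NOW") is full.
relro_status() {
    awk '/GNU_RELRO/ { relro = 1 }
         /BIND_NOW/ || /Flags:.*NOW/ { now = 1 }
         END { if (relro && now) print "Full RELRO"; else if (relro) print "Partial RELRO"; else print "No RELRO" }'
}

# PIE: feed `readelf -h` followed by `readelf -W -l`. Type DYN alone is
# ambiguous (shared libraries are DYN too); a PT_INTERP header marks a
# dynamically linked executable. A -static-pie binary has no PT_INTERP
# and is reported as DYN without interpreter.
pie_status() {
    awk '/^ *Type:/ && /EXEC/ { type = "EXEC" }
         /^ *Type:/ && /DYN/ { type = "DYN" }
         /INTERP/ { interp = 1 }
         END { if (type == "DYN" && interp) print "PIE enabled"; else if (type == "DYN") print "DYN without PT_INTERP (shared object or static-pie)"; else if (type == "EXEC") print "PIE disabled (EXEC)"; else print "PIE unknown" }'
}

# Canary: feed `readelf -s`. An imported __stack_chk_fail means at least one
# function got a canary (with plain -fstack-protector only those holding a
# char array of 8+ bytes), not that every function did.
canary_status() {
    awk '/__stack_chk_fail/ { found = 1 }
         END { if (found) print "Canary enabled"; else print "Canary not found" }'
}

# FORTIFY_SOURCE: feed `readelf -s`. Lists the distinct __*_chk imports;
# .dynsym and .symtab both appear in the output, so names are deduplicated.
# __stack_chk_fail does not end in _chk and is therefore not counted.
fortify_status() {
    awk '$4 == "FUNC" { split($8, a, "@"); n = a[1]
             if (n ~ /^__[a-z0-9_]+_chk$/ && !seen[n]++) names = (names == "" ? n : names " " n) }
         END { if (names == "") print "FORTIFY_SOURCE: no *_chk imports"; else print "FORTIFY_SOURCE: " names }'
}

# Run every check on a real binary (requires GNU readelf on PATH).
report() {
    bin=$1
    echo "== $bin"
    readelf -W -l "$bin" | nx_status
    { readelf -W -l "$bin"; readelf -d "$bin"; } | relro_status
    { readelf -h "$bin"; readelf -W -l "$bin"; } | pie_status
    readelf -s "$bin" | canary_status
    readelf -s "$bin" | fortify_status
}

# Usage: sh hardening_check.sh ./stack4 ./uaf
for f in "$@"; do report "$f"; done
```

The checks are deliberately split by readelf sub-command so that each one can be verified against saved output; the RELRO and PIE functions take two concatenated outputs because a single readelf view is not enough to decide either case.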
References: http://software.intel.com, http://www.trapkit.de, Coding in C++ Second Edition.