Prepare Linux for security attacks

In order to be able to perform simple buffer overflow attacks, Linux should be stripped from all security mechanisms enabled by default. In this case it is the ASLR and ExecShield. The first one is address space randomization to randomize the starting address of heap and stack. In order a buffer overflow to be successful, guessing the address is essential. The ExecShield is a protection mechanism that disallows executing any code that is stored in the stack.

ASLR:

sudo echo 0 > /proc/sys/kernel/randomize_va_space

or, in oder to have it permanently on every reboot, just add the following lines in /etc/sysctl.conf

kernel.randomize_va_space = 1

ExecShield (some distributions for example Debian, have it disabled by default):

kernel.exec-shield = 1

In some linux distributions, we should be cereful to avoid the stack smashing. GCC uses protection such that it emit extra code to check for buffer overflows. Taken directly from the GCC documentation, having the option -fstack-protector enable, the compiled code will have the stack smashing protection by:

This is done by adding a guard variable to functions with vulnerable objects.
This includes functions that call alloca, and functions with buffers larger 
than 8 bytes.The guards are initialized when a function is entered and then 
checked when the function exits.  If a guard check fails, an error message 
is printed and the program exits.

To make sure that this is disabled, we compile the target programs (just for testing) with:

-fno-stack-protector
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s