Detailed explanation of PWN protection mechanism

Keywords: pwn

Explain and summarize the protection mechanism encountered in the pwn process.

Stack Canaries

Put a well written: PWN Canary learning - sarace - blog Park (cnblogs.com)

brief introduction

stack canaries are canaries from underground coal mines. They can detect gas leakage faster than miners and have the function of early warning. When this concept is applied to stack protection, a random canary value is set at the bottom of the stack when initializing a stack frame. Before the stack frame is destroyed, test whether the value is "dead", that is, whether it is changed. If it is changed, it indicates that stack overflow occurs and the program ends in another process, so as to avoid successful exploitation of vulnerabilities.

It is mainly divided into three categories: Terminator, random and random XOR. The specific implementations include StackGuard, StackShied, ProPoliced, etc.

  • terminator canaries: considering that many stack overflows are caused by improper string operations, and these strings end in NULL \x00 and are truncated by \ x00, all terminators set the low order to \ x00 to prevent disclosure and forgery. Truncated characters also include CR(0x0d),LF(0x0a), EOF(0xff). In fact, the highest position of the last part is 00, \ x00ab1245

  • random canaries: in order to prevent canaries from being guessed by attackers, canaries are usually randomly generated during program initialization and stored in a safe place.

  • random canaries XOR: in fact, there is one more XOR operation than random canaries. Whether the data of canaries or XOR is tampered, it will be detected. xor eax,DWORD PTR gs:0x14

Implementation principle

Under Linux, there is a fs register to save the thread local storage TLS. TLS is mainly used to avoid the conflict caused by multiple threads accessing the same global variable or static variable. 64 bit uses fs register, offset at 0x28. 32 bits are registered with gs, offset at 0x14. This location stores the stack_guard, i.e. reserved and Canary, is finally compared with canary in the stack to detect overflow.

The specific process is to use_ dl_random to generate stack_chk_guard, and then use THREAD_SET_STACK_GUARD to set the stack_ The lowest order of guard and canary is set to \ x00. If_ dl_random==NULL, then canary is the fixed value.

If the program does not define THREAD_SET_STACK_GUARD macro, then it will be used directly_ stack_chk_guard, which is a global variable placed in the. bss section.

TLS structure

x86 32-bit

mov    eax,gs:0x14
mov    DWORD PTR [ebp-0xc],eax

mov    eax,DWORD PTR [ebp-0xc]
xor    eax,DWORD PTR gs:0x14
je     0x80492b2 <vuln+103> # Normal function return
call   0x8049380 <__stack_chk_fail_local> # Call error handler
 High  
        Address |                 |  
                +-----------------+
                | args            |
                +-----------------+
                | return address  |
                +-----------------+
                | old ebp         |
      ebp =>    +-----------------+
                | ebx             |
    ebp-4 =>    +-----------------+
                | unknown         |
    ebp-8 =>    +-----------------+
                | canary value    |
   ebp-12 =>    +-----------------+
                | local variable         |
        Low     |                 |
        Address

64 bit

mov    rax,QWORD PTR fs:0x28
mov    QWORD PTR [rbp-0x8],rax

mov    rax,QWORD PTR [rbp-0x8]
xor    rax,QWORD PTR fs:0x28
je     0x401232 <vuln+102> # Normal function return
call   0x401040 <__stack_chk_fail@plt> # Call error handler
 High
        Address |                 |
                +-----------------+
                | args            |
                +-----------------+
                | return address  |
                +-----------------+
                | old ebp         |
      rbp =>    +-----------------+
                | canary value    |
    rbp-8 =>    +-----------------+
                | local variable         |
        Low     |                 |
        Address

experiment

Canary. C smash: smash, break, break

#include<tdio.h>
int main(){
  char buf[10];
  scanf("%s",buf);
}
gcc -fno-stack-protector canary.c -o canary_no.out
gcc -fstack-protector canary.c -o canary_pro.out

Bypass mode

  • Leak canary in memory, such as printing through format string vulnerability

  • One by one blasting, but it is generally a multithreaded program. canary does not change until a new thread is generated. The highest bit is 00.

  • Hijack_ stack_chk_fail function. If canary verification fails, this function will be performed__ stack_ chk_ The fail function is a common delay binding function, which can be hijacked by modifying the GOT table.

  • Overwrite the canary in the thread local storage TLS. The overflow size is relatively large and can be used. Modify Canary on the stack and canary in TLS at the same time

No-eXecute(NX)

brief introduction

No execute (NX) means not executable. Its principle is to identify the memory page where the data is located as not executable.

In Linux, after the program is loaded into memory, the. text section is marked as executable, the. Data. BSS section is marked as non executable, and the stack is unknown. The traditional way of modifying the GOT table is no longer feasible. However, the code reuse attack ret2libc cannot be prevented

realization

Through the compilation option, strcmp comparison is used in_ handle_option function setting link_ The execstack and noexecstack of info structure are true and false.

In BFD_ elf_ size_ dynamic_ In the sections function, according to link_info to set elf_stack_flags = PF_R | PF_W | PF_X

When NX is turned on, there are only two without PF_X.

In_ bfd_ elf_ map_ sections_ to_ In the segments function, set stuct elf_ segment_ P in map structure_ flags=elf_ stack_ flags. The compilation setting is completed.

At load time, elf is called_ load_ Binary function, according to the above p_flags to set the executable_stack=EXSTACK_ENABLE_X

Or EXSTACK_DISABLE_X

Set executable_stack pass in setup_arg_pages, through vm_flags sets the virtual memory space vma of the process.

When the program counter points to an unknowable memory page, a page error is triggered.

experiment

nx.c

#include<unistd.h>
void vuln_func(){
    char buf[128];
    read(STDIN_FILENO,buf,256);
}
int main(int argc , char*argv[]){
    vuln_func();
    write(STDOUT_FILENO,"Hello world!\n",13);
}

ASLR and PIE

brief introduction

Most attacks need to know the memory layout of the program. Introducing randomization of memory layout can increase the difficulty of vulnerability exploitation. Address space layout randomization ASLR (address space layout randomization)

ASLR /proc/sys/kernel/randomize_ va_ There are three cases of space:

ASLR Executable PLT Heap Stack Shared Libraries
0 unchanged unchanged unchanged unchanged unchanged
1 unchanged unchanged unchanged change change
2 unchanged unchanged change change change
2+pie change change change change change

PIE location independent executable is implemented on the compiler of the application layer. By compiling the program into location independent code PIC, the program can be loaded into any location, just like a special shared library. PIE can affect performance to some extent.

experiment:

#include<stdio.h>
#include<stdlib.h>
#include<dlfcn.h>
int main(){
    int stack;
    int *heap=malloc(sizeof(int));
    void *handle = dlopen("libc.so.6",RTLD_NOW | RTLD_GLOBAL);

    printf("executable:%p\n",&main);
    printf("system@plt:%p\n",&system);
    printf("heap: %p\n",heap);
    printf("stack: %p\n",&stack);
    printf("libc: %p\n",handle);
    free(heap);
    return 0;
}

cat /proc/sys/kernel/randomize_va_space
echo 0/1/2 > /proc/sys/kernel/randomize_va_space

ASLR=2 and PIE is turned on

FORTIFY_SOURCE

brief introduction

Buffer overflow often occurs when the program calls some dangerous functions, such as memcpy. When the length of the source string is greater than the destination buffer, buffer overflow will occur.

FORTIFY_SOURCE is essentially a check and replace mechanism, a security patch for GCC and glibc.

Checking the danger function and replacing it with a safety function will not have a great impact on the performance of the program. Currently, it supports memcpy, memmove, memset, strcpy, strncpy, strcat, strncat,sprintf, vsprintf, snprintf, vsnprintf, gets, etc.

realization

Buffer overflow check to secure function_ strcpy_chk() as an example, you can see that this function determines whether the source data length is greater than the destination buffer. If yes, it is called_ chk_fail(), otherwise memcpy will be called to execute normally.

Format string check to secure function_ printf_chk() as an example, for% N and% n $format strings.

experiment

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
int main(int argc, char*argv[]){
    char buf1[10],buf2[10],*s;
    int num;

    memcpy(buf1,argv[1],10);           //safe
    strcpy(buf2,"AAAABBBBC");
    printf("%s %s\n",buf1,buf2);

    memcpy(buf1,argv[2],atoi(argv[3])); //unknown
    strcpy(buf2,argv[1]);
    printf("%s %s\n",buf1,buf2);

    //memcpy(buf1,argv[1],11);         //unsafe
    //strcpy(buf2,"AAAABBBBCC");

    s=fgets(buf1,11,stdin);            //fmt unknown
    printf(buf1,&num);
}

Use GDB pwndbg to decompile main

Generate fortify0 1 2 using options 0 1 2

GDB pwndbg fortify1, you can see that the security function is replaced, but printf is not replaced.

Dump of assembler code for function main:
   0x0000000000001175 <+0>:     push   r12
   0x0000000000001177 <+2>:     push   rbp
   0x0000000000001178 <+3>:     push   rbx
   0x0000000000001179 <+4>:     sub    rsp,0x20
   0x000000000000117d <+8>:     mov    rbx,rsi
   0x0000000000001180 <+11>:    mov    rax,QWORD PTR [rsi+0x8]
   0x0000000000001184 <+15>:    mov    rdx,QWORD PTR [rax]
   0x0000000000001187 <+18>:    mov    QWORD PTR [rsp+0x16],rdx
   0x000000000000118c <+23>:    movzx  eax,WORD PTR [rax+0x8]
   0x0000000000001190 <+27>:    mov    WORD PTR [rsp+0x1e],ax
   0x0000000000001195 <+32>:    movabs rax,0x4242424241414141
   0x000000000000119f <+42>:    mov    QWORD PTR [rsp+0xc],rax
   0x00000000000011a4 <+47>:    mov    WORD PTR [rsp+0x14],0x43
   0x00000000000011ab <+54>:    lea    r12,[rsp+0xc]
   0x00000000000011b0 <+59>:    lea    rbp,[rsp+0x16]
   0x00000000000011b5 <+64>:    mov    rdx,r12
   0x00000000000011b8 <+67>:    mov    rsi,rbp
   0x00000000000011bb <+70>:    lea    rdi,[rip+0xe42]        # 0x2004
   0x00000000000011c2 <+77>:    mov    eax,0x0
   0x00000000000011c7 <+82>:    call   0x1030 <printf@plt>
   0x00000000000011cc <+87>:    mov    rdi,QWORD PTR [rbx+0x18]
   0x00000000000011d0 <+91>:    mov    edx,0xa
   0x00000000000011d5 <+96>:    mov    esi,0x0
   0x00000000000011da <+101>:   call   0x1050 <strtol@plt>
   0x00000000000011df <+106>:   movsxd rdx,eax
   0x00000000000011e2 <+109>:   mov    rsi,QWORD PTR [rbx+0x10]
   0x00000000000011e6 <+113>:   mov    ecx,0xa
   0x00000000000011eb <+118>:   mov    rdi,rbp
   0x00000000000011ee <+121>:   call   0x1040 <__memcpy_chk@plt>
   0x00000000000011f3 <+126>:   mov    rsi,QWORD PTR [rbx+0x8]
   0x00000000000011f7 <+130>:   mov    edx,0xa
   0x00000000000011fc <+135>:   mov    rdi,r12
   0x00000000000011ff <+138>:   call   0x1070 <__strcpy_chk@plt>
   0x0000000000001204 <+143>:   mov    rdx,r12
   0x0000000000001207 <+146>:   mov    rsi,rbp
   0x000000000000120a <+149>:   lea    rdi,[rip+0xdf3]        # 0x2004
   0x0000000000001211 <+156>:   mov    eax,0x0
   0x0000000000001216 <+161>:   call   0x1030 <printf@plt>
   0x000000000000121b <+166>:   mov    rsi,QWORD PTR [rbx+0x8]
   0x000000000000121f <+170>:   mov    ecx,0xa
   0x0000000000001224 <+175>:   mov    edx,0xb
   0x0000000000001229 <+180>:   mov    rdi,rbp
   0x000000000000122c <+183>:   call   0x1040 <__memcpy_chk@plt>
   0x0000000000001231 <+188>:   mov    edx,0xa
   0x0000000000001236 <+193>:   lea    rsi,[rip+0xdce]        # 0x200b
   0x000000000000123d <+200>:   mov    rdi,r12
   0x0000000000001240 <+203>:   call   0x1070 <__strcpy_chk@plt>
   0x0000000000001245 <+208>:   mov    rcx,QWORD PTR [rip+0x2e04]        # 0x4050 <stdin@GLIBC_2.2.5>
   0x000000000000124c <+215>:   mov    edx,0xb
   0x0000000000001251 <+220>:   mov    esi,0xa
   0x0000000000001256 <+225>:   mov    rdi,rbp
   0x0000000000001259 <+228>:   call   0x1060 <__fgets_chk@plt>
   0x000000000000125e <+233>:   lea    rsi,[rsp+0x8]
   0x0000000000001263 <+238>:   mov    rdi,rbp
   0x0000000000001266 <+241>:   mov    eax,0x0
   0x000000000000126b <+246>:   call   0x1030 <printf@plt>
   0x0000000000001270 <+251>:   mov    eax,0x0
   0x0000000000001275 <+256>:   add    rsp,0x20
   0x0000000000001279 <+260>:   pop    rbx
   0x000000000000127a <+261>:   pop    rbp
   0x000000000000127b <+262>:   pop    r12
   0x000000000000127d <+264>:   ret    
End of assembler dump.

GDB pwndbg fortify2 disas main, you can see that printf has also been replaced with a security function.

Dump of assembler code for function main:
   0x0000000000001175 <+0>:     push   r12
   0x0000000000001177 <+2>:     push   rbp
   0x0000000000001178 <+3>:     push   rbx
   0x0000000000001179 <+4>:     sub    rsp,0x20
   0x000000000000117d <+8>:     mov    rbx,rsi
   0x0000000000001180 <+11>:    mov    rax,QWORD PTR [rsi+0x8]
   0x0000000000001184 <+15>:    mov    rdx,QWORD PTR [rax]
   0x0000000000001187 <+18>:    mov    QWORD PTR [rsp+0x16],rdx
   0x000000000000118c <+23>:    movzx  eax,WORD PTR [rax+0x8]
   0x0000000000001190 <+27>:    mov    WORD PTR [rsp+0x1e],ax
   0x0000000000001195 <+32>:    movabs rax,0x4242424241414141
   0x000000000000119f <+42>:    mov    QWORD PTR [rsp+0xc],rax
   0x00000000000011a4 <+47>:    mov    WORD PTR [rsp+0x14],0x43
   0x00000000000011ab <+54>:    lea    r12,[rsp+0xc]
   0x00000000000011b0 <+59>:    lea    rbp,[rsp+0x16]
   0x00000000000011b5 <+64>:    mov    rcx,r12
   0x00000000000011b8 <+67>:    mov    rdx,rbp
   0x00000000000011bb <+70>:    lea    rsi,[rip+0xe42]        # 0x2004
   0x00000000000011c2 <+77>:    mov    edi,0x1
   0x00000000000011c7 <+82>:    mov    eax,0x0
   0x00000000000011cc <+87>:    call   0x1070 <__printf_chk@plt>
   0x00000000000011d1 <+92>:    mov    rdi,QWORD PTR [rbx+0x18]
   0x00000000000011d5 <+96>:    mov    edx,0xa
   0x00000000000011da <+101>:   mov    esi,0x0
   0x00000000000011df <+106>:   call   0x1040 <strtol@plt>
   0x00000000000011e4 <+111>:   movsxd rdx,eax
   0x00000000000011e7 <+114>:   mov    rsi,QWORD PTR [rbx+0x10]
   0x00000000000011eb <+118>:   mov    ecx,0xa
   0x00000000000011f0 <+123>:   mov    rdi,rbp
   0x00000000000011f3 <+126>:   call   0x1030 <__memcpy_chk@plt>
   0x00000000000011f8 <+131>:   mov    rsi,QWORD PTR [rbx+0x8]
   0x00000000000011fc <+135>:   mov    edx,0xa
   0x0000000000001201 <+140>:   mov    rdi,r12
   0x0000000000001204 <+143>:   call   0x1060 <__strcpy_chk@plt>
   0x0000000000001209 <+148>:   mov    rcx,r12
   0x000000000000120c <+151>:   mov    rdx,rbp
   0x000000000000120f <+154>:   lea    rsi,[rip+0xdee]        # 0x2004
   0x0000000000001216 <+161>:   mov    edi,0x1
   0x000000000000121b <+166>:   mov    eax,0x0
   0x0000000000001220 <+171>:   call   0x1070 <__printf_chk@plt>
   0x0000000000001225 <+176>:   mov    rsi,QWORD PTR [rbx+0x8]
   0x0000000000001229 <+180>:   mov    ecx,0xa
   0x000000000000122e <+185>:   mov    edx,0xb
   0x0000000000001233 <+190>:   mov    rdi,rbp
   0x0000000000001236 <+193>:   call   0x1030 <__memcpy_chk@plt>
   0x000000000000123b <+198>:   mov    edx,0xa
   0x0000000000001240 <+203>:   lea    rsi,[rip+0xdc4]        # 0x200b
   0x0000000000001247 <+210>:   mov    rdi,r12
   0x000000000000124a <+213>:   call   0x1060 <__strcpy_chk@plt>
   0x000000000000124f <+218>:   mov    rcx,QWORD PTR [rip+0x2dfa]        # 0x4050 <stdin@GLIBC_2.2.5>
   0x0000000000001256 <+225>:   mov    edx,0xb
   0x000000000000125b <+230>:   mov    esi,0xa
   0x0000000000001260 <+235>:   mov    rdi,rbp
   0x0000000000001263 <+238>:   call   0x1050 <__fgets_chk@plt>
   0x0000000000001268 <+243>:   lea    rdx,[rsp+0x8]
   0x000000000000126d <+248>:   mov    rsi,rbp
   0x0000000000001270 <+251>:   mov    edi,0x1
   0x0000000000001275 <+256>:   mov    eax,0x0
   0x000000000000127a <+261>:   call   0x1070 <__printf_chk@plt>
   0x000000000000127f <+266>:   mov    eax,0x0
   0x0000000000001284 <+271>:   add    rsp,0x20
   0x0000000000001288 <+275>:   pop    rbx
   0x0000000000001289 <+276>:   pop    rbp
   0x000000000000128a <+277>:   pop    r12
   0x000000000000128c <+279>:   ret    
End of assembler dump.

According to the fortify1 test result, an overflow occurred in strcpy and was detected. However, the format string vulnerability can still be used.

Using fortify2 experiment,% N and% n $were detected. And% n $needs to be continuously available after% 1$x. only one is printed in the figure below.

RELRO

brief introduction

When delay binding is enabled, symbol parsing only occurs when it is used for the first time. This process is carried out through the PLT table. After the parsing is completed, the corresponding GOT table entry will be modified to the correct function address. Therefore, in the case of delayed binding,. got.plt must be writable. An attacker can hijack the program by tampering with the address.

RELRO (relocation read only) mechanism is proposed to solve the security problem of delayed binding. Set the symbol redirection table to read-only, or resolve and bind all dynamic symbols when the program starts, so as to prevent GOT from being tampered with. There are two forms of RELRO:

  • Partial RELRO: some segments (. Dynamic,. Got, etc.) will be marked as read-only after initialization. They are enabled by default.

  • Full relro: except for Partial RELRO, delayed binding is prohibited. All imported symbols will be parsed at the beginning. The. got.plt segment will be fully initialized as the final address of the objective function and marked as read-only by mprotect. However, the. got.plt will be merged into. got, and this segment will not be seen. Will affect performance.

experiment

relro.c means to enter a hexadecimal address and write 4141 to that address

#include<stdio.h>
#include<stdlib.h>
int main(int argc,char*argv[]){
    printf("hello");
    printf("%s",argv[1]);
    printf("sdsd");
    size_t * p=(size_t*)strtol(argv[1],NULL,16);
    p[0]=0x41414141;
    printf("RELRO: %x\n",(unsigned int )*p);
    return 0;
}

The experiment failed. According to the book, there was a problem

In the dynamic relocation table, main is always R_X86_64_GLOB_DAT, the book should be the same as printf.

Conclusion: norelro can modify. got and. got.plt

partial can modify. got.plt

None of full can be modified

The conditions that cannot be modified are as follows. Of course, there may be other reasons

realization

When there is delayed binding, call will jump to printf@plt Then jmp to the. got.plt item, and then jump back for symbol binding. After completion, the. got.plt is modified to the real function address.

When there is no delay binding, all parsing work is completed when the program is loaded. Execute the call instruction to jump to the corresponding. plt.got item, and then jmp to the corresponding. Got item. The parsed function address has been saved.

Compilation options summary

stack canaries

-fstack-protector        yes alloca Series of functions and functions with internal buffers greater than 8 bytes enable protection
-fstack-protector-strong Added protection for functions containing local array and address references
-fstack-protector-all    Enable protection for all functions
-fstack-protector-explicit To include stack_protect Property to enable protection
-fno-stack-protector       Disable protection

nx

-z execstack
-z no execstack

ASLR

-ldl

PIE

-fpic   Generate location independent code for shared libraries
-pie    The location of the generated dynamic link is independent of the executable file, which usually needs to be specified at the same time-fpie
-no-pie Do not generate dynamically linked location independent executables
-fpie   be similar to-fpic´╝îHowever, the generated location independent code can only be used for executable files
-fno-pie Do not generate location independent code

FORTIFY_SOURCE

-D_FORTIFY_SOURCE=1   Enable buffer overflow attack check
-D_FORTIFY_SOURCE=2   Enable buffer overflow and format string attack checking

RELRO

-z norelro              Disable relro
-z lazy                 open Partial RELRO
-z now                  FULL PARTIAL

Posted by future_man on Mon, 29 Nov 2021 09:08:32 -0800