Skip to content

Latest commit

 

History

History
194 lines (154 loc) · 7.64 KB

201205021827.txt.md

File metadata and controls

194 lines (154 loc) · 7.64 KB
Raw

3.11 Linux系统的DEP

http://scz.617.cn/unix/201205021827.txt

A: scz@nsfocus

某些Linux发行版(RedHat/Fedora)有一个内核参数exec-shield用于控制系统级DEP:

0

Exec-shield (including randomized VM mapping) is disabled for all
binaries, marked or not

1

Exec-shield is enabled for all marked binaries

这是缺省值。所谓marked,指"PT_GNU_STACK program header"存在。

2

Exec-shield is enabled for all binaries, regardless of marking (To be
used for testing purposes ONLY)

关闭系统级DEP:

sysctl -w kernel.exec-shield=0 echo 0 > /proc/sys/kernel/exec-shield

另有一个与ASLR相关的内核参数exec-shield-randomize:

0

Randomized VM mapping is disabled

1

Randomized VM mapping is enabled

这是缺省值。

关闭系统级ASLR:

sysctl -w kernel.exec-shield-randomize=0 echo 0 > /proc/sys/kernel/exec-shield-randomize

但上述两个内核参数在我的系统上都没有:

uname -a

Linux debian 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux

此时必须用别的办法判断当前系统是否启用DEP。为方便后续的diff操作,关闭ASLR 进行测试:

$ setarch uname -m -R cat /proc/self/maps | tee 1.txt 08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat 0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat 08050000-08071000 rw-p 08050000 00:00 0 [heap] b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0 b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fce000-b7fd1000 rw-p b7fce000 00:00 0 b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0 b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso] b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so bffea000-c0000000 rw-p bffea000 00:00 0 [stack]

从显示中可以看出,heap、stack都没有x权限,当前系统启用了DEP。

$ execstack -q which cat

  • /bin/cat

cat不要求栈可执行。

可以用"setarch -X"关闭单个进程的部分DEP:

$ setarch uname -m -RX cat /proc/self/maps | tee 2.txt 08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat 0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat 08050000-08071000 rwxp 08050000 00:00 0 [heap] b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0 b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fce000-b7fd1000 rwxp b7fce000 00:00 0 b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0 b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso] b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack] $ diff 1.txt 2.txt 2,5c2,5 < 0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat < 08050000-08071000 rw-p 08050000 00:00 0 [heap] < b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive < b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0

0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat 08050000-08071000 rwxp 08050000 00:00 0 [heap] b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0 7,10c7,10 < b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so < b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so < b7fce000-b7fd1000 rw-p b7fce000 00:00 0 < b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0

b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fce000-b7fd1000 rwxp b7fce000 00:00 0 b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0 13,15c13,15 < b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so < b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so < bffea000-c0000000 rw-p bffea000 00:00 0 [stack]

b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]

"setarch -X"未能让stack可执行,但heap已经可执行。

strace -o 3.txt setarch uname -m -R cat /proc/self/maps > /dev/null

strace -o 4.txt setarch uname -m -RX cat /proc/self/maps > /dev/null

diff 3.txt 4.txt

... 80c80 < personality(0x40008 /* PER_??? */) = 0

personality(0x440008 /* PER_??? */) = 0 ...

在"sys/personality.h"中找到两个值:

ADDR_NO_RANDOMIZE = 0x0040000 READ_IMPLIES_EXEC = 0x0400000 PER_LINUX32 = 0x0008

"setarch -X"对应系统调用personality( READ_IMPLIES_EXEC )。

一般来说,为了编程关闭单个进程的DEP,先fork()出子进程,在子进程中调用:

personality( original_persona | READ_IMPLIES_EXEC )

然后exec...()。

D: scz@nsfocus

为了让stack可执行,目前只找到"execstack -s"这一种办法。

$ cp which cat scz_cat $ execstack -s scz_cat $ ./scz_cat /proc/self/maps 08048000-0804f000 r-xp 00000000 08:01 378821 /tmp/scz_cat 0804f000-08050000 rwxp 00006000 08:01 378821 /tmp/scz_cat 08050000-08071000 rwxp 08050000 00:00 0 [heap] b7c2c000-b7e2c000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e2c000-b7e2d000 rwxp b7e2c000 00:00 0 b7e2d000-b7f6d000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f6d000-b7f6f000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f6f000-b7f70000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f70000-b7f73000 rwxp b7f70000 00:00 0 b7f84000-b7f86000 rwxp b7f84000 00:00 0 b7f86000-b7f87000 r-xp b7f86000 00:00 0 [vdso] b7f87000-b7fa2000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so b7fa2000-b7fa3000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so b7fa3000-b7fa4000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so bfa90000-bfaa5000 rwxp bfa90000 00:00 0 [stack] $ cat /proc/self/maps 08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat 0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat 08050000-08071000 rw-p 08050000 00:00 0 [heap] b7c21000-b7e21000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e21000-b7e22000 rw-p b7e21000 00:00 0 b7e22000-b7f62000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f62000-b7f64000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f64000-b7f65000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7f65000-b7f68000 rw-p b7f65000 00:00 0 b7f79000-b7f7b000 rw-p b7f79000 00:00 0 b7f7b000-b7f7c000 r-xp b7f7b000 00:00 0 [vdso] b7f7c000-b7f97000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so b7f97000-b7f98000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so b7f98000-b7f99000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so bfd58000-bfd6e000 rw-p bfd58000 00:00 0 [stack]