Disabling security features to make Linux vulnerable to buffer overflow
In order to make the Linux machine vulnerable to overflow, I had to use these commands
sudo echo 0 > /proc/sys/kernel/randomize_va_space
and
-fno-stack-protector -z execstack -o bug bug.c
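What is the purpose of using these two commands before trying to overflow the machine? Which security features do they disable to allow the buffer overflow?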
sudo echo 0 > /proc/sys/kernel/randomize_va_space
This is Address Space Layout Randomization (ASLR). On Windows, this is opt-in per app via the /DYNAMICBASE or /HIGHENTROPYVA switches. The Linux command is disabling it for the whole OS, so be sure to turn it back on once you are done with your homework. See also Address Space Layout Randomization in Windows Vista.
-fno-stack-protector
This is buffer overflow protection. On Windows, it is enabled by building with /GS. See also Compiler Security Checks In Depth for why it is useful.
-z execstack
This is Data Execution Protection. On Windows, this is opt-in per app via the /NXCOMPAT switch. See also /DYNAMICBASE and /NXCOMPAT.
As for why you had to disable these security features, that is probably the point of your homework.
On Windows there is one more security mechanism which is controlled by the /SAFESEH linker switch. See Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP for what this is about.
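An added example, not part of the original question or answer: a shell script that reports whether the three mitigations named above (ASLR, the stack protector, the non-executable stack) are in effect for the running kernel and a given ELF binary, so the lab machine can be checked and ASLR restored afterwards. The function names are this example's own, and it assumes binutils' readelf is installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three mitigations
# the answer names. Function names are hypothetical, chosen for this example.

# kernel.randomize_va_space: 0 = off, 1 = stack/mmap/vDSO, 2 = 1 plus brk heap.
aslr_verdict() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial" ;;
        2) echo "full" ;;
        *) echo "unknown" ;;
    esac
}

# stdin: `readelf -lW` output. The GNU_STACK flags column holds E when the
# binary was linked with -z execstack.
stack_verdict() {
    awk '$1 == "GNU_STACK" {
             seen = 1
             for (i = 7; i < NF; i++) flags = flags $i
         }
         END {
             if (!seen) print "no-gnu-stack-header"
             else if (flags ~ /E/) print "executable"
             else print "non-executable"
         }'
}

# stdin: `readelf -sW` output. A reference to __stack_chk_fail means at least
# one function carries a canary; none is what -fno-stack-protector produces.
canary_verdict() {
    if grep -q '__stack_chk_fail'; then echo "canary"; else echo "no-canary"; fi
}

# Report on the running kernel and one ELF file (needs binutils readelf).
audit() {
    aslr=$(aslr_verdict "$(cat /proc/sys/kernel/randomize_va_space)")
    echo "ASLR:   $aslr"
    [ "$aslr" != "disabled" ] || echo "        restore: sudo sysctl -w kernel.randomize_va_space=2"
    echo "Stack:  $(readelf -lW "$1" | stack_verdict)"
    echo "Canary: $(readelf -sW "$1" | canary_verdict)"
}

# Run only when a binary path is given, e.g. `sh audit.sh ./bug`.
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A "no-canary" result can also mean that no function in the binary had a buffer the compiler chose to instrument, so confirm it against the build flags.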