Notes from studying the security of Linux executables

$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

ASLR

ASLR (Address Space Layout Randomization)

Checking the current ASLR setting (ASLR enabled = the default)

$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

malloc with ASLR enabled

# ./a.out '%08x'
[+] secret = 0x557f73997260
length = 2000
9245e5ce
# ./a.out '%08x'
[+] secret = 0x56391c287260
length = 2000
8fc8b5ce

Disabling ASLR

# sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0

malloc with ASLR disabled

# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
# ./a.out '%08x'
[+] secret = 0x555555756260
length = 2000
ffffe5ce
$ sudo sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

SSP

SSP (Stack Smashing Protection)
Verified with WaniCTF 2020 pwn 02 var rewrite

CANARY : ENABLED

$ gcc ./pwn02.c -o pwn021 -no-pie

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn021
What's your name?: target = HACKASE

***start stack dump***
0x7ffe63ddb4a0: 0x41487ffe0000000f <- rsp
0x7ffe63ddb4a8: 0x4141004553414b43
0x7ffe63ddb4b0: 0x4141414141414141
0x7ffe63ddb4b8: 0xbe456300494e4157
0x7ffe63ddb4c0: 0x00007ffe63ddb4d0 <- rbp
0x7ffe63ddb4c8: 0x0000000000400a49 <- return address
***end stack dump***

*** stack smashing detected ***: <unknown> terminated

It was detected.

CANARY : disabled

$ gcc ./pwn02.c -o pwn022 -no-pie -fno-stack-protector

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ (echo "AAAAAAAAAAWANI"; cat) | ./pwn022
What's your name?: Congratulation!
ls

NX bit

NX bit (No eXecute bit)

Under construction

PIE

PIE (Position Independent Executable)
Verified with WaniCTF 2020 pwn 04 GOT rewriter

PIE : ENABLED

$ gcc ./pwn04.c -o ./pwn041

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : ENABLED
RELRO     : FULL

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x5623771a896a
Please input target address (0x600e10-0x6010b0):

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x55e18140496a
Please input target address (0x600e10-0x6010b0):

The address of the win function changes on every run

PIE : disabled

$ gcc ./pwn04.c -o ./pwn042 -no-pie

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

The address of the win function does not change

Adding the -no-pie option changes not only PIE but also RELRO

Without -no-pie
PIE       : ENABLED
RELRO     : FULL
With -no-pie
PIE       : disabled
RELRO     : Partial

RELRO

RELRO (RELocation Read Only)
Verified with WaniCTF 2020 pwn 04 GOT rewriter

FULL RELRO

$ ./pwn041
Welcome to GOT rewriter!!!
win = 0x562224ce396a
Please input target address (0x600e10-0x6010b0):

$ objdump -d -M intel ./pwn041 | less
0000000000000800 <printf@plt>:
 800:   ff 25 aa 17 20 00       jmp    QWORD PTR [rip+0x2017aa]        # 201fb0 <printf@GLIBC_2.2.5>
 806:   68 04 00 00 00          push   0x4
 80b:   e9 a0 ff ff ff          jmp    7b0 <.plt>

The GOT entry of printf (0x201fb0, before PIE relocation) is outside the range the program allows to be rewritten

Partial RELRO

$ ./pwn042
Welcome to GOT rewriter!!!
win = 0x400807
Please input target address (0x600e10-0x6010b0):

$ objdump -d -M intel ./pwn042 | less
00000000004006d0 <printf@plt>:
  4006d0:       ff 25 62 09 20 00       jmp    QWORD PTR [rip+0x200962]        # 601038 <printf@GLIBC_2.2.5>
  4006d6:       68 04 00 00 00          push   0x4
  4006db:       e9 a0 ff ff ff          jmp    400680 <.plt>

The GOT entry of printf (0x601038) is inside the range the program allows to be rewritten (0x600e10-0x6010b0)
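As an added example (not part of the original notes), a small Python parser that reads the ELF and program headers the same way checksec does: PIE from e_type, NX from the PT_GNU_STACK flags, and RELRO from PT_GNU_RELRO, where FULL additionally requires a BIND_NOW flag in the dynamic section (set by the -z now linker option, which is what separates pwn041 from pwn042 above). build_sample_elf constructs synthetic, header-only ELF images so the classifier can be exercised without compiling anything.

```python
import struct
ET_EXEC, ET_DYN = 2, 3                               # constants from <elf.h>
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474e551, 0x6474e552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_mitigations(data):
    """Classify PIE / NX / RELRO of a little-endian ELF64 image as checksec does."""
    if data[:4] != b"\x7fELF" or data[4] != 2:       # EI_CLASS must be ELFCLASS64
        raise ValueError("not a 64-bit ELF")
    e_type, _, _, _, e_phoff = struct.unpack_from("<HHIQQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro, dynamic = False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:                   # NX: stack segment lacks PF_X
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:                 # region made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False                                 # FULL RELRO also needs BIND_NOW
    if dynamic:
        for off in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    return {"PIE": e_type == ET_DYN, "NX": nx,
            "RELRO": "FULL" if relro and bind_now else "Partial" if relro else "disabled"}

def build_sample_elf(pie, nx, relro, bind_now):
    """Constructed, non-loadable ELF64 image (headers + dynamic section) for testing."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 6 if nx else 7), (PT_DYNAMIC, 6)]   # PF_R|PF_W[|PF_X]
    phdrs += [(PT_GNU_RELRO, 4)] if relro else []
    dynoff = 64 + 56 * len(phdrs)                    # dynamic section follows phdr table
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dynoff if t == PT_DYNAMIC else 0,
                                0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
                    for t, f in phdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(phdrs), 64, 0, 0)
    return ehdr + body + dyn
```

To check a compiled binary such as ./pwn041, pass open(path, "rb").read() to elf_mitigations; the CANARY line is omitted because detecting it needs the dynamic symbol table (a reference to __stack_chk_fail), not just the headers.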