3.11 Linux系统的DEP
https://scz.617.cn/unix/201205021827.txt
A: scz@nsfocus
某些Linux发行版(RedHat/Fedora)有一个内核参数exec-shield用于控制系统级DEP:
0
Exec-shield (including randomized VM mapping) is disabled for all
binaries, marked or not
1
Exec-shield is enabled for all marked binaries
这是缺省值。所谓marked,指"PT_GNU_STACK program header"存在。
2
Exec-shield is enabled for all binaries, regardless of marking (To be
used for testing purposes ONLY)
关闭系统级DEP:
sysctl -w kernel.exec-shield=0 echo 0 > /proc/sys/kernel/exec-shield
另有一个与ASLR相关的内核参数exec-shield-randomize:
0
Randomized VM mapping is disabled
1
Randomized VM mapping is enabled
这是缺省值。
关闭系统级ASLR:
sysctl -w kernel.exec-shield-randomize=0 echo 0 > /proc/sys/kernel/exec-shield-randomize
但上述两个内核参数在我的系统上都没有:
uname -a
Linux debian 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux
此时必须用别的办法判断当前系统是否启用DEP。为方便后续的diff操作,关闭ASLR 进行测试:
$ setarch uname -m
-R cat /proc/self/maps | tee 1.txt
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
08050000-08071000 rw-p 08050000 00:00 0 [heap]
b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0
b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fce000-b7fd1000 rw-p b7fce000 00:00 0
b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0
b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]
b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bffea000-c0000000 rw-p bffea000 00:00 0 [stack]
从显示中可以看出,heap、stack都没有x权限,当前系统启用了DEP。
$ execstack -q which cat
- /bin/cat
cat不要求栈可执行。
可以用"setarch -X"关闭单个进程的部分DEP:
$ setarch uname -m
-RX cat /proc/self/maps | tee 2.txt
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat
08050000-08071000 rwxp 08050000 00:00 0 [heap]
b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0
b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fce000-b7fd1000 rwxp b7fce000 00:00 0
b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0
b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]
b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
$ diff 1.txt 2.txt
2,5c2,5
< 0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
< 08050000-08071000 rw-p 08050000 00:00 0 [heap]
< b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
< b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0
0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat 08050000-08071000 rwxp 08050000 00:00 0 [heap] b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0 7,10c7,10 < b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so < b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so < b7fce000-b7fd1000 rw-p b7fce000 00:00 0 < b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0
b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so b7fce000-b7fd1000 rwxp b7fce000 00:00 0 b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0 13,15c13,15 < b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so < b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so < bffea000-c0000000 rw-p bffea000 00:00 0 [stack]
b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
"setarch -X"未能让stack可执行,但heap已经可执行。
strace -o 3.txt setarch uname -m
-R cat /proc/self/maps > /dev/null
strace -o 4.txt setarch uname -m
-RX cat /proc/self/maps > /dev/null
diff 3.txt 4.txt
... 80c80 < personality(0x40008 / PER_??? /) = 0
personality(0x440008 / PER_??? /) = 0 ...
在"sys/personality.h"中找到两个值:
ADDR_NO_RANDOMIZE = 0x0040000 READ_IMPLIES_EXEC = 0x0400000 PER_LINUX32 = 0x0008
"setarch -X"对应系统调用personality( READ_IMPLIES_EXEC )。
一般来说,为了编程关闭单个进程的DEP,先fork()出子进程,在子进程中调用:
personality( original_persona | READ_IMPLIES_EXEC )
然后exec...()。
D: scz@nsfocus
为了让stack可执行,目前只找到"execstack -s"这一种办法。
$ cp which cat
scz_cat
$ execstack -s scz_cat
$ ./scz_cat /proc/self/maps
08048000-0804f000 r-xp 00000000 08:01 378821 /tmp/scz_cat
0804f000-08050000 rwxp 00006000 08:01 378821 /tmp/scz_cat
08050000-08071000 rwxp 08050000 00:00 0 [heap]
b7c2c000-b7e2c000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e2c000-b7e2d000 rwxp b7e2c000 00:00 0
b7e2d000-b7f6d000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f6d000-b7f6f000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f6f000-b7f70000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f70000-b7f73000 rwxp b7f70000 00:00 0
b7f84000-b7f86000 rwxp b7f84000 00:00 0
b7f86000-b7f87000 r-xp b7f86000 00:00 0 [vdso]
b7f87000-b7fa2000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b7fa2000-b7fa3000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b7fa3000-b7fa4000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bfa90000-bfaa5000 rwxp bfa90000 00:00 0 [stack]
$ cat /proc/self/maps
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
08050000-08071000 rw-p 08050000 00:00 0 [heap]
b7c21000-b7e21000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e21000-b7e22000 rw-p b7e21000 00:00 0
b7e22000-b7f62000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f62000-b7f64000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f64000-b7f65000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f65000-b7f68000 rw-p b7f65000 00:00 0
b7f79000-b7f7b000 rw-p b7f79000 00:00 0
b7f7b000-b7f7c000 r-xp b7f7b000 00:00 0 [vdso]
b7f7c000-b7f97000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b7f97000-b7f98000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b7f98000-b7f99000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bfd58000-bfd6e000 rw-p bfd58000 00:00 0 [stack]