3.11 DEP on Linux

https://scz.617.cn/unix/201205021827.txt

A: scz@nsfocus

Some Linux distributions (RedHat/Fedora) have a kernel parameter, exec-shield, that controls system-wide DEP:

--------------------------------------------------------------------------
0   Exec-shield (including randomized VM mapping) is disabled for all
    binaries, marked or not
1   Exec-shield is enabled for all marked binaries
    This is the default. "Marked" means the binary carries a
    "PT_GNU_STACK program header".
2   Exec-shield is enabled for all binaries, regardless of marking
    (To be used for testing purposes ONLY)
--------------------------------------------------------------------------

To disable system-wide DEP:

sysctl -w kernel.exec-shield=0
echo 0 > /proc/sys/kernel/exec-shield

There is also an ASLR-related kernel parameter, exec-shield-randomize:

--------------------------------------------------------------------------
0   Randomized VM mapping is disabled
1   Randomized VM mapping is enabled
    This is the default.
--------------------------------------------------------------------------

To disable system-wide ASLR:

sysctl -w kernel.exec-shield-randomize=0
echo 0 > /proc/sys/kernel/exec-shield-randomize

But neither of these kernel parameters exists on my system:

# uname -a
Linux debian 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux

So another way is needed to tell whether the current system has DEP enabled. To make the later diff easy to read, ASLR is switched off for the test (setarch -R sets ADDR_NO_RANDOMIZE for the child):

$ setarch `uname -m` -R cat /proc/self/maps | tee 1.txt
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
08050000-08071000 rw-p 08050000 00:00 0 [heap]
b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0
b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fce000-b7fd1000 rw-p b7fce000 00:00 0
b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0
b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]
b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bffea000-c0000000 rw-p bffea000 00:00 0 [stack]

The listing shows that neither the heap nor the stack has the x permission, so DEP is enabled on this system.

$ execstack -q `which cat`
- /bin/cat

cat does not request an executable stack (its PT_GNU_STACK header is marked RW, not RWX).

"setarch -X" can be used to switch off part of DEP for a single process:

$ setarch `uname -m` -RX cat /proc/self/maps | tee 2.txt
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat
08050000-08071000 rwxp 08050000 00:00 0 [heap]
b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0
b7e8b000-b7fcb000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7fce000-b7fd1000 rwxp b7fce000 00:00 0
b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0
b7fe4000-b7fe5000 r-xp b7fe4000 00:00 0 [vdso]
b7fe5000-b8000000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]

$ diff 1.txt 2.txt
2,5c2,5
< 0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
< 08050000-08071000 rw-p 08050000 00:00 0 [heap]
< b7c8a000-b7e8a000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
< b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0
---
> 0804f000-08050000 rwxp 00006000 08:01 196226 /bin/cat
> 08050000-08071000 rwxp 08050000 00:00 0 [heap]
> b7c8a000-b7e8a000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive
> b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0
7,10c7,10
< b7fcb000-b7fcd000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
< b7fcd000-b7fce000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
< b7fce000-b7fd1000 rw-p b7fce000 00:00 0
< b7fe2000-b7fe4000 rw-p b7fe2000 00:00 0
---
> b7fcb000-b7fcd000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
> b7fcd000-b7fce000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
> b7fce000-b7fd1000 rwxp b7fce000 00:00 0
> b7fe2000-b7fe4000 rwxp b7fe2000 00:00 0
13,15c13,15
< b8000000-b8001000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so
< b8001000-b8002000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so
< bffea000-c0000000 rw-p bffea000 00:00 0 [stack]
---
> b8000000-b8001000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so
> b8001000-b8002000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so
> bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]

"setarch -X" did not make the stack executable, but the heap is now executable. Note that every readable mapping gained x, even read-only file mappings such as locale-archive and the libc/ld.so data pages; the stack, whose permissions come from the PT_GNU_STACK header, is the only region left at rw-p.

Where does the difference come from? Tracing both runs:

# strace -o 3.txt setarch `uname -m` -R cat /proc/self/maps > /dev/null
# strace -o 4.txt setarch `uname -m` -RX cat /proc/self/maps > /dev/null
# diff 3.txt 4.txt
...
80c80
< personality(0x40008 /* PER_??? */) = 0
---
> personality(0x440008 /* PER_??? */) = 0
...

The arguments decode with the constants in "sys/personality.h":

ADDR_NO_RANDOMIZE = 0x0040000
READ_IMPLIES_EXEC = 0x0400000
PER_LINUX32       = 0x0008

so 0x40008 is PER_LINUX32 | ADDR_NO_RANDOMIZE (the -R run) and 0x440008 is the same with READ_IMPLIES_EXEC added (the -RX run). "setarch -X" therefore corresponds to the system call personality( READ_IMPLIES_EXEC ).

In general, to switch off DEP for a single process programmatically, fork() a child and, in the child, call:

personality( original_persona | READ_IMPLIES_EXEC )

and then exec...(). The flag survives the exec and shapes the permissions of the new image's heap and mappings.

D: scz@nsfocus

To make the stack executable as well, the only method found so far is "execstack -s" (it rewrites the PT_GNU_STACK header to request an executable stack). This run and the next one were made without setarch -R, so the library addresses differ from the listings above:

$ cp `which cat` scz_cat
$ execstack -s scz_cat
$ ./scz_cat /proc/self/maps
08048000-0804f000 r-xp 00000000 08:01 378821 /tmp/scz_cat
0804f000-08050000 rwxp 00006000 08:01 378821 /tmp/scz_cat
08050000-08071000 rwxp 08050000 00:00 0 [heap]
b7c2c000-b7e2c000 r-xp 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e2c000-b7e2d000 rwxp b7e2c000 00:00 0
b7e2d000-b7f6d000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f6d000-b7f6f000 r-xp 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f6f000-b7f70000 rwxp 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f70000-b7f73000 rwxp b7f70000 00:00 0
b7f84000-b7f86000 rwxp b7f84000 00:00 0
b7f86000-b7f87000 r-xp b7f86000 00:00 0 [vdso]
b7f87000-b7fa2000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b7fa2000-b7fa3000 r-xp 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b7fa3000-b7fa4000 rwxp 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bfa90000-bfaa5000 rwxp bfa90000 00:00 0 [stack]

With the stack marked executable, not only the stack but every writable and readable mapping became rwxp. For comparison, the unmodified cat on the same system:

$ cat /proc/self/maps
08048000-0804f000 r-xp 00000000 08:01 196226 /bin/cat
0804f000-08050000 rw-p 00006000 08:01 196226 /bin/cat
08050000-08071000 rw-p 08050000 00:00 0 [heap]
b7c21000-b7e21000 r--p 00000000 08:01 98130 /usr/lib/locale/locale-archive
b7e21000-b7e22000 rw-p b7e21000 00:00 0
b7e22000-b7f62000 r-xp 00000000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f62000-b7f64000 r--p 0013f000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f64000-b7f65000 rw-p 00141000 08:01 769046 /lib/i686/cmov/libc-2.11.2.so
b7f65000-b7f68000 rw-p b7f65000 00:00 0
b7f79000-b7f7b000 rw-p b7f79000 00:00 0
b7f7b000-b7f7c000 r-xp b7f7b000 00:00 0 [vdso]
b7f7c000-b7f97000 r-xp 00000000 08:01 1046552 /lib/ld-2.11.2.so
b7f97000-b7f98000 r--p 0001a000 08:01 1046552 /lib/ld-2.11.2.so
b7f98000-b7f99000 rw-p 0001b000 08:01 1046552 /lib/ld-2.11.2.so
bfd58000-bfd6e000 rw-p bfd58000 00:00 0 [stack]
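The following C program is an added example, not code from scz's note. It automates the two things the note does by hand: it classifies a /proc/<pid>/maps listing by whether [heap] and [stack] carry the x bit (the "is DEP on?" check), and it implements the fork() / personality(original | READ_IMPLIES_EXEC) / exec() recipe by re-running itself as a child so the two listings can be compared. The sample listings embedded in the block are constructed from the outputs above, trimmed to the lines that decide the answer. Assumptions: Linux with glibc and /proc mounted. Two caveats the note predates: on x86-64 the kernel clears READ_IMPLIES_EXEC when it execs a 64-bit ELF, so the child shows no change there (build with -m32, given 32-bit libraries, to reproduce the i686 behaviour documented here), and a restrictive seccomp profile such as a container's default may refuse the personality() call with EPERM.

```c
/* dep_probe.c: classify a maps listing by heap/stack executability, then
 * re-exec ourselves with READ_IMPLIES_EXEC the way setarch -X does.
 * Build: gcc -Wall -o dep_probe dep_probe.c   (add -m32 on x86-64, see text)
 * Run:   ./dep_probe */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>
#include <sys/wait.h>

/* Bits returned by dep_summary(); 0 means heap and stack are both non-exec. */
#define HEAP_EXEC  1
#define STACK_EXEC 2

/* Parse one maps line "start-end perms offset dev inode [path]".
 * Returns 1 on success; perms gets e.g. "rw-p", path "" for anonymous maps. */
static int parse_maps_line(const char *line, char perms[5], char path[256])
{
    unsigned long start, end, offset, inode;
    char dev[16];
    path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    return n >= 6;
}

/* Classify a whole maps listing (newline-separated text) by whether the
 * [heap] and [stack] regions carry the x bit. Pure function over text. */
int dep_summary(const char *maps)
{
    int mask = 0;
    const char *p = maps;
    while (*p) {
        char line[512], perms[5], path[256];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);
        if (!parse_maps_line(line, perms, path) || perms[2] != 'x')
            continue;
        if (strcmp(path, "[heap]") == 0)  mask |= HEAP_EXEC;
        if (strcmp(path, "[stack]") == 0) mask |= STACK_EXEC;
    }
    return mask;
}

/* Same check on the calling process via /proc/self/maps; -1 if unreadable. */
int dep_summary_self(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return dep_summary(buf);
}

/* The persona setarch -X installs: the existing bits plus READ_IMPLIES_EXEC.
 * Matches the strace diff above: 0x40008 -> 0x440008. */
unsigned long persona_with_read_implies_exec(unsigned long persona)
{
    return persona | READ_IMPLIES_EXEC;
}

/* fork(), set the flag in the child, exec argv[]; returns the child's exit
 * status, or -1 on fork/wait failure. personality(2) can be refused (EPERM)
 * by a restrictive seccomp profile; the child then exits 127. */
int run_with_read_implies_exec(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int cur = personality(0xffffffff);            /* query only */
        if (cur == -1 ||
            personality(persona_with_read_implies_exec((unsigned long)cur)) == -1) {
            perror("personality");
            _exit(127);
        }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Sample listings, constructed from the outputs on this page and trimmed to
 * the lines that decide the answer. */
const char *SAMPLE_DEFAULT =        /* 1.txt: DEP on */
    "08050000-08071000 rw-p 08050000 00:00 0 [heap]\n"
    "b7e8a000-b7e8b000 rw-p b7e8a000 00:00 0\n"
    "bffea000-c0000000 rw-p bffea000 00:00 0 [stack]\n";
const char *SAMPLE_SETARCH_X =      /* 2.txt: heap rwx, stack still rw- */
    "08050000-08071000 rwxp 08050000 00:00 0 [heap]\n"
    "b7e8a000-b7e8b000 rwxp b7e8a000 00:00 0\n"
    "bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]\n";
const char *SAMPLE_EXECSTACK_S =    /* scz_cat: everything rwx */
    "08050000-08071000 rwxp 08050000 00:00 0 [heap]\n"
    "bfa90000-bfaa5000 rwxp bfa90000 00:00 0 [stack]\n";

int main(int argc, char *argv[])
{
    int child = argc > 1 && strcmp(argv[1], "--child") == 0;
    int m = dep_summary_self();
    if (m < 0) { fprintf(stderr, "cannot read /proc/self/maps\n"); return 1; }
    printf("%s: heap %s, stack %s\n", child ? "child " : "parent",
           (m & HEAP_EXEC) ? "rwx" : "rw-", (m & STACK_EXEC) ? "rwx" : "rw-");
    if (child) return 0;
    /* Re-run ourselves under READ_IMPLIES_EXEC: on i686 the heap (and every
     * readable mapping) turns rwx while the PT_GNU_STACK-marked stack stays rw-. */
    char *const args[] = { argv[0], "--child", NULL };
    return run_with_read_implies_exec(args) == 0 ? 0 : 1;
}
```

The parent/child pair reproduces the 1.txt versus 2.txt comparison from inside a program: the child inherits the persona through execvp(), so its heap and anonymous mappings are created with x on an i686 kernel, while the stack keeps the permissions requested by PT_GNU_STACK, which is exactly why "setarch -X" alone never produced an executable stack above and "execstack -s" was needed.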