what is linux nx

藏色散人
Release: 2023-04-10 11:05:53

linux nx refers to "No-eXecute", a protection mechanism in Linux under which data memory is not executable, so that shellcode an attacker has placed in a data area through an overflow cannot be executed while the program is running.


The operating environment of this tutorial: linux5.9.8 system, Dell G3 computer.

What is linux nx?

Some protection mechanisms commonly used in Linux programs

1. NX (DEP in Windows)

NX: No-eXecute, DEP: Data Execution Prevention

  • That is, data is not executable: shellcode that an attacker places in a data area through an overflow cannot be run while the program executes.
  • gcc enables it by default; the options are:
gcc -o test test.c      // NX protection is on by default
gcc -z execstack -o test test.c  // disable NX protection
gcc -z noexecstack -o test test.c  // enable NX protection

2. PIE (ASLR)

PIE: Position-Independent Executable, ASLR: Address Space Layout Randomization

  • fpie/fPIE: used together with the -pie option to compile an executable as position-independent, so that the ELF has shared-library attributes and can be loaded and run anywhere in memory. The related options are fpic/fPIC. The description from https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html is:
-fpic

	Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. Such code accesses all constant addresses through a global offset table (GOT). The dynamic loader resolves the GOT entries when the program starts (the dynamic loader is not part of GCC; it is part of the operating system). If the GOT size for the linked executable exceeds a machine-specific maximum size, you get an error message from the linker indicating that -fpic does not work; in that case, recompile with -fPIC instead. (These maximums are 8k on the SPARC, 28k on AArch64 and 32k on the m68k and RS/6000. The x86 has no such limit.)

	Position-independent code requires special support, and therefore works only on certain machines. For the x86, GCC supports PIC for System V but not for the Sun 386i. Code generated for the IBM RS/6000 is always position-independent.

	When this flag is set, the macros `__pic__` and `__PIC__` are defined to 1.

-fPIC

	If supported for the target machine, emit position-independent code, suitable for dynamic linking and avoiding any limit on the size of the global offset table. This option makes a difference on AArch64, m68k, PowerPC and SPARC.

	Position-independent code requires special support, and therefore works only on certain machines.

	When this flag is set, the macros `__pic__` and `__PIC__` are defined to 2.

-fpie
-fPIE

	These options are similar to -fpic and -fPIC, but the generated position-independent code can be only linked into executables. Usually these options are used to compile code that will be linked using the -pie GCC option.

	-fpie and -fPIE both define the macros `__pie__` and `__PIE__`. The macros have the value 1 for `-fpie` and 2 for `-fPIE`.
  • The difference is that fpic/fPIC are used when compiling shared libraries, while fpie/fPIE are the options for compiling PIE executables. The document says that the shared library generated with pic (position-independent code) can only be linked into the executable file. Later, I compiled a simple C program myself and the PIE build ran normally. That is, as many articles on the Internet say, the position-independent code generated by the pie option can be assumed to belong to this program. But I do not see any difference between fpie and fPIE; the only difference is that the macro is defined as 1 versus 2. It seems...
    Compile commands (PIE is not enabled by default):
gcc -fpie -pie -o test test.c    // enable PIE
gcc -fPIE -pie -o test test.c    // enable PIE
gcc -fpic -o test test.c         // enable PIC
gcc -fPIC -o test test.c         // enable PIC
gcc -no-pie -o test test.c       // disable PIE
  • ASLR (Address Space Layout Randomization) was originally designed to randomize only the addresses of the stack, shared libraries, heap and similar segments. The ASLR setting is stored in /proc/sys/kernel/randomize_va_space and takes the following values:

0 - Process address space randomization is turned off.
1 - Randomize the base addresses of mmap regions, the stack and the vdso page.
2 - In addition to 1, also randomize the heap (brk area). (Default)

To change the value: echo 0 > /proc/sys/kernel/randomize_va_space

vDSO: virtual dynamic shared object;
mmap: memory mapping.
PIE is responsible for randomizing the base address of the executable program itself.
The following is taken from Wiki:

Position-independent executable (PIE) implements a random base address for the main executable binary and has been in place since 2003. It provides the same address randomness to the main executable as being used for the shared libraries.

PIE is part of ASLR: ASLR is a system feature, while PIE is a compilation option.
Note: heap memory is obtained in two ways, mmap() and brk(). malloc() chooses between them when memory is allocated: brk for small allocations, mmap otherwise, with 128k as the threshold.
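To see what ASLR and PIE each randomize, compare the mapping bases of two runs of the same program. The following is an added example, not code from the original article: it parses two /proc/<pid>/maps snapshots and reports which region bases changed. The snapshots, the program path /home/user/test, and the libc path are constructed sample data, not captured from a real system; with a PIE build every region moves, with a -no-pie build everything except the executable moves.

```python
"""Compare /proc/<pid>/maps snapshots from two runs of the same program.

Added example (not from the original article). The maps lines are constructed
sample data; on a real system you would read /proc/<pid>/maps for each run.
"""
import re

# One line of /proc/<pid>/maps: "start-end perms offset dev inode pathname"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

EXE = "/home/user/test"   # assumed path of the test program (constructed)


def region_name(path, exe_path):
    """Map a pathname from /proc/<pid>/maps to the region class we care about."""
    if path == exe_path:
        return "exe"
    if path in ("[heap]", "[stack]", "[vdso]"):
        return path.strip("[]")
    if "/libc" in path:
        return "libc"
    return None   # other mappings are ignored


def parse_maps(text, exe_path):
    """Return the lowest start address seen for each region class."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(4)
        name = region_name(path, exe_path)
        if name is not None:
            bases[name] = min(bases.get(name, start), start)
    return bases


def moved_regions(run_a, run_b):
    """Region classes whose base address differs between the two runs."""
    return {name for name in run_a.keys() & run_b.keys() if run_a[name] != run_b[name]}


def compare(snapshot_a, snapshot_b, exe_path=EXE):
    """Parse two snapshots and return the set of regions ASLR/PIE moved."""
    return moved_regions(parse_maps(snapshot_a, exe_path), parse_maps(snapshot_b, exe_path))


# Constructed snapshots: a PIE build of test, two separate runs
PIE_RUN_1 = """\
55d3b1e00000-55d3b1e01000 r-xp 00000000 08:01 1234   /home/user/test
55d3b2a10000-55d3b2a31000 rw-p 00000000 00:00 0      [heap]
7f1c3e400000-7f1c3e5c0000 r-xp 00000000 08:01 5678   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5a200000-7ffd5a221000 rw-p 00000000 00:00 0      [stack]
7ffd5a2f0000-7ffd5a2f2000 r-xp 00000000 00:00 0      [vdso]
"""
PIE_RUN_2 = """\
5612c4700000-5612c4701000 r-xp 00000000 08:01 1234   /home/user/test
5612c5310000-5612c5331000 rw-p 00000000 00:00 0      [heap]
7f8a11c00000-7f8a11dc0000 r-xp 00000000 08:01 5678   /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc0e900000-7ffc0e921000 rw-p 00000000 00:00 0      [stack]
7ffc0e9d0000-7ffc0e9d2000 r-xp 00000000 00:00 0      [vdso]
"""
# Constructed snapshots: the same program built with -no-pie; the executable
# is always loaded at its fixed link address 0x400000
NOPIE_RUN_1 = PIE_RUN_1.replace("55d3b1e00000-55d3b1e01000", "00400000-00401000")
NOPIE_RUN_2 = PIE_RUN_2.replace("5612c4700000-5612c4701000", "00400000-00401000")

if __name__ == "__main__":
    print("PIE build, regions that moved:   ", sorted(compare(PIE_RUN_1, PIE_RUN_2)))
    print("no-PIE build, regions that moved:", sorted(compare(NOPIE_RUN_1, NOPIE_RUN_2)))
```

The script only looks at the lowest start address of each region class, which is enough to tell whether the base moved; a real check should run the program several times, since two runs landing on the same base by chance is unlikely but possible.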

3. Canary (Stack Protection)

Canary protects the stack. Each time a function is entered, a random Canary value is placed on the stack; when the function returns, the Canary value is checked, and if it is no longer the same the system reports an exception.

  • Wiki: Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, the first data to be corrupted will usually be the canary, and a failed verification of the canary data will therefore alert of an overflow, which can then be handled, for example, by invalidating the corrupted data. A canary value should not be confused with a sentinel value.

As mentioned above, the canary value is placed between the buffer and the control data. When the buffer overflows, the value is overwritten, which can be detected and used to decide whether an error or an attack has occurred. This mitigates buffer overflow attacks.

  • Compile options:
gcc -o test test.c                       // disabled by default
gcc -fno-stack-protector -o test test.c  // disable stack protection
gcc -fstack-protector -o test test.c     // enable stack protection, but only insert protection code into functions whose local variables contain a char array
gcc -fstack-protector-all -o test test.c // enable stack protection, insert protection code into all functions

4. RELRO (RELocation Read Only)

There are two RELRO modes in Linux: "Partial RELRO" and "Full RELRO". Partial RELRO is enabled by default in Linux.

Partial RELRO:

  • Compile commands:
    gcc -o test test.c // Partial RELRO is enabled by default
    gcc -Wl,-z,relro -o test test.c // enable Partial RELRO
    gcc -z lazy -o test test.c // enable Partial RELRO
  • The sections of the ELF file are reordered: internal data sections (such as .got, .dtors) are placed before the program's data sections (such as .data and .bss);
  • The part of the GOT not used by the PLT is read-only;
  • The GOT entries used by the PLT (.got.plt) remain writable (this is the difference from the previous point).

Full RELRO:

  • Compile commands:
    gcc -Wl,-z,relro,-z,now -o test test.c // enable Full RELRO
    gcc -z now -o test test.c // enable Full RELRO
  • Support all functions of Partial mode;
  • The entire GOT table is mapped to read-only.

gcc -z norelro -o a a.c // turn RELRO off, that is, No RELRO

Note:

  • .dtors: Called when the shared library defined with .dtors is loaded;
  • In the case of .bss or .data overflows, both Partial and Full RELRO protect the ELF's internal data sections from being overwritten. However, only Full RELRO mitigates GOT overwrite attacks, and it is relatively expensive because the program must resolve all symbols before it starts.
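The NX, PIE and RELRO states described in sections 1, 2 and 4 are all recorded in the ELF file and can be verified without running the binary. The following is an added example, not code from the original article: a small checker that reads the PT_GNU_STACK flags (NX), the file type (ET_DYN for PIE), and PT_GNU_RELRO together with the BIND_NOW flag in the dynamic section (Partial versus Full RELRO), the same facts tools such as checksec report. The sample images are constructed by build_sample() so the script runs offline; they are not loadable programs. Canary detection (looking for __stack_chk_fail in the symbol table) is not covered here.

```python
"""Minimal ELF64 hardening checker (added example, not from the original article).

Run it with a path to check a real little-endian ELF64 binary, or with no
arguments to check two constructed sample images.
"""
import struct
import sys

# Constants from the ELF specification (values as in glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<HHIQQQIHHHHHH"   # ELF64 header after the 16-byte e_ident
PHDR = "<IIQQQQQQ"        # Elf64_Phdr (56 bytes)
DYN = "<qQ"               # Elf64_Dyn (16 bytes)


def check(data):
    """Return {'nx': bool or None, 'pie': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    stack_exec = None          # stays None if there is no PT_GNU_STACK header
    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)     # -z execstack sets PF_X here
        elif p_type == PT_GNU_RELRO:
            has_relro = True                       # -z relro
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False                               # -z now sets one of these flags
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(DYN, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True

    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {
        # NX is unknown when PT_GNU_STACK is absent: the kernel default then applies
        "nx": None if stack_exec is None else not stack_exec,
        # ET_DYN is the usual PIE heuristic; shared libraries are ET_DYN too
        "pie": e_type == ET_DYN,
        "relro": relro,
    }


def build_sample(e_type, stack_flags, relro, bind_now):
    """Construct a minimal ELF64 image with the requested properties (test input only)."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN, DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, stack_flags), (PT_DYNAMIC, PF_R | PF_W)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    dyn_off = 64 + 56 * len(phdrs)                 # dynamic section follows the headers
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    ehdr = e_ident + struct.pack(EHDR, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b""
    for p_type, p_flags in phdrs:
        off = dyn_off if p_type == PT_DYNAMIC else 0
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        body += struct.pack(PHDR, p_type, p_flags, off, 0, 0, size, size, 8)
    return ehdr + body + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # real binary given on the command line
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check(f.read()))
    else:
        print("no-pie, execstack, norelro:", check(build_sample(ET_EXEC, PF_R | PF_W | PF_X, False, False)))
        print("pie, noexecstack, full relro:", check(build_sample(ET_DYN, PF_R | PF_W, True, True)))
```

Running it on a test binary built with the commands above shows the effect of each flag directly: -z execstack flips nx to False, -no-pie produces ET_EXEC and pie False, and -z now turns relro from partial to full. A missing PT_GNU_STACK header is reported as None rather than guessed, because the behaviour then depends on the kernel and architecture.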