C Exploit mitigation techniques

There are a number of exploit mitigation techniques to reduce the impact of common C vulnerabilities. Unfortunately they are not as widely used as they should in free operating systems.

ASLR / pie

For ASLR to work properly Linux needs position independent code and position independent executables (CFLAGS -fpic and -pie). Currently most Linux distributions don't enable pie by default.

grsecurity / PaX

The grsecurity project includes many exploit mitigation techniques. It is a patch for the Linux kernel. Based on experience many local root exploits in the past were prevented on systems using grsecurity.

Most likely many parts of grsecurity could be integrated into the mainline kernel. This would involve splitting the patchset up into single patches that change single bits and submit them to the responsible upstream subsystem maintainer.

This has already partly happened in the past, however until now only a very small subset of grsecurity improvements went upstream.

Memory safety

Approaches that try to implement memory safety in C:


  • checksec.sh - shell script testing executables for common exploit mitigation techniques
exploit-mitigation.txt · Last modified: 2016/01/02 13:22 by hanno
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux