This is an old revision of the document!


C Exploit mitigation techniques

There are a number of exploit mitigation techniques to reduce the impact of common C vulnerabilities. Unfortunately they are not as widely used as they should in free operating systems.

ASLR / pie

For ASLR to work properly Linux needs position independent code and position independent executables (CFLAGS -fpic and -pie). Currently most Linux distributions don't enable pie by default.

grsecurity / PaX

The grsecurity project includes many exploit mitigation techniques. It is a patch for the Linux kernel. Based on experience many local root exploits in the past were prevented on systems using grsecurity.

Most likely many parts of grsecurity could be integrated into the mainline kernel. This would involve splitting the patchset up into single patches that change single bits and submit them to the responsible upstream subsystem maintainer.

This has already partly happened in the past, however until now only a very small subset of grsecurity improvements went upstream.

Memory safety

Approaches that try to implement memory safety in C:

  • Levee - tries to protect only memory containing code pointers (stack return adresses, function pointer variables), relatively small overhead, LLVM-based (Code Pointer Integrity 31C3 talk).
  • Address Sanitizer - mostly advertised as a debugging / fuzzing tool, could in theory also be used for production software, significant overhead, part of both LLVM and GCC in current versions (compiler flag -fsanitize=address).
  • Softbound+CETS - very strong memory protection, large overhead (over 100%), not in a state that it works with large real-world software, LLVM-based (Bug class genocide 30C3 talk)

Misc

  • checksec.sh - shell script testing executables for common exploit mitigation techniques
exploit-mitigation.1451737256.txt · Last modified: 2016/01/02 04:20 by hanno
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux