How to set up a non-executable stack and ASLR

Source: Internet | Editor: 程序博客网 | Date: 2024/06/05 23:58

Recently I did some research into how to enable stack execution protection and ASLR (Address Space Layout Randomization) on Windows and Linux. It took a lot of digging to find the material, so I summarize it here:


OS: Windows

  Execution space protection
    Compiler (linker) option: /NXCOMPAT (enabled by default)
    System option:
      1. Open the Control Panel
      2. Select System & Maintenance
      3. Click System
      4. Click Advanced System Settings
      5. Click the Advanced tab
      6. Click Performance Settings
      7. Click the Data Execution Prevention tab

  ASLR (Address Space Layout Randomization)
    Compiler (linker) option: /DYNAMICBASE (enabled by default)
    System option: ASLR is enabled by default. I did not find a way to disable it. But it only works properly when DEP/NX is enabled.

  Description
    Microsoft's Windows Vista (released January 2007), Windows Server 2008, Windows 7, and Windows Server 2008 R2 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled.[7] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes.

  Check tools
    Process Explorer
    WinDbg
    OllyDbg

OS: Linux

  Execution space protection
    Compiler (link) option: -Wl,-z,noexecstack or -Wa,--noexecstack
    System option: /proc/sys/kernel/exec-shield
      (Exec-shield is a Red Hat/Fedora kernel patch; mainline kernels rely on the CPU's NX bit and the GNU_STACK marking of each binary instead.)

  ASLR (Address Space Layout Randomization)
    Compiler option: -fPIC -pie
    System option: /proc/sys/kernel/randomize_va_space
      or: sysctl -w kernel.randomize_va_space=NEWVALUE

  Description
    Linux has enabled a weak[6] form of ASLR by default since kernel version 2.6.12 (released June 2005).

  Check tools
    1) http://www.trapkit.de/tools/checksec.html
    2) find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
       lists the libraries under /lib whose stack is marked executable
    3) execstack -q ~/lib/libfoo.so.1 ~/bin/bar
       queries the executable-stack marking of the given files
    4) readelf -h -d /usr/sbin/smbd | grep 'Type:.*DYN'
       If the file has been compiled as PIE, the command returns something similar to the following:
       Type: DYN (Shared object file)


Stack-smashing protection (stack canary) settings:

  OS       Compiler flag
  Windows  /GS
  Linux    -fstack-protector-all
           -fstack-protector


The possible values of randomize_va_space are:

  Value  Description
  0      ASLR is disabled
  1      All supported forms of ASLR are enabled, except heap randomization
  2      All supported forms of ASLR are enabled
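Added example (not from the original post): a POSIX shell script that parses readelf output to apply the PIE check from item 4 above and the GNU_STACK flag check behind the execstack commands, and maps a randomize_va_space value to its meaning from the table above. It assumes the binutils readelf is installed for the live check; the readelf lines embedded in it are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example: decide NX / PIE status of a Linux binary from readelf output
# and put the randomize_va_space sysctl value into words. Only awk is needed
# for the parsers; check_binary additionally assumes binutils readelf.

# stdin: output of `readelf -lW FILE` (-W keeps each program header on one line).
# Prints "nx" (GNU_STACK flags are RW), "execstack" (RWE) or "none" (no
# GNU_STACK header at all, which older x86 kernels treat as an executable stack).
stack_status_from_readelf() {
    awk '/GNU_STACK/ { found = 1; if ($0 ~ /RWE/) xs = 1 }
         END { if (!found) print "none"; else if (xs) print "execstack"; else print "nx" }'
}

# stdin: output of `readelf -h FILE`. DYN means PIE (or a shared library);
# EXEC means a fixed-address executable that ASLR cannot relocate.
pie_status_from_readelf() {
    awk '/^ *Type:/ { found = 1
                      if ($0 ~ /DYN/) print "pie"; else if ($0 ~ /EXEC/) print "no-pie"; else print "unknown" }
         END { if (!found) print "unknown" }'
}

# $1: value read from /proc/sys/kernel/randomize_va_space.
aslr_status() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled (no heap randomization)" ;;
        2) echo "enabled (all supported forms)" ;;
        *) echo "unknown" ;;
    esac
}

# Live check of one file with the real readelf (hypothetical usage: check_binary /bin/ls).
check_binary() {
    printf '%s: stack=%s pie=%s\n' "$1" \
        "$(readelf -lW "$1" | stack_status_from_readelf)" \
        "$(readelf -h "$1" | pie_status_from_readelf)"
}

# Constructed sample lines (not real readelf output) so the parsers run offline.
SAMPLE_STACK_RWE='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_TYPE_DYN='  Type:                              DYN (Position-Independent Executable file)'

demo() {
    printf '%s\n' "$SAMPLE_STACK_RWE" | stack_status_from_readelf   # execstack
    printf '%s\n' "$SAMPLE_TYPE_DYN" | pie_status_from_readelf      # pie
    aslr_status "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)"
}
```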


The possible values of exec-shield are:

  Value  Description
  0      Exec-shield (including randomized VM mapping) is disabled for all binaries, marked or not
  1      Exec-shield is enabled for all marked binaries (default)
  2      Exec-shield is enabled for all binaries, regardless of marking (to be used for testing purposes ONLY)


On Linux there is also the execstack command, which sets the executable-stack flag of a library or an executable. Its options are:

  Option                  Description
  -c, --clear-execstack   Clear the executable-stack flag bit
  -q, --query             Query the executable-stack flag bit
  -s, --set-execstack     Set the executable-stack flag bit


I hope this helps everyone protect against buffer overflows on Windows and Linux.
