Here is a summary of knowledge points for binary security. The reason for this article is that I can learn binary security specifically😄.



Binary security refers to guaranteeing the information security of binary data when transmitting data, that is, not being tampered with, decoded and so on. If attacked, it can be detected in time.

Binary security includes some things of cryptography, such as encryption and decryption, signature and so on.

In CTF competitions, binary security usually appear in the form of reverse and pwn. You will get a compiled program to analyze its logic and then crack it.

📖Linux Pwn

Cause pwn of linux is normally favorite example form now. So i decide to start pwn from linux platform.

Security protection mechanism

In the linux, we can use instructions called checksec to see the security protection mechanism of our target program. So the first we should know is kinds of protection mechanism.


Canary is a kind of protection technique to mitigate stack overflow.

You can set the canary by following args.

#Quoted From CTF-WIKI
#enables protection, but only inserts protection for functions that have arrays in local variables
#Enable protection, insert protection for all functions
#Only protects functions with explicit stack_protect attribute
#Disable protection.

Here is a example to understand what role canary play.

        Address |                 |
                | args            |
                | return address  |
        rbp =>  | old ebp         |
      rbp-8 =>  | canary value    |
| Local variables |
        Low     |                 |

The canary value is usually stored in TLS==>fs:[0x28], this value is also called stack_guard. If the canary value was changed illegally, the program flow will go to a func called __stack_chk_fail in glibc. And then you can’t crack the program as you think, it will prevent the easy stack overflow.(PS: Bypass Canary will be talked later…)


Nx(No Excute) enabled means instructions in stack won’t be allowed to execute. Normally attack ways like call esp and jmp esp will out of action. But we can use ROP technique to bypass NX.


RELRO, this kind of protection mechanism has two form: Partial RELRO and Full RELRO. If program was Full RELRO, we wouldn’t change the Got-table.


PIE(position-independent executable) enabled means program’s memory address is random while running the program each time.

The basic address is 0x400000 when program’s status is No-PIE.


Has RWX(Read&Write&Execute) segments means program has some segments you have the power to read, write and execute.

You can try to understand it by following picture:

Common Attack Ways

So what we should learn then? It’s no denying we should aim at understanding basic principles of common attack ways.

  • Stack overflow
  • Format string vulnerability
  • Glibc Heap uses
  • IO_FILE uses
  • Conditional competition
  • Integer overflow
  • Sandbox escape
  • Linux Kernel
  • Others Framework(like arm,arch)



⏱Concluding remarks

Fighting or losing, depend on yourself😀.