Here is a summary of knowledge points for binary security. The reason for writing this article is so that I can learn binary security systematically😄.
Binary security refers to guaranteeing the information security of binary data while it is being transmitted, that is, making sure it is not tampered with, decoded and so on, and that an attack can be detected in time if one happens.
Binary security also covers some parts of cryptography, such as encryption and decryption, signatures and so on.
In CTF competitions, binary security usually appears in the form of pwn. You get a compiled program, analyze its logic and then crack it.
Because Linux pwn is the most common form at the moment, I decided to start pwn from the Linux platform.
On Linux, we can use a tool called `checksec` to see the security protection mechanisms of our target program. So the first thing we should know is the kinds of protection mechanism.
Canary is a protection technique that mitigates stack overflow.
You can control the canary with the following compiler arguments.
```
#Quoted From CTF-WIKI
#enables protection, but only inserts protection for functions that have arrays in local variables
-fstack-protector
#Enable protection, insert protection for all functions
-fstack-protector-all
#Enable protection for functions with any local array, or whose local variables have their address taken
-fstack-protector-strong
#Only protects functions with explicit stack_protect attribute
-fstack-protector-explicit
#Disable protection.
-fno-stack-protector
```
Here is an example to understand what role the canary plays.
```
High Address |                 |
             +-----------------+
             |      args       |
             +-----------------+
             | return address  |
             +-----------------+
     rbp =>  |     old ebp     |
             +-----------------+
   rbp-8 =>  |  canary value   |
             +-----------------+
             | Local variables |
Low Address  |                 |
```
The canary value is usually stored in TLS, at `fs:[0x28]` on x86-64; this value is also called `stack_guard`. The function epilogue compares the copy on the stack against the stored value, and if the canary has been changed illegally, program flow goes to a glibc function called `__stack_chk_fail` instead of returning. Then you can't crack the program as you intended: it prevents the easy stack overflow. (PS: Bypassing the canary will be discussed later…)
NX (No eXecute) enabled means instructions placed on the stack are not allowed to execute. Classic attack methods like `jmp esp` into stack shellcode stop working, but the ROP technique can be used to bypass NX.
RELRO (relocation read-only) has two forms:
Full RELRO. If the program has Full RELRO, we wouldn't be able to change the
PIE (position-independent executable) enabled means the program's memory addresses are randomized each time the program runs.
The base address is 0x400000 when the program's status is
Has RWX (Read&Write&Execute) segments means the program has some segments that you can read, write and execute at the same time.
You can try to understand it with the following picture:
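As an added example (my own code, not from the original post or from the checksec project), here is a small checksec-style reader that derives the five properties above directly from the ELF64 program headers and dynamic section; `make_elf` constructs a synthetic ELF image so it runs offline, and the canary check uses the same `__stack_chk_fail` symbol-name heuristic that checksec relies on.

```python
import struct

# ELF64 constants (values as defined in the ELF specification / elf.h)
ET_DYN, PT_LOAD, PT_DYNAMIC = 3, 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
PHDR = "<IIQQQQQQ"  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

def checksec(elf: bytes) -> dict:
    """Derive checksec-style properties from a little-endian ELF64 image."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("only ELF64 images are handled here")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    phdrs = [struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    # NX: the kernel maps the stack non-executable only if PT_GNU_STACK exists and lacks PF_X
    nx = any(p[0] == PT_GNU_STACK and not (p[1] & PF_X) for p in phdrs)
    # RELRO: PT_GNU_RELRO alone is partial; with BIND_NOW the GOT is resolved and made read-only at load
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "partial"
        for p in phdrs:
            if p[0] == PT_DYNAMIC:
                for off in range(p[2], p[2] + p[5], 16):
                    tag, val = struct.unpack_from("<qQ", elf, off)
                    if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                        relro = "full"
    return {
        "canary": b"__stack_chk_fail" in elf,  # heuristic: a reference to the glibc failure handler
        "nx": nx,
        "relro": relro,
        "pie": e_type == ET_DYN,  # shared libraries are ET_DYN too, so only meaningful for executables
        "rwx": any(p[0] == PT_LOAD and (p[1] & 7) == 7 for p in phdrs),
    }

def make_elf(pie=True, nx=True, relro="full", rwx=False, canary=True) -> bytes:
    """Construct a minimal synthetic ELF64 image (constructed test data, not a runnable program)."""
    dyn = (struct.pack("<qQ", DT_BIND_NOW, 0) if relro == "full" else b"") + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_LOAD, PF_R | PF_X | (PF_W if rwx else 0), 0, 0, 0, 0x1000, 0x1000, 0x1000),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 0x10)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    dyn_off = 64 + 56 * (len(phdrs) + 1)  # dynamic entries are placed right after the header table
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn
    return body + (b"\0__stack_chk_fail\0" if canary else b"")
```

Pointing `checksec()` at the bytes of a real binary gives the same five answers the `checksec` tool prints; the `make_elf` defaults describe a well-hardened build, and flipping its arguments shows how each weak setting changes the report.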
So what should we learn next? There is no denying that we should aim at understanding the basic principles of the common attack techniques:
- Stack overflow
- Format string vulnerability
- Glibc heap exploitation
- IO_FILE exploitation
- Race conditions
- Integer overflow
- Sandbox escape
- Linux kernel
- Other architectures (like arm, arch)
Fighting or losing, it depends on yourself😀.