Here’s a short overview of available security options on Linux and how to enable or disable them.
To check security flags, I suggest using checksec, which can be installed with `python3 -m pip install checksec.py` and run with `python3 -m checksec <binary>`.
The primary binary security options that can be enabled (on Linux) are:
NX is enabled by default, and can be disabled with:
NX means Non-eXecutable stack, and is used to prevent attacks where shellcode is injected into stack memory, for example via buffer overflow.
PIE is enabled by default, and can be disabled with:
PIE means Position Independent Execution, and is used to randomize the address space of the program each time it is run, which helps to prevent some code reuse attacks such as Ret2Libc and ROP.
PIE depends on ASLR to work correctly and works with
Stack canaries are enabled by default, and can be disabled with:
This will enable stack protectors in all functions with stack buffers (like `char buf[0x10]`). Stack protectors can be enabled in all functions with:
Stack canaries are used to detect buffer overflows upon return from a function: a check is performed that halts execution of the program to prevent malicious code execution.
Full RELRO can be enabled with:
RELRO is short for RELocatable Read Only. There are two levels of RELRO:
- Partial RELRO moves the `.got` section of the binary below the `.bss` section in the binary so that overflows of global variables will not overwrite `.got` entries. This setting is applied to almost all binaries, but it is not particularly powerful at preventing exploits (and it prevents different types of exploits than full RELRO does).
- Full RELRO causes the entire `.got` section of the binary to be marked as read only, and implicitly enables `LD_BIND_NOW` when the binary starts. This prevents `.got` overwrite attacks (unless program memory is re-protected).
Fortify can be enabled with:
FORTIFY adds overflow checks to library functions:
These overflow checks check source copy sizes to determine whether the buffer will overflow, and abort execution if it does.