Mitigation Techniques Flashcards
Stack Mitigation Techniques
RELRO, NX (Non-eXecutable stack), PIE (Position Independent Executable), Stack Canary
How does the stack grow in reference to its addresses?
Grows from high addresses to low addresses
Difference between Partial-RELRO vs Full RELRO
Full RELRO populates the GOT (Global Offset Table) at startup and makes it read only. Partial RELRO has the GOT still writable at runtime while other areas are remapped as read only.
PIE
Position Independent Executable
ASLR
Address Space Layout Randomization
PIE vs ASLR
ASLR:
Is a feature of the OS.
Randomizes base memory addresses in virtual address space.
PIE:
Is a feature of the binary.
It compiles a binary so it is independent of the base address.
Stack Canary
Pushes a canary value onto the stack that is checked before the function returns.
Types of Stack Canaries
Static, Random, Terminator
Stack Pivot Mitigation Techniques
Virtual Memory Permission, Hooks
Virtual Memory Permission
Enforces that the SP is within a certain memory region at system call entry.
Hooks
Runtime security software checks that the SP is within sane bounds at critical functions.
ROP Mitigation Techniques
Control Flow Guard, Return Flow Guard, Indirect Branch Tracking, Pointer Authentication Codes, Shadow Stacks
Control Flow Guard
Software-enforced forward CFI. At compile time it generates a list of valid indirect branch targets. At load time, it creates bitmap storing valid addresses. At runtime, it checks actual addresses against bitmap.
Return Flow Guard
Software-enforced back-edge CFI. Enforces that functions return to the address that they were called from. At function prologue, store return address in shadow stack. At function epilogue, compare return address.
Problems with Return Flow Guard
Inherent race condition: another thread can overwrite the return address on the stack before it is loaded. Shadow stack memory is writable.