- 0. Introduction
- 1. Glibc’s FORTIFY_SOURCE
- 2. Bypassing FORTIFY_SOURCE
- 3. Exploitation
- 4. Afterword
- 5. Reference
0. Introduction
In September 2004, several Red Hat software engineers submitted a new patch for GCC and glibc that adds a lightweight buffer-overflow protection mechanism to the memory and string functions. It is enabled by defining the _FORTIFY_SOURCE macro and is therefore usually referred to simply as FORTIFY_SOURCE. It can be found in every mainstream Linux distribution today, including Ubuntu, Fedora, Red Hat, CentOS and others, and it is used even more widely on the Android platform, which is probably related to Android's particular platform management model.
The official description of the patch gives the authors' own account of what it does:
The intent of this patch is to add some checks that have no or non-measurable runtime overhead, so something that can be enabled for all programs and libraries in an operating system.
The patch certainly doesn’t prevent all buffer overflows, but should prevent many common ones. It works by computing a constant (conservative) number of bytes remaining to the end of object(s) each destination pointer passed to memory and string functions, if possible checking for overflows at compile time, if not possible passing that constant size to special checking alternatives of the memory/string functions.
When the above GCC 4.0+ and -D_FORTIFY_SOURCE=1 are used at optimization level 1 and above, security measures that shouldn’t change behaviour of conforming programs are taken. With -D_FORTIFY_SOURCE=2 some more checking is added, but some conforming programs might fail.
In summary:
- FORTIFY_SOURCE is a lightweight protection against buffer overflows and format-string misuse, but not every kind of buffer overflow can be detected with it
- It protects both C and C++ code
- It adds no significant runtime overhead and does not affect system performance
- The mechanism is not tied to glibc: any C library whose string.h and stdio.h headers are patched in the same way can provide it. The name comes from the -D_FORTIFY_SOURCE flag that turns it on in gcc
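The mechanism the patch description above outlines (compute a conservative remaining-bytes constant for each destination pointer, check at compile time if possible, otherwise hand the constant to a checking variant of the function) is small enough to reproduce by hand. The block below is an added example written for this page; it is not code from the original post, from glibc or from the patch. It uses the real compiler builtin __builtin_object_size(), which is what glibc's fortified headers call, and a hand-written strcpy_checked() standing in for glibc's __strcpy_chk(); the helper names, the copy_status values and the sample struct are this example's own. Two things differ from the real thing on purpose: glibc aborts via __chk_fail() on a detected overflow, whereas this version returns a status so the cases can be compared in one run, and glibc's wrappers are always_inline functions that need -O1 or higher, whereas this uses a macro so the destination size is visible at the call site even at -O0. The three outcomes shown are exactly the three the patch text describes: size known and the write fits, size known and the write is rejected, and size unknown so nothing can be checked. It also shows the concrete difference between _FORTIFY_SOURCE=1 (object-size type 0, whole enclosing object) and =2 (type 1, innermost member), which is why =2 can reject a write that =1 lets through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of one checked copy. Real FORTIFY_SOURCE never returns a status:
 * on a detected overflow glibc calls __chk_fail() and the process aborts.
 * These status values are this example's own. */
enum copy_status {
    COPY_OK = 0,                /* size known, string fits */
    COPY_OVERFLOW_DETECTED = 1, /* size known, string does not fit: nothing written */
    COPY_UNCHECKED = 2          /* size unknown: copied exactly like plain strcpy() */
};

/* __builtin_object_size() is how the compiler computes the "constant
 * (conservative) number of bytes remaining to the end of the object".
 * Type 0 counts to the end of the whole enclosing object (what
 * _FORTIFY_SOURCE=1 uses); type 1 stops at the end of the innermost
 * sub-object such as a struct member (what _FORTIFY_SOURCE=2 uses).
 * (size_t)-1 means the compiler could not determine the size. */
#define BOS_WHOLE(ptr)  __builtin_object_size((ptr), 0)
#define BOS_MEMBER(ptr) __builtin_object_size((ptr), 1)

/* Stand-in for glibc's __strcpy_chk(dst, src, dst_size). The size must be
 * computed at the call site: once the pointer is a plain parameter the
 * compiler has lost track of what it points to. */
static enum copy_status strcpy_checked(char *dst, const char *src, size_t dst_size)
{
    size_t needed = strlen(src) + 1;   /* include the terminating NUL */

    if (dst_size == (size_t)-1) {      /* no size information: cannot check */
        memcpy(dst, src, needed);
        return COPY_UNCHECKED;
    }
    if (needed > dst_size)             /* glibc would abort here */
        return COPY_OVERFLOW_DETECTED;

    memcpy(dst, src, needed);
    return COPY_OK;
}

/* Call-site wrapper, mirroring how <string.h> under _FORTIFY_SOURCE=2
 * turns strcpy(dst, src) into __strcpy_chk(dst, src, <object size of dst>). */
#define STRCPY_FORTIFIED(dst, src) strcpy_checked((dst), (src), BOS_MEMBER(dst))

/* Constructed sample type for the =1 / =2 comparison. */
struct record {
    char name[8];
    char tag[8];
};

/* Case 1: destination is a local array and the string fits. */
enum copy_status demo_fits(void)
{
    char buf[16];
    return STRCPY_FORTIFIED(buf, "hello");
}

/* Case 2: destination is a local array and the string is too long.
 * The compiler knows sizeof(buf) == 8, so the overflow is rejected before
 * a single byte is written. */
enum copy_status demo_overflow(void)
{
    char buf[8];
    return STRCPY_FORTIFIED(buf, "this string is far too long");
}

/* Case 3: the =1 / =2 difference. A 12-byte write into r.name stays inside
 * struct record (16 bytes), so a whole-object check lets it run silently
 * into r.tag; the member-level check sees only the 8 bytes of name. */
size_t name_bytes_whole_object(void)
{
    struct record r;
    return BOS_WHOLE(r.name);    /* 16 */
}

size_t name_bytes_member(void)
{
    struct record r;
    return BOS_MEMBER(r.name);   /* 8 */
}

/* Case 4: a pointer that reaches the copy through an opaque call.
 * noinline keeps the compiler from seeing the array behind it, which is
 * exactly the situation in which FORTIFY_SOURCE can do nothing. */
static __attribute__((noinline)) enum copy_status copy_via_opaque_pointer(char *p)
{
    return STRCPY_FORTIFIED(p, "x");
}

enum copy_status demo_unknown(void)
{
    char buf[16];
    return copy_via_opaque_pointer(buf);
}

int main(void)
{
    printf("fits:      %d\n", demo_fits());
    printf("overflow:  %d\n", demo_overflow());
    printf("bos whole: %zu, bos member: %zu\n",
           name_bytes_whole_object(), name_bytes_member());
    printf("unknown:   %d\n", demo_unknown());
    return 0;
}
```

Case 4 is the one worth remembering when reading the bypass sections that follow: any destination whose size the compiler cannot see at the call site (heap pointers, pointers passed through non-inlined functions, pointers stored in structures) goes to the copy completely unchecked, exactly as plain strcpy() would.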