
Exploit Mitigation Techniques in the GNU Toolchain (GNU工具链里的漏洞利用缓解技术.pptx)

  • Uploader (seller): 无敌的果实
  • Document ID: 5271820
  • Upload date: 2023-03-04
  • Format: PPTX
  • Pages: 72
  • Size: 2.11 MB

    Keywords:
    GNU, tools, vulnerability, exploitation, mitigation, techniques
    Description:

    A travel through exploit mitigations in GNU toolchains

    # ls -l
    00 whoami
    01 GCC/ld/Glibc dl internals
        0100 GCC internals
        0101 ld internals
        0102 Glibc dl internals
    02 smashing the stack
    03 implementation of classical mitigations
        0300 stack canary
        0301 NX (No eXecutable)
        0302 PIC/PIE & ASLR
        0303 relro
    04 return oriented programming
    05 CFI & implementation in GCC
    06 intro to RAP of PaX/Grsecurity

    00 whoami

        coder whole my life
        worked on SDCC/gputils, GCC/binutils, LLVM
        security engineer & member of hardenedlinux/h4rdenedzer0
        write a C89 compiler from scratch only for fun (2009-2012)

    01 GCC/ld/Glibc dynamic-linker internals

        0100 GCC internals
        0101 ld internals
        0102 Glibc dl internals

    0100 GCC internals / source directory overview

        zet@fuck-GFW:~/dust/gcc/gcc-6.2.0$ ls -lF
        ABOUT-NLS        /* gettext */
        boehm-gc/        /* java gc */
        compile*         /* script call gcc by user */
        config/          /* lots of m4 script */
        config.guess*
        config-ml.in
        config.rpath*
        config.sub*
        configure*
        configure.ac
        contrib/         /* download prerequisites / generate man pages */
        depcomp*         /* call compiler generate dependency */
        fixincludes/     /* fix (macro) system header to work with gcc */
        gnattools/       /* Ada */
        gotools/         /* golang */
        include/         /* getopt.h, sha1.h, etc */
        INSTALL/         /* html install files */
        install-sh*      /* called by make install */
        intl/            /* gettext */
        libada/
        libatomic/       /* __sync/__atomic */
        libbacktrace/    /* output like gdb backtrace */
        libcc1/          /* gdb evaluate code on current context */
        libcilkrts/      /* intel cilk runtime */
        libcpp/          /* C preprocessor */
        libdecnumber/    /* decimal float library */
        libffi/          /* part of java runtime */
        libgcc/          /* GCC runtime library: crt, vtv */
        libgfortran/
        libgo/
        libgomp/         /* OpenMP */
        libiberty/       /* vfork/md5 */
        libitm/          /* transaction memory */
        libjava/
        libmpx/          /* Intel Memory Protection Extensions */
        libobjc/
        liboffloadmic/   /* intel MIC runtime offload library */
        libquadmath/     /* quad-precision math operations */
        libsanitizer/    /* leak / use after free / overflow, etc */
        libssp/          /* stack smash protection */
        libstdc++-v3/    /* C++ runtime */
        libvtv/          /* after */
        lto-plugin/      /* link time optimization */
        zlib/            /* part of java runtime */
        gcc/             /* frontend, middleend, backend */

    0100 GCC internals / overview of toolchains

        [Diagram: source program, cc1, cpp, gcc, as, linker, libc, target program]

    0100 GCC internals / driver

        main                        /* in file gcc-main.c */
        driver::main                /* gcc.c */
        decode_argv
        set_up_specs                /* for cc1/as/ld */
        do_spec_on_infiles          /* for (n_infiles) */
        lookup_compiler             /* find compiler from suffix */
        do_spec
        do_spec_2
        do_spec_1
        execute
        pex_init                    /* piped execute */
        pex_run
        pex_run_in_environment
        obj->funcs->exec_child      /* call cc1 */
        maybe_run_linker            /* collect2 */

    0100 GCC internals / what does specs file do

        zet@fuck-GFW:~/bin/gcc-6.2.0/bin$ ./g++ -### main.cc -fvtable-verify=std -o main verified_lib.so
        Using built-in specs.
        COLLECT_GCC=./g++
        COLLECT_LTO_WRAPPER=/home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/lto-wrapper
        Target: x86_64-pc-linux-gnu
        Configured with: ./configure --disable-checking --enable-languages=c,c++ --enable-libstdcxx-threads --enable-vtable-verify=yes --prefix=/home/zet/bin/gcc-6.2.0
        Thread model: posix
        gcc version 6.2.0 (GCC)
        COLLECT_GCC_OPTIONS=-fvtable-verify=std -o main -shared-libgcc -mtune=generic -march=x86-64
         /home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/cc1plus -quiet -imultiarch x86_64-linux-gnu -D_GNU_SOURCE main.cc -quiet -dumpbase main.cc -mtune=generic -march=x86-64 -auxbase main -fvtable-verify=std -o /tmp/ccVN0GoS.s
        COLLECT_GCC_OPTIONS=-fvtable-verify=std -o main -shared-libgcc -mtune=generic -march=x86-64
         as --64 -o /tmp/ccUBFg31.o /tmp/ccVN0GoS.s
        COMPILER_PATH=/home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/:/home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/:/home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/:/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/:/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/
        LIBRARY_PATH=/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/:/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/../../../../lib64/:/lib/x86_64-linux-gnu/:/lib/../lib64/:/usr/lib/x86_64-linux-gnu/:/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/../../../:/lib/:/usr/lib/
        COLLECT_GCC_OPTIONS=-fvtable-verify=std -o main -shared-libgcc -mtune=generic -march=x86-64
         /home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/collect2 -plugin /home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/liblto_plugin.so -plugin-opt=/home/zet/bin/gcc-6.2.0/libexec/gcc/x86_64-pc-linux-gnu/6.2.0/lto-wrapper -plugin-opt=-fresolution=/tmp/cc9F8SHb.res -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o main /usr/lib/x86_64-linux-gnu/crt1.o /usr/lib/x86_64-linux-gnu/crti.o /home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/crtbegin.o /home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/vtv_start.o -L/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0 -L/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/../../../../lib64 -L/lib/x86_64-linux-gnu -L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu -L/home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/../../.. -lvtv -u_vtable_map_vars_start -u_vtable_map_vars_end /tmp/ccUBFg31.o verified_lib.so -lstdc++ -lm -lgcc_s -lgcc -lc -lgcc_s -lgcc /home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/vtv_end.o /home/zet/bin/gcc-6.2.0/lib/gcc/x86_64-pc-linux-gnu/6.2.0/crtend.o /usr/lib/x86_64-linux-gnu/crtn.o
        COLLECT_GCC_OPTIONS=-fvtable-verify=std -o main -shared-libgcc -mtune=generic -march=x86-64

    0100 GCC internals / gcc core

        main                                            /* file main.c */
        toplev::main                                    /* file toplev.c */
        decode_options
        do_compile
        compile_file
        lang_hooks.parse_file = c_common_parse_file     /* back next */
        symtab->finalize_compilation_unit               /* last */
        targetm.asm_out.file_end = file_end_indicate_exec_stack
                                                        /* .note.GNU-stack in file varasm.c */

    0100 GCC internals / gcc core

        lang_hooks.parse_file = c_common_parse_file
        c_parse_file
        c_parser_translation_unit
        c_parser_external_declaration
        c_parser_declaration_or_fndef       /* function */
        c_parser_declspecs                  /* parse specifiers */
        c_parser_compound_statement
        finish_function                     /* finish parsing */
        c_genericize                        /* frontend tree to GENERIC */
        cgraph_finalize_function            /* create cgraph_node */

        PS. C/C++ convert directly from frontend tree (c-family/c-common.def) to GIMPLE.

    0100 GCC internals / gcc core

        symtab->finalize_compilation_unit
        analyze_functions                   /* create GIMPLE */
        cgraph_node::analyze
        gimplify_function_tree
        gimplify_body
        gimplify_stmt
        gimplify_expr
        compile                             /* transforms & optimizations */
        ipa_passes
        /* symbol visibility, etc */
        execute_ipa_pass_list(passes->all_small_ipa_passes)
        /* devirtualization, etc */
        execute_ipa_pass_list(passes->all_regular_ipa_passes)
        /* target involved */
        execute_ipa_pass_list(all_late_ipa_passes)
        expand_all_functions
        node->expand
        execute_pass_list(all_passes)

    0100 GCC internals / gcc core

        execute_pass_list(all_passes)
        execute_pass_list_1
        execute_one_pass
        pass_expand::execute                /* pass named expand */
        expand_gimple_basic_block
        expand_gimple_stmt
        expand_gimple_stmt_1
        expand_assignment
        expand_expr
        expand_expr_real
        expand_expr_real_1
        store_expr_with_bounds
        emit_move_insn
        emit_move_insn_1
        insn_gen_fn::operator()
        gen_movsi
        ix86_expand_move
        emit_insn

    0100 GCC internals / gcc core

        /* find all the passes */
        gcc-source/gcc/passes.def

        /* find all the passes of special type */
        /* optimization pass type. */
        enum opt_pass_type { GIMPLE_PASS, RTL_PASS, SIMPLE_IPA_PASS, IPA_PASS };

    0101 binutils/ld internals

        main                                    /* ld/ldmain.c */
        expandargv
        bfd_init
        lang_init
        output_section_statement_table_init
        /* input/output/assignment/group */
        stat_ptr = &statement_list;
        ldexp_init                              /* for parse script */
        /* architecture specific init */
        ldemul_before_parse = gldelf_i386_before_parse
        parse_args
        yyparse                                 /* next */
        lang_final                              /* add output_file_name to stat_ptr */
        /* set PIE flag, entry point symbol to undefines */
        ldemul_after_parse = gldelf_i386_after_parse
        lang_process                            /* next */
        ld_write                                /* next */
