Cheat sheet of binary protection flags
Binary Protection Flags
Tables listing and describing the gcc and linker flags that control the protection mechanisms of Linux binaries.
Canary
| Flag | Description |
|---|---|
| -fno-stack-protector | Canary is disabled |
| -fstack-protector | Canary is enabled for functions with potentially vulnerable objects (default) |
| -fstack-protector-all | Canary is enabled for all functions |
NX
| Flag | Description |
|---|---|
| -z noexecstack | Data is not executable (default) |
| -z execstack | Disable NX, data is executable |
PIE
| Flag | Description |
|---|---|
| -no-pie | Binary will not be Position Independent Executable |
| -pie | Binary will be Position Independent Executable (default) |
RELRO
| Flag | Description |
|---|---|
| -Wl,-z,norelro | Relocation read-only will be disabled |
| -Wl,-z,relro | Partial RELRO, forces the GOT to come before the BSS in memory (default) |
| -Wl,-z,relro,-z,now | Full RELRO, GOT will be read-only |
Fortify
| Flag | Description |
|---|---|
| -D_FORTIFY_SOURCE=0 -O0 | Disabled (default) |
| -D_FORTIFY_SOURCE=1 -O1 | Perform checks on string and memory manipulation functions at compile time |
| -D_FORTIFY_SOURCE=2 -O2 | Perform extra checks when employing various string and memory manipulation functions at run time |
Note: -On sets compiler optimization level n.
ASLR
This is not a flag, but I decided to place this here either way. The commands below set ASLR for the entire system.
Enable:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
Disable:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Notes
- Use checksec to view the protections of an existing binary.
- Flags passed with -Wl and -z are sent directly to the linker.
Examples:
Compile binary with NX disabled:
gcc target.c -o target -z execstack
Compile binary without canary:
gcc target.c -o target -fno-stack-protector
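To audit what the NX, PIE and RELRO flags above actually left in a binary, the same information checksec reports can be read from the ELF program headers and the dynamic section. The following is an added example, not part of the original cheat sheet: the function names and the constructed sample image are assumptions, it handles only 64-bit little-endian ELF, and it does not cover Canary or Fortify, which require a symbol lookup.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN, PF_R, PF_W, PF_X = 2, 3, 4, 2, 1

def protections(elf: bytes) -> dict:
    """Derive NX, PIE and RELRO from a 64-bit little-endian ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx = relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # -z noexecstack leaves PF_X clear here
            nx = not (p_flags & PF_X)   # a missing segment is reported as no NX
        elif p_type == PT_GNU_RELRO:    # emitted by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:      # -z now is recorded in the dynamic section
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or tag == DT_FLAGS and val & DF_BIND_NOW
                        or tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    return {"NX": nx, "PIE": e_type == ET_DYN, "RELRO": level}

def build_sample(e_type, stack_flags, relro, now):
    """Constructed test input: ELF header, program headers and .dynamic only."""
    dyn = (struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if now else b"") + bytes(16)
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0), (PT_DYNAMIC, PF_R | PF_W, 0, len(dyn))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0))
    dyn_off = 64 + 56 * len(phdrs)      # .dynamic placed right after the headers
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else o,
                                 0, 0, sz, sz, 8) for t, f, o, sz in phdrs)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + table + dyn

if __name__ == "__main__":
    print(protections(build_sample(ET_DYN, PF_R | PF_W, True, True)))
```

For a real file, pass its bytes directly, for example `protections(open("target", "rb").read())`, and compare the result with the checksec output.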