checksec summary
1. RELRO
RELRO (RELocation Read-Only) is a technique for hardening a binary's data sections. It comes in two forms: partial RELRO and full RELRO.
Partial RELRO
- gcc now produces partial RELRO by default (long ago the option gcc -Wl,-z,relro may have been needed)
- some sections(.init_array .fini_array .jcr .dynamic .got) are marked as read-only after they have been initialized by the dynamic loader
- non-PLT GOT is read-only (.got)
- GOT is still writeable (.got.plt)
Full RELRO
- Has all the features of Partial RELRO
- Lazy resolution is disabled: all imported symbols are resolved at startup time
- Bonus: the entire GOT is also (re)mapped as read-only, or the .got.plt section is completely initialized with the final addresses of the target functions (.got and .got.plt are merged into one section, .got). Moreover, since lazy resolution is not enabled, the GOT[1] and GOT[2] entries are not initialized. GOT[0] is the address of the module's DYNAMIC section, GOT[1] is the virtual load address of the link_map, and GOT[2] is the address of the runtime resolver function.
At compile time add the options gcc -Wl,-z,relro,-z,now
The -z option passes the keyword that follows it on to the linker ld.
The ld manual's explanation of the now option:
When generating an executable or shared library, mark it to tell the dynamic linker to r