How to set a non-executable stack and ASLR


Recently I surveyed how to enable stack execution protection (a non-executable stack) and ASLR (Address Space Layout Randomization) on Windows and Linux. The information is scattered across many sources, so here is a summary:

 

Columns of the original table: OS / Execution space protection / ASLR (Address Space Layout Randomization) / Description / Check tool

Windows

  Execution space protection (DEP / NX)
    Linker option: /NXCOMPAT (marks the image as DEP-compatible; on by default in current Visual Studio linkers).
    System option:
      1. Open the Control Panel
      2. Select System & Maintenance
      3. Click System
      4. Click Advanced System Settings
      5. Click the Advanced tab
      6. Click Performance Settings
      7. Click the Data Execution Prevention tab
    The same system-wide policy can be set from an elevated command prompt with bcdedit /set nx OptIn|OptOut|AlwaysOn|AlwaysOff (takes effect after a reboot).

  ASLR
    Linker option: /DYNAMICBASE (on by default in current Visual Studio linkers). The loader can only relocate an image that still carries its relocation table, so do not combine it with /FIXED or strip the .reloc section.
    System option: ASLR is on by default on Vista and later and there is no Control Panel switch to turn it off. It is only an effective mitigation together with DEP: DEP without ASLR is bypassed by returning into existing code at known addresses, and ASLR without DEP still lets injected code run as soon as a single address leaks, so both should be enabled.

  Description: Microsoft's Windows Vista (released January 2007), Windows Server 2008, Windows 7 and Windows Server 2008 R2 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled (/DYNAMICBASE).[7] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1, where ASLR and DEP were both disabled for application compatibility purposes.

  Check tools: Process Explorer (enable its "DEP Status" and "ASLR Enabled" columns to see the state per process), WinDbg, OllyDbg

Linux

  Execution space protection (non-executable stack, NX)
    Compiler/link options: -Wl,-z,noexecstack (passed to ld) or -Wa,--noexecstack (passed to the assembler; needed for hand-written .s files, which otherwise carry no .note.GNU-stack section). Both result in a PT_GNU_STACK program header without the X flag. Caveat: a single object file without the .note.GNU-stack section makes ld mark the stack of the whole executable as executable unless -z noexecstack is given, and a shared library marked executable-stack makes the stack of every process that loads it executable.
    System option: /proc/sys/kernel/exec-shield (Red Hat / Fedora Exec-Shield kernels only, see the value table below; the file does not exist on mainline kernels, which enforce NX through the CPU's NX bit and the PT_GNU_STACK marking).

  ASLR
    Compiler/link options: -fPIE (compile) and -pie (link). -fPIC -pie also works, but -fPIE lets the compiler assume the code will never be a shared library and avoid GOT/PLT indirection. Without -pie the main executable is loaded at a fixed address even with randomize_va_space set to 2; only the stack, the heap and mmap'd regions (shared libraries) move.
    System option: /proc/sys/kernel/randomize_va_space, or
      sysctl -w kernel.randomize_va_space=NEWVALUE
    (add kernel.randomize_va_space = NEWVALUE to /etc/sysctl.conf to make the setting persistent).

  Description: Linux has enabled a weak[6] form of ASLR by default since kernel version 2.6.12 (released June 2005).

  Check tools:
    1) http://www.trapkit.de/tools/checksec.html (checksec.sh reports NX, PIE, RELRO and stack canary status for each binary)
    2) find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
       lists the libraries whose stack is executable (execstack -q prints X for an executable stack, - for a non-executable one and ? for a file without a PT_GNU_STACK marking).
    3) execstack -q ~/lib/libfoo.so.1 ~/bin/bar
       queries the executable stack marking of the given files.
    4) readelf -h -d /usr/sbin/smbd | grep 'Type:.*DYN'
       If the file has been compiled as a PIE, the command returns something like:
       Type: DYN (Shared object file)
       Caveat: a shared library is also of type DYN. What distinguishes a PIE executable is a (DEBUG) entry in its dynamic section (the -d output), which libraries do not have; newer binutils print "DYN (Position-Independent Executable file)" directly.

 

Stack smashing (stack canary) protection settings:

  OS       Compiler flag
  Windows  /GS (on by default in Visual C++)
  Linux    -fstack-protector (instruments only functions with local char arrays of at least 8 bytes or calls to alloca) or -fstack-protector-all (instruments every function); GCC 4.9 and later also offer -fstack-protector-strong as a middle ground.
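As an added example (not code from the original post), the C program below is a hand-rolled model of what -fstack-protector and /GS insert into a function: a guard value between the local buffer and the saved return address, checked before the function returns. The frame layout, the fixed guard value, the fake saved return address and the inputs are all constructed for the example; a real build keeps the guard in the actual stack frame and reads a per-process random value (on x86-64 glibc from the TLS slot at %fs:0x28).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a protected frame. The guard sits between the overflowable buffer
 * and the saved return address, in the order the compiler uses, so that any
 * linear overflow must cross the guard before it reaches the return address.
 * Constructed for the example: sizeof == 32, no padding. */
typedef struct {
    unsigned char buf[16];
    uint64_t      guard;
    uint64_t      saved_ret;   /* stand-in for the saved return address */
} frame_t;

/* A real build uses a per-process random value; this one is fixed so the run
 * is reproducible (constructed). The low byte is 0x00 on purpose, as glibc
 * does: a strcpy-style overflow is cut off by that terminator before it can
 * write the rest of the guard back. */
static const uint64_t GUARD        = 0xd4a3c1f2e5b71c00ULL;
static const uint64_t ORIGINAL_RET = 0x401136ULL;   /* constructed */

typedef struct {
    int      guard_intact; /* 1: normal return; 0: __stack_chk_fail / __report_gsfailure */
    uint64_t ret_after;    /* the saved return address after the copy */
} verdict_t;

/* An unbounded copy into the local buffer (the bug the protector exists for)
 * followed by the epilogue check the compiler emits. The copy is clamped to
 * the frame so the model itself stays within defined behaviour. */
verdict_t copy_then_check(const unsigned char *input, size_t len)
{
    frame_t f;
    f.guard = GUARD;
    f.saved_ret = ORIGINAL_RET;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);            /* buf is at offset 0 of the frame */
    verdict_t v;
    v.ret_after = f.saved_ret;
    v.guard_intact = (f.guard == GUARD);
    return v;
}

int main(void)
{
    unsigned char ok[16], evil[32];
    memset(ok, 'A', sizeof ok);
    memset(evil, 'A', sizeof evil);
    uint64_t fake_ret = 0xdeadbeefULL;           /* attacker-chosen, constructed */
    memcpy(evil + 24, &fake_ret, sizeof fake_ret);

    verdict_t v = copy_then_check(ok, sizeof ok);
    printf("16 bytes: guard %s, ret=0x%llx\n", v.guard_intact ? "intact" : "SMASHED",
           (unsigned long long)v.ret_after);
    v = copy_then_check(evil, sizeof evil);
    printf("32 bytes: guard %s, ret=0x%llx\n", v.guard_intact ? "intact" : "SMASHED",
           (unsigned long long)v.ret_after);
    return 0;
}
```

Without the guard the 32-byte input would silently replace the return address and the function would return to 0xdeadbeef; with it, the check fails first and the process aborts. Note what the mechanism does not cover: overwrites of other locals below the guard, or of heap and global data, are not detected, which is why the canary complements rather than replaces NX and ASLR.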

 

 

The possible values of randomize_va_space are:

  Value  Description
  0      ASLR is disabled.
  1      All supported forms of ASLR are enabled (stack, mmap base including shared libraries and PIE executables, VDSO page) except heap randomization: the brk area starts right after the executable.
  2      All supported forms of ASLR are enabled, including randomization of the brk heap (the default on current kernels).

 

The values of exec-shield (only present on Red Hat / Fedora kernels that carry the Exec-Shield patch; it never went into mainline Linux) are:

  Value  Description
  0      Exec-Shield (including randomized VM mapping) is disabled for all binaries, marked or not.
  1      Exec-Shield is enabled for all marked binaries (default).
  2      Exec-Shield is enabled for all binaries, regardless of marking (to be used for testing purposes ONLY).

 

On Linux there is also the execstack command (shipped with the prelink package), which sets or clears the executable-stack flag of a library or executable, i.e. the X bit of its PT_GNU_STACK program header, rewriting the file on disk. Its options are:

  Option                  Description
  -c, --clear-execstack   Clear the executable stack flag bit
  -q, --query             Query the executable stack flag bit
  -s, --set-execstack     Set the executable stack flag bit
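As an added example (not code from the original post, nor from execstack or binutils), the C program below re-implements what the check tools listed above look at and what execstack changes: the e_type field of the ELF header (EXEC versus DYN, as shown by readelf -h) and the X flag of the PT_GNU_STACK program header (queried by execstack -q, set by -s, cleared by -c). So that it runs offline, it works on a constructed, minimal ELF64 image built in memory by build_image(), which is an assumption of the example and not a real binary; the ELF constants and structures are defined locally with the same layout as <elf.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 constants and structures with the <elf.h> layout (64 and 56 bytes),
 * defined locally so the example builds anywhere. */
enum { ET_EXEC = 2, ET_DYN = 3, PT_LOAD = 1, PF_X = 1, PF_W = 2, PF_R = 4 };
#define PT_GNU_STACK 0x6474e551u

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_t;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr_t;

typedef struct {
    int valid;         /* parsed as a little-endian ELF64 image */
    int is_pie;        /* e_type == ET_DYN, shown as "DYN" by readelf -h */
    int has_gnu_stack; /* a PT_GNU_STACK header exists ("?" in execstack -q if not) */
    int stack_exec;    /* its PF_X bit; a missing header also counts as executable,
                          which is how the Linux loader treats it */
} elf_report;

static int parse_header(const unsigned char *img, size_t len, ehdr_t *eh)
{
    if (len < sizeof *eh || memcmp(img, "\x7f" "ELF", 4) != 0) return 0;
    if (img[4] != 2 || img[5] != 1) return 0;   /* ELFCLASS64 and ELFDATA2LSB only */
    memcpy(eh, img, sizeof *eh);
    return eh->e_phentsize == sizeof(phdr_t) && eh->e_phoff <= len &&
           eh->e_phnum <= (len - eh->e_phoff) / sizeof(phdr_t);
}

/* Offset of the PT_GNU_STACK header, or 0 if there is none (0 can never be a
 * program header offset because the ELF header occupies it). */
static size_t find_gnu_stack(const unsigned char *img, const ehdr_t *eh)
{
    for (uint16_t i = 0; i < eh->e_phnum; i++) {
        size_t off = (size_t)eh->e_phoff + (size_t)i * sizeof(phdr_t);
        phdr_t ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return off;
    }
    return 0;
}

/* readelf -h plus execstack -q in one call. */
elf_report analyze_elf(const unsigned char *img, size_t len)
{
    elf_report r = {0, 0, 0, 1};
    ehdr_t eh;
    if (!parse_header(img, len, &eh)) return r;
    r.valid = 1;
    r.is_pie = (eh.e_type == ET_DYN);
    size_t off = find_gnu_stack(img, &eh);
    if (off) {
        phdr_t ph;
        memcpy(&ph, img + off, sizeof ph);
        r.has_gnu_stack = 1;
        r.stack_exec = (ph.p_flags & PF_X) != 0;
    }
    return r;
}

/* execstack -s (executable=1) / execstack -c (executable=0): rewrite the PF_X
 * bit of PT_GNU_STACK in place. Returns 1 on success, 0 for an invalid image
 * or one without a PT_GNU_STACK header (the real tool would add one). */
int set_execstack(unsigned char *img, size_t len, int executable)
{
    ehdr_t eh;
    if (!parse_header(img, len, &eh)) return 0;
    size_t off = find_gnu_stack(img, &eh);
    if (!off) return 0;
    phdr_t ph;
    memcpy(&ph, img + off, sizeof ph);
    ph.p_flags = executable ? (ph.p_flags | PF_X) : (ph.p_flags & ~(uint32_t)PF_X);
    memcpy(img + off, &ph, sizeof ph);
    return 1;
}

/* Constructed stand-in for a real binary: ELF header, one PT_LOAD and
 * optionally a PT_GNU_STACK header, no code. Returns the image size, or 0 if
 * the buffer is too small. */
size_t build_image(unsigned char *out, size_t cap, uint16_t type,
                   int with_gnu_stack, uint32_t stack_flags)
{
    uint16_t phnum = with_gnu_stack ? 2 : 1;
    size_t total = sizeof(ehdr_t) + phnum * sizeof(phdr_t);
    if (cap < total) return 0;
    ehdr_t eh = {{0}};
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);   /* magic, 64-bit, LSB, v1 */
    eh.e_type = type; eh.e_machine = 62; eh.e_version = 1;   /* 62 = EM_X86_64 */
    eh.e_phoff = sizeof(ehdr_t); eh.e_ehsize = sizeof(ehdr_t);
    eh.e_phentsize = sizeof(phdr_t); eh.e_phnum = phnum;
    phdr_t load  = {PT_LOAD, PF_R | PF_X, 0, 0, 0, total, total, 0x1000};
    phdr_t stack = {PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16};
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &load, sizeof load);
    if (with_gnu_stack) memcpy(out + sizeof eh + sizeof load, &stack, sizeof stack);
    return total;
}

int main(void)
{
    unsigned char img[256];
    /* a PIE with a non-executable stack: what -fPIE -pie -Wl,-z,noexecstack yield */
    size_t n = build_image(img, sizeof img, ET_DYN, 1, PF_R | PF_W);
    elf_report r = analyze_elf(img, n);
    printf("PIE=%d GNU_STACK=%d execstack=%d\n", r.is_pie, r.has_gnu_stack, r.stack_exec);
    set_execstack(img, n, 1);                                   /* execstack -s */
    printf("after -s: execstack=%d\n", analyze_elf(img, n).stack_exec);
    return 0;
}
```

To run it on a real file, read the file into a buffer and pass it to analyze_elf(); set_execstack() then changes the in-memory copy exactly as execstack -s/-c would change the file. The report deliberately treats a missing PT_GNU_STACK header as an executable stack, which is the conservative reading and matches the loader's behaviour for such binaries.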

 

I hope this helps with protecting against buffer overflows on Windows and Linux.
