# Countermeasures

## Data Execution Prevention

Non-Executable Stack (NX), also called Data Execution Prevention (DEP).

* Most binaries do not allow running code from the stack.
* Stack segments are marked as non-executable (NX bit).
  * Code cannot jump to it: injected shellcode placed on the stack will not run.
  * Return to lib-c attack not possible.

Introduced in recent operating systems, but it can be disabled.

* Not ubiquitous on embedded devices.
* Binaries must opt in!
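Because the protection is opt-in, the first thing to check on a binary is whether it actually asked for a non-executable stack. On Linux that request is the `PT_GNU_STACK` program header: its flags carry `PF_X` when the stack is executable and omit it when NX applies. The following C is an added example, not code from the original notes; it walks the program headers of a little-endian ELF64 image held in memory and reports the stack permission. The sample images it checks are constructed in `build_sample` with only the fields the parser reads filled in, so they are not loadable binaries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF64 constants used here (values from the ELF specification). */
#define PT_GNU_STACK 0x6474e551u   /* program header describing stack permissions */
#define PF_X         0x1u          /* segment is executable */
#define EH_PHOFF     32            /* offset of e_phoff in the ELF64 header */
#define EH_PHENTSIZE 54            /* offset of e_phentsize */
#define EH_PHNUM     56            /* offset of e_phnum */
#define EH_SIZE      64            /* size of the ELF64 header */

enum nx_status { NX_ENABLED, NX_DISABLED, NX_NO_GNU_STACK, NX_MALFORMED };

/* Little-endian field readers, so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walks the program headers of an in-memory ELF64 image and reports whether
   the binary opted into a non-executable stack. Every offset is bounds-checked
   against len before it is dereferenced. */
enum nx_status check_nx(const uint8_t *img, size_t len) {
    if (len < EH_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 ||
        img[4] != 2 /* ELFCLASS64 */ || img[5] != 1 /* ELFDATA2LSB */)
        return NX_MALFORMED;
    uint64_t phoff = rd64(img + EH_PHOFF);
    uint16_t phentsize = rd16(img + EH_PHENTSIZE);
    uint16_t phnum = rd16(img + EH_PHNUM);
    if (phentsize < 8 || phoff > len || (uint64_t)phnum * phentsize > len - phoff)
        return NX_MALFORMED;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph) == PT_GNU_STACK)                 /* p_type */
            return (rd32(ph + 4) & PF_X) ? NX_DISABLED : NX_ENABLED; /* p_flags */
    }
    /* No PT_GNU_STACK at all: NX cannot be confirmed; the legacy Linux
       default for such binaries is an executable stack. */
    return NX_NO_GNU_STACK;
}

/* Constructed sample: a minimal ELF64 header followed by one 56-byte program
   header. Only the fields check_nx reads are filled in. */
#define SAMPLE_LEN (EH_SIZE + 56)
static void build_sample(uint8_t out[SAMPLE_LEN], int with_gnu_stack, uint32_t flags) {
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1;              /* ELFCLASS64, ELFDATA2LSB */
    out[EH_PHOFF] = EH_SIZE;             /* e_phoff = 64 (fits in the low byte) */
    out[EH_PHENTSIZE] = 56;              /* e_phentsize */
    out[EH_PHNUM] = 1;                   /* e_phnum */
    uint32_t type = with_gnu_stack ? PT_GNU_STACK : 1u /* PT_LOAD */;
    uint8_t *ph = out + EH_SIZE;
    for (int i = 0; i < 4; i++) {
        ph[i] = (uint8_t)(type >> (8 * i));       /* p_type, little-endian */
        ph[4 + i] = (uint8_t)(flags >> (8 * i));  /* p_flags, little-endian */
    }
}

/* Variant 0: GNU_STACK marked RW (NX on). 1: GNU_STACK marked RWX (NX off).
   Anything else: no GNU_STACK header present. */
enum nx_status sample_status(int variant) {
    uint8_t img[SAMPLE_LEN];
    switch (variant) {
    case 0: build_sample(img, 1, 0x6 /* PF_R|PF_W */); break;
    case 1: build_sample(img, 1, 0x7 /* PF_R|PF_W|PF_X */); break;
    default: build_sample(img, 0, 0x7); break;
    }
    return check_nx(img, SAMPLE_LEN);
}

int main(void) {
    static const char *names[] = { "NX enabled", "NX disabled (RWX stack)",
                                   "no PT_GNU_STACK header", "malformed image" };
    for (int v = 0; v < 3; v++)
        printf("sample %d: %s\n", v, names[sample_status(v)]);
    return 0;
}
```

On a real file the same information comes from `readelf -lW <binary>`: the `GNU_STACK` line shows `RW` for a binary that opted in and `RWE` for one that did not, which is the check worth putting in a build pipeline.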

## Canaries

A reference value (the canary) is placed after the local variables, so an overflow that runs towards the saved frame data has to overwrite it first.

* The value is placed when the function starts (prologue).
* The value is compared before the function exits (epilogue).
* The program is interrupted if the values do not match.

<figure><img src="https://3744219775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUaTnynVhA2CYjsGJT14j%2Fuploads%2FIKvipTXj0BIy3BE9bz7h%2FScreenshot%20from%202024-01-11%2017-39-53.png?alt=media&#x26;token=6f43cab3-391c-46f2-a3da-78780d87b893" alt=""><figcaption></figcaption></figure>

Canary values can still be guessed by brute force.

<figure><img src="https://3744219775-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUaTnynVhA2CYjsGJT14j%2Fuploads%2Fud6T8ap8D9FJV7tBHWvk%2FScreenshot%20from%202024-01-11%2017-40-35.png?alt=media&#x26;token=41e2ed28-96af-4e81-a675-f2a3d324bc36" alt=""><figcaption></figcaption></figure>

* `-fno-stack-protector`: disables stack protection (what we have been using so far).
* `-fstack-protector`: enables stack protection for functions considered vulnerable, i.e. those that contain:
  * A character array larger than 8 bytes.
  * An 8-bit integer array larger than 8 bytes.
  * A call to `alloca()` with either a variable size or a constant size bigger than 8 bytes.
* `-fstack-protector-strong`: enables stack protection for functions considered vulnerable, i.e. those that contain:
  * An array of any size and type.
  * A call to `alloca()`.
  * A local variable that has its address taken.
* `-fstack-protector-all`: adds stack protection to all functions regardless of their vulnerability.
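The following C is an added example, not code from the original notes, that models the canary mechanism described above: the frame a `-fstack-protector` build lays out (buffer, then canary, then saved return address), the prologue that places the reference value, a deliberately unchecked copy into the buffer, and the epilogue comparison. The reference value is a constructed constant; a real build loads a random per-process value instead, and on mismatch calls `__stack_chk_fail` and aborts rather than returning a flag. The copy is clamped to the frame only so that the demo itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of a protected frame, lowest address first:
   local buffer, then the canary, then the saved return address. */
enum { BUF_SIZE = 16, CANARY_SIZE = 8, RET_SIZE = 8 };
enum { FRAME_SIZE = BUF_SIZE + CANARY_SIZE + RET_SIZE };

/* Hypothetical reference value (a real build uses a random per-process
   value, e.g. from fs:0x28 on x86_64 glibc). The zero byte at the lowest
   address mirrors glibc's canaries: a C-string copy that overflows the
   buffer cannot write that zero and keep going, and "%s"-style reads
   of the buffer stop at it instead of leaking the rest of the value. */
static const uint8_t CANARY_REF[CANARY_SIZE] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x01 };

/* Prologue step: place the reference value right after the buffer. */
static void frame_enter(uint8_t frame[FRAME_SIZE]) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, CANARY_REF, CANARY_SIZE);
}

/* The bug being modelled: copies len bytes into the 16-byte buffer with
   no check against BUF_SIZE. The clamp to FRAME_SIZE is only there to
   keep this demonstration itself within bounds. */
static void unchecked_copy(uint8_t frame[FRAME_SIZE], const uint8_t *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    for (size_t i = 0; i < len; i++) frame[i] = src[i];
}

/* Epilogue step: compare before returning. Returns 1 if the canary was
   clobbered (a real build would call __stack_chk_fail here), else 0. */
static int frame_leave_detects_smash(const uint8_t frame[FRAME_SIZE]) {
    return memcmp(frame + BUF_SIZE, CANARY_REF, CANARY_SIZE) != 0;
}

/* Runs one function lifetime for the given input. Returns 1 if the
   overflow would be detected at the epilogue, 0 if the frame is intact. */
int canary_detects(const uint8_t *input, size_t len) {
    uint8_t frame[FRAME_SIZE];
    frame_enter(frame);
    unchecked_copy(frame, input, len);
    return frame_leave_detects_smash(frame);
}

int main(void) {
    uint8_t input[40];                       /* constructed input: all 'A' */
    memset(input, 'A', sizeof input);
    for (size_t n = 8; n <= sizeof input; n += 8)
        printf("%2zu bytes copied -> %s\n", n,
               canary_detects(input, n) ? "smash detected" : "frame intact");
    return 0;
}
```

Copies of up to 16 bytes leave the canary untouched; anything longer overwrites at least its first byte and is caught at the epilogue. Compiling a real program with `-fstack-protector-strong` makes the compiler emit exactly these prologue and epilogue steps for the functions listed above, which is why the flag belongs in default build settings rather than being left to opt-in.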

## Practical Example: return\_to\_libc.c (x86\_64)

On x86_64 the first arguments are passed in registers: `RDI`, `RSI`, `RDX`, `RCX`.

* Approach: load `RDI` with the address of a string and jump to the address of `system`.
* Problem: we cannot jump to the stack (due to NX), so code placed there will not run.

Improved approach:

* Search the existing code for any instruction sequence that loads `RDI` from the stack.
  * We can control what is on the stack, but we cannot execute code from it.
* Jump to the code that loads `RDI` from the stack.
* Jump to `system`.
