RELRO

References:

RELRO

ELF: Executable and Linkable Format.

PIE: Position Independent Executables.

RELRO: Relocation Read-Only.

In dynamic linked ELF:

  • GOT: Global Offset Table.

    • A look-up table containing pointers that point to the actual location of dynamically resolved functions.
    • Lives in the .got.plt section.
    • Located at a static address.
    • Needs to be writable -> its entries can be overwritten by an attacker.
    • Dynamically populated while the program is running:
      • First call: the GOT entry still points back into the PLT stub, which hands control to the dynamic linker; the linker finds the actual location and writes it into the GOT.
      • Second call of the same shared function: the GOT entry already contains the actual function address.
  • PLT: Procedure Linkage Table.

    • Contains instructions that point directly to the GOT.
    • Lives in .plt section.
    • Located at a fixed offset from the .text section.
  • RELRO: Relocation Read-Only.

    • The linker resolves all dynamically linked functions at the start of execution, then makes the GOT read-only.
    • Binary compiled with option -z,relro,-z,now (Full RELRO): the whole GOT is read-only, both the non-PLT part .got and the PLT part .got.plt.
    • Binary compiled with option -z,relro only (Partial RELRO): the non-PLT part .got is read-only; the PLT part .got.plt is still writable.

Tips

Command checksec <binary> shows the binary's mitigations, including its RELRO level:

[huzaifas@babylon ~] $ checksec test
[*] '/home/huzaifas/test'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Command to check the GOT entry address of printf:

$ objdump -R test | grep -i printf
0000000000600fe0 R_X86_64_GLOB_DAT  printf@GLIBC_2.2.5

Created Feb 14, 2022 // Last Updated Feb 14, 2022
