::: GCC PROTECTIONS :::
 
o Stack Smashing Protection (SSP) / ProPolice
   -fstack-protector - enables stack protection for functions using character arrays
   -fno-stack-protector - disables stack protection
 
by default it is included in gcc >=4.1 but not enabled, however it is distro specific
 
to check:
 
mike@quazi(/tmp):$ objdump -d sts | grep stack_chk_fail
080482e8 <__stack_chk_fail@plt>:
 80483f8:       e8 eb fe ff ff          call   80482e8 <__stack_chk_fail@plt>[/code]
 
What it does:
 
1. Reorders local variables so that buffers are placed after pointers
2. Copies pointers in function arguments to an area before local buffers
3. omits instrumentation code from functions to reduce overhead
4. adds a call to __stack_chk_fail() in the epilog
 
o GNU_STACK ELF markings
    -z execstack - enable executable stack
    -z noexecstack - disable executable stack (default)
 
gcc adds the stack marking above when you compile your source code. The default behavior is that your executable ends up with a non-executable stack unless there was some indication that an executable stack was necessary (trampolines).
 
mike@quazi(/tmp):$ gcc -o sts sts.c && readelf -l sts | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
 
mike@quazi(/tmp):$ gcc -z execstack -o sts sts.c && readelf -l sts | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
** There is also a execstack(8) tool included in the prelink package  that can dynamically set or unset the executable stack. **
 
mike@quazi(/tmp):$ readelf -l sts | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
 
mike@quazi(/tmp):$ execstack -c sts && readelf -l sts | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
 
mike@quazi(/tmp):$ execstack -s sts && readelf -l sts | grep -i stack
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
*** Note: if the GNU_STACK marking is missing then the stack is executable ***
 
o Buffer & Format String Vulnerability Checks /  -D_FORTIFY_SOURCE
 
Fortify source protection should be disabled by default, but if you have a distro that does something different you can disable it with:
 
 
mike@quazi(/tmp):$ gcc -O1 -D_FORTIFY_SOURCE=0 -o sts sts.c
 
If a binary is compiled with -D_FORTIFY_SOURCE=n 
  n = 2 / format srings (%n) and buffer checks 
  n = 1 / buffer overflow checks only
 
mike@quazi(/tmp):$ gcc -O1 -D_FORTIFY_SOURCE=2 -o sts sts.c
sts.c: In function 'main':
sts.c:12: warning: call to __builtin___strcpy_chk will always overflow destination buffer
mike@quazi(/tmp):$ ./sts
Stack Smashing @ Home
 
*** buffer overflow detected ***: ./sts terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x44)[0xb7f56944]
/lib/libc.so.6(__strcpy_chk+0x3d)[0xb7f55e3d]
./sts[0x80483e2]
/lib/libc.so.6(__libc_start_main+0xd8)[0xb7e87df8]
./sts[0x8048331]
======= Memory map: ========
08048000-08049000 r-xp 00000000 03:01 6045744    /tmp/sts
08049000-0804a000 rw-p 00000000 03:01 6045744    /tmp/sts
0804a000-0806b000 rw-p 0804a000 00:00 0          [heap]
b7e71000-b7e72000 rw-p b7e71000 00:00 0
b7e72000-b7fae000 r-xp 00000000 03:01 2916420    /lib/libc-2.5.so
b7fae000-b7faf000 r--p 0013c000 03:01 2916420    /lib/libc-2.5.so
b7faf000-b7fb1000 rw-p 0013d000 03:01 2916420    /lib/libc-2.5.so
b7fb1000-b7fb4000 rw-p b7fb1000 00:00 0
b7fc4000-b7fce000 r-xp 00000000 03:01 4784221    /usr/lib/libgcc_s.so.1
b7fce000-b7fcf000 rw-p 00009000 03:01 4784221    /usr/lib/libgcc_s.so.1
b7fcf000-b7fd1000 rw-p b7fcf000 00:00 0
b7fd1000-b7fec000 r-xp 00000000 03:01 2916462    /lib/ld-2.5.so
b7fec000-b7fee000 rw-p 0001b000 03:01 2916462    /lib/ld-2.5.so
bfb91000-bfba6000 rw-p bfb91000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
Aborted
 
mike@quazi(/tmp):$ objdump -d sts | grep _chk
080482e4 <__strcpy_chk@plt>:
 80483dd:       e8 02 ff ff ff          call   80482e4 <__strcpy_chk@plt>
 
::: KERNEL LEVEL PROTECTIONS :::
 
o Address Space Layout Randomization (ASLR)
 
ASLR is in vanilla linux kernels >= 2.6 
 
to disable it:
root@quazi(/tmp):# echo 0 > /proc/sys/kernel/randomize_va_space
or
root@quazi(/tmp):# /sbin/sysctl -w kernel.randomize_va_space=0
and if you only want ASLR disabled for each invokation use setarch(8) (may not be installed in your distro):
mike@quazi(/tmp):$ /usr/sbin/setarch i686 -R ./sts
 
o Exec-Shield
 
In order to disable exec-shield:
 
root@quazi(/tmp):# echo 0 > /proc/sys/kernel/exec-shield
root@quazi(/tmp):# echo 0 > /proc/sys/kernel/exec-shield-randomize
or 
root@quazi(/tmp):# /sbin/sysctl -w kernel.exec-shield=0
root@quazi(/tmp):# /sbin/sysctl -w kernel.exec-shield-randomize=0
*** Note: if you want to maintain the sysctl(8) changes after a reboot add them to sysctl.conf ***
 
SOURCE: sts.c
mike@quazi(/tmp):$ cat sts.c
#include <stdio.h>
#include <string.h>
 
int
main(void)
{
  int a = 1;
  char buf[4];
  char* ptr;
 
  printf("Stack Smashing @ Home\n");
  strcpy(buf, "rehsams");
 
  return(0);
}
 
That should get you going. If I missed something feel free to point it out :) a little too much heffevisen in my system right now.
 
References:
 
[+] http://www.trl.ibm.com/projects/security/ssp/main.html
[+] http://www.linux.org.uk/~ajh/gcc/gccsummit-2003-proceedings.pdf
[+] http://gcc.gnu.org/gcc-4.1/changes.html
[+] http://www.linux.com/feature/29186
[+] http://www.redhat.com/magazine/009jul05/features/execshield/#checks