Binary hardening

From HandWiki
Revision as of 07:20, 5 August 2021 by imported>PolicyEnforcerIA (attribution)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Binary hardening is a software security technique in which binary files are analyzed and modified to protect against common exploits. Binary hardening is independent of compilers and involves the entire toolchain. For example, one binary hardening technique is to detect potential buffer overflows and to substitute in safer code. The advantage of manipulating binaries is that vulnerabilities in legacy code can be fixed automatically without the need for source code, which may be unavailable or obfuscated. Secondly, the same techniques can be applied to binaries from multiple compilers, some of which may be less secure than others.

Binary hardening often involves the non-deterministic modification of control flow and instruction addresses so as to prevent attackers from successfully reusing program code to perform exploits.

Hardening techniques

  • Buffer overflow protection
  • Stack overwriting protection
  • Position independent executables (see Address space layout randomization)
  • Binary stirring (randomizing the address of basic blocks)
  • Pointer masking (protection against code injection)
  • Control flow randomization (to protect against control flow diversion)