SKILL: Binary Protection Bypass — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert binary protection identification and bypass techniques. Covers ASLR, PIE, NX, RELRO, canary, FORTIFY_SOURCE, stack clash, CET shadow stack, and ARM MTE. Each protection is paired with its bypass methods and required primitives. Distilled from ctf-wiki mitigation sections and real-world exploitation. Base models often confuse which protections block which attacks and miss the combinatorial effect of multiple protections.

0. RELATED ROUTING

• stack-overflow-and-rop — ROP chains to bypass NX, ret2libc for ASLR bypass
• format-string-exploitation — primary method for leaking canary, PIE, libc addresses
• heap-exploitation — heap attacks for RELRO bypass (when GOT is read-only)
• arbitrary-write-to-rce — what to overwrite when GOT is protected by RELRO

Advanced Reference

Load PROTECTION_BYPASS_MATRIX.md for comprehensive protection × bypass × primitive matrix.

---

1. PROTECTION IDENTIFICATION

$ checksec ./binary
[*] '/path/to/binary'
    Arch:     amd64-64-little
    RELRO:    Full RELRO          ← GOT read-only
    Stack:    Canary found        ← stack canary enabled
    NX:       NX enabled          ← stack not executable
    PIE:      PIE enabled         ← position-independent code
    FORTIFY:  Enabled             ← fortified libc functions

Quick Identification Table

Protection	Check Command	Binary Indicator
ASLR	cat /proc/sys/kernel/randomize_va_space	OS-level (0=off, 1=partial, 2=full)
PIE	checksec or readelf -h (Type: DYN)	Binary compiled with -pie
NX	checksec or readelf -l (no RWE segment)	gcc -z noexecstack (default on)
Canary	checksec or look for __stack_chk_fail@plt	gcc -fstack-protector-all
Partial RELRO	readelf -l (GNU_RELRO segment, .got.plt writable)	gcc -Wl,-z,relro
Full RELRO	readelf -l + .got section read-only	gcc -Wl,-z,relro,-z,now
FORTIFY	Presence of __printf_chk, __memcpy_chk etc.	gcc -D_FORTIFY_SOURCE=2

---

2. ASLR BYPASS

ASLR randomizes base addresses of stack, heap, libc, and mmap regions at each execution.

Bypass Method	Required Primitive	Notes
Information leak	Any read primitive (format string, OOB read, UAF)	Leak libc/stack/heap address → calculate base
Partial overwrite	Write primitive (limited length)	Overwrite last 1-2 bytes (page offset fixed)
Brute force (32-bit)	Ability to reconnect/retry	~256–4096 attempts (8-12 bits entropy)
Return-to-PLT	Stack overflow	PLT addresses are at fixed offset from binary base (if no PIE)
ret2dlresolve	Stack overflow + write primitive	Resolve arbitrary function without knowing libc base
Format string leak	Format string vulnerability	%N$p for stack/libc/heap addresses
Stack reading	Byte-by-byte (fork server)	Read stack byte-by-byte via crash oracle

ASLR Entropy (x86-64 Linux)

Region	Entropy (bits)	Positions
Stack	22	~4M
mmap / libc	28	~256M
Heap (brk)	13	~8K
PIE binary	28	~256M

---

3. PIE BYPASS

PIE (Position Independent Executable) randomizes the binary's own code/data base address.

Bypass Method	Required Primitive	Notes
Information leak	Read return address from stack	PIE base = leaked_addr - known_offset
Partial overwrite	One-byte or two-byte write	Last 12 bits of page offset are fixed
Format string leak	Format string vulnerability	%N$p where N points to .text return address
Relative addressing	Knowledge of binary layout	If you know relative offsets, only need one leak

Partial Overwrite Details

PIE binary loaded at: 0x555555554000 (example)
Function at offset 0x1234: 0x555555555234

Overwrite return address last 2 bytes: 0x?234 → 0x?XXX
Unknown: bits 12-15 (one nibble = 4 bits = 16 possibilities)
Success rate: 1/16 per attempt

---

4. NX / DEP BYPASS

NX (No-eXecute) / DEP (Data Execution Prevention) prevents execution of code on the stack/heap.

Bypass Method	Detail
ROP (Return-Oriented Programming)	Chain existing code gadgets ending in ret
ret2libc	Call libc functions (system, execve) directly
ret2csu	Use __libc_csu_init gadgets for controlled function calls
ret2dlresolve	Forge dynamic linker structures to resolve arbitrary functions
SROP	Use sigreturn to set all registers from fake signal frame
mprotect ROP	Chain mprotect(addr, size, PROT_RWX) → make page executable → jump to shellcode
JIT spray	In JIT environments (V8, etc.), create executable code via JIT compiler

mprotect Chain

# Make stack executable, then jump to shellcode
rop = b'A' * offset
rop += p64(pop_rdi) + p64(stack_page)     # page-aligned address
rop += p64(pop_rsi) + p64(0x1000)         # size
rop += p64(pop_rdx) + p64(7)              # PROT_READ|PROT_WRITE|PROT_EXEC
rop += p64(mprotect_addr)
rop += p64(shellcode_addr)                 # jump to shellcode on now-executable stack

---

5. RELRO BYPASS

RELRO Level	GOT Status	Bypass
No RELRO	GOT fully writable	Direct GOT overwrite
Partial RELRO	.got.plt writable (lazy binding)	GOT overwrite still works
Full RELRO	All GOT entries resolved at load, GOT read-only	Cannot write GOT → target other structures

Full RELRO Alternative Targets

Target	When	How
__malloc_hook	glibc < 2.34	Overwrite with one_gadget
__free_hook	glibc < 2.34	Overwrite with system, trigger free("/bin/sh")
_IO_FILE vtable	Any glibc	FSOP / vtable hijack
__exit_funcs	Any glibc	Overwrite exit handler list
TLS_dtor_list	glibc ≥ 2.34	Thread-local destructor list (needs pointer guard)
.fini_array	If writable	Overwrite destructor function pointers
Stack return address	Direct stack write	Overwrite return address for ROP

See arbitrary-write-to-rce for comprehensive target list.

---

6. CANARY BYPASS

Method	Condition	Detail
Format string leak	printf(user_input)	%N$p to read canary from stack
Brute-force	fork() server (canary persists in child)	Byte-by-byte: 256 × (canary_size-1) attempts
Stack reading	Partial overwrite / info leak	Overwrite canary's null byte, leak via output
Thread canary overwrite	Overflow reaches TLS	Canary at fs:[0x28]; overflow past buffer to TLS → overwrite canary with known value
Canary-relative overwrite	Overflow after canary but before return addr	Skip canary, only overwrite return address (rare layout)
Heap-based	Vulnerability is on heap, not stack	Canary only protects stack
__stack_chk_fail GOT overwrite	Partial RELRO	Overwrite __stack_chk_fail@GOT to point to harmless function → canary check passes

Canary Format

x86:    0x00XXXXXX (4 bytes, leading null byte)
x86-64: 0x00XXXXXXXXXXXXXX (8 bytes, leading null byte)

The leading \x00 prevents string operations from accidentally reading the canary.

---

7. FORTIFY_SOURCE BYPASS

_FORTIFY_SOURCE=2 adds buffer size checking and restricts format string operations.

Fortified Function	Restriction	Bypass
__printf_chk	%n with positional args (%N$n) forbidden	Use non-positional %n or %hn chain
__memcpy_chk	Destination buffer size checked	Use heap overflow instead of stack
__strcpy_chk	Same
__read_chk	Read size checked against buffer

Format String with FORTIFY_SOURCE

# %1$n is blocked by __printf_chk
# But sequential (non-positional) %n may still work:
# Print exact byte count, then %hn — must be very precise
# Or: find unfortified printf in binary/libc via ROP

---

8. CET (Control-flow Enforcement Technology)

Intel CET adds two mechanisms:

Shadow Stack

• Hardware-maintained copy of return addresses
• On ret, CPU checks shadow stack matches actual stack
• Mismatch → #CP fault (control protection exception)

Impact	Detail
ROP blocked	Return address overwrite detected on ret
JOP possible	jmp [reg] not checked by shadow stack
COP possible	call [reg] pushes to shadow stack but target validated by IBT

Indirect Branch Tracking (IBT)

• Indirect jmp/call must land on ENDBR64 instruction
• Non-ENDBR landing → #CP fault

Bypass:

• Data-only attacks (don't change control flow)
• Find valid ENDBR gadgets that chain into useful operations
• JOP with ENDBR-prefixed gadgets
• Target structures outside CFI scope (modprobe_path, function pointer arrays)

---

9. MTE (Memory Tagging Extension, ARM)

ARM MTE assigns 4-bit tags to memory pointers and allocations. Tag mismatch = fault.

Aspect	Detail
Tag bits	4 bits in pointer (bits 56-59) = 16 possible tags
Granule	16 bytes (each 16-byte granule has one tag)
Check	Load/store: pointer tag must match memory tag
Probabilistic	Random tag → 1/16 chance attacker guesses correctly

Bypass Approaches

Method	Success Rate
Brute-force	1/16 per attempt (6.25%)
Tag oracle	Side-channel to determine tag (timing, error messages)
In-bounds exploit	Stay within same tagged region (use relative offsets)
Tag bypass gadget	Use LDGM/STGM instructions if accessible
Speculative execution	Spectre-style bypass of tag check

---

10. DECISION TREE

Binary analysis: checksec output
├── NX disabled?
│   └── Shellcode on stack/heap (simplest path)
│
├── NX enabled (standard modern binary)?
│   ├── Need code execution → ROP/ret2libc
│   │
│   ├── Canary enabled?
│   │   ├── fork server? → byte-by-byte brute-force
│   │   ├── Format string? → leak canary via %p
│   │   ├── Heap vuln? → canary doesn't protect heap
│   │   └── Partial RELRO? → overwrite __stack_chk_fail@GOT
│   │
│   ├── PIE enabled?
│   │   ├── Format string? → leak .text address → PIE base
│   │   ├── Partial overwrite → last 12 bits fixed (1/16 brute-force)
│   │   └── OOB read? → leak code pointer
│   │
│   ├── ASLR enabled?
│   │   ├── Info leak available → leak libc base
│   │   ├── No leak → ret2dlresolve or SROP
│   │   ├── 32-bit? → brute-force feasible (~4096 attempts)
│   │   └── Return-to-PLT (no libc base needed for PLT calls)
│   │
│   ├── RELRO level?
│   │   ├── None/Partial → GOT overwrite
│   │   └── Full → alternative targets:
│   │       ├── glibc < 2.34 → __malloc_hook / __free_hook
│   │       ├── glibc ≥ 2.34 → _IO_FILE / exit_funcs / TLS_dtor_list
│   │       ├── .fini_array (if writable)
│   │       └── Stack return address
│   │
│   └── FORTIFY_SOURCE?
│       ├── Blocks positional %n → use sequential %n or heap exploit
│       └── Blocks buffer overflows in fortified functions → use unfortified paths
│
├── CET (shadow stack)?
│   ├── ROP blocked → data-only attack or JOP
│   └── ENDBR-gadget chaining
│
└── MTE (ARM)?
    ├── 1/16 brute-force
    └── Stay in-bounds for relative corruption