grsecurity - theoretical and practical application
Enhanced Linux System Security
G. Geshev
Open Fest 2010
20 - 21 November
Sofia, Bulgaria
GRSECURITY/PAX
Theoretical & Practical Application
About GRSECURITY (Greater Security)
▪ Back in the day: 2000/2001
▪ Port of the Openwall (Owl) patch to Linux 2.4.1
▪ Set of Kernel Patches Enhancing System Security
▪ Memory Corruption Exploit Mitigation (PaX),
▪ Role-Based Access Control System,
▪ Filesystem Security Enhancements,
▪ Enhanced chroot(),
▪ Kernel Auditing, etc.
Components (most of ‘em)
▪ PaX (non-executable memory, not to be confused with OpenBSD's W^X, plus ASLR),
▪ paxctl (user-space PaX flags control utility)
▪ pspax, scanelf, dumpelf (pax-utils)
▪ paxtest (buffer overflow protection test suite)
▪ Role-Based Access Control (RBAC) System,
▪ gradm (RBAC Administration Console)
▪ Enhanced chroot(),
▪ Miscellaneous Features (Improved Filesystem Security), etc
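As an added example (not from the talk, and not pax-utils or paxctl code), the C program below reads the two program headers those tools inspect: PT_GNU_STACK, whose PF_X bit requests an executable stack, and PT_PAX_FLAGS, whose p_flags carry the per-binary PaX markings that paxctl sets. The ELF64 image is constructed in memory; the PT_PAX_FLAGS type value and the PF_PAGEEXEC .. PF_NORANDMMAP bits are those PaX defines, and the "forced on / forced off / not marked" tri-state is the same meaning paxctl's upper-case, lower-case and dash letters have.

```c
/* Added example (not pax-utils/paxctl code): decode PT_GNU_STACK and
 * PT_PAX_FLAGS from an ELF64 image held in memory. The image is constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <elf.h>

#ifndef PT_PAX_FLAGS
#define PT_PAX_FLAGS 0x65041580        /* PaX-specific program header type */
#endif
#ifndef PF_PAGEEXEC                    /* PaX flag bits in p_flags of PT_PAX_FLAGS */
#define PF_PAGEEXEC    (1U << 4)
#define PF_NOPAGEEXEC  (1U << 5)
#define PF_SEGMEXEC    (1U << 6)
#define PF_NOSEGMEXEC  (1U << 7)
#define PF_MPROTECT    (1U << 8)
#define PF_NOMPROTECT  (1U << 9)
#define PF_RANDEXEC    (1U << 10)
#define PF_NORANDEXEC  (1U << 11)
#define PF_EMUTRAMP    (1U << 12)
#define PF_NOEMUTRAMP  (1U << 13)
#define PF_RANDMMAP    (1U << 14)
#define PF_NORANDMMAP  (1U << 15)
#endif

struct pax_info {
    int has_gnu_stack;   /* PT_GNU_STACK present */
    int exec_stack;      /* PT_GNU_STACK carries PF_X: executable stack requested */
    int has_pax_flags;   /* PT_PAX_FLAGS present */
    uint32_t pax_flags;  /* raw p_flags of PT_PAX_FLAGS */
};

/* Returns 0 on success, -1 if the buffer is not a sane little-endian ELF64 image. */
int read_pax_info(const uint8_t *img, size_t len, struct pax_info *out)
{
    Elf64_Ehdr eh;
    memset(out, 0, sizeof *out);
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    /* bounds check: every program header must lie inside the buffer */
    if (eh.e_phoff > len || (len - eh.e_phoff) / sizeof(Elf64_Phdr) < eh.e_phnum) return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            out->has_gnu_stack = 1;
            out->exec_stack = (ph.p_flags & PF_X) != 0;
        } else if (ph.p_type == PT_PAX_FLAGS) {
            out->has_pax_flags = 1;
            out->pax_flags = ph.p_flags;
        }
    }
    return 0;
}

/* Tri-state per feature: 1 = forced on, -1 = forced off, 0 = not marked (kernel default). */
int pax_feature_state(uint32_t flags, uint32_t on_bit, uint32_t off_bit)
{
    if (flags & on_bit) return 1;
    if (flags & off_bit) return -1;
    return 0;
}

/* Build a constructed ELF64 image: header plus PT_GNU_STACK and PT_PAX_FLAGS entries. */
size_t build_sample_elf(uint8_t *buf, size_t cap, uint32_t stack_flags, uint32_t pax_flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    size_t total = sizeof eh + sizeof ph;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = PT_GNU_STACK; ph[0].p_flags = stack_flags;
    ph[1].p_type = PT_PAX_FLAGS; ph[1].p_flags = pax_flags;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    return total;
}

int main(void)
{
    uint8_t img[256];
    /* Constructed sample: non-executable stack, MPROTECT forced off, RANDMMAP forced on. */
    size_t n = build_sample_elf(img, sizeof img, PF_R | PF_W, PF_NOMPROTECT | PF_RANDMMAP);
    struct pax_info pi;
    if (read_pax_info(img, n, &pi) != 0) { puts("not an ELF64 image"); return 1; }
    printf("PT_GNU_STACK: %s\n", !pi.has_gnu_stack ? "absent" : pi.exec_stack ? "executable stack" : "non-executable stack");
    printf("PT_PAX_FLAGS: %s (0x%08x)\n", pi.has_pax_flags ? "present" : "absent", pi.pax_flags);
    printf("PAGEEXEC %d  MPROTECT %d  RANDMMAP %d  (1 on, -1 off, 0 unmarked)\n",
           pax_feature_state(pi.pax_flags, PF_PAGEEXEC, PF_NOPAGEEXEC),
           pax_feature_state(pi.pax_flags, PF_MPROTECT, PF_NOMPROTECT),
           pax_feature_state(pi.pax_flags, PF_RANDMMAP, PF_NORANDMMAP));
    return 0;
}
```

The check a practitioner wants from this is the one paxctl -v answers: a binary marked PF_NOMPROTECT (as in the sample) has opted out of MPROTECT even on a kernel where it is enabled, so an audit of the PaX markings on setuid and network-facing binaries belongs next to the kernel configuration review.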
Involvement
▪ The PaX Team
▪ Brad Spengler (not Brad Spender)
▪ Zbyniu Krzystolik
▪ Michael Dalton
Detection
▪ Enhanced Kernel Auditing
(GRKERNSEC_AUDIT_GROUP, GRKERNSEC_AUDIT_GID)
▪ Exec logging (GRKERNSEC_EXECLOG)
▪ Resource logging
(GRKERNSEC_RESLOG, GRKERNSEC_FORKFAIL)
▪ Log execs within chroot (GRKERNSEC_CHROOT_EXECLOG)
▪ Ptrace logging (GRKERNSEC_AUDIT_PTRACE)
▪ Chdir logging (GRKERNSEC_AUDIT_CHDIR)
Detection (cont.)
▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT)
▪ Signal logging (GRKERNSEC_SIGNAL)
▪ Fork failure logging (GRKERNSEC_FORKFAIL)
▪ Time change logging (GRKERNSEC_TIME)
▪ /proc/<pid>/ipaddr support (GRKERNSEC_PROC_IPADDR)
▪ Denied RWX mmap/mprotect logging
(GRKERNSEC_RWXMAP_LOG)
Detection (cont.)
▪ ELF text relocations logging (GRKERNSEC_AUDIT_TEXTREL)
▪ Logging Options -
▪ Minimum seconds between log messages
(GRKERNSEC_FLOODTIME)
▪ Maximum number of messages in a burst
(GRKERNSEC_FLOODBURST)
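Added example, not grsecurity's own implementation: a model of how GRKERNSEC_FLOODTIME and GRKERNSEC_FLOODBURST bound the audit stream from the Detection slides, replayed over a constructed burst of alert timestamps. The interval reset and the single "logging disabled" notice follow the documented behaviour; the values 10 seconds and 6 messages are the upstream Kconfig defaults.

```c
/* Added example (not grsecurity code): model of the FLOODTIME/FLOODBURST
 * rate limit on grsec log messages, replayed over constructed event times. */
#include <stdio.h>

struct flood_limiter {
    unsigned floodtime;    /* seconds per interval (GRKERNSEC_FLOODTIME, default 10) */
    unsigned floodburst;   /* max messages per interval (GRKERNSEC_FLOODBURST, default 6) */
    unsigned window_start; /* start of the current interval, in seconds */
    unsigned in_window;    /* messages already logged in this interval */
    int notice_sent;       /* "logging disabled" notice already emitted for this interval */
    unsigned logged, suppressed;
};

void flood_init(struct flood_limiter *fl, unsigned floodtime, unsigned floodburst)
{
    fl->floodtime = floodtime; fl->floodburst = floodburst;
    fl->window_start = 0; fl->in_window = 0; fl->notice_sent = 0;
    fl->logged = fl->suppressed = 0;
}

/* Decide whether a message at time `now` is logged: 1 = logged, 0 = dropped.
 * A new interval starts once floodtime seconds have passed since the current
 * one began; beyond floodburst messages in an interval everything is dropped,
 * after one notice that logging is disabled for the rest of the interval. */
int flood_admit(struct flood_limiter *fl, unsigned now)
{
    if (now - fl->window_start >= fl->floodtime) {   /* unsigned wrap also resets on clock steps */
        fl->window_start = now;
        fl->in_window = 0;
        fl->notice_sent = 0;
    }
    if (fl->in_window < fl->floodburst) {
        fl->in_window++;
        fl->logged++;
        return 1;
    }
    if (!fl->notice_sent) {
        fl->notice_sent = 1;
        printf("t=%u: more alerts, logging disabled for the rest of the %u-second interval\n",
               now, fl->floodtime);
    }
    fl->suppressed++;
    return 0;
}

/* Replay constructed event times through the limiter; returns how many were logged. */
unsigned flood_replay(struct flood_limiter *fl, const unsigned *times, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        int ok = flood_admit(fl, times[i]);
        printf("t=%3u event %2u: %s\n", times[i], i, ok ? "logged" : "suppressed");
    }
    return fl->logged;
}

int main(void)
{
    /* Constructed: a brute-force attempt raising 20 alerts in 4 seconds (5 per second
     * from t=100), then a single unrelated alert at t=130. */
    unsigned times[21];
    for (unsigned i = 0; i < 20; i++) times[i] = 100 + i / 5;
    times[20] = 130;

    struct flood_limiter fl;
    flood_init(&fl, 10, 6);                       /* the upstream defaults */
    unsigned logged = flood_replay(&fl, times, 21);
    printf("logged %u, suppressed %u\n", logged, fl.suppressed);
    return 0;
}
```

With the defaults, the 20-alert burst leaves 6 log lines and the 14 others are only visible through the notice; a detection rule keyed on alert counts must treat the notice itself as the signal, or FLOODBURST must be raised on hosts where log volume is not a concern.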
Prevention
▪ Executable Protections –
▪ Deter ptrace-based process snooping
(GRKERNSEC_HARDEN_PTRACE)
▪ Trusted Path Execution
(GRKERNSEC_TPE, GRKERNSEC_TPE_ALL,
GRKERNSEC_TPE_GID, GRKERNSEC_TPE_INVERT)
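Added example (not grsecurity code): a userland model of the Trusted Path Execution decision, so the effect of the four GRKERNSEC_TPE options can be tried on constructed users and directories. The rules follow the Kconfig help text: restricted users may only execute from root-owned directories that are not group- or world-writable; TPE_INVERT makes the GID a trusted group and restricts everyone else; TPE_ALL additionally lets every non-root user, trusted group included, run only from such root-owned directories or from directories they own with the same write restrictions. The users, GIDs and directory modes are constructed.

```c
/* Added example (not grsecurity code): model of the TPE exec decision under
 * GRKERNSEC_TPE, _TPE_GID, _TPE_INVERT and _TPE_ALL, over constructed metadata. */
#include <stdio.h>

#define W_GRP 0020   /* group-write permission bit */
#define W_OTH 0002   /* other-write permission bit */

struct tpe_config {
    int enabled;       /* GRKERNSEC_TPE */
    int invert;        /* GRKERNSEC_TPE_INVERT: tpe_gid is trusted, everyone else is restricted */
    int tpe_all;       /* GRKERNSEC_TPE_ALL: weaker rule for every non-root user, trusted group included */
    unsigned tpe_gid;  /* GRKERNSEC_TPE_GID */
};

struct dir_meta {      /* the directory holding the executable, as the kernel sees it */
    unsigned owner_uid;
    unsigned mode;     /* permission bits, octal */
};

/* Root-owned and writable only by root: the path is trusted. */
int tpe_dir_root_trusted(const struct dir_meta *d)
{
    return d->owner_uid == 0 && (d->mode & (W_GRP | W_OTH)) == 0;
}

/* TPE_ALL also accepts a directory the user owns, if it is not group- or world-writable. */
int tpe_dir_user_trusted(const struct dir_meta *d, unsigned uid)
{
    return tpe_dir_root_trusted(d) ||
           (d->owner_uid == uid && (d->mode & (W_GRP | W_OTH)) == 0);
}

int in_group(unsigned gid, const unsigned *gids, unsigned ngids)
{
    for (unsigned i = 0; i < ngids; i++)
        if (gids[i] == gid) return 1;
    return 0;
}

/* Returns 1 if an exec from `dir` is allowed for this user, 0 if TPE denies it. */
int tpe_allows_exec(const struct tpe_config *c, unsigned uid,
                    const unsigned *gids, unsigned ngids, const struct dir_meta *dir)
{
    if (!c->enabled || uid == 0) return 1;           /* TPE never restricts root */
    int member = in_group(c->tpe_gid, gids, ngids);
    /* Full restriction: members of the untrusted group, or with INVERT everyone outside the trusted group. */
    int restricted = c->invert ? !member : member;
    if (restricted && !tpe_dir_root_trusted(dir)) return 0;
    /* Weaker restriction for every non-root user when TPE_ALL is set. */
    if (c->tpe_all && !tpe_dir_user_trusted(dir, uid)) return 0;
    return 1;
}

static const char *verdict(int ok) { return ok ? "allowed" : "denied"; }

int main(void)
{
    /* Constructed users and directories. */
    unsigned alice_gids[] = { 1000, 1005 };        /* alice is in the TPE group 1005 */
    unsigned bob_gids[]   = { 1001 };              /* bob is not */
    struct dir_meta usr_bin   = { 0,    0755  };   /* /usr/bin: root-owned, root-writable only */
    struct dir_meta tmp       = { 0,    01777 };   /* /tmp: root-owned but world-writable */
    struct dir_meta alice_bin = { 1000, 0700  };   /* ~alice/bin */

    struct tpe_config tpe = { .enabled = 1, .invert = 0, .tpe_all = 0, .tpe_gid = 1005 };
    printf("TPE, group 1005 restricted:\n");
    printf("  alice from /usr/bin:   %s\n", verdict(tpe_allows_exec(&tpe, 1000, alice_gids, 2, &usr_bin)));
    printf("  alice from /tmp:       %s\n", verdict(tpe_allows_exec(&tpe, 1000, alice_gids, 2, &tmp)));
    printf("  bob from /tmp:         %s\n", verdict(tpe_allows_exec(&tpe, 1001, bob_gids, 1, &tmp)));

    tpe.tpe_all = 1;
    printf("TPE + TPE_ALL:\n");
    printf("  bob from /tmp:         %s\n", verdict(tpe_allows_exec(&tpe, 1001, bob_gids, 1, &tmp)));
    printf("  alice from ~alice/bin: %s\n", verdict(tpe_allows_exec(&tpe, 1000, alice_gids, 2, &alice_bin)));
    return 0;
}
```

The case worth noticing is the last one: with TPE_ALL enabled, a user in the restricted group still cannot run from a directory she owns, because the full root-owned-only rule applies to her before the weaker TPE_ALL rule is considered.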
Prevention (cont.)
▪ Network Protections –
▪ Larger entropy pools (GRKERNSEC_RANDNET)
▪ TCP/UDP blackhole (GRKERNSEC_BLACKHOLE)
▪ Socket restrictions
(GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL, GRKERNSEC_SOCKET_ALL_GID, GRKERNSEC_SOCKET_CLIENT, GRKERNSEC_SOCKET_CLIENT_GID, GRKERNSEC_SOCKET_SERVER, GRKERNSEC_SOCKET_SERVER_GID)
Prevention (cont.)
▪ Address Space Protection -
▪ Remove addresses from /proc/<pid>/[smaps|maps|stat] (GRKERNSEC_PROC_MEMMAP)
▪ Deny writing to /dev/kmem, /dev/mem, and /dev/port (GRKERNSEC_KMEM)
▪ Deter exploit bruteforcing (GRKERNSEC_BRUTE)
▪ Harden module auto-loading (GRKERNSEC_MODHARDEN)
▪ Hide kernel symbols (GRKERNSEC_HIDESYM)
▪ Hide kernel processes (GRKERNSEC_ACL_HIDEKERN)
Prevention (cont.)
▪ RBAC password lockout: maximum tries and lockout time
(GRKERNSEC_ACL_MAXTRIES, GRKERNSEC_ACL_TIMEOUT)
▪ Filesystem Protections -
▪ Proc restrictions (GRKERNSEC_PROC, GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP, GRKERNSEC_PROC_ADD)
▪ Linking restrictions (GRKERNSEC_LINK)
▪ FIFO restrictions (GRKERNSEC_FIFO)
▪ Runtime read-only mount protection (GRKERNSEC_ROFS)
Prevention (cont.)
▪ Chroot jail restrictions -
(GRKERNSEC_CHROOT, GRKERNSEC_CHROOT_MOUNT,
GRKERNSEC_CHROOT_DOUBLE, GRKERNSEC_CHROOT_PIVOT,
GRKERNSEC_CHROOT_CHDIR, GRKERNSEC_CHROOT_CHMOD,
GRKERNSEC_CHROOT_FCHDIR, GRKERNSEC_CHROOT_MKNOD,
GRKERNSEC_CHROOT_SYSCTL)
Prevention (cont.)
Address Space Modification Protection
▪ NOEXEC (least privilege enforcement)
▪ PAGEEXEC, SEGMEXEC
▪ MPROTECT
▪ KERNEXEC
▪ Address Space Layout Randomization
▪ RANDUSTACK (delta_stack)
▪ RANDEXEC (delta_exec)
▪ RANDMMAP (delta_mmap)
▪ RANDKSTACK
▪ PAX_PAGEEXEC: paging-based non-executable pages
▪ Hardware NX bit support: alpha, ppc, parisc, sparc, sparc64, amd64, ia64
▪ PAX_SEGMEXEC: segmentation-based non-executable pages (i386 only)
▪ Splits the user address space in half: the data segment covers the lower half,
the code segment the upper half
▪ Every executable mapping in the lower half is mirrored into the upper half, so an
instruction fetch from a data page (lower half) falls outside the code segment and faults
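Added example (not PaX or paxtest code) for the NOEXEC and MPROTECT slides: a probe that issues the three memory-permission requests PaX MPROTECT refuses, creating a writable and executable anonymous mapping, creating an executable anonymous mapping, and turning a writable mapping executable with mprotect(). On a stock kernel all three succeed; on a PaX kernel with MPROTECT active for the running binary they fail with EPERM and, with GRKERNSEC_RWXMAP_LOG, the denial is logged. The 4096-byte length is an assumption that the kernel rounds up to its page size, and the MAP_ANONYMOUS fallback value is the x86/ARM one.

```c
/* Added example (not PaX/paxtest code): probe the W^X transitions that
 * PaX MPROTECT refuses, so a process can tell whether it is being enforced. */
#define _GNU_SOURCE
#include <sys/mman.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* assumption: x86/ARM value, for strict-standard builds */
#endif
#define PROBE_LEN 4096          /* assumption: the kernel rounds this up to its page size */

struct wx_probe {
    int rwx_anon;   /* errno from mmap(RWX, anonymous); 0 = allowed */
    int rx_anon;    /* errno from mmap(RX, anonymous): "executable anonymous mapping" */
    int rw_to_rx;   /* errno from mprotect(RW anon -> RX): "non-executable made executable" */
    int rw_anon;    /* errno from a plain RW anonymous mapping; expected 0 everywhere */
};

static int try_mmap(int prot)
{
    void *p = mmap(NULL, PROBE_LEN, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* The JIT pattern MPROTECT breaks: write into a page, then ask for it to become executable. */
static int try_rw_to_rx(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    memset(p, 0, PROBE_LEN);                      /* populate the page before flipping permissions */
    int rc = mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, PROBE_LEN);
    return rc;
}

void wx_probe_run(struct wx_probe *r)
{
    r->rwx_anon = try_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    r->rx_anon  = try_mmap(PROT_READ | PROT_EXEC);
    r->rw_to_rx = try_rw_to_rx();
    r->rw_anon  = try_mmap(PROT_READ | PROT_WRITE);
}

/* 1 when every W^X-violating request was refused (MPROTECT-style enforcement), else 0. */
int wx_enforced(const struct wx_probe *r)
{
    return r->rwx_anon != 0 && r->rx_anon != 0 && r->rw_to_rx != 0;
}

/* A probe result is 0 (allowed) or a policy denial; any other errno means the probe itself broke. */
int wx_result_sane(int rc)
{
    return rc == 0 || rc == EPERM || rc == EACCES;
}

static const char *describe(int rc) { return rc ? strerror(rc) : "allowed"; }

int main(void)
{
    struct wx_probe r;
    wx_probe_run(&r);
    printf("RWX anonymous mmap:      %s\n", describe(r.rwx_anon));
    printf("RX anonymous mmap:       %s\n", describe(r.rx_anon));
    printf("mprotect RW -> RX:       %s\n", describe(r.rw_to_rx));
    printf("RW anonymous mmap:       %s\n", describe(r.rw_anon));
    printf("W^X enforced for this process: %s\n", wx_enforced(&r) ? "yes" : "no");
    return 0;
}
```

Because MPROTECT is a per-binary PaX flag, the answer is about the running executable, not only the kernel: the same kernel reports "yes" for a default binary and "no" for one marked PF_NOMPROTECT with paxctl, which is why paxtest runs its probes as separate marked and unmarked binaries.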
Address Space Layout Randomization (figures for 32-bit x86)
▪ User-space stack: RANDUSTACK, delta_stack, 24 bits
▪ Kernel-space stack: RANDKSTACK
▪ Mmap-managed heap and library images: RANDMMAP, delta_mmap, 16 bits
▪ Executable image: RANDEXEC, delta_exec, 16 bits
▪ Brk-managed heap: 12 bits
Refs
http://www.phrack.org/issues.html?issue=66&id=2#article
http://www.phrack.org/issues.html?issue=52&id=6#article
http://www.grsecurity.net/~spender/
http://pax.grsecurity.net/
http://www.gentoo.org/proj/en/hardened/
https://xorl.wordpress.com/category/grsecurity/
apropos();
Questions?