grsecurity - theoretical and practical application

DESCRIPTION

Enhanced Linux System Security

Page 1: Grsecurity - Theoretical and Practical Application

G. Geshev

Open Fest 2010

20 - 21 November

Sofia, Bulgaria

GRSECURITY/PAX

Theoretical & Practical Application

Page 2

About GRSECURITY (Greater Security)

▪ Back in the days... 2000/2001

▪ Port of the Owl project to Linux 2.4.1

▪ Set of Kernel Patches Enhancing System Security

▪ Memory Corruption Bugs Exploitation Mitigation,

▪ Role-Based Access Control System,

▪ Filesystem Security Enhancements,

▪ Enhanced chroot(),

▪ Kernel Auditing, etc.

Page 3

Components (most of 'em)

▪ PaX (NX not to be confused with W^X (OBSD), ASLR),

▪ paxctl (user-space PaX flags control utility)

▪ pspax, scanelf, dumpelf (pax-utils)

▪ paxtest (buffer overflow protection test suite)

▪ Role-Based Access Control (RBAC) System,

▪ gradm (RBAC Administration Console)

▪ Enhanced chroot(),

▪ Miscellaneous Features (Improved Filesystem Security), etc

Page 4

Involvement

▪ The PaX Developers –

[email protected]

▪ Brad Spengler (not Brad Spender) -

[email protected]

▪ Zbyniu Krzystolik

▪ Michael Dalton

Page 5

Detection

▪ Enhanced Kernel Auditing

(GRKERNSEC_AUDIT_GROUP, GRKERNSEC_AUDIT_GID)

▪ Exec logging (GRKERNSEC_EXECLOG)

▪ Resource logging

(GRKERNSEC_RESLOG, GRKERNSEC_FORKFAIL)

▪ Log execs within chroot (GRKERNSEC_CHROOT_EXECLOG)

▪ Ptrace logging (GRKERNSEC_AUDIT_PTRACE)

▪ Chdir logging (GRKERNSEC_AUDIT_CHDIR)

Page 6

Detection (cont.)

▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT)

▪ Signal logging (GRKERNSEC_SIGNAL)

▪ Fork failure logging (GRKERNSEC_FORKFAIL)

▪ Time change logging (GRKERNSEC_TIME)

▪ /proc/<pid>/ipaddr support (GRKERNSEC_PROC_IPADDR)

▪ Denied RWX mmap/mprotect logging

(GRKERNSEC_RWXMAP_LOG)

Page 7

Detection (cont.)

▪ ELF text relocations logging (GRKERNSEC_AUDIT_TEXTREL)

▪ Logging Options -

▪ Seconds in between log messages (min)

(GRKERNSEC_FLOODTIME)

▪ Number of messages in a burst (max)

(GRKERNSEC_FLOODBURST)

Page 8

Prevention

▪ Executable Protections –

▪ Deter ptrace-based process snooping

(GRKERNSEC_HARDEN_PTRACE)

▪ Trusted Path Execution

(GRKERNSEC_TPE, GRKERNSEC_TPE_ALL,

GRKERNSEC_TPE_GID, GRKERNSEC_TPE_INVERT)

Page 9

Prevention (cont.)

▪ Network Protections –

▪ Larger entropy pools (GRKERNSEC_RANDNET)

▪ TCP/UDP blackhole (GRKERNSEC_BLACKHOLE)

▪ Socket restrictions

(GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL, GRKERNSEC_SOCKET_ALL_GID, GRKERNSEC_SOCKET_CLIENT, GRKERNSEC_SOCKET_CLIENT_GID, GRKERNSEC_SOCKET_SERVER, GRKERNSEC_SOCKET_SERVER_GID)

Page 10

Prevention (cont.)

▪ Address Space Protection -

▪ Remove addresses from /proc/<pid>/[smaps|maps|stat] (GRKERNSEC_PROC_MEMMAP)

▪ Deny writing to /dev/kmem, /dev/mem, and /dev/port (GRKERNSEC_KMEM)

▪ Deter exploit bruteforcing (GRKERNSEC_BRUTE)

▪ Harden module auto-loading (GRKERNSEC_MODHARDEN)

▪ Hide kernel symbols (GRKERNSEC_HIDESYM)

▪ Hide kernel processes (GRKERNSEC_ACL_HIDEKERN)

Page 11

Prevention (cont.)

▪ Maximum tries before password lockout

(GRKERNSEC_ACL_MAXTRIES, GRKERNSEC_ACL_TIMEOUT)

▪ Filesystem Protections -

▪ Proc restrictions (GRKERNSEC_PROC, GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP, GRKERNSEC_PROC_ADD)

▪ Linking restrictions (GRKERNSEC_LINK)

▪ FIFO restrictions (GRKERNSEC_FIFO)

▪ Runtime read-only mount protection (GRKERNSEC_ROFS)

Page 12

Prevention (cont.)

▪ Chroot jail restrictions -

(GRKERNSEC_CHROOT, GRKERNSEC_CHROOT_MOUNT,

GRKERNSEC_CHROOT_DOUBLE, GRKERNSEC_CHROOT_PIVOT,

GRKERNSEC_CHROOT_CHDIR, GRKERNSEC_CHROOT_CHMOD,

GRKERNSEC_CHROOT_FCHDIR, GRKERNSEC_CHROOT_MKNOD,

GRKERNSEC_CHROOT_SYSCTL)

Page 13

Prevention (cont.)

Address Space Modification Protection

▪ NOEXEC (least privilege enforcement)

▪ PAGEEXEC, SEGMEXEC

▪ MPROTECT

▪ KERNEXEC

▪ Address Space Layout Randomization

▪ RANDUSTACK (delta_stack)

▪ RANDEXEC (delta_exec)

▪ RANDMMAP (delta_mmap)

▪ RANDKSTACK

Page 14

▪ PAX_PAGEEXEC: paging-based non-executable pages

▪ NX bit support - alpha, ppc, parisc, sparc, sparc64, amd64, ia64

▪ PAX_SEGMEXEC: segmentation-based non-executable pages

▪ Duplicating every executable page in the lower half of the address space into the upper half.

▪ Code Segment

▪ Data Segment
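As an added example (not from the talk, and not paxctl's or pax-utils' own code), a small Python reader for the per-binary PT_PAX_FLAGS program header that paxctl sets and scanelf reports: the program-header type and flag bits are PaX's ELF extension constants as assumed here, the letter scheme follows paxctl's upper/lower-case convention, and the ELF image it inspects is constructed inline rather than read from a real binary.

```python
import struct

# PaX records per-binary exceptions (MPROTECT off for a JIT, RANDMMAP off, ...) in a
# dedicated program header; these are PaX's ELF extension values (assumed, not from the talk).
PT_PAX_FLAGS = 0x65041580

# (letter, feature, "force on" bit, "force off" bit), mirroring paxctl's flag letters.
PAX_FLAG_PAIRS = [
    ("P", "PAGEEXEC", 1 << 4, 1 << 5),
    ("S", "SEGMEXEC", 1 << 6, 1 << 7),
    ("M", "MPROTECT", 1 << 8, 1 << 9),
    ("X", "RANDEXEC", 1 << 10, 1 << 11),
    ("E", "EMUTRAMP", 1 << 12, 1 << 13),
    ("R", "RANDMMAP", 1 << 14, 1 << 15),
]

def pax_flags(elf: bytes):
    """Return the p_flags word of the PT_PAX_FLAGS entry, or None if the binary has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def describe(p_flags):
    """One letter per feature: upper = forced on, lower = forced off, '-' = kernel default."""
    out = []
    for letter, _name, on_bit, off_bit in PAX_FLAG_PAIRS:
        out.append(letter if p_flags & on_bit else letter.lower() if p_flags & off_bit else "-")
    return "".join(out)

def build_sample_elf(p_flags, p_type=PT_PAX_FLAGS):
    """Constructed minimal ELF64 image: header plus one program header (not a runnable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr

if __name__ == "__main__":
    # A JIT-style exception: MPROTECT and RANDMMAP forced off, everything else left to the kernel.
    sample = build_sample_elf((1 << 9) | (1 << 15))
    print("PaX flags:", describe(pax_flags(sample)))   # --m--r
```

A binary whose flags show lower-case letters has opted out of that PaX protection, which is exactly the exception list an auditor wants to review on a hardened host.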

Page 15

Address Space Layout Randomization

▪ User space stack delta_stack (24 bits)

▪ Kernel space stack delta_exec (24 bits)

▪ Mmap-managed heap delta_mmap (16 bits)

▪ Executable image (16 bits)

▪ Brk-managed heap (12 bits)

▪ Library images

Page 16

Refs

http://www.phrack.org/issues.html?issue=66&id=2#article

http://www.phrack.org/issues.html?issue=52&id=6#article

http://www.grsecurity.net/~spender/

http://pax.grsecurity.net/

http://www.gentoo.org/proj/en/hardened/

https://xorl.wordpress.com/category/grsecurity/

Page 17

apropos();

Questions?

Page 18

exit();

Thank you for attending this lecture.

Feedback –

mailto: [email protected]