Gentoo revdep-pax introduction

+ +1 +2012-02-19 + + +What's <c>revdep-pax</c> about? + +

+Since the early days of PaX it was known that all programs were equal although +some were more equal than others and needed an environment with less +restrictions in order to be able to run. Thus, in order to have a secure way of +allowing system administrators and users telling the system which binaries +needed this lessened environment the PaX marks were created. +

+ +

+A quick introduction to PaX markings. + + +

+There are some programs which won't be able to run in an environment with all +the PaX features enabled, for example you may have a program which has so called +text relocations or you may have a language interpreter doing JIT code +compilation and requiring RWX mappings you may also have a program that +saves data including internal pointers into an mmaped file and which needs to be +restored in the same place no matter what. You could also be holding a security +competition and need to disable the execution restrictions and force it to +use fixed addresses on a particular program so it can be exploited doing a +simple nop sled based stack overflow to get to the next level. For taking into +account these issues binaries can be marked to force on or off some of the PaX +features. +

+ +

+Currently, the PaX features that can be lessened or enforced to allow programs +to run are: +

+ +

PAGEEXEC: Paging based execution restrictions. This is what other OSes know as + NX.
EMUTRAMP: Trampoline emulation. Required by for amongst other things code with + nested functions.
MPROTECT: Prevents the introduction of new executable code in the task. This is the + one you are more likely to need disabling with libraries generating JIT code. +
RANDMMAP: Randomizes the addresses where mappings are made unless the program + explicitly requests one (using the MAP_FIXED flag).
RANDEXEC: This flag is currently deprecated and was used to enforce random placement + of the executable part of the binary.
SEGMEXEC: This flag enables segmentation based execution protection. This feature is + not available on the amd64 architecture so in that architecture is disables by + default.

+ +

+There are various ways in which this advice to lessen the environment can be +provided to the system, amongst others Mandatory Access Control rules, extended +attributes and two kinds of markings on the binaries themselves, the legacy ones +which abuse an unused field in the ELF headers and the new ones which add a new +specific section to the ELF file with the markings. +

+ +

+All this markings though are only read in the executable and not in the +libraries linked by it to prevent some possible attacks (like libraries being +injected via LD_PRELOAD) and because it eases a lot the implementation since the +kernel shouldn't be aware of linking details. +

+ +

+This system has a problem: if we have a binary linking to a library which +requires, for example, trampoline emulation because it uses nested functions how +can we make sure the binary gets the propper markings? Yeah we could add PaX +marks to the library to state it needs trampoline emulation but still we haven't +fixed the issue since the kernel will only read the marks on the binary being +called. In order to solve this issue we have created revdep-pax. +

+ + +

+What's <c>revdep-pax</c>? + + +

+revdep-pax is a tool that allows to check for differences in PaX markings +between elf objects linking to libraries (for example /bin/bash) +and the libraries themselves (for example /lib64/libc.so.6). +

+ +

+revdep-pax is able to do this in various ways, it can check for +differences forward from one binary to all the libraries it links and it +can also check for PaX marking differences backwards from one library to +all the binaries linking to it (which may include other libraries too). In a +similar way it is possible to have all the forward and reverse mappings in the +system checked to try finding issues. +

+ +

+revdep-pax is also able to propagate these markings both forward to the +libraries linked by an object and backwards to the objects linked by a library. +

+ + +

+ + + +Using <c>revdep-pax</c> + +

+In order to witness the firepower of this fully ARMED and OPERATIONAL tool +you'll first need to learn how to use it, once you are done, you'll be +able to fire at will. +

+ +

+Propagating PaX marks backwards from a library to objects that link at it + + + +

+This is going to be probably the main way in which you are going to use this +utility. What it does is check all the libraries linked statically +The scanelf application is part of the app-misc/pax-utils package. +With this application you can print out information specific to the ELF +structure of a binary. The following table sums up the various options. +

+ + + + + + + + + -p + --path + Scan all directories in PATH environment + + + -l + --ldpath + Scan all directories in /etc/ld.so.conf + + + -R + --recursive + Scan directories recursively + + + -m + --mount + Don't recursively cross mount points + + + -y + --symlink + Don't scan symlinks + + + -A + --archives + Scan archives (.a files) + + + -L + --ldcache + Utilize ld.so.cache information (use with -r/-n) + + + -X + --fix + Try and 'fix' bad things (use with -r/-e) + + + -z [arg] + --setpax [arg] + Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx) + + + + + + + + -x + --pax + Print PaX markings + + + -e + --header + Print GNU_STACK/PT_LOAD markings + + + -t + --textrel + Print TEXTREL information + + + -r + --rpath + Print RPATH information + + + -n + --needed + Print NEEDED information + + + -i + --interp + Print INTERP information + + + -b + --bind + Print BIND information + + + -S + --soname + Print SONAME information + + + -s [arg] + --symbol [arg] + Find a specified symbol + + + -k [arg] + --section [arg] + Find a specified section + + + -N [arg] + --lib [arg] + Find a specified library + + + -g + --gmatch + Use strncmp to match libraries. (use with -N) + + + -T + --textrels + Locate cause of TEXTREL + + + -E [arg] + --etype [arg] + Print only ELF files matching etype ET_DYN,ET_EXEC ... + + + -M [arg] + --bits [arg] + Print only ELF files matching numeric bits + + + -a + --all + Print all scanned info (-x -e -t -r -b) + + + + + + + + -q + --quiet + Only output 'bad' things + + + -v + --verbose + Be verbose (can be specified more than once) + + + -F [arg] + --format [arg] + Use specified format for output + + + -f [arg] + --from [arg] + Read input stream from a filename + + + -o [arg] + --file [arg] + Write output stream to a filename + + + -B + --nobanner + Don't display the header + + + -h + --help + Print this help and exit + + + -V + --version + Print version and exit + +

Option	Long Option	Description
Option	Long Option	Description
Option	Long Option	Description

+ +

+The format specifiers for the -F option are given in the following table. +Prefix each specifier with % (verbose) or # (silent) accordingly. +

+ + + + + + + + + + F + Filename + x + PaX Flags + + + e + STACK/RELRO + t + TEXTREL + + + r + RPATH + n + NEEDED + + + i + INTERP + b + BIND + + + s + Symbol + N + Library + + + o + Type + p + File name + + + f + Base file name + k + Section + + + a + ARCH/e_machine + + + +

Specifier	Full Name	Specifier	Full Name

+ + +

+Using scanelf for Text Relocations + + +

+As an example, we will use scanelf to find binaries containing text +relocations. +

+ +

+A relocation is an operation that rewrites an address in a loaded segment. Such +an address rewrite can happen when a segment has references to a shared object +and that shared object is loaded in memory. In this case, the references are +substituted with the real address values. Similar events can occur inside the +shared object itself. +

+ +

+A text relocation is a relocation in the text segment. Since text segments +contain executable code, system administrators might prefer not to have these +segments writable. This is perfectly possible, but since text relocations +actually write in the text segment, it is not always feasible. +

+ +

+If you want to eliminate text relocations, you will need to make sure +that the application and shared object is built with Position Independent +Code (PIC), making references obsolete. This not only increases security, +but also increases the performance in case of shared objects (allowing writes in +the text segment requires a swap space reservation and a private copy of the +shared object for each application that uses it). +

+ +

+The following example will search your library paths recursively, without +leaving the mounted file system and ignoring symbolic links, for any ELF binary +containing a text relocation: +

+ +

+# scanelf -lqtmyR
+

+ +

+If you want to scan your entire system for any file containing text +relocations: +

+ +

+# scanelf -qtmyR /
+

+ + +

+Using scanelf for Specific Header + + +

+The scanelf util can be used to quickly identify files that contain a +given section header using the -k .section option. +

+ +

+In this example we are looking for all files in /usr/lib/debug +recursively using a format modifier with quiet mode enabled that have been +stripped. A stripped elf will lack a .symtab entry, so we use the '!' +to invert the matching logic. +

+ +

+# scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k
+

+ + +

+Using scanelf for Specific Segment Markings + + +

+Each segment has specific flags assigned to it in the Program Header of the +binary. One of those flags is the type of the segment. Interesting values are +PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the +segment contains dynamic linking information), PT_INTERP (the segment +contains the name of the program interpreter), PT_GNU_STACK (a GNU extension +for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS +(a PaX extension for the ELF format, used by the security-minded +PaX Project. +

+ +

+If we want to scan all executables in the current working directory, PATH +environment and library paths and report those who have a writable and +executable PT_LOAD or PT_GNU_STACK marking, you could use the following command: +

+ +

+# scanelf -lpqe .
+

+ + +

+Using scanelf's Format Modifier Handler + + +

+A useful feature of the scanelf utility is the format modifier handler. +With this option you can control the output of scanelf, thereby +simplifying parsing the output with scripts. +

+ +

+As an example, we will use scanelf to print the file names that contain +text relocations: +

+ +

+# scanelf -l -p -R -q -F "%F #t"
+

+ + +

+ + + +Listing PaX Flags and Capabilities +

+About PaX + + +

+PaX is a project hosted by the grsecurity project. Quoting the PaX documentation, its main +goal is "to research various defense mechanisms against the exploitation of +software bugs that give an attacker arbitrary read/write access to the +attacked task's address space. This class of bugs contains among others +various forms of buffer overflow bugs (be they stack or heap based), user +supplied format string bugs, etc." +

+ +

+To be able to benefit from these defense mechanisms, you need to run a Linux +kernel patched with the latest PaX code. The Hardened Gentoo project supports PaX and +its parent project, grsecurity. The supported kernel package is +sys-kernel/hardened-sources. +

+ +

+The Gentoo/Hardened project has a Gentoo PaX Quickstart Guide +for your reading pleasure. +

+ + +

+Flags and Capabilities + + +

+If your toolchain supports it, your binaries can have additional PaX flags in +their Program Header. The following flags are supported: +

+ + + + + + + + + P + PAGEEXEC + + Refuse code execution on writable pages based on the NX bit + (or emulated NX bit) + + + + S + SEGMEXEC + + Refuse code execution on writable pages based on the + segmentation logic of IA-32 + + + + E + EMUTRAMP + + Allow known code execution sequences on writable pages that + should not cause any harm + + + + M + MPROTECT + + Prevent the creation of new executable code to the process + address space + + + + R + RANDMMAP + + Randomize the stack base to prevent certain stack overflow + attacks from being successful + + + + X + RANDEXEC + + Randomize the address where the application maps to prevent + certain attacks from being exploitable + + +

Flag	Name	Description

+ +

+The default Linux kernel also supports certain capabilities, grouped in the +so-called POSIX.1e Capabilities. You can find a listing of those +capabilities in our POSIX Capabilities document. +

+ + +

+Using pspax + + +

+The pspax application, part of the pax-utils package, displays the +run-time capabilities of all programs you have permission for. On Linux kernels +with additional support for extended attributes (such as SELinux) those +attributes are shown as well. +

+ +

+When ran, pspax shows the following information: +

+ + + + + + + + USER + Owner of the process + + + PID + Process id + + + PAX + Run-time PaX flags (if applicable) + + + MAPS + Write/eXecute markings for the process map + + + ELF_TYPE + Process executable type: ET_DYN or ET_EXEC + + + NAME + Name of the process + + + CAPS + POSIX.1e capabilities (see note) + + + ATTR + Extended attributes (if applicable) + +

Column	Description

+ + +pspax only displays these capabilities when it is linked with +the external capabilities library. This requires you to build pax-utils +with -DWANT_SYSCAP. + + +

+By default, pspax does not show any kernel processes. If you want those +to be taken as well, use the -a switch. +

+ + +

+ + + +Programming with ELF files +

+The dumpelf Utility + + +

+With the dumpelf utility you can convert a ELF file into human readable C +code that defines a structure with the same image as the original ELF file. +

+ +

+$ dumpelf /bin/hostname
+#include <elf.h>
+
+/*
+ * ELF dump of '/bin/hostname'
+ *     10276 (0x2824) bytes
+ */
+
+struct {
+        Elf32_Ehdr ehdr;
+        Elf32_Phdr phdrs[8];
+        Elf32_Shdr shdrs[26];
+} dumpedelf_0 = {
+
+.ehdr = {
+(... Output stripped ...)
+

+ + +

+ +