<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/../css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Hardened Gentoo PaX Quickstart</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>Hardened Gentoo PaX Quickstart</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. What is Hardened Gentoo?</option>
<option value="#doc_chap2">2. What is PaX?</option>
<option value="#doc_chap3">3. An Introduction to PIE and SSP</option>
<option value="#doc_chap4">4. Building a PaX-enabled Kernel</option>
<option value="#doc_chap5">5. Building a PIE/SSP Enabled Userland</option>
<option value="#doc_chap6">6. When Things Misbehave (PaX Control)</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>What is Hardened Gentoo?</p>
<p>
Hardened Gentoo is a project interested in the hardening of a Gentoo system.
Several different solutions are supported by us and there is a fair bit of
flexibility to create your own setup. At the heart of Hardened Gentoo is
<span class="emphasis">PaX</span>.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>What is PaX?</p>
<p>
PaX is a patch to the Linux kernel that provides hardening in two ways.
</p>
<p>
The first, <span class="emphasis">ASLR</span> (Address Space Layout Randomization), randomizes the
addresses at which data is loaded into memory. When an application is built as a
<span class="emphasis">PIE</span> (Position Independent Executable), PaX can randomize the base
address of the application itself as well.
</p>
<p>
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack where executable code is inserted into memory by an
attacker. More information on PaX can be found throughout this guide, but the
homepage can be found at <a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a>.
</p>
<p class="chaphead"><a name="doc_chap3"></a><span class="chapnum">3.
            </span>An Introduction to PIE and SSP</p>
<p>
As mentioned above, PaX is complemented by PIE. This method of building
executables stores the relocation information needed to load the executable at
any address in memory, hence the name <span class="emphasis">Position Independent</span>.
</p>
<p>
<span class="emphasis">SSP</span> (Stack Smashing Protector) is a second complementary technology we
introduce at executable build time. SSP was originally introduced by IBM under
the name <span class="emphasis">ProPolice</span>. It modifies the C compiler to insert initialization 
code into functions that create a buffer in memory. 
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
In newer versions of SSP, it is possible to apply SSP to all functions,
adding protection to functions whose buffer would normally be below the size
limit for SSP. This is enabled with the compiler flag -fstack-protector-all in CFLAGS.
</p></td></tr></table>
<p>
At run time, when a function sets up a buffer on the stack, SSP places a secret
random value, the canary, after the end of the buffer. When the function returns,
SSP checks that the canary is still intact. If an attacker performed a buffer
overflow, he would overwrite this value and trigger the stack smashing
handler. Currently this kills the target process.
</p>
<p>
<a href="http://www.trl.ibm.com/projects/security/ssp/">Further reading on 
SSP.</a>
</p>
<p class="chaphead"><a name="doc_chap4"></a><span class="chapnum">4.
            </span>Building a PaX-enabled Kernel</p>
<p>
Several Gentoo kernel trees are already patched with PaX.
</p>
<p>
For 2.4-based machines, the recommended kernels are <span class="code" dir="ltr">hardened-sources</span> or
<span class="code" dir="ltr">grsec-sources</span>. For 2.6-based machines, <span class="code" dir="ltr">hardened-dev-sources</span> is
recommended.
</p>
<p>
Grab one of the recommended source trees, or apply the appropriate patch from
<a href="http://pax.grsecurity.net">http://pax.grsecurity.net</a> to your own tree and configure it as you
normally would for the target machine.
</p>
<p>
In <span class="code" dir="ltr">Security Options -&gt; PaX</span>, apply the options as shown below.
</p>
<a name="doc_chap4_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 4.1: Kernel configuration</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
[*] Enable various PaX features

PaX Control -&gt;

 [ ] Support soft mode
 [*] Use legacy ELF header marking
 [*] Use ELF program header marking
     MAC system integration (none)  ---&gt;

Non-executable page -&gt;

 [*] Enforce non-executable pages
 [*]   Paging based non-executable pages
 [*]   Segmentation based non-executable pages
 [*] Emulate trampolines
 [*] Restrict mprotect()
 [ ]   Disallow ELF text relocations

Address Space Layout Randomization -&gt;

 [*] Address Space Layout Randomization
 [*]   Randomize kernel stack base
 [*]   Randomize user stack base
 [*]   Randomize mmap() base
 [*]     Randomize ET_EXEC base
</pre></td></tr>
</table>
<p>
Build this kernel as you normally would and install it to <span class="path" dir="ltr">/boot</span>.
</p>
<p class="chaphead"><a name="doc_chap5"></a><span class="chapnum">5.
            </span>Building a PIE/SSP Enabled Userland</p>
<p>
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the 
<span class="code" dir="ltr">hardened-gcc</span> package is now deprecated and should be unmerged 
(version 5.0 is a dummy package). To get the current GCC, add 
<span class="code" dir="ltr">USE="hardened"</span> to <span class="path" dir="ltr">/etc/make.conf</span>.
</p>
<p>
To maintain a consistent toolchain, first <span class="code" dir="ltr">emerge binutils gcc glibc</span>.
Next, rebuild the entire system with <span class="code" dir="ltr">emerge -e world</span>. All packages built
from then on will be built with PIE/SSP.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffbbbb"><p class="note"><b>Warning: </b>
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a bug report including a log
of the failed compile and the output of <span class="code" dir="ltr">emerge info</span> to
<a href="http://bugs.gentoo.org/">http://bugs.gentoo.org/</a>.
</p></td></tr></table>
<p class="chaphead"><a name="doc_chap6"></a><span class="chapnum">6.
            </span>When Things Misbehave (PaX Control)</p>
<p>
Some legitimate applications generate code at run time and execute it from
memory they have written to. Naturally, PaX does not allow this and will promptly
kill the offending application.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
The most notable of these applications are XFree, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems is to disable the PaX
protections for the affected executables.
</p></td></tr></table>
<p>
Luckily there is a utility to toggle protections on a per-executable basis,
<span class="emphasis">paxctl</span>. As with any other package in Gentoo, install paxctl with the
command <span class="code" dir="ltr">emerge paxctl</span>. Usage is shown by <span class="code" dir="ltr">paxctl -h</span>.
</p>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#bbffbb"><p class="note"><b>Note: </b>
If you have an older version of binutils, you will need to use <span class="emphasis">chpax</span>,
which edits the old-style PaX markings. Usage of chpax is largely the same as
paxctl. This also requires legacy marking support built into your kernel.
</p></td></tr></table>
<a name="doc_chap6_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 6.1: paxctl -h</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
usage: paxctl &lt;options&gt; &lt;files&gt;

options:
        -p: disable PAGEEXEC            -P: enable PAGEEXEC
        -e: disable EMUTRMAP            -E: enable EMUTRMAP
        -m: disable MPROTECT            -M: enable MPROTECT
        -r: disable RANDMMAP            -R: enable RANDMMAP
        -x: disable RANDEXEC            -X: enable RANDEXEC
        -s: disable SEGMEXEC            -S: enable SEGMEXEC

        -v: view flags                  -z: restore default flags
        -q: suppress error messages     -Q: report flags in short format flags
</pre></td></tr>
</table>
<p>
The first option we will note is <span class="code" dir="ltr">-v</span>, which can display flags set on a
particular binary.
</p>
<a name="doc_chap6_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 6.2: paxctl -v</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86
PaX control v0.2
Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;

- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is enabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is enabled
</pre></td></tr>
</table>
<p>
This shows the XFree86 binary with PAGEEXEC, SEGMEXEC, RANDEXEC and EMUTRAMP disabled;
only MPROTECT and RANDMMAP are still enabled.
</p>
<p>
To set flags on a binary, start with the <span class="code" dir="ltr">-z</span> option, which restores the
default flags, and then add the options for the protections you want to change.
</p>
<p>
To disable protections on XFree, run
<span class="code" dir="ltr">paxctl -zpeMRxs /usr/X11R6/bin/XFree86</span>.
</p>
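<p>
As an added example (not part of this guide and not paxctl's own code), the script below reads the
same markings that <span class="code" dir="ltr">paxctl -v</span> displays, by parsing the ELF program headers for
the PaX entry that "Use ELF program header marking" in the kernel configuration refers to. It also
reports whether the binary is a PIE (ELF type ET_DYN) and models how a paxctl option string such as
<span class="code" dir="ltr">zpeMRxs</span> changes the flags. The ELF layout constants are the standard ones; the
PT_PAX_FLAGS header type (0x65041580) and the per-flag bit values are assumed to match paxctl's
definitions, and the ELF image it parses is constructed in memory rather than read from a real binary.
</p>

```python
# Added example, not from the Gentoo guide or from paxctl: decode PaX markings
# stored in an ELF PT_PAX_FLAGS program header, report PIE status, and model
# paxctl's option letters. PT_PAX_FLAGS and the flag bits are assumed values.

PT_PAX_FLAGS = 0x65041580   # assumed: program header type used for PaX markings
ET_EXEC = 2                 # e_type of a fixed-address executable
ET_DYN = 3                  # e_type of a shared object, which a PIE also uses

# (name, option letter, enable bit, disable bit); order matches "paxctl -v"
PAX_FLAGS = [
    ("PAGEEXEC", "p", 0x0010, 0x0020),
    ("SEGMEXEC", "s", 0x0040, 0x0080),
    ("MPROTECT", "m", 0x0100, 0x0200),
    ("RANDEXEC", "x", 0x0400, 0x0800),
    ("EMUTRAMP", "e", 0x1000, 0x2000),
    ("RANDMMAP", "r", 0x4000, 0x8000),
]


def apply_paxctl_letters(flags, letters):
    """Model paxctl's options: 'z' restores defaults (no bits set), a lowercase
    letter sets a flag's disable bit, uppercase sets its enable bit; the two
    bits of one flag never stay set together."""
    for ch in letters:
        if ch == "z":
            flags = 0
            continue
        for _name, letter, enable, disable in PAX_FLAGS:
            if ch == letter:
                flags = (flags | disable) & ~enable
                break
            if ch == letter.upper():
                flags = (flags | enable) & ~disable
                break
        else:
            raise ValueError("unknown paxctl option letter: " + ch)
    return flags


def short_format(flags):
    """Two characters per flag as printed by 'paxctl -v': the uppercase letter
    if enabled, else '-', then the lowercase letter if disabled, else '-'."""
    out = []
    for _name, letter, enable, disable in PAX_FLAGS:
        out.append(letter.upper() if flags & enable else "-")
        out.append(letter if flags & disable else "-")
    return "".join(out)


def describe(flags):
    """Map each flag name to enabled / disabled / not set (kernel default)."""
    states = {}
    for name, _letter, enable, disable in PAX_FLAGS:
        if flags & enable:
            states[name] = "enabled"
        elif flags & disable:
            states[name] = "disabled"
        else:
            states[name] = "not set"
    return states


def read_pax_marking(elf):
    """Parse the ELF header and program headers of the bytes in `elf`; return
    (is_pie, pax_flags), with pax_flags None if no PT_PAX_FLAGS header exists."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    order = "little" if elf[5] == 1 else "big"   # EI_DATA

    def u(off, size):
        return int.from_bytes(elf[off:off + size], order)

    e_type = u(16, 2)
    if is64:
        phoff, phentsize, phnum = u(32, 8), u(54, 2), u(56, 2)
    else:
        phoff, phentsize, phnum = u(28, 4), u(42, 2), u(44, 2)
    pax_flags = None
    for i in range(phnum):
        ph = phoff + i * phentsize
        # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags = u(ph + 4, 4) if is64 else u(ph + 24, 4)
        if u(ph, 4) == PT_PAX_FLAGS:
            pax_flags = p_flags
    return e_type == ET_DYN, pax_flags


def build_sample_elf(e_type, pax_flags):
    """Constructed test data: a minimal little-endian x86-64 ELF image whose
    only program header is a PT_PAX_FLAGS entry carrying `pax_flags`."""
    le = "little"
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = (ident + e_type.to_bytes(2, le) + (0x3E).to_bytes(2, le)
            + (1).to_bytes(4, le) + bytes(8)                 # e_version, e_entry
            + (64).to_bytes(8, le) + bytes(8) + bytes(4)     # e_phoff, e_shoff, e_flags
            + (64).to_bytes(2, le) + (56).to_bytes(2, le)    # e_ehsize, e_phentsize
            + (1).to_bytes(2, le) + (64).to_bytes(2, le)     # e_phnum, e_shentsize
            + bytes(4))                                      # e_shnum, e_shstrndx
    phdr = PT_PAX_FLAGS.to_bytes(4, le) + pax_flags.to_bytes(4, le) + bytes(48)
    return ehdr + phdr


if __name__ == "__main__":
    # the guide's own command, paxctl -zpeMRxs, applied to an unmarked binary
    flags = apply_paxctl_letters(0, "zpeMRxs")
    is_pie, marked = read_pax_marking(build_sample_elf(ET_EXEC, flags))
    print("PaX flags:", short_format(marked), "PIE:", is_pie)
    for name, state in describe(marked).items():
        print("   ", name, "is", state)
```

<p>
Run against the constructed image, the script prints the same flag summary that Code Listing 6.2
shows for XFree86. To inspect a real binary, replace the constructed image with the file's bytes;
a file whose type is ET_DYN was built as a PIE, and a file without a PT_PAX_FLAGS header carries no
program header marking and falls back to the kernel defaults (or the legacy ELF header marking, if enabled).
</p>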
<p>
Experiment with disabling and enabling protections to find the smallest set of
protections that must be disabled for the application to run.
</p>
<br><p class="copyright">
	The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated August 7, 2004</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
A quickstart covering PaX and Hardened Gentoo.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:brandon@inclusivetech.net" class="altlink"><b>Brandon Hale</b></a>
<br><i>Author</i><br><br>
  <a href="mailto:blackace@gentoo.org" class="altlink"><b>Blackace</b></a>
<br><i>Editor</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>