Revision 1.10
Thu Mar 22 17:58:19 2007 UTC by solar
Branch: MAIN
Changes since 1.9: +2 -1 lines
File MIME type: application/xml
- note that chpax is obsolete

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.9 2006/05/24 19:28:36 swift Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/proj/en/hardened/pax-quickstart.xml">
<title>Hardened Gentoo PaX Quickstart</title>

<author title="Author">
<mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
<mail link="blackace@gentoo.org">Blackace</mail>
</author>
<author title="Editor">
<mail link="solar@gentoo.org">solar</mail>
</author>

<abstract>
A quickstart covering PaX and Hardened Gentoo.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
<license/>

<version>1.3</version>
<date>2005-07-11</date>

<chapter>
<title>What is Hardened Gentoo?</title>
<section>
<body>

<p>
Hardened Gentoo is a project dedicated to hardening Gentoo systems. We support
several different solutions, and there is a fair bit of flexibility to create
your own setup. At the heart of a common Hardened Gentoo setup is <e>PaX</e>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>What is PaX?</title>
<section>
<body>

<p>
PaX is a patch to the Linux kernel that provides hardening in two ways.
</p>

<p>
The first, <e>ASLR</e> (Address Space Layout Randomization), randomizes the
addresses at which data is loaded into memory, so an attacker cannot rely on
anything being at a known location. When an application is built as a
<e>PIE</e> (Position Independent Executable), PaX can also randomize the base
address of the executable itself.
</p>

<p>
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack where an attacker inserts executable code into memory and
then runs it. More information on PaX can be found throughout this guide; the
project homepage is <uri>http://pax.grsecurity.net</uri>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>An Introduction to PIE and SSP</title>
<section>
<body>

<p>
As mentioned above, PaX is complemented by PIE. This method of building
executables stores the information needed to relocate parts of the executable
in memory, hence the name <e>Position Independent</e>.
</p>

<p>
<e>SSP</e> (Stack Smashing Protector) is a second complementary technology we
introduce at executable build time. SSP was originally introduced by IBM under
the name <e>ProPolice</e>. It modifies the C compiler to insert initialization
code into functions that create a buffer on the stack.
</p>

<note>
In newer versions of SSP, it is possible to apply SSP to all functions,
adding protection to functions whose buffer would normally be below the size
limit for SSP. This is enabled via the CFLAG <c>-fstack-protector-all</c>.
</note>

<p>
At run time, when a buffer is created, SSP places a secret random value, the
canary, after the end of the buffer. When the function returns, SSP checks
that the canary is still intact. If an attacker were to perform a buffer
overflow, he would overwrite this value and trigger the stack smashing
handler. Currently this kills the target process.
</p>

<p>
<uri link="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
SSP.</uri>
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PaX-enabled Kernel</title>
<section>
<body>

<p>
Several Gentoo kernel trees are already patched with PaX.
</p>

<p>
For 2.4/2.6 based machines, the recommended kernel tree is
<c>hardened-sources</c>.
</p>

<p>
Grab one of the recommended source trees, or apply the appropriate patch from
<uri>http://pax.grsecurity.net</uri> to your own tree, and configure it as you
normally would for the target machine.
</p>

<p>
In <c>Security Options -&gt; PaX</c>, apply the options as shown below.
</p>

<pre caption="Kernel configuration">
[*] Enable various PaX features

  PaX Control -&gt;

    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
        MAC system integration (none) ---&gt;

  Non-executable page -&gt;

    [*] Enforce non-executable pages
    [*] Paging based non-executable pages
    [*] Segmentation based non-executable pages
    [*] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Disallow ELF text relocations

  Address Space Layout Randomization -&gt;

    [*] Address Space Layout Randomization
    [*] Randomize kernel stack base
    [*] Randomize user stack base
    [*] Randomize mmap() base
    [*] Randomize ET_EXEC base
</pre>

<p>
Build this kernel as you normally would and install it to <path>/boot</path>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PIE/SSP Enabled Userland</title>
<section>
<body>

<p>
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS previously used to trigger PIE/SSP. Also, the
<c>hardened-gcc</c> package is now deprecated and should be unmerged
(version 5.0 is a dummy package). To get the current GCC, add
<c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if you are not using
the hardened profile.
</p>

<p>
To maintain a consistent toolchain, first <c>emerge binutils gcc virtual/libc</c>.
Next, rebuild the entire system with <c>emerge -e world</c>. All future packages
will be built with PIE/SSP.
</p>

<warn>
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a detailed bug report including
a log of the failed compile and the output of <c>emerge info</c> at
<uri>http://bugs.gentoo.org/</uri>.
</warn>

<p>
You will probably also want to merge <c>pax-utils</c>. An ELF object that has
executable relocations in its text segment (text relocations) often causes
problems under PaX, because applying them requires writing to memory that is
otherwise mapped executable. The following scan reports such objects across the
library search path and <c>PATH</c>:
</p>

<pre caption="Scanning for text relocations">
scanelf -BRylptq
</pre>
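<p>
The following Python program is an added example written for this guide; it is
not code from pax-utils, paxctl or the PaX project. It reads the two things the
preceding chapters discuss straight out of an ELF64 image: the PaX markings
stored in the <c>PT_PAX_FLAGS</c> program header (the "ELF program header
marking" selected in the kernel configuration), and whether the dynamic section
declares text relocations (<c>DT_TEXTREL</c>, or <c>DF_TEXTREL</c> inside
<c>DT_FLAGS</c>), which is what <c>scanelf -t</c> reports. The value
<c>PT_PAX_FLAGS = 0x65041580</c> and the bit positions in <c>PAX_FEATURES</c>
are the ones PaX and paxctl use; the images produced by <c>build_sample</c> are
constructed test input, not real binaries.
</p>

```python
"""Decode PaX program-header markings (PT_PAX_FLAGS) and detect text
relocations in an ELF64 object.  Educational code written for this guide;
it is not pax-utils, paxctl or kernel code."""

# Program header types.
PT_DYNAMIC = 2
PT_PAX_FLAGS = 0x65041580      # PaX "ELF program header marking"

# Dynamic-section tags that declare text relocations.
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL_BIT = 2             # DF_TEXTREL is bit 2 (value 0x4) of DT_FLAGS

# p_flags bit positions of PT_PAX_FLAGS: (enable bit, disable bit) per feature.
PAX_FEATURES = {
    "PAGEEXEC": (4, 5),
    "SEGMEXEC": (6, 7),
    "MPROTECT": (8, 9),
    "RANDEXEC": (10, 11),
    "EMUTRAMP": (12, 13),
    "RANDMMAP": (14, 15),
}


def bit(value, position):
    """True if bit `position` of `value` is set."""
    return (value >> position) % 2 == 1


def uint(data, offset, size, signed=False):
    """Little-endian integer of `size` bytes at `offset`."""
    return int.from_bytes(data[offset:offset + size], "little", signed=signed)


def program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_filesz) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    e_phoff = uint(data, 32, 8)
    e_phentsize = uint(data, 54, 2)
    e_phnum = uint(data, 56, 2)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        yield (uint(data, base, 4), uint(data, base + 4, 4),
               uint(data, base + 8, 8), uint(data, base + 32, 8))


def pax_markings(data):
    """Per-feature status from PT_PAX_FLAGS, or None if the object is unmarked."""
    for p_type, p_flags, _offset, _size in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            status = {}
            for name, (on, off) in PAX_FEATURES.items():
                if bit(p_flags, on):
                    status[name] = "enabled"
                elif bit(p_flags, off):
                    status[name] = "disabled"
                else:
                    status[name] = "default"   # kernel's configured default applies
            return status
    return None


def has_textrel(data):
    """True if the dynamic section declares DT_TEXTREL or DF_TEXTREL."""
    for p_type, _flags, p_offset, p_filesz in program_headers(data):
        if p_type != PT_DYNAMIC:
            continue
        for entry in range(p_offset, p_offset + p_filesz, 16):
            d_tag = uint(data, entry, 8, signed=True)
            d_val = uint(data, entry + 8, 8)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and bit(d_val, DF_TEXTREL_BIT)):
                return True
    return False


def build_sample(pax_bits, dynamic_entries):
    """Constructed minimal ELF64 image (header, two phdrs, a dynamic section)
    used only as test input; it is not a loadable executable."""
    ehdr_size, phdr_size = 64, 56
    dyn = b"".join(tag.to_bytes(8, "little") + val.to_bytes(8, "little")
                   for tag, val in dynamic_entries + [(DT_NULL, 0)])
    dyn_offset = ehdr_size + 2 * phdr_size

    def phdr(p_type, p_flags, offset, size):
        fields = [(p_type, 4), (p_flags, 4), (offset, 8), (0, 8), (0, 8),
                  (size, 8), (size, 8), (8, 8)]
        return b"".join(v.to_bytes(n, "little") for v, n in fields)

    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # ELF64, LE, version 1
    fields = [(3, 2), (62, 2), (1, 4), (0, 8), (ehdr_size, 8), (0, 8), (0, 4),
              (ehdr_size, 2), (phdr_size, 2), (2, 2), (0, 2), (0, 2), (0, 2)]
    ehdr += b"".join(v.to_bytes(n, "little") for v, n in fields)
    pax_flags = sum(2 ** b for b in pax_bits)
    return (ehdr + phdr(PT_PAX_FLAGS, pax_flags, 0, 0)
            + phdr(PT_DYNAMIC, 6, dyn_offset, len(dyn)) + dyn)


# Constructed samples: one marked like the guide's Xorg output and carrying
# text relocations, one unmarked and clean.
XORG_LIKE = build_sample([5, 7, 8, 11, 13, 14], [(DT_TEXTREL, 0)])
CLEAN = build_sample([], [(DT_FLAGS, 0)])

if __name__ == "__main__":
    for label, image in (("xorg-like", XORG_LIKE), ("clean", CLEAN)):
        print(label, pax_markings(image), "TEXTREL" if has_textrel(image) else "no TEXTREL")
```

<p>
On a real system, pass the bytes of an installed binary to
<c>pax_markings</c> and <c>has_textrel</c>. An object for which
<c>pax_markings</c> returns <c>None</c> carries no marking and runs under the
kernel's configured defaults; a "disabled" entry is exactly the kind of
exception that <c>paxctl -v</c> reports and that a system audit should list.
</p>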

</body>
</section>
</chapter>

<chapter>
<title>When Things Misbehave (PaX Control)</title>
<section>
<body>

<p>
Some legitimate applications will attempt to generate code at run time and
execute it from writable memory. Naturally, PaX does not allow this and will
promptly kill the offending application.
</p>

<note>
The most notable of these applications are XFree/Xorg, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems is to disable the
relevant PaX protections for those binaries.
</note>

<p>
Luckily there is a utility to toggle protections on a per-executable basis,
<e>paxctl</e>. As with any other package in Gentoo, install paxctl with the
command <c>emerge paxctl</c>. Usage is shown by <c>paxctl -h</c>.
</p>

<note>
If you have an older version of binutils, you will need to use <e>chpax</e>,
which edits the old-style PaX markings. Usage of chpax is largely the same as
paxctl. This also requires legacy marking support built into your kernel.
New versions of paxctl make chpax obsolete.
</note>

<pre caption="paxctl -h">
usage: paxctl &lt;options&gt; &lt;files&gt;

options:
  -p: disable PAGEEXEC          -P: enable PAGEEXEC
  -e: disable EMUTRMAP          -E: enable EMUTRMAP
  -m: disable MPROTECT          -M: enable MPROTECT
  -r: disable RANDMMAP          -R: enable RANDMMAP
  -x: disable RANDEXEC          -X: enable RANDEXEC
  -s: disable SEGMEXEC          -S: enable SEGMEXEC

  -v: view flags                -z: restore default flags
  -q: suppress error messages   -Q: report flags in short format flags
</pre>

<p>
The first option we will note is <c>-v</c>, which can display flags set on a
particular binary.
</p>

<pre caption="paxctl -v">
shell user # paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is enabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is enabled
</pre>

<p>
This shows the Xorg binary with most protections disabled; only MPROTECT and
RANDMMAP remain enabled. In the flag string, an uppercase letter means the
protection is explicitly enabled, a lowercase letter means it is explicitly
disabled, and <c>-</c> means that marking is not set.
</p>

<p>
When setting flags on a binary, the <c>-z</c> option is useful as it restores
the default flags.
</p>

<p>
To disable protections on Xorg, run
<c>paxctl -zpeMRxs /usr/bin/Xorg</c>.
</p>

<p>
Experiment with disabling and enabling protections to find the smallest set of
changes the application needs in order to run. Often we find that the
<c>-m</c> or <c>-sp</c> combinations are what is needed.
</p>
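<p>
As an added example (written for this guide, not paxctl's own code), the
following Python model shows how paxctl's option letters change a binary's
markings and reproduces the twelve-character flag string printed by
<c>paxctl -v</c>, so the effect of a command such as
<c>paxctl -zpeMRxs</c> can be worked out before a binary is touched. The
feature order and letters follow paxctl's own output above; <c>disabled</c>
lists the protections a marking turns off, which is what an audit of a
system's PaX exceptions wants to see. Nothing here reads or writes an ELF
file.
</p>

```python
"""Model of paxctl option letters and of the flag string that `paxctl -v`
prints.  Educational code written for this guide; it is not paxctl itself
and does not touch any ELF file."""

# Features in the order paxctl prints them, with the letter used for each.
FEATURES = [("PAGEEXEC", "P"), ("SEGMEXEC", "S"), ("MPROTECT", "M"),
            ("RANDEXEC", "X"), ("EMUTRAMP", "E"), ("RANDMMAP", "R")]

# None means "not marked": the kernel's configured default applies.
DEFAULT = {name: None for name, _letter in FEATURES}


def apply_options(flags, options):
    """Apply a paxctl option string such as '-zpeMRxs' to a marking.

    'z' restores the default (unmarked) state, a lowercase feature letter
    disables that feature and an uppercase letter enables it."""
    by_letter = {letter: name for name, letter in FEATURES}
    flags = dict(flags)
    for ch in options.lstrip("-"):
        if ch == "z":
            flags = dict(DEFAULT)
        elif ch.upper() in by_letter:
            flags[by_letter[ch.upper()]] = ch.isupper()
        else:
            raise ValueError("unknown paxctl option letter: " + ch)
    return flags


def render(flags):
    """Twelve-character flag string, e.g. '-p-sM--x-eR-'.

    Each feature gets a pair of characters: the uppercase letter in the first
    position if enabled, the lowercase letter in the second if disabled, and
    '-' for whatever does not apply."""
    out = ""
    for name, letter in FEATURES:
        state = flags[name]
        out += letter if state is True else "-"
        out += letter.lower() if state is False else "-"
    return out


def parse(flag_string):
    """Inverse of render(): decode a flag string back into a marking."""
    if len(flag_string) != 12:
        raise ValueError("flag string must be 12 characters")
    flags = {}
    for i, (name, letter) in enumerate(FEATURES):
        pair = flag_string[2 * i:2 * i + 2]
        if pair == letter + "-":
            flags[name] = True
        elif pair == "-" + letter.lower():
            flags[name] = False
        elif pair == "--":
            flags[name] = None
        else:
            raise ValueError("bad pair %r for %s" % (pair, name))
    return flags


def describe(flags):
    """Lines in the style of paxctl -v ('MPROTECT is enabled', ...)."""
    words = {True: "enabled", False: "disabled", None: "not set"}
    return ["%s is %s" % (name, words[flags[name]]) for name, _letter in FEATURES]


def disabled(flags):
    """Names of protections a marking explicitly turns off (audit view)."""
    return [name for name, _letter in FEATURES if flags[name] is False]


if __name__ == "__main__":
    xorg = apply_options(DEFAULT, "-zpeMRxs")          # the guide's Xorg command
    print("- PaX flags: %s [/usr/bin/Xorg]" % render(xorg))
    print("\n".join(describe(xorg)))
    print("explicitly disabled:", ", ".join(disabled(xorg)))
```

<p>
Running the script reproduces the <c>-p-sM--x-eR-</c> line from the
<c>paxctl -v</c> output above, which is the expected result of the
<c>-zpeMRxs</c> command; feeding it <c>-sp</c> or <c>-m</c> instead shows the
narrower markings the last paragraph recommends trying first.
</p>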

<p>
A default init/conf.d script gets installed when you merge the chpax package;
it sets some reasonable defaults for the well-known misbehaving applications.
You may want to apply these settings at every boot. To do that, run the
following command:
<c>emerge chpax ; rc-update add chpax default ; /etc/init.d/chpax start</c>
</p>

</body>
</section>
</chapter>
</guide>
