Gentoo CVS: /xml/htdocs/proj/en/hardened/pax-quickstart.xml
Revision 1.9, Wed May 24 19:28:36 2006 UTC, by swift
Branch: MAIN
Changes since 1.8: +2 -2 lines
File MIME type: application/xml
Log message: typo fixing

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.8 2006/02/02 03:42:18 solar Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/proj/en/hardened/pax-quickstart.xml">
<title>Hardened Gentoo PaX Quickstart</title>

<author title="Author">
<mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
<mail link="blackace@gentoo.org">Blackace</mail>
</author>
<author title="Editor">
<mail link="solar@gentoo.org">solar</mail>
</author>

<abstract>
A quickstart covering PaX and Hardened Gentoo.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
<license/>

<version>1.3</version>
<date>2005-07-11</date>

<chapter>
<title>What is Hardened Gentoo?</title>
<section>
<body>
<p>
Hardened Gentoo is a project devoted to hardening a Gentoo system. Several
different solutions are supported, and there is a fair bit of flexibility to
create your own setup. At the heart of a common Hardened Gentoo setup is
<e>PaX</e>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>What is PaX?</title>
<section>
<body>

<p>
PaX is a patch to the Linux kernel that provides hardening in two ways.
</p>

<p>
The first, <e>ASLR</e> (Address Space Layout Randomization), randomizes the
addresses at which the stack, the heap and mmap()ed regions are placed in memory.
When an application is built as a <e>PIE</e> (Position Independent Executable),
PaX can also randomize the base address of the executable itself.
</p>

<p>
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack in which an attacker writes code into a writable region of
memory and then diverts execution to it. More information on PaX can be found
throughout this guide, and the homepage is at <uri>http://pax.grsecurity.net</uri>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>An Introduction to PIE and SSP</title>
<section>
<body>

<p>
As mentioned above, PaX is complemented by PIE. This method of building
executables stores the information needed to relocate parts of the executable in
memory, hence the name <e>Position Independent</e>.
</p>

<p>
<e>SSP</e> (Stack Smashing Protector) is a second complementary technology we
introduce at executable build time. SSP was originally introduced by IBM under
the name <e>ProPolice</e>. It modifies the C compiler to insert initialization
and checking code into functions that allocate a buffer on the stack.
</p>

<note>
In newer versions of SSP, it is possible to apply SSP to all functions,
adding protection to functions whose buffer would normally be below the size
limit for SSP. This is enabled via the CFLAG <c>-fstack-protector-all</c>.
</note>

<p>
At run time, when a buffer is created, SSP places a secret random value, the
canary, directly after the end of the buffer. When the function returns, SSP
makes sure that the canary is still intact. If an attacker were to perform a
buffer overflow, he would overwrite this value and trigger the stack smashing
handler. Currently this kills the target process.
</p>
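To make the canary mechanism concrete, here is an added Python model (not code from this guide, from SSP or from ProPolice) of a stack frame laid out the way SSP arranges it: the local buffer, then the canary, then the saved return address. The frame size, the hypothetical return address <c>0x401000</c> and the <c>b"A" * n</c> inputs are constructed sample values; the zeroed low canary byte mirrors glibc's terminator canary; and <c>protected_by_ssp()</c> encodes GCC's default <c>ssp-buffer-size</c> of 8 bytes, which is the size limit the note above refers to.

```python
"""Added model of an SSP-style canary check (not code from the guide, SSP or ProPolice)."""
import os
import struct

WORD = 8  # canary and saved return address are one machine word (x86-64 here)
GCC_DEFAULT_SSP_BUFFER_SIZE = 8  # GCC's default --param ssp-buffer-size


class StackSmashingDetected(Exception):
    """Stands in for __stack_chk_fail(), which aborts the process in a real SSP build."""


class Frame:
    """Toy stack frame in SSP layout: [local buffer][canary][saved return address].

    A linear overflow of the buffer has to pass through the canary before it can
    reach the saved return address, which is what makes the check effective.
    """

    def __init__(self, buffer_size, return_address):
        self.buffer_size = buffer_size
        # Fresh random canary per frame. The lowest byte is zeroed, as glibc does,
        # so that C string functions stop copying when they reach it.
        self.canary = b"\x00" + os.urandom(WORD - 1)
        self.memory = bytearray(buffer_size + 2 * WORD)
        self.memory[buffer_size:buffer_size + WORD] = self.canary
        self.memory[buffer_size + WORD:] = struct.pack("<Q", return_address)

    def unchecked_copy(self, data):
        """A strcpy()-like write with no bounds check: longer input spills upward."""
        if len(data) > len(self.memory):
            raise ValueError("input runs past the modelled frame")
        self.memory[:len(data)] = data

    def epilogue(self):
        """The check SSP inserts before 'ret': verify the canary, then use the return address."""
        if bytes(self.memory[self.buffer_size:self.buffer_size + WORD]) != self.canary:
            raise StackSmashingDetected("*** stack smashing detected ***")
        return struct.unpack("<Q", self.memory[self.buffer_size + WORD:])[0]


def protected_by_ssp(char_buffer_size, stack_protector_all=False):
    """Whether a function with a local char array of this size gets a canary.

    -fstack-protector only instruments functions whose arrays reach the size
    threshold; -fstack-protector-all instruments every function.
    """
    return stack_protector_all or char_buffer_size >= GCC_DEFAULT_SSP_BUFFER_SIZE


def call_with_input(data, buffer_size=16, return_address=0x401000):
    """Simulate one call of a function that copies 'data' into a fixed-size local buffer."""
    frame = Frame(buffer_size, return_address)
    frame.unchecked_copy(data)
    try:
        ret = frame.epilogue()
    except StackSmashingDetected:
        return "killed by SSP"
    return "returned normally" if ret == return_address else "returned to corrupted address"


if __name__ == "__main__":
    for n in (8, 16, 17, 32):  # constructed sample inputs
        print(f"{n:2d} bytes of input: {call_with_input(b'A' * n)}")
```

Inputs that fit the 16-byte buffer return normally; anything longer corrupts the canary and is caught in the epilogue before the saved return address is ever used, which is exactly why the process dies instead of running attacker-controlled code. Because the canary sits between the buffer and the return address, there is no linear overflow that reaches the latter without disturbing the former.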

<p>
<uri link="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
SSP.</uri>
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PaX-enabled Kernel</title>
<section>
<body>

<p>
Several Gentoo kernel trees are already patched with PaX.
</p>

<p>
For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c>.
</p>

<p>
Grab one of the recommended source trees, or apply the appropriate patch from
<uri>http://pax.grsecurity.net</uri> to your own tree, and configure it as you
normally would for the target machine.
</p>

<p>
In <c>Security Options -&gt; PaX</c>, apply the options as shown below.
</p>

<pre caption="Kernel configuration">
[*] Enable various PaX features

  PaX Control -&gt;

    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
        MAC system integration (none) ---&gt;

  Non-executable page -&gt;

    [*] Enforce non-executable pages
    [*] Paging based non-executable pages
    [*] Segmentation based non-executable pages
    [*] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Disallow ELF text relocations

  Address Space Layout Randomization -&gt;

    [*] Address Space Layout Randomization
    [*] Randomize kernel stack base
    [*] Randomize user stack base
    [*] Randomize mmap() base
    [*] Randomize ET_EXEC base
</pre>

<p>
Build this kernel as you normally would and install it to <path>/boot</path>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PIE/SSP Enabled Userland</title>
<section>
<body>

<p>
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS previously used to trigger PIE/SSP. Also, the
<c>hardened-gcc</c> package is now deprecated and should be unmerged
(version 5.0 is a dummy package). To get the current GCC, add
<c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if you are not using
the hardened profile.
</p>

<p>
To maintain a consistent toolchain, first <c>emerge binutils gcc virtual/libc</c>.
Next, rebuild the entire system with <c>emerge -e world</c>. All future packages
will be built with PIE/SSP.
</p>

<warn>
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a detailed bug report including
a log of the failed compile and the output of <c>emerge info</c> at
<uri>http://bugs.gentoo.org/</uri>.
</warn>

<p>
You will probably also want to merge <c>pax-utils</c>. ELF objects that carry
relocations in their text segment (TEXTRELs) often cause problems under PaX,
because applying such a relocation means writing to a page that is supposed to
be executable only. <c>scanelf</c> from pax-utils can find these objects on the
system; <c>-t</c> selects TEXTREL reporting and the remaining options make it
scan the library and binary search paths recursively and quietly:
</p>

<pre caption="Scanning for text relocations">
# scanelf -BRylptq
</pre>

</body>
</section>
</chapter>

<chapter>
<title>When Things Misbehave (PaX Control)</title>
<section>
<body>

<p>
Some legitimate applications will attempt to generate code at run time and
execute it out of writable memory. Naturally, PaX does not allow this and it
will promptly kill the offending application.
</p>

<note>
The most notable of these applications are XFree/Xorg, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems is to disable PaX
protections for the affected executable.
</note>

<p>
Luckily there is a utility to toggle protections on a per-executable basis,
<e>paxctl</e>. As with any other package in Gentoo, install paxctl with the
command <c>emerge paxctl</c>. Usage is shown by <c>paxctl -h</c>.
</p>

<note>
If you have an older version of binutils, you will need to use <e>chpax</e>,
which edits the old-style PaX markings. Usage of chpax is largely the same as
paxctl. This also requires legacy marking support built into your kernel.
</note>

<pre caption="paxctl -h">
usage: paxctl &lt;options&gt; &lt;files&gt;

options:
  -p: disable PAGEEXEC          -P: enable PAGEEXEC
  -e: disable EMUTRMAP          -E: enable EMUTRMAP
  -m: disable MPROTECT          -M: enable MPROTECT
  -r: disable RANDMMAP          -R: enable RANDMMAP
  -x: disable RANDEXEC          -X: enable RANDEXEC
  -s: disable SEGMEXEC          -S: enable SEGMEXEC

  -v: view flags                -z: restore default flags
  -q: suppress error messages   -Q: report flags in short format flags
</pre>

<p>
The first option we will note is <c>-v</c>, which displays the flags set on a
particular binary.
</p>

<pre caption="paxctl -v">
# paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is enabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is enabled
</pre>

<p>
This shows the Xorg binary with PAGEEXEC, SEGMEXEC, RANDEXEC and EMUTRAMP
disabled; only MPROTECT and RANDMMAP remain enabled. In the flag string, an
uppercase letter means the feature is explicitly enabled, the lowercase letter
means it is explicitly disabled, and <c>-</c> means that bit is not set.
</p>

<p>
To set flags on a binary, the <c>-z</c> flag is useful as it first restores the
default flags, so the options following it describe the complete marking.
</p>

<p>
To disable protections on Xorg, run
<c>paxctl -zpeMRxs /usr/bin/Xorg</c>.
</p>

<p>
Experiment with disabling and enabling protections to find the smallest set that
has to be turned off for the application to run. Often we find that the
<c>-m</c> and <c>-sp</c> combinations are the ones needed.
</p>
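As an added example (not code from this guide, from paxctl or from pax-utils), the Python below constructs a small ELF64 image carrying a <c>PT_PAX_FLAGS</c> program header and then reads it back the way the kernel and <c>paxctl -v</c> do: the <c>e_type</c> field distinguishes <c>ET_EXEC</c> from <c>ET_DYN</c> (PIE) executables, which is the distinction behind the "Randomize ET_EXEC base" option and the PIE discussion earlier, and the <c>p_flags</c> bits of <c>PT_PAX_FLAGS</c> are rendered as the <c>-p-sM--x-eR-</c> string and the per-feature list shown above. <c>apply_paxctl_options()</c> models what an option string such as <c>zpeMRxs</c> does to the marking. The <c>PT_PAX_FLAGS</c> value and the <c>PF_*</c> bits are those defined in PaX's <c>elf.h</c>; the sample image, its addresses and segment sizes are constructed and do not come from any real binary, and the parser deliberately handles only little-endian ELF64.

```python
"""Added illustration of ELF type and PT_PAX_FLAGS decoding; not code from the guide,
paxctl or pax-utils. The sample image is constructed in build_elf64()."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580: the program header paxctl writes

# (name, letter, enable bit, disable bit), in the order 'paxctl -v' prints them.
PAX_FEATURES = [
    ("PAGEEXEC", "p", 1 << 4, 1 << 5),
    ("SEGMEXEC", "s", 1 << 6, 1 << 7),
    ("MPROTECT", "m", 1 << 8, 1 << 9),
    ("RANDEXEC", "x", 1 << 10, 1 << 11),
    ("EMUTRAMP", "e", 1 << 12, 1 << 13),
    ("RANDMMAP", "r", 1 << 14, 1 << 15),
]

EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # one ELF64 program header (56 bytes)


def build_elf64(e_type, pax_pflags):
    """Construct a minimal little-endian x86-64 ELF64 image (constructed sample)."""
    phdrs = [
        (PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),  # r-x text segment
        (PT_PAX_FLAGS, pax_pflags, 0, 0, 0, 0, 0, 8),                  # PaX marking
    ]
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0x401000, 64, 0, 0,
                                 64, struct.calcsize(PHDR_FMT), len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def pax_marking(data):
    """p_flags of the PT_PAX_FLAGS header, or None if the binary carries no marking."""
    for p_type, p_flags in parse_elf64(data)[1]:
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def pax_flags_string(p_flags):
    """Render a marking the way 'paxctl -v' does, e.g. '-p-sM--x-eR-'."""
    out = []
    for _, letter, on_bit, off_bit in PAX_FEATURES:
        out.append(letter.upper() if p_flags & on_bit else "-")
        out.append(letter if p_flags & off_bit else "-")
    return "".join(out)


def pax_flags_report(p_flags):
    """One line per feature, like the list under the flag string in 'paxctl -v'."""
    lines = []
    for name, _, on_bit, off_bit in PAX_FEATURES:
        if p_flags & on_bit:
            state = "enabled"
        elif p_flags & off_bit:
            state = "disabled"
        else:
            state = "not marked (kernel default applies)"
        lines.append(f"{name} is {state}")
    return lines


def apply_paxctl_options(options, p_flags=0):
    """Model paxctl's option letters: 'z' clears the marking, a lowercase letter sets
    the disable bit (clearing enable), an uppercase letter does the reverse."""
    letters = {letter: (on, off) for _, letter, on, off in PAX_FEATURES}
    for ch in options:
        if ch == "z":
            p_flags = 0
        elif ch in letters:
            on_bit, off_bit = letters[ch]
            p_flags = (p_flags | off_bit) & ~on_bit
        elif ch.lower() in letters:
            on_bit, off_bit = letters[ch.lower()]
            p_flags = (p_flags | on_bit) & ~off_bit
        else:
            raise ValueError(f"unknown paxctl option: -{ch}")
    return p_flags


def describe(data):
    """Summarise what the kernel will see: executable type and PaX marking."""
    e_type = parse_elf64(data)[0]
    kind = {ET_EXEC: "ET_EXEC (fixed load address unless RANDEXEC relocates it)",
            ET_DYN: "ET_DYN (PIE or shared object; base randomized by RANDMMAP)"}
    lines = [kind.get(e_type, f"e_type {e_type}")]
    marking = pax_marking(data)
    if marking is None:
        return lines + ["no PT_PAX_FLAGS header: kernel defaults apply"]
    return lines + [f"PaX flags: {pax_flags_string(marking)}"] + pax_flags_report(marking)


# The marking the guide applies to Xorg with: paxctl -zpeMRxs /usr/bin/Xorg
XORG_MARKING = apply_paxctl_options("zpeMRxs")
SAMPLE_XORG = build_elf64(ET_EXEC, XORG_MARKING)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_XORG)))
```

Running it prints the same flag string and feature list as the <c>paxctl -v /usr/bin/Xorg</c> session above, which is a quick way to confirm what a given option string will leave in the binary before applying it. Two caveats worth keeping in mind: a missing <c>PT_PAX_FLAGS</c> header (or a feature with neither bit set) means the kernel's own default applies, not "disabled", and <c>ET_DYN</c> is also the type of ordinary shared libraries, so a PIE check on real files should additionally look for a <c>PT_INTERP</c> header.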

<p>
A default init/conf.d script gets installed when you merge the chpax package;
it sets up some reasonable defaults for the well-known misbehaving applications.
You may want to have these markings applied at every boot. To do that, run the
following command:
<c>emerge chpax ; rc-update add chpax default ; /etc/init.d/chpax start</c>
</p>

</body>
</section>
</chapter>
</guide>
