Contents of /xml/htdocs/proj/en/hardened/pax-quickstart.xml

Revision 1.6
Mon Apr 18 19:39:05 2005 UTC (13 years, 7 months ago) by solar
Branch: MAIN
Changes since 1.5: +2 -2 lines
File MIME type: application/xml
- removed obsoleted USE pie flag from docs

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.5 2005/02/06 22:46:50 solar Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/proj/en/hardened/pax-quickstart.xml">
<title>Hardened Gentoo PaX Quickstart</title>

<author title="Author">
<mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
<mail link="blackace@gentoo.org">Blackace</mail>
</author>

<abstract>
A quickstart covering PaX and Hardened Gentoo.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
<license/>

<version>1.2</version>
<date>2004-08-07</date>

<chapter>
<title>What is Hardened Gentoo?</title>
<section>
<body>

<p>
Hardened Gentoo is a project dedicated to hardening Gentoo systems. We support
several different solutions, and there is a fair bit of flexibility to create
your own setup. At the heart of Hardened Gentoo is <e>PaX</e>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>What is PaX?</title>
<section>
<body>

<p>
PaX is a patch to the Linux kernel that provides hardening in two ways.
</p>

<p>
The first, <e>ASLR</e> (Address Space Layout Randomization), randomizes the
addresses at which data is loaded into memory. When an application is built as
a <e>PIE</e> (Position Independent Executable), PaX can also randomize the base
address of the application itself.
</p>

<p>
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack in which an attacker inserts executable code into memory
and runs it. More information on PaX can be found throughout this guide; the
project homepage is at <uri>http://pax.grsecurity.net</uri>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>An Introduction to PIE and SSP</title>
<section>
<body>

<p>
As mentioned above, PaX is complemented by PIE. This method of building
executables stores the information needed to relocate parts of the executable
in memory, hence the name <e>Position Independent</e>.
</p>

<p>
<e>SSP</e> (Stack Smashing Protector) is a second complementary technology that
we introduce at executable build time. SSP was originally introduced by IBM
under the name <e>ProPolice</e>. It modifies the C compiler to insert
initialization code into functions that create a buffer in memory.
</p>

<note>
In newer versions of SSP, it is possible to apply SSP to all functions, adding
protection to functions whose buffer would normally be below the size limit for
SSP. This is enabled via the compiler flag <c>-fstack-protector-all</c>.
</note>

<p>
At run time, when a buffer is created, SSP places a secret random value, the
canary, at the end of the buffer. When the function returns, SSP checks that
the canary is still intact. An attacker performing a buffer overflow would
overwrite this value and trigger the stack smashing handler. Currently this
kills the target process.
</p>
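The canary mechanism described above, modelled as an added C example that is not code from this guide or from SSP/ProPolice itself: a struct stands in for the stack frame, with the canary placed directly after the local buffer, and copy_and_check() performs the epilogue comparison that SSP inserts before a function returns. The fixed CANARY_VALUE and the helper names are assumptions made for the demonstration; real SSP draws a random canary per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a stack frame laid out by SSP: the canary sits
 * directly after the local buffer, so an overflow running off the end of
 * buf corrupts the canary before it can reach anything beyond the frame. */
struct frame {
    char     buf[16];
    uint64_t canary;
};

/* Assumed constant for the demo; real SSP draws a random canary per process
 * at startup, so its value cannot be known in advance. */
#define CANARY_VALUE 0x5ec2e7c4a2a2ff00ULL

/* Copy `len` bytes of input into the frame the way an unchecked copy into
 * buf would, then run the epilogue check SSP inserts before returning.
 * Returns 1 if the canary survived, 0 if the copy smashed it (where real
 * SSP would call the stack smashing handler and kill the process). */
int copy_and_check(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY_VALUE;
    if (len > sizeof f)
        len = sizeof f;           /* keep the write inside the model frame */
    memcpy(&f, input, len);       /* len > 16 runs past buf into the canary */
    return f.canary == CANARY_VALUE;
}

/* Convenience wrapper: a constructed input of `len` 'A' bytes. */
int overflow_demo(size_t len)
{
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    return copy_and_check(input, len);
}

int main(void)
{
    size_t lens[] = { 5, 16, 17, 24 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu-byte input: canary %s\n", lens[i],
               overflow_demo(lens[i]) ? "intact" : "smashed");
    return 0;
}
```

Inputs that fit in the 16-byte buffer leave the canary intact; anything longer changes it and the check fails. Compiling real code with -fstack-protector (or -fstack-protector-all, as noted above) makes GCC insert this same pattern into each protected function automatically.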

<p>
<uri link="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
SSP.</uri>
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PaX-enabled Kernel</title>
<section>
<body>

<p>
Several Gentoo kernel trees are already patched with PaX.
</p>

<p>
For 2.4 based machines, the recommended kernels are <c>hardened-sources</c> or
<c>grsec-sources</c>. For 2.6 machines, <c>hardened-dev-sources</c> are
recommended.
</p>

<p>
Grab one of the recommended source trees, or apply the appropriate patch from
<uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you
normally would for the target machine.
</p>

<p>
In <c>Security Options -&gt; PaX</c>, apply the options as shown below.
</p>

<pre caption="Kernel configuration">
[*] Enable various PaX features

  PaX Control -&gt;

    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
        MAC system integration (none) ---&gt;

  Non-executable page -&gt;

    [*] Enforce non-executable pages
    [*] Paging based non-executable pages
    [*] Segmentation based non-executable pages
    [*] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Disallow ELF text relocations

  Address Space Layout Randomization -&gt;

    [*] Address Space Layout Randomization
    [*] Randomize kernel stack base
    [*] Randomize user stack base
    [*] Randomize mmap() base
    [*] Randomize ET_EXEC base
</pre>

<p>
Build this kernel as you normally would and install it to <path>/boot</path>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PIE/SSP Enabled Userland</title>
<section>
<body>

<p>
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
<c>hardened-gcc</c> package is now deprecated and should be unmerged
(version 5.0 is a dummy package). To get the current GCC, add
<c>USE="hardened pic"</c> to <path>/etc/make.conf</path>.
</p>

<p>
To maintain a consistent toolchain, first <c>emerge binutils gcc virtual/libc</c>.
Next, rebuild the entire system with <c>emerge -e world</c>. All future packages
will be built with PIE/SSP.
</p>
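To verify that the rebuilt toolchain really produces position independent executables, here is an added C example that is not part of this guide or of any Gentoo tool. It reads the ELF header of a file and reports whether its e_type is ET_DYN (how a PIE is linked) or ET_EXEC (a fixed-address executable, the kind the kernel option "Randomize ET_EXEC base" applies to). The function names and the constructed headers in demo_header_is_pie() are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF e_type values from the ELF specification. */
#define ELF_ET_EXEC 2   /* fixed-address executable */
#define ELF_ET_DYN  3   /* shared object; also what a PIE is linked as */

/* Classify the first `len` bytes of an ELF image.
 * Returns 1 for a PIE (ET_DYN), 0 for a fixed-address executable (ET_EXEC),
 * -1 if the bytes are not an ELF header or carry another e_type. */
int elf_is_pie(const unsigned char *img, size_t len)
{
    if (len < 18)                                   /* e_type ends at offset 18 */
        return -1;
    if (memcmp(img, "\x7f" "ELF", 4) != 0)
        return -1;
    int little_endian = (img[5] == 1);              /* EI_DATA: 1 = LSB, 2 = MSB */
    uint16_t e_type = little_endian
        ? (uint16_t)(img[16] | (img[17] << 8))
        : (uint16_t)((img[16] << 8) | img[17]);
    if (e_type == ELF_ET_DYN)
        return 1;
    if (e_type == ELF_ET_EXEC)
        return 0;
    return -1;
}

/* Same check on a file on disk, e.g. a freshly rebuilt /bin/ls. */
int elf_file_is_pie(const char *path)
{
    unsigned char hdr[64];
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -1;
    size_t n = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    return elf_is_pie(hdr, n);
}

/* Constructed 64-byte ELF64 little-endian headers for the demo, differing
 * only in e_type. Not taken from a real binary. */
int demo_header_is_pie(int pie)
{
    unsigned char hdr[64] = { 0x7f, 'E', 'L', 'F', 2 /* ELFCLASS64 */,
                              1 /* LSB */, 1 /* EV_CURRENT */ };
    hdr[16] = pie ? ELF_ET_DYN : ELF_ET_EXEC;   /* e_type, low byte */
    hdr[17] = 0;
    hdr[18] = 0x3e;                             /* e_machine: x86-64 */
    return elf_is_pie(hdr, sizeof hdr);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("constructed ET_DYN header: %d, ET_EXEC header: %d\n",
               demo_header_is_pie(1), demo_header_is_pie(0));
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        int r = elf_file_is_pie(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "PIE (ET_DYN)" :
               r == 0 ? "not PIE (ET_EXEC)" : "not a recognised ELF executable");
    }
    return 0;
}
```

Point it at executables only: ET_DYN is also the type of shared libraries, so a library will report as a PIE. readelf -h shows the same Type field if you prefer an existing tool.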

<warn>
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a bug report including a log
of the failed compile and the output of <c>emerge info</c> to
<uri>http://bugs.gentoo.org/</uri>.
</warn>

</body>
</section>
</chapter>

<chapter>
<title>When Things Misbehave (PaX Control)</title>
<section>
<body>

<p>
Some legitimate applications attempt to generate code at run time and execute
it directly from memory. Naturally, PaX does not allow this and will promptly
kill the offending application.
</p>

<note>
The most notable of these applications are XFree, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems is to disable PaX
protections for the affected binaries.
</note>

<p>
Luckily there is a utility to toggle protections on a per-executable basis,
<e>paxctl</e>. As with any other package in Gentoo, install paxctl with the
command <c>emerge paxctl</c>. Usage is shown by <c>paxctl -h</c>.
</p>

<note>
If you have an older version of binutils, you will need to use <e>chpax</e>,
which edits the old-style PaX markings. Usage of chpax is largely the same as
that of paxctl. This also requires legacy marking support to be built into your
kernel.
</note>

<pre caption="paxctl -h">
usage: paxctl &lt;options&gt; &lt;files&gt;

options:
        -p: disable PAGEEXEC            -P: enable PAGEEXEC
        -e: disable EMUTRMAP            -E: enable EMUTRMAP
        -m: disable MPROTECT            -M: enable MPROTECT
        -r: disable RANDMMAP            -R: enable RANDMMAP
        -x: disable RANDEXEC            -X: enable RANDEXEC
        -s: disable SEGMEXEC            -S: enable SEGMEXEC

        -v: view flags                  -z: restore default flags
        -q: suppress error messages     -Q: report flags in short format flags
</pre>

<p>
The first option we will note is <c>-v</c>, which displays the flags set on a
particular binary.
</p>

<pre caption="paxctl -v">
y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86
PaX control v0.2
Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;

- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is enabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is enabled
</pre>

<p>
This shows the XFree binary with PAGEEXEC, SEGMEXEC, RANDEXEC and EMUTRAMP
disabled, while MPROTECT and RANDMMAP remain enabled.
</p>

<p>
When setting flags on a binary, the <c>-z</c> flag is useful as it first
restores the default flags.
</p>

<p>
To disable protections on XFree, run
<c>paxctl -zpeMRxs /usr/X11R6/bin/XFree86</c>.
</p>

<p>
Experiment with disabling and enabling individual protections to find the
smallest set that has to be disabled for the application to run.
</p>
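The flag string in the paxctl -v output above, and the protections that the -zpeMRxs command toggles, follow a fixed layout: six two-character slots in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP, with the upper-case letter in the first position when a protection is enabled and the lower-case letter in the second when it is disabled. As an added example that is not part of this guide or of paxctl, the following C code decodes such a report line so that an administrator can inventory which binaries have had protections switched off. The slot layout is inferred from the sample output above, treating "--" as an unmarked default is an assumption, and the function names are assumptions as well.

```c
#include <stdio.h>
#include <string.h>

/* Slot order in the 12-character flag string, inferred from the sample
 * "-p-sM--x-eR-" above and the per-protection lines printed under it. */
static const char *const pax_names[6] = {
    "PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP"
};
static const char pax_letters[6] = { 'P', 'S', 'M', 'X', 'E', 'R' };

enum pax_state { PAX_DEFAULT = -1, PAX_DISABLED = 0, PAX_ENABLED = 1 };

/* Decode a 12-character flag string into six states.
 * Returns 0 on success, -1 if the string does not follow the layout. */
int pax_decode(const char *flags, int state[6])
{
    if (strlen(flags) != 12)
        return -1;
    for (int i = 0; i < 6; i++) {
        char on  = flags[2 * i];       /* upper-case letter when enabled  */
        char off = flags[2 * i + 1];   /* lower-case letter when disabled */
        char up  = pax_letters[i];
        char lo  = (char)(up - 'A' + 'a');
        if (on == up && off == '-')
            state[i] = PAX_ENABLED;
        else if (on == '-' && off == lo)
            state[i] = PAX_DISABLED;
        else if (on == '-' && off == '-')
            state[i] = PAX_DEFAULT;    /* assumption: "--" means not marked */
        else
            return -1;
    }
    return 0;
}

/* Extract the flag string from a "- PaX flags: ... [file]" report line. */
int pax_parse_line(const char *line, char out[13])
{
    const char *p = strstr(line, "PaX flags: ");
    if (p == NULL)
        return -1;
    p += strlen("PaX flags: ");
    if (strlen(p) < 12)
        return -1;
    memcpy(out, p, 12);
    out[12] = '\0';
    return 0;
}

/* State of protection `idx` (index into pax_names) on a report line,
 * or -2 if the line cannot be decoded. */
int pax_state_of(const char *line, int idx)
{
    char flags[13];
    int state[6];
    if (idx < 0 || idx > 5)
        return -2;
    if (pax_parse_line(line, flags) != 0 || pax_decode(flags, state) != 0)
        return -2;
    return state[idx];
}

/* Audit helper: number of protections explicitly switched off on a binary,
 * i.e. the exceptions an administrator should be able to justify.
 * Returns -1 if the line cannot be decoded. */
int pax_count_disabled(const char *line)
{
    int n = 0;
    for (int i = 0; i < 6; i++) {
        int s = pax_state_of(line, i);
        if (s == -2)
            return -1;
        if (s == PAX_DISABLED)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample line, matching the paxctl -v output shown above. */
    const char *sample = "- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86]";
    for (int i = 0; i < 6; i++) {
        int s = pax_state_of(sample, i);
        printf("%-8s is %s\n", pax_names[i],
               s == PAX_ENABLED ? "enabled" :
               s == PAX_DISABLED ? "disabled" : "default");
    }
    printf("%d protection(s) explicitly disabled\n", pax_count_disabled(sample));
    return 0;
}
```

Run over the -v output for every binary you have marked, this turns the per-executable exceptions into a list that can be reviewed, which matters because each disabled protection is a spot where the kernel's non-executable memory or randomization guarantees no longer hold.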

</body>
</section>
</chapter>
</guide>
