Contents of /xml/htdocs/proj/en/hardened/pax-quickstart.xml

Revision 1.7
Tue Jul 12 01:02:46 2005 UTC by solar
Branch: MAIN
Changes since 1.6: +34 -17 lines
File MIME type: application/xml
- update docs

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.6 2005/04/18 19:39:05 solar Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/proj/en/hardened/pax-quickstart.xml">
<title>Hardened Gentoo PaX Quickstart</title>

<author title="Author">
<mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
<mail link="blackace@gentoo.org">Blackace</mail>
</author>
<author title="Editor">
<mail link="solar@gentoo.org">solar</mail>
</author>

<abstract>
A quickstart covering PaX and Hardened Gentoo.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
<license/>

<version>1.3</version>
<date>2005-07-11</date>

<chapter>
<title>What is Hardened Gentoo?</title>
<section>
<body>

<p>
Hardened Gentoo is a project focused on hardening a Gentoo system. We support
several different solutions, and there is a fair bit of flexibility to create
your own setup. At the heart of a common Hardened Gentoo setup is <e>PaX</e>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>What is PaX?</title>
<section>
<body>

<p>
PaX is a patch to the Linux kernel that provides hardening in two ways.
</p>

<p>
The first, <e>ASLR</e> (Address Space Layout Randomization), randomizes the
addresses at which data is loaded into memory, so an attacker cannot count on
knowing where anything lives. When an application is built as a <e>PIE</e>
(Position Independent Executable), PaX can also randomize the base address of
the executable itself.
</p>

<p>
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack in which an attacker injects executable code into memory
and then runs it. More information on PaX can be found throughout this guide;
the project homepage is at <uri>http://pax.grsecurity.net</uri>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>An Introduction to PIE and SSP</title>
<section>
<body>

<p>
As mentioned above, PaX is complemented by PIE. This method of building
executables stores the information needed to relocate parts of the executable in
memory, hence the name <e>Position Independent</e>.
</p>

<p>
<e>SSP</e> (Stack Smashing Protector) is a second complementary technology we
introduce at executable build time. SSP was originally introduced by IBM under
the name <e>ProPolice</e>. It modifies the C compiler to insert initialization
code into functions that create a buffer on the stack.
</p>

<note>
In newer versions of SSP, it is possible to apply SSP to all functions,
adding protection to functions whose buffer would normally be below the size
limit for SSP. This is enabled via the CFLAG <c>-fstack-protector-all</c>.
</note>

<p>
At run time, when a buffer is created, SSP places a secret random value, the
canary, after the buffer. When the function returns, SSP checks that the
canary is still intact. An attacker performing a buffer overflow would
overwrite this value and trigger the stack smashing handler, which currently
kills the target process.
</p>
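
<p>
The canary mechanism described above, as an added example that is not part of
this guide or of SSP/ProPolice itself: a small C model of an SSP-protected
frame, where the local buffer sits directly below a canary and the epilogue
check catches any copy that runs past the buffer. The <c>frame</c> struct, the
seeded <c>rand()</c> stand-in for the real per-process random canary, and the
run of <c>'A'</c> bytes used as input are all constructed for the demonstration.
</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of an SSP-protected stack frame (constructed for this example): the
   local buffer sits immediately below the canary, so any write that runs past
   buf[] must clobber the canary before it can reach the saved frame pointer
   or return address further up the stack. */
struct frame {
    char     buf[16];
    uint64_t canary;
};

/* Stand-in for the per-process random canary. Real SSP gets it from the
   kernel/libc at process start; a fixed seed is used here only so the demo is
   reproducible. The lowest byte is kept zero, as glibc does, so that a C-string
   copy can never rebuild the canary by accident. */
static uint64_t canary_value(void)
{
    static uint64_t value;
    if (value == 0) {
        srand(0x5a5a);                              /* fixed seed: demo only */
        value = ((uint64_t)rand() << 32) ^ (uint64_t)rand();
        value &= ~(uint64_t)0xff;                   /* terminator byte */
        value |= (uint64_t)1 << 63;                 /* never zero */
    }
    return value;
}

/* Emulates what SSP wraps around a function with a local buffer: the prologue
   stores the canary, the body does an unchecked copy of 'len' bytes into the
   buffer, and the epilogue compares the canary before returning. Returns 1 if
   the canary survived and 0 if it was smashed (where real SSP would abort the
   process). The copy is clamped to the frame so the demo stays within defined
   behaviour even when it overruns buf[]. */
int run_with_canary(const unsigned char *src, size_t len)
{
    struct frame f;
    f.canary = canary_value();                      /* prologue */

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);                           /* unchecked copy into buf */

    return f.canary == canary_value();              /* epilogue check */
}

/* Constructed input: a run of 'A' bytes longer than the buffer, standing in
   for attacker-controlled data. copy_survives(len) reports whether copying
   'len' of them leaves the canary intact. */
int copy_survives(size_t len)
{
    static const unsigned char input[sizeof(struct frame) + 8] = {
        'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
        'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
    };
    return run_with_canary(input, len);
}

int main(void)
{
    printf("16 bytes into a 16-byte buffer: canary %s\n",
           copy_survives(16) ? "intact" : "smashed");
    printf("17 bytes into a 16-byte buffer: canary %s\n",
           copy_survives(17) ? "intact" : "smashed");
    return 0;
}
```

<p>
The point to take away is the ordering: the canary is checked before the
function hands control back to its caller, so a smashed return address is never
used. Real SSP does not return 0 here; it calls the stack smashing handler, which
on this system kills the process as described above.
</p>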

<p>
<uri link="http://www.trl.ibm.com/projects/security/ssp/">Further reading on
SSP.</uri>
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PaX-enabled Kernel</title>
<section>
<body>

<p>
Several Gentoo kernel trees are already patched with PaX.
</p>

<p>
For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c>.
</p>

<p>
Grab one of the recommended source trees, or apply the appropriate patch from
<uri>http://pax.grsecurity.net</uri> to your own tree, and configure it as you
normally would for the target machine.
</p>

<p>
In <c>Security Options -&gt; PaX</c>, apply the options as shown below.
</p>

<pre caption="Kernel configuration">
[*] Enable various PaX features

    PaX Control -&gt;

    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
        MAC system integration (none) ---&gt;

    Non-executable page -&gt;

    [*] Enforce non-executable pages
    [*] Paging based non-executable pages
    [*] Segmentation based non-executable pages
    [*] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Disallow ELF text relocations

    Address Space Layout Randomization -&gt;

    [*] Address Space Layout Randomization
    [*] Randomize kernel stack base
    [*] Randomize user stack base
    [*] Randomize mmap() base
    [*] Randomize ET_EXEC base
</pre>

<p>
Build this kernel as you normally would and install it to <path>/boot</path>.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Building a PIE/SSP Enabled Userland</title>
<section>
<body>

<p>
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
<c>hardened-gcc</c> package is now deprecated and should be unmerged
(version 5.0 is a dummy package). To get the current GCC, add
<c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if you are not using the
hardened profile.
</p>

<p>
To maintain a consistent toolchain, first <c>emerge binutils gcc virtual/libc</c>.
Next, rebuild the entire system with <c>emerge -e world</c>. All future packages
will be built with PIE/SSP.
</p>

<warn>
Both PIE and SSP are known to cause issues with some packages. If you come
across a package that fails to compile, please file a detailed bug report including
a log of the failed compile and the output of <c>emerge info</c> to
<uri>http://bugs.gentoo.org/</uri>.
</warn>

<p>
You will probably also want to merge <c>pax-utils</c>. An ELF object that carries
relocations in its text segment (text relocations) often causes problems on a
PaX system, because the loader has to write into the text segment to apply them.
The following scans the library paths and <c>PATH</c> for such objects:
</p>

<pre caption="Finding ELF objects with text relocations">
# scanelf -BRylptq
</pre>
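
<p>
What <c>scanelf -t</c> actually looks for, as an added example that is neither
pax-utils code nor part of this guide: a C routine that walks an ELF64 dynamic
section and reports whether the object declares text relocations, via the older
<c>DT_TEXTREL</c> tag or the <c>DF_TEXTREL</c> bit in <c>DT_FLAGS</c>. The
<c>elf64_dyn</c> type and tag values mirror the standard ELF definitions; the
three sample dynamic sections are constructed, not taken from any real binary.
</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ELF64 dynamic-section entry and the tags involved in text relocations.
   The numeric values are the standard ones from the ELF specification (the
   same as DT_TEXTREL, DT_FLAGS and DF_TEXTREL in <elf.h>); they are spelled
   out here so the example builds without system headers. */
typedef struct {
    int64_t  d_tag;
    uint64_t d_val;
} elf64_dyn;

enum {
    TAG_NULL      = 0,
    TAG_NEEDED    = 1,
    TAG_TEXTREL   = 16,
    TAG_FLAGS     = 30,
    FLAG_TEXTREL  = 0x4,
    FLAG_BIND_NOW = 0x8
};

/* Walks a dynamic section (terminated by DT_NULL) and reports whether the
   object declares text relocations, either with the older DT_TEXTREL tag or
   with DF_TEXTREL set in DT_FLAGS. Returns 1 if found, 0 if not. A hit means
   the loader must write into the text segment at load time, which is exactly
   the writable-then-executable mapping that PaX's MPROTECT restriction
   refuses, so such objects are the first place to look when a program dies
   under PaX. */
int has_textrel(const elf64_dyn *dyn, size_t count)
{
    for (size_t i = 0; i < count && dyn[i].d_tag != TAG_NULL; i++) {
        if (dyn[i].d_tag == TAG_TEXTREL)
            return 1;
        if (dyn[i].d_tag == TAG_FLAGS && (dyn[i].d_val & FLAG_TEXTREL))
            return 1;
    }
    return 0;
}

/* Constructed sample dynamic sections, not read from any real binary. */
const elf64_dyn clean_dyn[] = {
    { TAG_NEEDED, 0x10 },                         /* DT_NEEDED -> strtab offset */
    { TAG_FLAGS,  FLAG_BIND_NOW },
    { TAG_NULL,   0 }
};
const elf64_dyn legacy_textrel_dyn[] = {
    { TAG_NEEDED,  0x10 },
    { TAG_TEXTREL, 0 },                           /* old-style marker */
    { TAG_NULL,    0 }
};
const elf64_dyn flags_textrel_dyn[] = {
    { TAG_NEEDED, 0x10 },
    { TAG_FLAGS,  FLAG_BIND_NOW | FLAG_TEXTREL }, /* DT_FLAGS-style marker */
    { TAG_NULL,   0 }
};

int main(void)
{
    printf("clean object:     textrel=%d\n", has_textrel(clean_dyn, 3));
    printf("DT_TEXTREL:       textrel=%d\n", has_textrel(legacy_textrel_dyn, 3));
    printf("DF_TEXTREL flag:  textrel=%d\n", has_textrel(flags_textrel_dyn, 3));
    return 0;
}
```

<p>
On a real file the dynamic section is found through the <c>PT_DYNAMIC</c>
program header; the scan itself is the loop above. Both spellings of the marker
have to be checked, since older linkers emit <c>DT_TEXTREL</c> while newer ones
fold it into <c>DT_FLAGS</c>.
</p>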

</body>
</section>
</chapter>

<chapter>
<title>When Things Misbehave (PaX Control)</title>
<section>
<body>

<p>
Some legitimate applications will attempt to generate code at run time and then
execute it from writable memory. Naturally, PaX does not allow this and it will
promptly kill the offending application.
</p>

<note>
The most notable of these applications are XFree/Xorg, mplayer and multimedia tools
based on xine-lib. The easiest way around these problems is to disable PaX
protections for the affected executable.
</note>

<p>
Luckily there is a utility to toggle protections on a per-executable basis,
<e>paxctl</e>. As with any other package in Gentoo, install paxctl with the
command <c>emerge paxctl</c>. Usage is shown by <c>paxctl -h</c>.
</p>

<note>
If you have an older version of binutils, you will need to use <e>chpax</e>,
which edits the old-style PaX markings. Usage of chpax is largely the same as
paxctl. This also requires legacy marking support built into your kernel.
</note>

<pre caption="paxctl -h">
usage: paxctl &lt;options&gt; &lt;files&gt;

options:
  -p: disable PAGEEXEC         -P: enable PAGEEXEC
  -e: disable EMUTRMAP         -E: enable EMUTRMAP
  -m: disable MPROTECT         -M: enable MPROTECT
  -r: disable RANDMMAP         -R: enable RANDMMAP
  -x: disable RANDEXEC         -X: enable RANDEXEC
  -s: disable SEGMEXEC         -S: enable SEGMEXEC

  -v: view flags               -z: restore default flags
  -q: suppress error messages  -Q: report flags in short format flags
</pre>

<p>
The first option we will note is <c>-v</c>, which displays the flags set on a
particular binary.
</p>

<pre caption="paxctl -v">
shell user # paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team &lt;pageexec@freemail.hu&gt;

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
  PAGEEXEC is disabled
  SEGMEXEC is disabled
  MPROTECT is enabled
  RANDEXEC is disabled
  EMUTRAMP is disabled
  RANDMMAP is enabled
</pre>

<p>
This shows an Xorg binary with the executable-memory protections (PAGEEXEC,
SEGMEXEC, EMUTRAMP) and RANDEXEC disabled; only MPROTECT and RANDMMAP remain
enabled.
</p>

<p>
To set flags on a binary, the <c>-z</c> flag is useful as it restores the
default flags first.
</p>

<p>
To disable protections on Xorg, run
<c>paxctl -zpeMRxs /usr/bin/Xorg</c>.
</p>

<p>
Play around with disabling/enabling protections to see what is the least needed
to run. Often we find that the <c>-m</c> or <c>-sp</c> combinations are enough.
</p>
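
<p>
How the <c>paxctl</c> option letters map onto the 12-character flag string
shown by <c>-v</c>, as an added example that is not paxctl's own code: a C
routine that applies an option string such as <c>-zpeMRxs</c> to a flag
string and a second one that reads a feature's state back out. The column
layout (each feature owns an enable column and a disable column, in the order
PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP) is inferred from the
<c>paxctl -v</c> output above, and the helper names are this example's own.
</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The six PaX features in the column order paxctl prints them, matching the
   "paxctl -v" output above. Each feature owns two columns of the 12-character
   flag string: an upper-case letter in the first column means "enabled", a
   lower-case letter in the second means "disabled", and '-' in both means the
   marking is unset (the kernel default applies). Layout inferred from the
   output on this page, not taken from paxctl's source. */
static const char FLAG_LETTERS[] = "psmxer";
static const char *const FLAG_NAMES[] = {
    "PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP"
};
enum { FLAG_COUNT = 6, FLAG_STR_LEN = 2 * FLAG_COUNT };

/* Applies a paxctl option string such as "-zpeMRxs" to a flag string.
   'z' clears all markings; an upper-case letter sets the enable column and
   clears the disable column of its feature; a lower-case letter does the
   reverse. Letters that are not flags (-v, -q, ...) are ignored. 'current'
   may be NULL (all unset). 'out' must hold FLAG_STR_LEN + 1 bytes.
   Returns the number of option letters applied. */
int apply_paxctl(const char *current, const char *options, char *out)
{
    char flags[FLAG_STR_LEN + 1];
    int applied = 0;

    if (current && strlen(current) == FLAG_STR_LEN)
        memcpy(flags, current, FLAG_STR_LEN);
    else
        memset(flags, '-', FLAG_STR_LEN);
    flags[FLAG_STR_LEN] = '\0';

    for (const char *p = options ? options : ""; *p; p++) {
        if (*p == '-')
            continue;                          /* option prefix, not a flag */
        if (*p == 'z') {
            memset(flags, '-', FLAG_STR_LEN);  /* restore default flags */
            applied++;
            continue;
        }
        char lower = (char)tolower((unsigned char)*p);
        const char *pos = strchr(FLAG_LETTERS, lower);
        if (!pos)
            continue;
        size_t idx = (size_t)(pos - FLAG_LETTERS);
        if (isupper((unsigned char)*p)) {      /* enable */
            flags[2 * idx]     = *p;
            flags[2 * idx + 1] = '-';
        } else {                               /* disable */
            flags[2 * idx]     = '-';
            flags[2 * idx + 1] = lower;
        }
        applied++;
    }
    memcpy(out, flags, FLAG_STR_LEN + 1);
    return applied;
}

/* Reads one feature's state out of a flag string: 1 enabled, 0 disabled,
   -1 unset, -2 for an unknown feature name or a malformed string. */
int flag_state(const char *flags, const char *name)
{
    if (!flags || strlen(flags) != FLAG_STR_LEN)
        return -2;
    for (size_t i = 0; i < FLAG_COUNT; i++) {
        if (strcmp(FLAG_NAMES[i], name) != 0)
            continue;
        if (flags[2 * i] != '-')
            return 1;
        if (flags[2 * i + 1] != '-')
            return 0;
        return -1;
    }
    return -2;
}

/* Convenience check: does applying 'options' to 'current' give 'expected'? */
int paxctl_gives(const char *current, const char *options, const char *expected)
{
    char out[FLAG_STR_LEN + 1];
    apply_paxctl(current, options, out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[FLAG_STR_LEN + 1];
    apply_paxctl(NULL, "-zpeMRxs", out);
    printf("paxctl -zpeMRxs -> %s\n", out);          /* -p-sM--x-eR- */
    for (size_t i = 0; i < FLAG_COUNT; i++) {
        int s = flag_state(out, FLAG_NAMES[i]);
        printf("  %s is %s\n", FLAG_NAMES[i],
               s == 1 ? "enabled" : s == 0 ? "disabled" : "unset");
    }
    return 0;
}
```

<p>
Running the example reproduces the <c>-p-sM--x-eR-</c> line from the
<c>paxctl -v</c> output above, which confirms that the <c>paxctl -zpeMRxs</c>
command given for Xorg is what produced that marking. It also makes the value
of starting with <c>-z</c> visible: without it, columns the command does not
mention keep whatever they held before.
</p>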

<p>
A default init/conf.d script gets installed when you merge the <c>chpax</c>
package; it sets up some reasonable defaults for the well-known misbehaving
applications. You may want to apply these markings at every boot. To do that,
run the following:
</p>

<pre caption="Applying PaX markings at boot">
# emerge chpax ; rc-update add chpax default ; /etc/init.d/chpax start
</pre>

</body>
</section>
</chapter>
</guide>
