Gentoo Forums
Hardened system w/o hardened-profile? [SOLVED]
ranger719
Tux's lil' helper
Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Nov 03, 2008 3:27 pm    Post subject: Hardened system w/o hardened-profile? [SOLVED]

Hi there,
how do I interpret the output of 'paxtest blackhat' on my non-hardened box?

Code:
....Some stack-smash-detections....
Mode: blackhat
Linux transgression 2.6.27-gentoo-r1 #1 SMP PREEMPT Mon Oct 27 12:26:02 CET 2008 i686 Genuine Intel(R) CPU 1300 @ 1.66GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 14 bits (guessed)
Heap randomisation test (ET_DYN)         : 16 bits (guessed)
Main executable randomisation (ET_EXEC)  : 10 bits (guessed)
Main executable randomisation (ET_DYN)   : 10 bits (guessed)
Shared library randomisation test        : 10 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Vulnerable
Executable shared library data           : Killed


Why is my stack etc. randomized? What will happen if I install the hardened-sources and enable "Enforce non-executable pages" from the PAX-patchset? Will this work? Will I have a hardened system with SSP (gcc-4 builtin, that's why the return-to-libc attempts fail [-fstack-protector -fstack-protector-all -D_FORTIFY_SOURCE=2]), stack/etc. randomization (don't know "from where") and memory-protection from PAX? The only thing that I will not have are randomized library addresses as they are only available if "Address Space Layout Randomization" from PAX is enabled? But that needs a patched binutils/gcc/glibc with PIE, enabled by "USE=hardened" (only usable with a hardened profile)?

Is this correct?

Some more info:
Code:
emerge -pv1 gcc glibc binutils
[ebuild   R   ] sys-devel/binutils-2.19  USE="nls -multislot -multitarget -test -vanilla" 0 kB
[ebuild   R   ] sys-devel/gcc-4.3.2  USE="nls (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -gtk (-hardened) -ip28 -ip32r10k -libffi -mudflap (-multilib) -multislot (-n32) (-n64) -nocxx -objc -objc++ -objc-gc -openmp -test -vanilla" 57,592 kB
[ebuild   R   ] sys-libs/glibc-2.7-r2  USE="nls -debug -gd -glibc-compat20 -glibc-omitfp (-hardened) (-multilib) -profile (-selinux) -vanilla" 16,223 kB

eselect profile list
Available profile symlink targets:
  [1]   default-linux/x86/2006.1
  [2]   default-linux/x86/2006.1/desktop
  [3]   default-linux/x86/2007.0
  [4]   default-linux/x86/2007.0/desktop
  [5]   hardened/x86/2.6
  [6]   selinux/2007.0/x86
  [7]   selinux/2007.0/x86/hardened
  [8]   default/linux/x86/2008.0 *
  [9]   default/linux/x86/2008.0/desktop
  [10]  default/linux/x86/2008.0/developer
  [11]  default/linux/x86/2008.0/server
  [12]  hardened/linux/x86

Thanks in advance.

Edit:
Okay, here's what I learned:

Stack/Heap Randomization comes from libc/gcc and is called PIC (enabled by default in Gentoo and other distributions).

Memory protection can be enabled with PAX (hardened-sources) and does not need any further special configuration as long as your apps are 'coded correctly' (See http://www.gentoo.org/proj/en/hardened/)

PIE can only be enabled with a patched gcc/glibc/binutils. Currently only available in the hardened-profile.

SSP (Stack smash protection) works with gcc-v4 without any further configuration, although some programs don't like it (libc especially, can be compiled, the second compilation fails with linker-errors). I have to figure out a way to disable some CFLAGS for some ebuilds (emerge -ave1 @world-@system is nice, but not good enough...).

I'll mark this as solved.
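A way to condense paxtest output like the listing in the first post, as an added example that is not part of the original thread: `Vulnerable` means the test managed to do what it attempted (for instance run code from the stack), `Killed` means the test process was stopped first, and the randomisation lines give paxtest's estimate in bits. The names `paxtest_summary` and `paxtest_sample` are made up here, and the sample is an excerpt of the lines quoted above.

```shell
#!/bin/sh
# Added example: summarise paxtest output read on stdin.
# paxtest_summary is a hypothetical helper name, not part of paxtest.
paxtest_summary() {
    awk '
    {
        pos = match($0, /:[^:]*$/)      # the last colon separates test name and result
        if (pos == 0) next
        name = substr($0, 1, pos - 1)
        res  = substr($0, pos + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", res)
        if (res == "Vulnerable") { vuln++; list = list "  not blocked: " name "\n" }
        else if (res == "Killed") { killed++ }
        else if (res ~ /^[0-9]+ bits/) {
            bits = res + 0              # "16 bits (guessed)" -> 16
            if (!seen || bits < min) { min = bits; minname = name; seen = 1 }
        }
        # header lines such as "Mode: blackhat" match none of the above and are skipped
    }
    END {
        printf "vulnerable=%d killed=%d min_random_bits=%d (%s)\n", vuln, killed, min, minname
        printf "%s", list
    }'
}

# Sample input: an excerpt of the paxtest listing quoted in the post above.
paxtest_sample() {
    cat <<'EOF'
Mode: blackhat
Executable stack                         : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Vulnerable
Heap randomisation test (ET_EXEC)        : 14 bits (guessed)
Main executable randomisation (ET_EXEC)  : 10 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Killed
Executable shared library data           : Killed
EOF
}

paxtest_sample | paxtest_summary
```

Saving the summary before and after a kernel or toolchain change and comparing the two files with `diff` shows which tests changed result.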
sd44
Apprentice
Joined: 21 Jul 2007
Posts: 277
Location: Nantes 44

Posted: Sat Nov 15, 2008 6:40 pm

Winner: 5!

If I understand this readme:

This is a hardened profile for 2.6-series kernels on x86. Note that it inherits from
hardened, not hardened/x86. hardened/x86 is for 2.4-series kernel only and masks stuff
that is only appropriate for 2.6 kernels. To avoid unnecessary disruption to the 2.4
profile, and to avoid this 2.6 profile having to undo masks in the 2.4 profile, this
profile simply inherits from the base hardened profile (parent = ../..).

Kevin F. Quinn <kevquinn@gentoo.org>, 25th June 2006
_________________
Why make it simple when you can make it complicated?
ranger719
Tux's lil' helper
Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Sat Nov 15, 2008 7:03 pm

5 is the default hardened-profile which only offers glibc-2.6.1, gcc-3.4.6. My system is already on >glibc-2.6.1 and I cannot enable it because I cannot downgrade my libc. So I tried to enable as much additional security without reinstalling or using overlays. Except for PIE (which is the best security you can get..) I managed to enable all of the additional security offered by the hardened-profile [5].
sd44
Apprentice
Joined: 21 Jul 2007
Posts: 277
Location: Nantes 44

Posted: Sat Nov 15, 2008 7:35 pm

gcc 4 is masked with hardened! I have downgraded my system ... I don't have a stable solution (overlay ... I don't like this).
If you have a stable and clean solution for hardened with gcc 4 ... I'm interested :D
ranger719
Tux's lil' helper
Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Sun Nov 16, 2008 2:07 pm

Hardened profile with gcc4 is only supported via overlay (http://overlays.gentoo.org/dev/kevquinn/). As I wrote above, everything except PIE is working. PIC is enabled by default, PAX (except PIE) can be enabled in the hardened-kernel (just emerge it) and SSP is builtin in gcc4. GRSEC is also present in the hardened-kernel and can be enabled. But for SSP I still need to write a /etc/portage/bashrc (some hints can be found here: https://forums.gentoo.org/viewtopic-t-663365-postdays-0-postorder-asc-start-0.html) because some packages (e.g. libc) do not like SSP, so I have to unset the following CFLAGS: "-fstack-protector -fstack-protector-all -D_FORTIFY_SOURCE=2".
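A sketch of the /etc/portage/bashrc approach described in the last post, as an added example that is not the poster's file or code from the linked thread: Portage sources this file in the ebuild environment, where `CATEGORY` and `PN` identify the package being built. The package list and the helper names `strip_flags` and `pkg_is_listed` are assumptions; the flag list is the one quoted in the post.

```shell
# /etc/portage/bashrc (added example; helper names are hypothetical)

# Flags quoted in the post above.
SSP_FLAGS="-fstack-protector -fstack-protector-all -D_FORTIFY_SOURCE=2"
# Assumption: packages that fail to build with those flags, as category/name.
NO_SSP_PKGS="sys-libs/glibc"

# strip_flags "<flag string>" "<flags to drop>": print the flag string
# without any word that exactly matches one of the flags to drop.
strip_flags() {
    out=""
    for f in $1; do
        drop=0
        for d in $2; do
            if [ "$f" = "$d" ]; then drop=1; fi
        done
        if [ "$drop" -eq 0 ]; then out="${out:+$out }$f"; fi
    done
    printf '%s\n' "$out"
}

# pkg_is_listed "<category/name>" "<list>": succeed if the package is in the list.
pkg_is_listed() {
    for p in $2; do
        if [ "$1" = "$p" ]; then return 0; fi
    done
    return 1
}

# Only the listed packages lose the flags; every other package keeps
# the hardening options set in make.conf.
if pkg_is_listed "${CATEGORY:-}/${PN:-}" "$NO_SSP_PKGS"; then
    CFLAGS=$(strip_flags "${CFLAGS:-}" "$SSP_FLAGS")
    CXXFLAGS=$(strip_flags "${CXXFLAGS:-}" "$SSP_FLAGS")
    export CFLAGS CXXFLAGS
fi
```

Matching whole words keeps `-fstack-protector` from also removing part of `-fstack-protector-all`, and keeping the exception list short makes it easy to audit which packages are built without SSP.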
All times are GMT