-rw-r--r-- xml/hardened-debugging.xml | 12
-rw-r--r-- xml/revdep-pax.xml | 616
2 files changed, 43 insertions, 585 deletions
diff --git a/xml/hardened-debugging.xml b/xml/hardened-debugging.xml index 21a0fc9..0a648a9 100644 --- a/xml/hardened-debugging.xml +++ b/xml/hardened-debugging.xml @@ -5,7 +5,7 @@ <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en"> <title>Gentoo Hardened debugging</title> <author title="Author"> - <mail link="klondike@xiscosoft.es">klondike</mail> + <mail link="klondike"/> </author> <author title="Contributor"> <!-- Via bugs #341889 and 265693 --> @@ -21,8 +21,8 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and SSP. <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> <license/> -<version>1.0</version> -<date>2010-10-26</date> +<version>2</version> +<date>2012-04-28</date> <chapter> <title>Solving the '??' issue.</title> @@ -214,10 +214,12 @@ available breakpoints. <p> After debugging you may want to restore the system to its normal state, if you used <c>paxctl</c> you can reset the flags to default using the <c>-z</c> flag. +Since the -z flags will zero all the flags also want to keep trampoline +emulation disabled. This is done with the <c>-e</c> flag. </p> -<pre caption="Reseting the flags back to its defaults."> -# <i>paxctl -z binary</i> +<pre caption="Reseting the flags back to its defaults. Keep trampoline emulation disabled"> +# <i>paxctl -ze binary</i> </pre> </body> diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml index ba9f822..cbf3181 100644 --- a/xml/revdep-pax.xml +++ b/xml/revdep-pax.xml @@ -23,7 +23,10 @@ requiring RWX memory in order to process JIT code. <date>2012-02-19</date> <chapter> -<title>What's <c>revdep-pax</c> about?</title> +<title>What's revdep-pax about?</title> + +<section> +<body> <p by="Geroge Orwell"> Since the early days of PaX it was known that all programs were equal although 
@@ -33,6 +36,9 @@ allowing system administrators and users telling the system which binaries needed this lessened environment the PaX marks were created. </p> +</body> +</section> + <section> <title>A quick introduction to PaX markings.</title> <body> @@ -106,7 +112,7 @@ called. In order to solve this issue we have created <c>revdep-pax</c>. </body> </section> <section> -<title>What's <c>revdep-pax</c>?</title> +<title>What's revdep-pax?</title> <body> <p> @@ -134,7 +140,10 @@ libraries linked by an object and backwards to the objects linked by a library. </chapter> <chapter> -<title>Using <c>revdep-pax</c></title> +<title>Using revdep-pax</title> + +<section> +<body> <p by="The Emperor"> In order to witness the firepower of this fully ARMED and OPERATIONAL tool @@ -142,6 +151,9 @@ you'll first need to learn how to use it, once you are done, you'll be able to fire at will. </p> +</body> +</section> + <section> <title>Propagating PaX marks backwards from a library to objects that link at it </title> 
@@ -149,592 +161,36 @@ able to fire at will. <p> This is going to be probably the main way in which you are going to use this -utility. What it does is check all the libraries linked statically -The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package. -With this application you can print out information specific to the ELF -structure of a binary. The following table sums up the various options. -</p> - -<table> -<tr> - <th>Option</th> - <th>Long Option</th> - <th>Description</th> -</tr> -<tr> - <ti>-p</ti> - <ti>--path</ti> - <ti>Scan all directories in PATH environment</ti> -</tr> -<tr> - <ti>-l</ti> - <ti>--ldpath</ti> - <ti>Scan all directories in /etc/ld.so.conf</ti> -</tr> -<tr> - <ti>-R</ti> - <ti>--recursive</ti> - <ti>Scan directories recursively</ti> -</tr> -<tr> - <ti>-m</ti> - <ti>--mount</ti> - <ti>Don't recursively cross mount points</ti> -</tr> -<tr> - <ti>-y</ti> - <ti>--symlink</ti> - <ti>Don't scan symlinks</ti> -</tr> -<tr> - <ti>-A</ti> - <ti>--archives</ti> - <ti>Scan archives (.a files)</ti> -</tr> -<tr> - <ti>-L</ti> - <ti>--ldcache</ti> - <ti>Utilize ld.so.cache information (use with -r/-n)</ti> -</tr> -<tr> - <ti>-X</ti> - <ti>--fix</ti> - <ti>Try and 'fix' bad things (use with -r/-e)</ti> -</tr> -<tr> - <ti>-z [arg]</ti> - <ti>--setpax [arg]</ti> - <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti> -</tr> -<tr> - <th>Option</th> - <th>Long Option</th> - <th>Description</th> -</tr> -<tr> - <ti>-x</ti> - <ti>--pax</ti> - <ti>Print PaX markings</ti> -</tr> -<tr> - <ti>-e</ti> - <ti>--header</ti> - <ti>Print GNU_STACK/PT_LOAD markings</ti> -</tr> -<tr> - <ti>-t</ti> - <ti>--textrel</ti> - <ti>Print TEXTREL information</ti> -</tr> -<tr> - <ti>-r</ti> - <ti>--rpath</ti> - <ti>Print RPATH information</ti> -</tr> -<tr> - <ti>-n</ti> - <ti>--needed</ti> - <ti>Print NEEDED information</ti> -</tr> -<tr> - <ti>-i</ti> - <ti>--interp</ti> - <ti>Print INTERP information</ti> -</tr> -<tr> - <ti>-b</ti> - <ti>--bind</ti> - 
<ti>Print BIND information</ti> -</tr> -<tr> - <ti>-S</ti> - <ti>--soname</ti> - <ti>Print SONAME information</ti> -</tr> -<tr> - <ti>-s [arg]</ti> - <ti>--symbol [arg]</ti> - <ti>Find a specified symbol</ti> -</tr> -<tr> - <ti>-k [arg]</ti> - <ti>--section [arg]</ti> - <ti>Find a specified section</ti> -</tr> -<tr> - <ti>-N [arg]</ti> - <ti>--lib [arg]</ti> - <ti>Find a specified library</ti> -</tr> -<tr> - <ti>-g</ti> - <ti>--gmatch</ti> - <ti>Use strncmp to match libraries. (use with -N)</ti> -</tr> -<tr> - <ti>-T</ti> - <ti>--textrels</ti> - <ti>Locate cause of TEXTREL</ti> -</tr> -<tr> - <ti>-E [arg]</ti> - <ti>--etype [arg]</ti> - <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti> -</tr> -<tr> - <ti>-M [arg]</ti> - <ti>--bits [arg]</ti> - <ti>Print only ELF files matching numeric bits</ti> -</tr> -<tr> - <ti>-a</ti> - <ti>--all</ti> - <ti>Print all scanned info (-x -e -t -r -b)</ti> -</tr> -<tr> - <th>Option</th> - <th>Long Option</th> - <th>Description</th> -</tr> -<tr> - <ti>-q</ti> - <ti>--quiet</ti> - <ti>Only output 'bad' things</ti> -</tr> -<tr> - <ti>-v</ti> - <ti>--verbose</ti> - <ti>Be verbose (can be specified more than once)</ti> -</tr> -<tr> - <ti>-F [arg]</ti> - <ti>--format [arg]</ti> - <ti>Use specified format for output</ti> -</tr> -<tr> - <ti>-f [arg]</ti> - <ti>--from [arg]</ti> - <ti>Read input stream from a filename</ti> -</tr> -<tr> - <ti>-o [arg]</ti> - <ti>--file [arg]</ti> - <ti>Write output stream to a filename</ti> -</tr> -<tr> - <ti>-B</ti> - <ti>--nobanner</ti> - <ti>Don't display the header</ti> -</tr> -<tr> - <ti>-h</ti> - <ti>--help</ti> - <ti>Print this help and exit</ti> -</tr> -<tr> - <ti>-V</ti> - <ti>--version</ti> - <ti>Print version and exit</ti> -</tr> -</table> - -<p> -The format specifiers for the <c>-F</c> option are given in the following table. -Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly. 
-</p> - -<table> -<tr> - <th>Specifier</th> - <th>Full Name</th> - <th>Specifier</th> - <th>Full Name</th> -</tr> -<tr> - <ti>F</ti> - <ti>Filename</ti> - <ti>x</ti> - <ti>PaX Flags</ti> -</tr> -<tr> - <ti>e</ti> - <ti>STACK/RELRO</ti> - <ti>t</ti> - <ti>TEXTREL</ti> -</tr> -<tr> - <ti>r</ti> - <ti>RPATH</ti> - <ti>n</ti> - <ti>NEEDED</ti> -</tr> -<tr> - <ti>i</ti> - <ti>INTERP</ti> - <ti>b</ti> - <ti>BIND</ti> -</tr> -<tr> - <ti>s</ti> - <ti>Symbol</ti> - <ti>N</ti> - <ti>Library</ti> -</tr> -<tr> - <ti>o</ti> - <ti>Type</ti> - <ti>p</ti> - <ti>File name</ti> -</tr> -<tr> - <ti>f</ti> - <ti>Base file name</ti> - <ti>k</ti> - <ti>Section</ti> -</tr> -<tr> - <ti>a</ti> - <ti>ARCH/e_machine</ti> - <ti> </ti> - <ti> </ti> -</tr> -</table> - -</body> -</section> -<section> -<title>Using scanelf for Text Relocations</title> -<body> - -<p> -As an example, we will use <c>scanelf</c> to find binaries containing text -relocations. -</p> - -<p> -A relocation is an operation that rewrites an address in a loaded segment. Such -an address rewrite can happen when a segment has references to a shared object -and that shared object is loaded in memory. In this case, the references are -substituted with the real address values. Similar events can occur inside the -shared object itself. -</p> - -<p> -A text relocation is a relocation in the text segment. Since text segments -contain executable code, system administrators might prefer not to have these -segments writable. This is perfectly possible, but since text relocations -actually write in the text segment, it is not always feasible. -</p> - -<p> -If you want to eliminate text relocations, you will need to make sure -that the application and shared object is built with <e>Position Independent -Code</e> (PIC), making references obsolete. 
This not only increases security, -but also increases the performance in case of shared objects (allowing writes in -the text segment requires a swap space reservation and a private copy of the -shared object for each application that uses it). -</p> - -<p> -The following example will search your library paths recursively, without -leaving the mounted file system and ignoring symbolic links, for any ELF binary -containing a text relocation: -</p> - -<pre caption="Scanning the system for text relocation binaries"> -# <i>scanelf -lqtmyR</i> -</pre> - -<p> -If you want to scan your entire system for <e>any</e> file containing text -relocations: -</p> - -<pre caption="Scanning the entire system for text relocation files"> -# <i>scanelf -qtmyR /</i> -</pre> - -</body> -</section> -<section> -<title>Using scanelf for Specific Header</title> -<body> - -<p> -The scanelf util can be used to quickly identify files that contain a -given section header using the -k .section option. -</p> - -<p> -In this example we are looking for all files in /usr/lib/debug -recursively using a format modifier with quiet mode enabled that have been -stripped. A stripped elf will lack a .symtab entry, so we use the '!' -to invert the matching logic. -</p> - -<pre caption="Scanning for stripped or non stripped executables"> -# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i> -</pre> - -</body> -</section> -<section> -<title>Using scanelf for Specific Segment Markings</title> -<body> - -<p> -Each segment has specific flags assigned to it in the Program Header of the -binary. One of those flags is the type of the segment. 
Interesting values are -PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the -segment contains dynamic linking information), PT_INTERP (the segment -contains the name of the program interpreter), PT_GNU_STACK (a GNU extension -for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS -(a PaX extension for the ELF format, used by the security-minded -<uri link="http://pax.grsecurity.net/">PaX Project</uri>. -</p> - -<p> -If we want to scan all executables in the current working directory, PATH -environment and library paths and report those who have a writable and -executable PT_LOAD or PT_GNU_STACK marking, you could use the following command: -</p> - -<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK"> -# <i>scanelf -lpqe .</i> -</pre> - -</body> -</section> -<section> -<title>Using scanelf's Format Modifier Handler</title> -<body> - -<p> -A useful feature of the <c>scanelf</c> utility is the format modifier handler. -With this option you can control the output of <c>scanelf</c>, thereby -simplifying parsing the output with scripts. -</p> - -<p> -As an example, we will use <c>scanelf</c> to print the file names that contain -text relocations: -</p> - -<pre caption="Example of the scanelf format modifier handler"> -# <i>scanelf -l -p -R -q -F "%F #t"</i> +utility. What it does is check all the libraries linked statically by the +binaries using <c>ldd</c> and then smartly add the paxmarks of those libraries +to generate the new set. As a result if <path>/usr/games/bin/armagetronad</path> +links with <path>/usr/lib64/libGL.so.1</path> which has the <e>-m</e> PaX mark +(allow RWX mappings) because you are using a llvm requiring graphics driver +you'll get that binary marked with the <e>-m</e> PaX mark too since it needs it. +Below you can see how to run it. 
+</p> + +<pre caption="Propagating the PaX marks from the libraries"> +# <i>mv /etc/grsec/learning.roles /etc/grsec/policy</i> +# <i>chmod 0600 /etc/grsec/policy</i> </pre> -</body> -</section> -</chapter> - -<chapter id="pspax"> -<title>Listing PaX Flags and Capabilities</title> -<section> -<title>About PaX</title> -<body> - -<p> -<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri -link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri -link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main -goal is "to research various defense mechanisms against the exploitation of -software bugs that give an attacker arbitrary read/write access to the -attacked task's address space. This class of bugs contains among others -various forms of buffer overflow bugs (be they stack or heap based), user -supplied format string bugs, etc." -</p> - -<p> -To be able to benefit from these defense mechanisms, you need to run a Linux -kernel patched with the latest PaX code. The <uri -link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and -its parent project, grsecurity. The supported kernel package is -<c>sys-kernel/hardened-sources</c>. -</p> - -<p> -The Gentoo/Hardened project has a <uri -link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri> -for your reading pleasure. -</p> - -</body> -</section> -<section> -<title>Flags and Capabilities</title> -<body> - -<p> -If your toolchain supports it, your binaries can have additional PaX flags in -their Program Header. 
The following flags are supported: -</p> - -<table> -<tr> - <th>Flag</th> - <th>Name</th> - <th>Description</th> -</tr> -<tr> - <ti>P</ti> - <ti>PAGEEXEC</ti> - <ti> - Refuse code execution on writable pages based on the NX bit - (or emulated NX bit) - </ti> -</tr> -<tr> - <ti>S</ti> - <ti>SEGMEXEC</ti> - <ti> - Refuse code execution on writable pages based on the - segmentation logic of IA-32 - </ti> -</tr> -<tr> - <ti>E</ti> - <ti>EMUTRAMP</ti> - <ti> - Allow known code execution sequences on writable pages that - should not cause any harm - </ti> -</tr> -<tr> - <ti>M</ti> - <ti>MPROTECT</ti> - <ti> - Prevent the creation of new executable code to the process - address space - </ti> -</tr> -<tr> - <ti>R</ti> - <ti>RANDMMAP</ti> - <ti> - Randomize the stack base to prevent certain stack overflow - attacks from being successful - </ti> -</tr> -<tr> - <ti>X</ti> - <ti>RANDEXEC</ti> - <ti> - Randomize the address where the application maps to prevent - certain attacks from being exploitable - </ti> -</tr> -</table> - -<p> -The default Linux kernel also supports certain capabilities, grouped in the -so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those -capabilities in our <uri -link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document. -</p> - -</body> -</section> -<section> -<title>Using pspax</title> -<body> - -<p> -The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the -run-time capabilities of all programs you have permission for. On Linux kernels -with additional support for extended attributes (such as SELinux) those -attributes are shown as well. 
-</p> - -<p> -When ran, <c>pspax</c> shows the following information: -</p> - -<table> -<tr> - <th>Column</th> - <th>Description</th> -</tr> -<tr> - <ti>USER</ti> - <ti>Owner of the process</ti> -</tr> -<tr> - <ti>PID</ti> - <ti>Process id</ti> -</tr> -<tr> - <ti>PAX</ti> - <ti>Run-time PaX flags (if applicable)</ti> -</tr> -<tr> - <ti>MAPS</ti> - <ti>Write/eXecute markings for the process map</ti> -</tr> -<tr> - <ti>ELF_TYPE</ti> - <ti>Process executable type: ET_DYN or ET_EXEC</ti> -</tr> -<tr> - <ti>NAME</ti> - <ti>Name of the process</ti> -</tr> -<tr> - <ti>CAPS</ti> - <ti>POSIX.1e capabilities (see note)</ti> -</tr> -<tr> - <ti>ATTR</ti> - <ti>Extended attributes (if applicable)</ti> -</tr> -</table> <note> -<c>pspax</c> only displays these capabilities when it is linked with -the external capabilities library. This requires you to build <c>pax-utils</c> -with -DWANT_SYSCAP. +Due to the way in which <c>ldd</c> works you'll get all the libraries required +at runtime, even those required by libraries you link to (and so on recursively) +as a result <c>revdep-pax</c> will detect all dependencies in a single pass. If +the behaviour of <c>ldd</c> changes so may change the behaviour of +<c>revdep-pax</c> </note> <p> -By default, <c>pspax</c> does not show any kernel processes. If you want those -to be taken as well, use the <c>-a</c> switch. -</p> - -</body> -</section> -</chapter> - -<chapter id="dumpelf"> -<title>Programming with ELF files</title> -<section> -<title>The dumpelf Utility</title> -<body> - -<p> -With the <c>dumpelf</c> utility you can convert a ELF file into human readable C -code that defines a structure with the same image as the original ELF file. +The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package. +With this application you can print out information specific to the ELF +structure of a binary. The following table sums up the various options. 
</p> -<pre caption="dumpelf example"> -$ <i>dumpelf /bin/hostname</i> -#include <elf.h> - -<comment>/* - * ELF dump of '/bin/hostname' - * 10276 (0x2824) bytes - */</comment> - -struct { - Elf32_Ehdr ehdr; - Elf32_Phdr phdrs[8]; - Elf32_Shdr shdrs[26]; -} dumpedelf_0 = { - -.ehdr = { -<comment>(... Output stripped ...)</comment> -</pre> - </body> </section> </chapter> -</guide> +</guide>
\ No newline at end of file |
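Review bot: in the `<author>` hunk of hardened-debugging.xml, `<mail link="klondike"/>` drops the explicit address and relies on the GuideXML stylesheet expanding a bare developer nick into a name and address; that only renders correctly if "klondike" is a nick the stylesheet's developer list knows, so check the rendered page, and otherwise keep `<mail link="klondike@xiscosoft.es">klondike</mail>`.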
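Review bot: the `<version>`/`<date>` hunk changes the versioning scheme from `1.0` to an integer `2`, which is fine as long as the other guides in this tree do the same; while this region is being touched, the unchanged context line `hardened kernel and toolcahin with PaX/Grsec, PIE and SSP.` two lines above carries a typo (`toolcahin` for `toolchain`) that belongs in the same commit.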
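Review bot: in the paxctl hunk the new sentence `Since the -z flags will zero all the flags also want to keep trampoline emulation disabled.` is missing its subject and should read along the lines of `Since the <c>-z</c> flag zeroes all the flags, you will also want to keep trampoline emulation disabled.`, with `-z` wrapped in `<c>` as the preceding sentence does. It is worth stating that lowercase `-e` disables EMUTRAMP while uppercase `-E` enables it, because the whole point of this addition is to leave trampoline emulation off once debugging is finished and the case distinction is easy to get wrong. The caption typo `Reseting` (should be `Resetting`) predates this change, but the caption line is being rewritten anyway, so fix it here.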
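Review bot: wrapping the chapter intro `<p>` in `<section><body>` in the first revdep-pax.xml hunk is the right structural fix (GuideXML puts `<p>` under `<body>`, not directly under `<chapter>`), and dropping `<c>` from `<title>` matches the later title hunks. The attribution in the context line `<p by="Geroge Orwell">` is misspelled (`George`); since the lines around it are already being changed, correct it in this commit.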
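Review bot: the `<pre caption="Propagating the PaX marks from the libraries">` block added in the last revdep-pax.xml hunk does not run `revdep-pax` at all; its two commands (`mv /etc/grsec/learning.roles /etc/grsec/policy` and `chmod 0600 /etc/grsec/policy`) handle a grsecurity RBAC policy and look pasted from another guide. Replace them with the actual `revdep-pax` invocation for the library-to-binary direction the paragraph describes (take the flag from the tool's usage output rather than guessing). Three more points in the same hunk: the retained `<p>` below the `<note>` (`The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package ... The following table sums up the various options.`) now refers to a table this commit deletes and should be removed with it; the new text says the libraries are `linked statically by the binaries using <c>ldd</c>`, but `ldd` resolves dynamically linked shared objects (statically linked code has no separate library file to carry a mark), so `statically` should be `dynamically`; and the new `<note>` text ends without a full stop. Because the feature copies a relaxing mark such as `-m` (MPROTECT off, allowing RWX mappings) onto every binary that links the library, the guide should also tell the reader that the result widens the set of processes able to create writable and executable mappings, and that the propagation needs to be re-run and the marks reviewed once the driver that required it is replaced. Finally, the new `</guide>` lacks a trailing newline (`\ No newline at end of file`); add one.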