Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 36941 Details for
Bug 59164
review new hardened docs for mass consumption
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Updated pax-howto.xml
pax-howto.xml (text/plain), 7.77 KB, created by
Sven Vermeulen (RETIRED)
on 2004-08-07 05:44:34 UTC
(
hide
)
Description:
Updated pax-howto.xml
Filename:
MIME Type:
Creator:
Sven Vermeulen (RETIRED)
Created:
2004-08-07 05:44:34 UTC
Size:
7.77 KB
patch
obsolete
><?xml version='1.0' encoding="UTF-8"?> ><!-- $Header: $ ><?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> ><!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> >--> > ><guide link="/proj/en/hardened/docs/pax-howto.xml"> ><title>Hardened Gentoo PaX Quickstart</title> > ><author title="Author"> > <mail link="tseng@gentoo.org">Brandon Hale</mail> ></author> ><author title="Editor"> > <mail link="blackace@gentoo.org">Blackace</mail> ></author> > ><!-- The content of this document is licensed under the CC-BY-SA license --> ><!-- See http://creativecommons.org/licenses/by-sa/2.0 --> ><license/> > ><abstract> >A quickstart covering PaX and Hardened Gentoo. ></abstract> > ><version>1.1</version> ><date>August 07, 2004</date> > ><chapter> ><title>What is Hardened Gentoo?</title> ><section> ><body> > ><p> >Hardened Gentoo is a project interested in the hardening of a Gentoo system. >Several different solutions are supported by us and there is a fair bit of >flexibility to create your own setup. At the heart of Hardened Gentoo is ><e>PaX</e>. ></p> > ></body> ></section> ></chapter> > ><chapter> ><title>What is PaX?</title> ><section> ><body> > ><p> >PaX is a patch to the Linux kernel that provides hardening in two ways. ></p> > ><p> >The first, <e>ASLR</e> (Address Space Layout Randomization) provides a means to >randomize the addressing scheme of all data loaded into memory. When an >application is built as a <e>PIE</e> (Position Independent Executable), PaX is >able to also randomize the addresses of the application base in addition. ></p> > ><p> >The second protection provided by PaX is non-executable memory. This prevents a >common form of attack where executable code is inserted into memory by an >attacker. More information on PaX can be found throughout this guide, but the >homepage can be found at <uri>http://pax.grsecurity.net</uri>. ></p> > ></body> ></section> ></chapter> > ><chapter> ><title>An Introduction to PIE and SSP</title> ><section> ><body> > ><p> >As mentioned above, PaX is complemented by PIE. This method of building >executables stores information needed to relocate parts of the executable in >memory, hence the name <e>Position Independent</e>. ></p> > ><p> ><e>SSP</e> (Stack Smashing Protector) is a second complementary technology we >introduce at executable build time. SSP was originally introduced by IBM under >the name <e>ProPolice</e>. It modifies the C compiler to insert initialization >code into functions that create a buffer in memory. ></p> > ><note> >In newer versions of SSP, it is possible to apply SSP to all functions, >adding protection to functions whose buffer would normally be below the size >limit for SSP. This is enabled via the CFLAG -fstack-protector-all. ></note> > ><p> >At run time, when a buffer is created, SSP adds a secret random value, the >canary, to the end of the buffer. When the function returns, SSP makes sure >that the canary is still intact. If an attacker were to perform a buffer >overflow, he would overwrite this value and trigger that stack smashing >handler. Currently this kills the target process. ></p> > ><p> ><uri link="http://www.trl.ibm.com/projects/security/ssp/">Further reading on >SSP.</uri> ></p> > ></body> ></section> ></chapter> > ><chapter> ><title>Building a PaX-enabled Kernel</title> ><section> ><body> > ><p> >Several Gentoo kernel trees are already patched with PaX. ></p> > ><p> >For 2.4 based machines, the recommended kernels are <c>hardened-sources</c> or ><c>grsec-sources</c>. For 2.6 machines, <c>hardened-dev-sources</c> are >recommended. ></p> > ><p> >Grab one of the recommended source trees, or apply the appropriate patch from ><uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you >normally would for the target machine. ></p> > ><p> >In <c>Security Options -> PaX</c>, apply the options as shown below. ></p> > ><pre caption="Kernel configuration"> >[*] Enable various PaX features > >PaX Control -> > > [ ] Support soft mode > [*] Use legacy ELF header marking > [*] Use ELF program header marking > MAC system integration (none) ---> > >Non-executable page -> > > [*] Enforce non-executable pages > [*] Paging based non-executable pages > [*] Segmentation based non-executable pages > [*] Emulate trampolines > [*] Restrict mprotect() > [ ] Disallow ELF text relocations > >Address Space Layout Randomization -> > > [*] Address Space Layout Randomization > [*] Randomize kernel stack base > [*] Randomize user stack base > [*] Randomize mmap() base > [*] Randomize ET_EXEC base ></pre> > ><p> >Build this kernel as you normally would and install it to <path>/boot</path>. ></p> > ></body> ></section> ></chapter> > ><chapter> ><title>Building a PIE/SSP Enabled Userland</title> ><section> ><body> > ><p> >Hardened Gentoo has added support for transparent PIE/SSP building via GCC's >specfile. This means that any users upgrading an older Hardened install should >remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the ><c>hardened-gcc</c> package is now deprecated and should be unmerged >(version 5.0 is a dummy package). To get the current GCC, add ><c>USE="hardened"</c> to <path>/etc/make.conf</path>. ></p> > ><p> >To maintain a consistant toolchain, first <c>emerge bintuils gcc glibc</c>. >Next, rebuild the entire system with <c>emerge -e world</c>. All future packages >will be built with PIE/SSP. ></p> > ><warn> >Both PIE and SSP are known to cause issues with some packages. If you come >across a package that fails to compile, please file a bug report including a log >of the failed compile and the output of <c>emerge info</c> to ><uri>http://bugs.gentoo.org/</uri>. ></warn> > ></body> ></section> ></chapter> > ><chapter> ><title>When Things Misbehave (PaX Control)</title> ><section> ><body> > ><p> >Some legitimate applications will attempt to generate code at run time which is >executed out of memory. Naturally, PaX does not allow this and it will promptly >kill the offending application. ></p> > ><note> >The most notable of these applications are XFree, mplayer and multimedia tools >based on xine-lib. The easiest way around these problems are to disable PaX >protections. ></note> > ><p> >Luckily there is a utility to toggle protections on a per-executable basis, ><e>paxctl</e>. As with any other package in Gentoo, install paxctl with the >command <c>emerge paxctl</c>. Usage is show by <c>paxctl -h</c>. ></p> > ><note> >If you have an older version of binutils, you will need to use <e>chpax</e>, >which edits the old-style PaX markings. Usage of chpax is largely the same as >paxctl. This also requires legacy marking support built into your kernel. ></note> > ><pre caption="paxctl -h"> >usage: paxctl <options> <files> > >options: > -p: disable PAGEEXEC -P: enable PAGEEXEC > -e: disable EMUTRMAP -E: enable EMUTRMAP > -m: disable MPROTECT -M: enable MPROTECT > -r: disable RANDMMAP -R: enable RANDMMAP > -x: disable RANDEXEC -X: enable RANDEXEC > -s: disable SEGMEXEC -S: enable SEGMEXEC > > -v: view flags -z: restore default flags > -q: suppress error messages -Q: report flags in short format flags ></pre> > ><p> >The first option we will note is <c>-v</c>, which can display flags set on a >particular binary. ></p> > ><pre caption="paxctl -v"> >y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86 >PaX control v0.2 >Copyright 2004 PaX Team <pageexec@freemail.hu> > >- PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86] > PAGEEXEC is disabled > SEGMEXEC is disabled > MPROTECT is enabled > RANDEXEC is disabled > EMUTRAMP is disabled > RANDMMAP is enabled ></pre> > ><p> >This shows an XFree binary with all protections disabled. ></p> > ><p> >To set flags on a binary, the <c>-z</c> flag is useful as it restores the >default flags. ></p> > ><p> >To disable protections on XFree, run ><c>paxctl -zpeMRxs /usr/X11R6/bin/XFree86</c>. ></p> > ><p> >Play around with disabling/enabling protections to see what is the least needed >to run. ></p> > ></body> ></section> ></chapter> ></guide>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=36941">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 59164
:
36645
|
36646
|
36940
| 36941 |
36956
