Grsecurity - Theoretical and Practical Application

Enhanced Linux System Security

Transcript

  • 1. G. Geshev, Open Fest 2010, 20-21 November, Sofia, Bulgaria. GRSECURITY/PAX: Theoretical & Practical Application
  • 2. About GRSECURITY (Greater Security) ▪ Back in the day, 2000/2001 ▪ Port of the Openwall (Owl) kernel patch to Linux 2.4.1 ▪ Set of kernel patches enhancing system security: ▪ Memory corruption bug exploitation mitigation, ▪ Role-Based Access Control system, ▪ Filesystem security enhancements, ▪ Enhanced chroot(), ▪ Kernel auditing, etc.
  • 3. Components (most of them) ▪ PaX (non-executable memory (NX), not to be confused with OpenBSD's W^X; ASLR), ▪ paxctl (user-space PaX flags control utility) ▪ pspax, scanelf, dumpelf (pax-utils) ▪ paxtest (buffer overflow protection test suite) ▪ Role-Based Access Control (RBAC) system, ▪ gradm (RBAC administration console) ▪ Enhanced chroot(), ▪ Miscellaneous features (improved filesystem security), etc.
  • 4. Involvement ▪ The PaX Team – pageexec@freemail.hu ▪ Brad Spengler (spender, not "Brad Spender") – spender@grsecurity.net ▪ Zbyniu Krzystolik ▪ Michael Dalton
  • 5. Detection ▪ Enhanced kernel auditing (GRKERNSEC_AUDIT_GROUP, GRKERNSEC_AUDIT_GID) ▪ Exec logging (GRKERNSEC_EXECLOG) ▪ Resource logging (GRKERNSEC_RESLOG) ▪ Log execs within chroot (GRKERNSEC_CHROOT_EXECLOG) ▪ Ptrace logging (GRKERNSEC_AUDIT_PTRACE) ▪ Chdir logging (GRKERNSEC_AUDIT_CHDIR)
  • 6. Detection (cont.) ▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT) ▪ Signal logging (GRKERNSEC_SIGNAL) ▪ Fork failure logging (GRKERNSEC_FORKFAIL) ▪ Time change logging (GRKERNSEC_TIME) ▪ /proc/<pid>/ipaddr support (GRKERNSEC_PROC_IPADDR) ▪ Denied RWX mmap/mprotect logging (GRKERNSEC_RWXMAP_LOG)
  • 7. Detection (cont.) ▪ ELF text relocation logging (GRKERNSEC_AUDIT_TEXTREL) ▪ Logging options: ▪ Minimum seconds between log messages (GRKERNSEC_FLOODTIME) ▪ Maximum number of messages in a burst (GRKERNSEC_FLOODBURST)
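Every option on the three Detection slides ends up as a `grsec:` record in the kernel log, and a practitioner has to turn those records into structured events before they are useful for alerting. The C program below is an added example, not code from the talk or from grsecurity: it parses the record layout assumed here (`grsec: [From <ip>: ]<action> by|to <path>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E, parent ...`) over a few constructed sample lines and applies a constructed triage rule. The sample lines, the `grsec_severity` rule and all function and field names are assumptions; the flood-control options on the slide mean that under load some records will simply be missing, so a parser must tolerate gaps and never assume every exec has a matching record.

```c
#include <stdio.h>
#include <string.h>

/* One grsec audit record. Layout assumed here (a syslog prefix may precede it):
 *   grsec: [From <ip>: ]<action> by|to <path>[<comm>:<pid>] uid/euid:U/E
 *   gid/egid:G/E[, parent <path>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E]
 * Exec, denial and bruteforce records say "by", signal records say "to". */
struct grsec_event {
    char ip[64];                /* empty unless the kernel logged a source address */
    char action[192];           /* "exec of /usr/bin/id (id )", "denied RWX mmap of ..." */
    char path[256], comm[32];   /* acting process */
    int pid, uid, euid, gid, egid;
    char ppath[256];            /* parent executable, empty if the record has none */
    int ppid, puid, peuid;
};

/* Parses "<path>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E" at *p and advances *p. */
static int parse_subject(const char **p, char *path, char *comm, int *pid,
                         int *uid, int *euid, int *gid, int *egid) {
    int n = 0;
    if (sscanf(*p, "%255[^[][%31[^:]:%d] uid/euid:%d/%d gid/egid:%d/%d%n",
               path, comm, pid, uid, euid, gid, egid, &n) != 7)
        return -1;
    *p += n;
    return 0;
}

/* Fills ev and returns 0, or returns -1 when line is not a grsec record. */
int parse_grsec(const char *line, struct grsec_event *ev) {
    const char *p = strstr(line, "grsec: "), *ue, *sep = NULL, *q;
    char pcomm[32]; int g, eg;
    memset(ev, 0, sizeof *ev);
    if (!p) return -1;
    p += 7;
    if (strncmp(p, "From ", 5) == 0) {               /* optional source address */
        const char *colon = strstr(p += 5, ": ");
        if (!colon || (size_t)(colon - p) >= sizeof ev->ip) return -1;
        memcpy(ev->ip, p, colon - p);
        p = colon + 2;
    }
    /* The subject starts after the last " by " / " to " before the first uid/euid. */
    if (!(ue = strstr(p, " uid/euid:"))) return -1;
    for (q = p; (q = strchr(q, ' ')) && q < ue; q++)
        if (strncmp(q, " by ", 4) == 0 || strncmp(q, " to ", 4) == 0) sep = q;
    if (!sep || (size_t)(sep - p) >= sizeof ev->action) return -1;
    memcpy(ev->action, p, sep - p);
    p = sep + 4;
    if (parse_subject(&p, ev->path, ev->comm, &ev->pid, &ev->uid, &ev->euid,
                      &ev->gid, &ev->egid) != 0) return -1;
    if (strncmp(p, ", parent ", 9) == 0) {
        p += 9;
        if (parse_subject(&p, ev->ppath, pcomm, &ev->ppid, &ev->puid, &ev->peuid,
                          &g, &eg) != 0) return -1;
    }
    return 0;
}

/* Constructed triage rule: 2 = policy denial or bruteforce detection,
 * 1 = worth a look (crash signal, exec out of a world-writable directory),
 * 0 = routine. */
int grsec_severity(const struct grsec_event *ev) {
    int sig;
    if (strncmp(ev->action, "denied ", 7) == 0 || strstr(ev->action, "bruteforc")) return 2;
    if (sscanf(ev->action, "signal %d", &sig) == 1 && (sig == 4 || sig == 7 || sig == 11)) return 1;
    if (strncmp(ev->action, "exec of /tmp/", 13) == 0 || strncmp(ev->action, "exec of /dev/shm/", 17) == 0) return 1;
    return 0;
}

/* Constructed sample log lines (not real captures), one per record class. */
static const char *const SAMPLE_LOG[] = {
    "Nov 20 10:01:02 host kernel: grsec: From 203.0.113.7: exec of /usr/bin/id (id ) by /bin/bash[bash:3002] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sshd[sshd:2999] uid/euid:0/0 gid/egid:0/0",
    "Nov 20 10:01:05 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/foo[foo:4102] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3002] uid/euid:1000/1000 gid/egid:1000/1000",
    "Nov 20 10:01:09 host kernel: grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/x by /bin/bash[bash:3002] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sshd[sshd:2999] uid/euid:0/0 gid/egid:0/0",
    "Nov 20 10:01:12 host kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:820] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:800] uid/euid:0/0 gid/egid:0/0",
    "Nov 20 10:01:13 host sshd[2999]: Accepted publickey for alice from 203.0.113.7",
};
#define N_SAMPLES (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Parses every sample, prints a one-line summary, returns the number of alerts. */
int count_alerts(void) {
    struct grsec_event ev; int alerts = 0; size_t i;
    for (i = 0; i < N_SAMPLES; i++) {
        if (parse_grsec(SAMPLE_LOG[i], &ev) != 0) continue;   /* not a grsec record */
        int sev = grsec_severity(&ev);
        printf("sev=%d %s[%d] uid=%d parent=%s ip=%s :: %s\n", sev, ev.comm, ev.pid,
               ev.uid, ev.ppath[0] ? ev.ppath : "-", ev.ip[0] ? ev.ip : "-", ev.action);
        alerts += (sev == 2);
    }
    return alerts;
}

int main(void) { printf("%d alert(s)\n", count_alerts()); return 0; }
```

The parent fields are the part worth keeping in a SIEM: a `denied RWX mmap` record is routine noise from a JIT started by a user's shell, but the same record with `parent /usr/sbin/sshd` or an `exec of /tmp/...` whose parent is a network daemon is exactly the post-exploitation signal the Exec logging and TPE options exist to surface.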
  • 8. Prevention ▪ Executable Protections – ▪ Deter ptrace-based process snooping (GRKERNSEC_HARDEN_PTRACE) ▪ Trusted Path Execution (GRKERNSEC_TPE, GRKERNSEC_TPE_ALL, GRKERNSEC_TPE_GID, GRKERNSEC_TPE_INVERT)
  • 9. Prevention (cont.) ▪ Network Protections – ▪ Larger entropy pools (GRKERNSEC_RANDNET) ▪ TCP/UDP blackhole (GRKERNSEC_BLACKHOLE) ▪ Socket restrictions (GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL, GRKERNSEC_SOCKET_ALL_GID, GRKERNSEC_SOCKET_CLIENT, GRKERNSEC_SOCKET_CLIENT_GID, GRKERNSEC_SOCKET_SERVER, GRKERNSEC_SOCKET_SERVER_GID)
  • 10. Prevention (cont.) ▪ Address Space Protection - ▪ Remove addresses from /proc/<pid>/[smaps|maps|stat] (GRKERNSEC_PROC_MEMMAP) ▪ Deny writing to /dev/kmem, /dev/mem, and /dev/port (GRKERNSEC_KMEM) ▪ Deter exploit bruteforcing (GRKERNSEC_BRUTE) ▪ Harden module auto-loading (GRKERNSEC_MODHARDEN) ▪ Hide kernel symbols (GRKERNSEC_HIDESYM) ▪ Hide kernel processes (GRKERNSEC_ACL_HIDEKERN)
  • 11. Prevention (cont.) ▪ Maximum tries before password lockout (GRKERNSEC_ACL_MAXTRIES, GRKERNSEC_ACL_TIMEOUT) ▪ Filesystem Protections - ▪ Proc restrictions (GRKERNSEC_PROC, GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP, GRKERNSEC_PROC_ADD) ▪ Linking restrictions (GRKERNSEC_LINK) ▪ FIFO restrictions (GRKERNSEC_FIFO) ▪ Runtime read-only mount protection (GRKERNSEC_ROFS)
  • 12. Prevention (cont.) ▪ Chroot jail restrictions - (GRKERNSEC_CHROOT, GRKERNSEC_CHROOT_MOUNT, GRKERNSEC_CHROOT_DOUBLE, GRKERNSEC_CHROOT_PIVOT, GRKERNSEC_CHROOT_CHDIR, GRKERNSEC_CHROOT_CHMOD, GRKERNSEC_CHROOT_FCHDIR, GRKERNSEC_CHROOT_MKNOD, GRKERNSEC_CHROOT_SYSCTL)
  • 13. Prevention (cont.) Address Space Modification Protection ▪ NOEXEC (least privilege enforcement) ▪ PAGEEXEC, SEGMEXEC ▪ MPROTECT ▪ KERNEXEC ▪ Address Space Layout Randomization ▪ RANDUSTACK (delta_stack) ▪ RANDEXEC (delta_exec) ▪ RANDMMAP (delta_mmap) ▪ RANDKSTACK
  • 14. ▪ PAX_PAGEEXEC: paging based non-executable pages ▪ Uses the hardware NX bit where the architecture has one - alpha, ppc, parisc, sparc, sparc64, amd64, ia64 (on i386 CPUs without NX it is emulated with the page-table supervisor bit and the split TLB, at a performance cost) ▪ PAX_SEGMEXEC: segmentation based non-executable pages (i386 only) ▪ The user address space is split in half: data accesses go through the lower half, instruction fetches through the upper half, and every executable mapping in the lower half is mirrored into the upper half ▪ Code Segment ▪ Data Segment
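NOEXEC (PAGEEXEC or SEGMEXEC) together with MPROTECT changes which memory-permission requests a process is allowed to make, and the per-binary switches for these features are the flag letters that `paxctl -v`, `pspax` and the `PaX:` line of `/proc/<pid>/status` display. The C program below is an added example (not code from the talk, from PaX, or from paxtest): it decodes a PaX flag string, reads the calling process's own flags when the kernel has PaX, and probes the three code-generation patterns that MPROTECT distinguishes, a single RWX anonymous mapping, an RW mapping later turned RX with mprotect(), and a shared file mapped twice (one RW view, one RX view), which is the PaX-compatible JIT layout. The function names, the result codes and the sample flag strings are assumptions; the probes treat EPERM/EACCES as a policy denial and deliberately never execute the bytes they place in the RX view, so the program runs on any architecture and on a kernel without PaX (where all three probes report "allowed").

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Per-process PaX flags as shown by pspax, paxctl -v and the "PaX:" line of
 * /proc/<pid>/status: one letter per feature, upper case = on, lower = off
 * (P/E/M/R/X/S = PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC, SEGMEXEC). */
struct pax_flags { int pageexec, emutramp, mprotect, randmmap, randexec, segmexec; };

int parse_pax_flags(const char *s, struct pax_flags *f) {   /* 0 ok, -1 bad letter */
    memset(f, 0, sizeof *f);
    for (; *s && *s != '\n'; s++) {
        int on = (*s >= 'A' && *s <= 'Z');
        switch (*s | 0x20) {                                 /* fold case */
        case 'p': f->pageexec = on; break;
        case 'e': f->emutramp = on; break;
        case 'm': f->mprotect = on; break;
        case 'r': f->randmmap = on; break;
        case 'x': f->randexec = on; break;
        case 's': f->segmexec = on; break;
        default:  return -1;
        }
    }
    return 0;
}

/* Returns 1 and fills f when /proc/self/status has a "PaX:" line, else 0. */
int read_own_pax_flags(struct pax_flags *f) {
    char line[256]; int found = 0;
    FILE *fp = fopen("/proc/self/status", "r");
    if (!fp) return 0;
    while (fgets(line, sizeof line, fp))
        if (strncmp(line, "PaX:", 4) == 0) {
            const char *v = line + 4;
            while (*v == ' ' || *v == '\t') v++;
            found = parse_pax_flags(v, f) == 0;
            break;
        }
    fclose(fp);
    return found;
}

enum probe { PROBE_ERROR = -1, PROBE_DENIED = 0, PROBE_ALLOWED = 1 };

/* EPERM/EACCES = refused by policy (PaX MPROTECT, an LSM, a noexec mount);
 * any other errno is an unrelated failure, not a verdict. */
static enum probe classify(int rc) {
    if (rc == 0) return PROBE_ALLOWED;
    return (errno == EPERM || errno == EACCES) ? PROBE_DENIED : PROBE_ERROR;
}

/* 1. One RWX anonymous mapping, what shellcode and naive JITs want.
 *    PaX NOEXEC+MPROTECT refuses it outright. */
enum probe probe_rwx_anon(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return classify(-1);
    munmap(p, 4096);
    return PROBE_ALLOWED;
}

/* 2. RW first, mprotect() to RX later. W^X-clean (OpenBSD allows it), but PaX
 *    MPROTECT also forbids making a once-writable anonymous mapping executable. */
enum probe probe_rw_then_rx(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    enum probe r = classify(mprotect(p, 4096, PROT_READ | PROT_EXEC));
    munmap(p, 4096);
    return r;
}

/* 3. One shared-memory file mapped twice: a RW view for the code generator and
 *    a separate RX view for the CPU. No mapping is ever W+X and none changes
 *    protection, so MPROTECT is satisfied (libffi uses this for its closures).
 *    The RX view is only compared, not executed, to stay architecture-neutral. */
enum probe probe_dual_mapping(void) {
    static const unsigned char stamp[4] = { 0xde, 0xad, 0xbe, 0xef };
    unsigned char *rw, *rx; enum probe r; int fd = -1;
#ifdef SYS_memfd_create
    fd = (int)syscall(SYS_memfd_create, "jit", 0);
#endif
    if (fd < 0) {                                   /* fallback: unlinked temp file */
        char path[] = "/tmp/jitXXXXXX";
        if ((fd = mkstemp(path)) < 0) return PROBE_ERROR;
        unlink(path);
    }
    if (ftruncate(fd, 4096) != 0) { close(fd); return PROBE_ERROR; }
    rw = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED) { close(fd); return PROBE_ERROR; }
    rx = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (rx == MAP_FAILED) r = classify(-1);
    else {
        memcpy(rw, stamp, sizeof stamp);            /* "emit code" through the RW view */
        r = memcmp(rx, stamp, sizeof stamp) == 0 ? PROBE_ALLOWED : PROBE_ERROR;
        munmap(rx, 4096);
    }
    munmap(rw, 4096); close(fd);
    return r;
}

int main(void) {
    static const char *const verdict[] = { "error", "denied", "allowed" };
    struct pax_flags f;
    printf("PaX MPROTECT for this process: %s\n",
           read_own_pax_flags(&f) ? (f.mprotect ? "on" : "off") : "no PaX line (kernel without PaX)");
    printf("RWX anonymous mmap : %s\n", verdict[probe_rwx_anon() + 1]);
    printf("RW then RX mprotect: %s\n", verdict[probe_rw_then_rx() + 1]);
    printf("dual-mapped file   : %s\n", verdict[probe_dual_mapping() + 1]);
    return 0;
}
```

Run this on a PaX kernel with MPROTECT enabled for the binary and the first two probes report "denied" while the third reports "allowed"; clear the flag with `paxctl -m` and all three report "allowed", which is why the usual operational shortcut for JIT-heavy programs (disabling MPROTECT per binary) is also the one that gives an exploit its RWX page back. Pattern 3 is the one to ask vendors for. paxtest exercises the same distinctions, but by actually executing code, so prefer it on a real PaX host.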
  • 15. Address Space Layout Randomization (i386 values) ▪ User space stack: delta_stack (24 bits) ▪ Kernel space stack: RANDKSTACK (no fixed delta; the kernel stack pointer is re-randomized on every system call) ▪ Mmap-managed heap and library images: delta_mmap (16 bits) ▪ Executable image: delta_exec (16 bits) ▪ Brk-managed heap (12 bits)
  • 16. Refs http://www.phrack.org/issues.html?issue=66&id=2#article http://www.phrack.org/issues.html?issue=52&id=6#article http://www.grsecurity.net/~spender/ http://pax.grsecurity.net/ http://www.gentoo.org/proj/en/hardened/ https://xorl.wordpress.com/category/grsecurity/
  • 17. apropos(); Questions?
  • 18. exit(); Thank you for attending this lecture. Feedback – mailto: root@fsck-labs.exploits-bg.com