| 1 |
On 25/01/06, Thilo Bangert <thilo.bangert@×××.net> wrote: |
| 2 |
> > I have often considered and even tried a couple of times to setup a |
| 3 |
> > hardened box however I get confused between all the different options |
| 4 |
> > and all the different implications. What with Selinux Grsecurity 1/2 |
| 5 |
> > RSBAC PIE etc. etc. |
| 6 |
> > |
| 7 |
> > |
| 8 |
> |
| 9 |
> yeah - same here. although i am interested and wouldn't even mind a small |
| 10 |
> performance hit i have not had the guts to follow through... |
| 11 |
|
| 12 |
I'll try to summarise some of the most interesting aspects thereof: |
| 13 |
|
| 14 |
* grsecurity refers to a single kernel patch which provides a series |
| 15 |
of miscellaneous and very valuable "hardening" options, all of which |
| 16 |
are *completely* optional. |
| 17 |
|
| 18 |
* These options are fall within any of the following 8 categories: |
| 19 |
address space protection, role based access control, filesystem |
| 20 |
protections, kernel auditing, executable protections, network |
| 21 |
protections, sysctl support and logging options. |
| 22 |
|
| 23 |
* The options are all quite clearly documented and provide a diverse |
| 24 |
range of useful protections (even for those not running fully |
| 25 |
"hardened" systems). Highlights include denying writes to /dev/kmem, |
| 26 |
rendering kernel symbols invisible to regular users, chroot |
| 27 |
restrictions, /proc visibility restrictions, exec logging, restriction |
| 28 |
of access to dmesg, randomised TCP source ports and many more. |
| 29 |
|
| 30 |
* This patch also includes and provides PaX for optional and |
| 31 |
comprehensive W^X memory protections, even on architectures that do |
| 32 |
not support a so-called NX bit. The premise of W^X is that memory |
| 33 |
regions can be marked writable or executable but *not* both at the |
| 34 |
same time. PaX also allows for full randomisation of the address space |
| 35 |
belonging to a process. The stated goal of the project is to put an |
| 36 |
end to "arbitrary code execution". Highly recommended reading: |
| 37 |
http://en.wikipedia.org/wiki/PaX. |
| 38 |
|
| 39 |
* To best leverage the protections offered by PaX, it should be |
| 40 |
judiciously combined with various grsec options. Also, the user-land |
| 41 |
should be (at the very least) built with a PIE enabled gcc profile in |
| 42 |
order to build position independent executables. For more information |
| 43 |
on PIE and other related topics I recommend: |
| 44 |
http://www.gentoo.org/proj/en/hardened/primer.xml. |
| 45 |
|
| 46 |
* Although I'm not going to touch upon it much here (mainly because I |
| 47 |
have no real experience with it), grsecurity offers a full RBAC system |
| 48 |
for those how want to use it. The user-land tool used to manage and |
| 49 |
control policy is called "sys-apps/gradm" and features a remarkable |
| 50 |
learning mode in order to reduce the burden of developing a sensible |
| 51 |
policy in the first instance. Note that this is not the only RBAC |
| 52 |
mechanism at the disposal of hardened gentoo users (consider |
| 53 |
rsbac-sources and selinux as alternatives for instance). |
| 54 |
|
| 55 |
> |
| 56 |
> the craziest thing is, that i seem to get a hardened toolchain built by |
| 57 |
> default - without using the hardened profile |
| 58 |
|
| 59 |
Yes, that's absolutely correct. However if gcc is built with |
| 60 |
USE="hardened" then the fully hardened specs are just set to be the |
| 61 |
default (see below) and the profile that enables the conventional |
| 62 |
specs have the term "-vanilla" appended instead. |
| 63 |
|
| 64 |
For other packages the "hardened" USE flag has varying effects. For |
| 65 |
example, syslog-ng will install a policy that doesn't suck and creates |
| 66 |
a log file specifically to track pax policy violations. The "pic" USE |
| 67 |
flag is also quite important. Actually, there are not many stable |
| 68 |
packages left in the tree that care about this flag but some still |
| 69 |
need it so that special patches are applied to make sure that the |
| 70 |
results are fully position independent (or to work around quirks in |
| 71 |
the code in lieu of this topic). The hardened team usually try to get |
| 72 |
such work accepted upstream. |
| 73 |
|
| 74 |
Of course, the hardened portage profile sets these flags as necessary |
| 75 |
and also exhibits a no-nonsence USE flag policy which is very well |
| 76 |
suited to servers. Compare this to the standard 2005.1 profile which |
| 77 |
is flag soup frankly! |
| 78 |
|
| 79 |
> |
| 80 |
> marsupilami ~ # gcc-config -l |
| 81 |
|
| 82 |
[snip] |
| 83 |
|
| 84 |
> [6] i686-pc-linux-gnu-3.4.4 |
| 85 |
|
| 86 |
This profile enables the standard gcc specs. |
| 87 |
|
| 88 |
> [7] i686-pc-linux-gnu-3.4.4-hardened |
| 89 |
|
| 90 |
This profile enables the fully hardened specs. PIE support is enabled |
| 91 |
to force ELF executables to be built as position independent (normally |
| 92 |
this would occur only for ELF libraries). Furthermore, SSP is enabled |
| 93 |
(-fstack-protector basically) and the linker is always invoked with |
| 94 |
the "now" and "relro" options. Resulting binaries that are dynamically |
| 95 |
linked force the dynamic linker to resolve all symbols as soon as the |
| 96 |
program is started rather than to be deferred (which is sometimes |
| 97 |
referred to as "lazy" run-time binding). See the ld manpage for more |
| 98 |
information. Basically it works out more or less as: CFLAGS="-fPIE |
| 99 |
-fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro". Further |
| 100 |
reading: http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml. |
| 101 |
|
| 102 |
> [8] i686-pc-linux-gnu-3.4.4-hardenednopie |
| 103 |
|
| 104 |
Same, but no PIE. |
| 105 |
|
| 106 |
> [9] i686-pc-linux-gnu-3.4.4-hardenednopiessp |
| 107 |
|
| 108 |
Same but no PIE and no SSP (i.e. pretty much only the linker flags |
| 109 |
options are effected). I would actually say this is a good idea for |
| 110 |
all server setups - even if you have no interest in any of the other |
| 111 |
stuff. |
| 112 |
|
| 113 |
> [10] i686-pc-linux-gnu-3.4.4-hardenednossp |
| 114 |
|
| 115 |
Same, but no SSP. |
| 116 |
|
| 117 |
> |
| 118 |
> somewhere it says that on x86 the performance penalty for PIE is |
| 119 |
> considerable... guess i have to get some AMD64 boxes... |
| 120 |
|
| 121 |
On x86 there is indeed a penalty. In practice I cannot say that I have |
| 122 |
noticed it at all. This leads me on to another interesting point. |
| 123 |
There is a performance penalty associated with the W^X protection |
| 124 |
offered by PaX on processors that do *not* offer a so-called "nx" bit |
| 125 |
(recent P4 models, and AMD processors do offer this bit, check the |
| 126 |
flags in /proc/cpuinfo). There are two mechanisms to enforce this form |
| 127 |
of protection in PaX, PAGEEXEC and SEGMEXEC. PAGEXEC is the method |
| 128 |
that should be chosen if either (1) your processor has an "nx" bit or |
| 129 |
(2) you are *not* using a P4. Unfortunately, PAGEEXEC seems to be |
| 130 |
perform quite poorly on the P4 architecture so in that case I would |
| 131 |
recommend SEGMEXEC which is what I am using. I've found that it works |
| 132 |
great and the performance penalty is minimal. The only caveat is that |
| 133 |
it halves the memory address space visible to any running process from |
| 134 |
3G to 1.5G (*not* the amount of memory available fortunately). Here is |
| 135 |
a very interesting study on the topic: |
| 136 |
http://www.pjvenda.org/linux/doc/pax-performance/. Note that recent P4 |
| 137 |
cores do support an NX bit and also work fine and dandy with amd64 |
| 138 |
gentoo setups :) |
| 139 |
|
| 140 |
For those who are concerned that these features may break things, |
| 141 |
please bear in mind that all features and options that have been |
| 142 |
described are optional. With regard to PaX, specific protections can |
| 143 |
be enabled/disabled on a per-executable basis by using the paxctl tool |
| 144 |
to assert suitable "markings" in the header of the executable |
| 145 |
concerned. As for grsec, it is possible to run it in such a way that |
| 146 |
any option can be enabled/disabled via the /proc interface. This makes |
| 147 |
it very easy to play with the various options (eventually you can |
| 148 |
"echo 1 > /proc/sys/kernel/grsecurity/grsec_lock" which will render |
| 149 |
all of the options immutable until the next boot). Furthermore, 3 |
| 150 |
basic profiles are selectable when configuring the kernel - low, |
| 151 |
medium and high. In my experience it is extremely unlikely that any |
| 152 |
applications will break when using the "low" or "medium" option |
| 153 |
profiles. In fact, as of recent releases I have yet to find an |
| 154 |
application that falls foul of the "high" profile. That's not to say |
| 155 |
that they don't exist of course. |
| 156 |
|
| 157 |
Those interested in running a fully hardened toolchain and building a |
| 158 |
PIE enabled user-land and leveraging the full extent of the memory |
| 159 |
protections offered by PaX should note that one of the most irksome |
| 160 |
problems faced by the hardened developers (and users alike) are |
| 161 |
binaries that exhibit TEXTRELs. It's quite a complex topic which is |
| 162 |
expounded upon furthere by Kevin Quinn here: |
| 163 |
http://www.nabble.com/Re:-Textrels-in-packages-policy-p1936024.html. |
| 164 |
TEXTRELs are highly undesirable and make it impossible to take the |
| 165 |
fullest advantage of PaX protections. In some cases, the solution is |
| 166 |
to relax the policy applied to the application/binaries concerned. |
| 167 |
|
| 168 |
Personally, I've configured my kernel in such a way that textrels |
| 169 |
simply won't be tolerated. Since running a server-based hardened setup |
| 170 |
the only packages I've encountered thus far that had any problems in |
| 171 |
this regard were hylafax and elinks. In the case of hylafax I realised |
| 172 |
that installing a newer version of the jbigkit library then rebuilding |
| 173 |
hylafax solved the issue (I filed a bug which was attended to). In the |
| 174 |
case of elinks I found that the spidermonkey library used to support |
| 175 |
javascript (if you set USE="javascript" has many textrels. So I'm |
| 176 |
using links instead for now. |
| 177 |
|
| 178 |
The reason I mention the above is that there are caveats and that, |
| 179 |
depending on the number of protections you enable and the packages you |
| 180 |
run, you may sometimes need to assert exemptions for affected packages |
| 181 |
or do a bit of research to find out what the situation is. I have to |
| 182 |
say though, that these problems really tend to bite desktop users much |
| 183 |
more. Avid users may have noticed that portage has recently begun |
| 184 |
depending on pax-utils and now flags textrels as a QA issue. The |
| 185 |
hardened team are ever vigilant in tracking and dealing with this |
| 186 |
problem (which is undesirable for all users for a number of reasons). |
| 187 |
|
| 188 |
> |
| 189 |
> perhaps some hardened and server people should get together and write a |
| 190 |
> short overview... i am in! |
| 191 |
> |
| 192 |
|
| 193 |
That's a good idea. I hope that the above has proved to be partially |
| 194 |
informative at least! I'd also like to say that I jumped on the |
| 195 |
hardened bandwagon not so long ago and am not looking back. The level |
| 196 |
of protection offered by the grsec/pax combo is simply incredible and |
| 197 |
gentoo is probably now the leading distribution in terms of |
| 198 |
pro-actively applying these remarkable technologies. I strongly |
| 199 |
recommend anyone who is interested to investigate further and see what |
| 200 |
it can do for them. For those who are nervous to experiment I |
| 201 |
recommend qemu is a great conduit for doing just that. |
| 202 |
|
| 203 |
Cheers, |
| 204 |
|
| 205 |
--Kerin Millar |
| 206 |
|
| 207 |
-- |
| 208 |
gentoo-server@g.o mailing list |
Archives