1 |
On 25/01/06, Thilo Bangert <thilo.bangert@×××.net> wrote: |
2 |
> > I have often considered and even tried a couple of times to setup a |
3 |
> > hardened box however I get confused between all the different options |
4 |
> > and all the different implications. What with Selinux Grsecurity 1/2 |
5 |
> > RSBAC PIE etc. etc. |
6 |
> > |
7 |
> > |
8 |
> |
9 |
> yeah - same here. although i am interested and wouldn't even mind a small |
10 |
> performance hit i have not had the guts to follow through... |
11 |
|
12 |
I'll try to summarise some of the most interesting aspects thereof: |
13 |
|
14 |
* grsecurity refers to a single kernel patch which provides a series |
15 |
of miscellaneous and very valuable "hardening" options, all of which |
16 |
are *completely* optional. |
17 |
|
18 |
* These options are fall within any of the following 8 categories: |
19 |
address space protection, role based access control, filesystem |
20 |
protections, kernel auditing, executable protections, network |
21 |
protections, sysctl support and logging options. |
22 |
|
23 |
* The options are all quite clearly documented and provide a diverse |
24 |
range of useful protections (even for those not running fully |
25 |
"hardened" systems). Highlights include denying writes to /dev/kmem, |
26 |
rendering kernel symbols invisible to regular users, chroot |
27 |
restrictions, /proc visibility restrictions, exec logging, restriction |
28 |
of access to dmesg, randomised TCP source ports and many more. |
29 |
|
30 |
* This patch also includes and provides PaX for optional and |
31 |
comprehensive W^X memory protections, even on architectures that do |
32 |
not support a so-called NX bit. The premise of W^X is that memory |
33 |
regions can be marked writable or executable but *not* both at the |
34 |
same time. PaX also allows for full randomisation of the address space |
35 |
belonging to a process. The stated goal of the project is to put an |
36 |
end to "arbitrary code execution". Highly recommended reading: |
37 |
http://en.wikipedia.org/wiki/PaX. |
38 |
|
39 |
* To best leverage the protections offered by PaX, it should be |
40 |
judiciously combined with various grsec options. Also, the user-land |
41 |
should be (at the very least) built with a PIE enabled gcc profile in |
42 |
order to build position independent executables. For more information |
43 |
on PIE and other related topics I recommend: |
44 |
http://www.gentoo.org/proj/en/hardened/primer.xml. |
45 |
|
46 |
* Although I'm not going to touch upon it much here (mainly because I |
47 |
have no real experience with it), grsecurity offers a full RBAC system |
48 |
for those how want to use it. The user-land tool used to manage and |
49 |
control policy is called "sys-apps/gradm" and features a remarkable |
50 |
learning mode in order to reduce the burden of developing a sensible |
51 |
policy in the first instance. Note that this is not the only RBAC |
52 |
mechanism at the disposal of hardened gentoo users (consider |
53 |
rsbac-sources and selinux as alternatives for instance). |
54 |
|
55 |
> |
56 |
> the craziest thing is, that i seem to get a hardened toolchain built by |
57 |
> default - without using the hardened profile |
58 |
|
59 |
Yes, that's absolutely correct. However if gcc is built with |
60 |
USE="hardened" then the fully hardened specs are just set to be the |
61 |
default (see below) and the profile that enables the conventional |
62 |
specs have the term "-vanilla" appended instead. |
63 |
|
64 |
For other packages the "hardened" USE flag has varying effects. For |
65 |
example, syslog-ng will install a policy that doesn't suck and creates |
66 |
a log file specifically to track pax policy violations. The "pic" USE |
67 |
flag is also quite important. Actually, there are not many stable |
68 |
packages left in the tree that care about this flag but some still |
69 |
need it so that special patches are applied to make sure that the |
70 |
results are fully position independent (or to work around quirks in |
71 |
the code in lieu of this topic). The hardened team usually try to get |
72 |
such work accepted upstream. |
73 |
|
74 |
Of course, the hardened portage profile sets these flags as necessary |
75 |
and also exhibits a no-nonsence USE flag policy which is very well |
76 |
suited to servers. Compare this to the standard 2005.1 profile which |
77 |
is flag soup frankly! |
78 |
|
79 |
> |
80 |
> marsupilami ~ # gcc-config -l |
81 |
|
82 |
[snip] |
83 |
|
84 |
> [6] i686-pc-linux-gnu-3.4.4 |
85 |
|
86 |
This profile enables the standard gcc specs. |
87 |
|
88 |
> [7] i686-pc-linux-gnu-3.4.4-hardened |
89 |
|
90 |
This profile enables the fully hardened specs. PIE support is enabled |
91 |
to force ELF executables to be built as position independent (normally |
92 |
this would occur only for ELF libraries). Furthermore, SSP is enabled |
93 |
(-fstack-protector basically) and the linker is always invoked with |
94 |
the "now" and "relro" options. Resulting binaries that are dynamically |
95 |
linked force the dynamic linker to resolve all symbols as soon as the |
96 |
program is started rather than to be deferred (which is sometimes |
97 |
referred to as "lazy" run-time binding). See the ld manpage for more |
98 |
information. Basically it works out more or less as: CFLAGS="-fPIE |
99 |
-fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro". Further |
100 |
reading: http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml. |
101 |
|
102 |
> [8] i686-pc-linux-gnu-3.4.4-hardenednopie |
103 |
|
104 |
Same, but no PIE. |
105 |
|
106 |
> [9] i686-pc-linux-gnu-3.4.4-hardenednopiessp |
107 |
|
108 |
Same but no PIE and no SSP (i.e. pretty much only the linker flags |
109 |
options are effected). I would actually say this is a good idea for |
110 |
all server setups - even if you have no interest in any of the other |
111 |
stuff. |
112 |
|
113 |
> [10] i686-pc-linux-gnu-3.4.4-hardenednossp |
114 |
|
115 |
Same, but no SSP. |
116 |
|
117 |
> |
118 |
> somewhere it says that on x86 the performance penalty for PIE is |
119 |
> considerable... guess i have to get some AMD64 boxes... |
120 |
|
121 |
On x86 there is indeed a penalty. In practice I cannot say that I have |
122 |
noticed it at all. This leads me on to another interesting point. |
123 |
There is a performance penalty associated with the W^X protection |
124 |
offered by PaX on processors that do *not* offer a so-called "nx" bit |
125 |
(recent P4 models, and AMD processors do offer this bit, check the |
126 |
flags in /proc/cpuinfo). There are two mechanisms to enforce this form |
127 |
of protection in PaX, PAGEEXEC and SEGMEXEC. PAGEXEC is the method |
128 |
that should be chosen if either (1) your processor has an "nx" bit or |
129 |
(2) you are *not* using a P4. Unfortunately, PAGEEXEC seems to be |
130 |
perform quite poorly on the P4 architecture so in that case I would |
131 |
recommend SEGMEXEC which is what I am using. I've found that it works |
132 |
great and the performance penalty is minimal. The only caveat is that |
133 |
it halves the memory address space visible to any running process from |
134 |
3G to 1.5G (*not* the amount of memory available fortunately). Here is |
135 |
a very interesting study on the topic: |
136 |
http://www.pjvenda.org/linux/doc/pax-performance/. Note that recent P4 |
137 |
cores do support an NX bit and also work fine and dandy with amd64 |
138 |
gentoo setups :) |
139 |
|
140 |
For those who are concerned that these features may break things, |
141 |
please bear in mind that all features and options that have been |
142 |
described are optional. With regard to PaX, specific protections can |
143 |
be enabled/disabled on a per-executable basis by using the paxctl tool |
144 |
to assert suitable "markings" in the header of the executable |
145 |
concerned. As for grsec, it is possible to run it in such a way that |
146 |
any option can be enabled/disabled via the /proc interface. This makes |
147 |
it very easy to play with the various options (eventually you can |
148 |
"echo 1 > /proc/sys/kernel/grsecurity/grsec_lock" which will render |
149 |
all of the options immutable until the next boot). Furthermore, 3 |
150 |
basic profiles are selectable when configuring the kernel - low, |
151 |
medium and high. In my experience it is extremely unlikely that any |
152 |
applications will break when using the "low" or "medium" option |
153 |
profiles. In fact, as of recent releases I have yet to find an |
154 |
application that falls foul of the "high" profile. That's not to say |
155 |
that they don't exist of course. |
156 |
|
157 |
Those interested in running a fully hardened toolchain and building a |
158 |
PIE enabled user-land and leveraging the full extent of the memory |
159 |
protections offered by PaX should note that one of the most irksome |
160 |
problems faced by the hardened developers (and users alike) are |
161 |
binaries that exhibit TEXTRELs. It's quite a complex topic which is |
162 |
expounded upon furthere by Kevin Quinn here: |
163 |
http://www.nabble.com/Re:-Textrels-in-packages-policy-p1936024.html. |
164 |
TEXTRELs are highly undesirable and make it impossible to take the |
165 |
fullest advantage of PaX protections. In some cases, the solution is |
166 |
to relax the policy applied to the application/binaries concerned. |
167 |
|
168 |
Personally, I've configured my kernel in such a way that textrels |
169 |
simply won't be tolerated. Since running a server-based hardened setup |
170 |
the only packages I've encountered thus far that had any problems in |
171 |
this regard were hylafax and elinks. In the case of hylafax I realised |
172 |
that installing a newer version of the jbigkit library then rebuilding |
173 |
hylafax solved the issue (I filed a bug which was attended to). In the |
174 |
case of elinks I found that the spidermonkey library used to support |
175 |
javascript (if you set USE="javascript" has many textrels. So I'm |
176 |
using links instead for now. |
177 |
|
178 |
The reason I mention the above is that there are caveats and that, |
179 |
depending on the number of protections you enable and the packages you |
180 |
run, you may sometimes need to assert exemptions for affected packages |
181 |
or do a bit of research to find out what the situation is. I have to |
182 |
say though, that these problems really tend to bite desktop users much |
183 |
more. Avid users may have noticed that portage has recently begun |
184 |
depending on pax-utils and now flags textrels as a QA issue. The |
185 |
hardened team are ever vigilant in tracking and dealing with this |
186 |
problem (which is undesirable for all users for a number of reasons). |
187 |
|
188 |
> |
189 |
> perhaps some hardened and server people should get together and write a |
190 |
> short overview... i am in! |
191 |
> |
192 |
|
193 |
That's a good idea. I hope that the above has proved to be partially |
194 |
informative at least! I'd also like to say that I jumped on the |
195 |
hardened bandwagon not so long ago and am not looking back. The level |
196 |
of protection offered by the grsec/pax combo is simply incredible and |
197 |
gentoo is probably now the leading distribution in terms of |
198 |
pro-actively applying these remarkable technologies. I strongly |
199 |
recommend anyone who is interested to investigate further and see what |
200 |
it can do for them. For those who are nervous to experiment I |
201 |
recommend qemu is a great conduit for doing just that. |
202 |
|
203 |
Cheers, |
204 |
|
205 |
--Kerin Millar |
206 |
|
207 |
-- |
208 |
gentoo-server@g.o mailing list |