commit: 036119a286cf69f29a0aad81ee98d5f1128cdf1f
Author: klondike <klondike <AT> xiscosoft <DOT> es>
AuthorDate: Mon Apr 2 15:49:09 2012 +0000
Commit: Francisco Blas Izquierdo Riera <klondike <AT> xiscosoft <DOT> es>
CommitDate: Mon Apr 2 15:49:09 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=036119a2

WIP on the revdep-pax guide

---
xml/revdep-pax.xml | 740 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 740 insertions(+), 0 deletions(-)

diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml
new file mode 100644
index 0000000..ba9f822
--- /dev/null
+++ b/xml/revdep-pax.xml
@@ -0,0 +1,740 @@ |
20 |
+<?xml version='1.0' encoding="UTF-8"?> |
21 |
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
22 |
+<!-- $Header: $ --> |
23 |
+ |
24 |
+<guide> |
25 |
+<title>Gentoo revdep-pax introduction</title> |
26 |
+ |
27 |
+<author title="Author"> |
28 |
+ <mail link="klondike"/> |
29 |
+</author> |
30 |
+ |
31 |
+<abstract> |
32 |
+This guide provides an introduction to revdep-pax and how to use it to propagate |
33 |
+the PaC markings caused by libraries requiring them, for example, libraries |
34 |
+requiring RWX memory in order to process JIT code. |
35 |
+</abstract> |
36 |
+ |
37 |
+<!-- The content of this document is licensed under the CC-BY-SA license --> |
38 |
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> |
39 |
+<license/> |
40 |
+ |
41 |
+<version>1</version> |
42 |
+<date>2012-02-19</date> |
43 |
+ |
44 |
+<chapter> |
45 |
+<title>What's <c>revdep-pax</c> about?</title> |
46 |
+ |
47 |
+<p by="Geroge Orwell"> |
48 |
+Since the early days of PaX it was known that all programs were equal although |
49 |
+some were more equal than others and needed an environment with less |
50 |
+restrictions in order to be able to run. Thus, in order to have a secure way of |
51 |
+allowing system administrators and users telling the system which binaries |
52 |
+needed this lessened environment the PaX marks were created. |
53 |
+</p> |
54 |
+ |
55 |
+<section> |
56 |
+<title>A quick introduction to PaX markings.</title> |
57 |
+<body> |
58 |
+ |
59 |
+<p> |
60 |
+There are some programs which won't be able to run in an environment with all |
61 |
+the PaX features enabled, for example you may have a program which has so called |
62 |
+<e>text relocations</e> or you may have a language interpreter doing JIT code |
63 |
+compilation and requiring <e>RWX</e> mappings you may also have a program that |
64 |
+saves data including internal pointers into an mmaped file and which needs to be |
65 |
+restored in the same place no matter what. You could also be holding a security |
66 |
+competition and need to disable the execution restrictions and force it to |
67 |
+use fixed addresses on a particular program so it can be exploited doing a |
68 |
+simple nop sled based stack overflow to get to the next level. For taking into |
69 |
+account these issues binaries can be marked to force on or off some of the PaX |
70 |
+features. |
71 |
+</p> |
72 |
+ |
73 |
+<p> |
74 |
+Currently, the PaX features that can be lessened or enforced to allow programs |
75 |
+to run are: |
76 |
+</p> |
77 |
+ |
78 |
+<dl> |
79 |
+ <dt><b>PAGEEXEC</b></dt> |
80 |
+ <dd>Paging based execution restrictions. This is what other OSes know as |
81 |
+ <e>NX</e>.</dd> |
82 |
+ <dt><b>EMUTRAMP</b></dt> |
83 |
+ <dd>Trampoline emulation. Required by for amongst other things code with |
84 |
+ nested functions.</dd> |
85 |
+ <dt><b>MPROTECT</b></dt> |
86 |
+ <dd>Prevents the introduction of new executable code in the task. This is the |
87 |
+ one you are more likely to need disabling with libraries generating JIT code. |
88 |
+ </dd> |
89 |
+ <dt><b>RANDMMAP</b></dt> |
90 |
+ <dd>Randomizes the addresses where mappings are made unless the program |
91 |
+ explicitly requests one (using the MAP_FIXED flag).</dd> |
92 |
+ <dt><b>RANDEXEC</b></dt> |
93 |
+ <dd>This flag is currently deprecated and was used to enforce random placement |
94 |
+ of the executable part of the binary.</dd> |
95 |
+ <dt><b>SEGMEXEC</b></dt> |
96 |
+ <dd>This flag enables segmentation based execution protection. This feature is |
97 |
+ not available on the amd64 architecture so in that architecture is disables by |
98 |
+ default.</dd> |
99 |
+</dl> |
100 |
+ |
101 |
+<p> |
102 |
+There are various ways in which this advice to lessen the environment can be |
103 |
+provided to the system, amongst others Mandatory Access Control rules, extended |
104 |
+attributes and two kinds of markings on the binaries themselves, the legacy ones |
105 |
+which abuse an unused field in the ELF headers and the new ones which add a new |
106 |
+specific section to the ELF file with the markings. |
107 |
+</p> |
108 |
+ |
109 |
+<p> |
110 |
+All this markings though are only read in the executable and not in the |
111 |
+libraries linked by it to prevent some possible attacks (like libraries being |
112 |
+injected via LD_PRELOAD) and because it eases a lot the implementation since the |
113 |
+kernel shouldn't be aware of linking details. |
114 |
+</p> |
115 |
+ |
116 |
+<p> |
117 |
+This system has a problem: if we have a binary linking to a library which |
118 |
+requires, for example, trampoline emulation because it uses nested functions how |
119 |
+can we make sure the binary gets the propper markings? Yeah we could add PaX |
120 |
+marks to the library to state it needs trampoline emulation but still we haven't |
121 |
+fixed the issue since the kernel will only read the marks on the binary being |
122 |
+called. In order to solve this issue we have created <c>revdep-pax</c>. |
123 |
+</p> |
124 |
+ |
125 |
+</body> |
126 |
+</section> |
127 |
+<section> |
128 |
+<title>What's <c>revdep-pax</c>?</title> |
129 |
+<body> |
130 |
+ |
131 |
+<p> |
132 |
+<c>revdep-pax</c> is a tool that allows to check for differences in PaX markings |
133 |
+between elf objects linking to libraries (for example <path>/bin/bash</path>) |
134 |
+and the libraries themselves (for example <path>/lib64/libc.so.6</path>). |
135 |
+</p> |
136 |
+ |
137 |
+<p> |
138 |
+<c>revdep-pax</c> is able to do this in various ways, it can check for |
139 |
+differences <e>forward</e> from one binary to all the libraries it links and it |
140 |
+can also check for PaX marking differences <e>backwards</e> from one library to |
141 |
+all the binaries linking to it (which may include other libraries too). In a |
142 |
+similar way it is possible to have all the forward and reverse mappings in the |
143 |
+system checked to try finding issues. |
144 |
+</p> |
145 |
+ |
146 |
+<p> |
147 |
+<c>revdep-pax</c> is also able to propagate these markings both forward to the |
148 |
+libraries linked by an object and backwards to the objects linked by a library. |
149 |
+</p> |
150 |
+ |
151 |
+</body> |
152 |
+</section> |
153 |
+</chapter> |
154 |
+ |
155 |
+<chapter> |
156 |
+<title>Using <c>revdep-pax</c></title> |
157 |
+ |
158 |
+<p by="The Emperor"> |
159 |
+In order to witness the firepower of this fully ARMED and OPERATIONAL tool |
160 |
+you'll first need to learn how to use it, once you are done, you'll be |
161 |
+able to fire at will. |
162 |
+</p> |
163 |
+ |
164 |
+<section> |
165 |
+<title>Propagating PaX marks backwards from a library to objects that link at it |
166 |
+</title> |
167 |
+<body> |
168 |
+ |
169 |
+<p> |
170 |
+This is going to be probably the main way in which you are going to use this |
171 |
+utility. What it does is check all the libraries linked statically |
172 |
+The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package. |
173 |
+With this application you can print out information specific to the ELF |
174 |
+structure of a binary. The following table sums up the various options. |
175 |
+</p> |
176 |
+ |
177 |
+<table> |
178 |
+<tr> |
179 |
+ <th>Option</th> |
180 |
+ <th>Long Option</th> |
181 |
+ <th>Description</th> |
182 |
+</tr> |
183 |
+<tr> |
184 |
+ <ti>-p</ti> |
185 |
+ <ti>--path</ti> |
186 |
+ <ti>Scan all directories in PATH environment</ti> |
187 |
+</tr> |
188 |
+<tr> |
189 |
+ <ti>-l</ti> |
190 |
+ <ti>--ldpath</ti> |
191 |
+ <ti>Scan all directories in /etc/ld.so.conf</ti> |
192 |
+</tr> |
193 |
+<tr> |
194 |
+ <ti>-R</ti> |
195 |
+ <ti>--recursive</ti> |
196 |
+ <ti>Scan directories recursively</ti> |
197 |
+</tr> |
198 |
+<tr> |
199 |
+ <ti>-m</ti> |
200 |
+ <ti>--mount</ti> |
201 |
+ <ti>Don't recursively cross mount points</ti> |
202 |
+</tr> |
203 |
+<tr> |
204 |
+ <ti>-y</ti> |
205 |
+ <ti>--symlink</ti> |
206 |
+ <ti>Don't scan symlinks</ti> |
207 |
+</tr> |
208 |
+<tr> |
209 |
+ <ti>-A</ti> |
210 |
+ <ti>--archives</ti> |
211 |
+ <ti>Scan archives (.a files)</ti> |
212 |
+</tr> |
213 |
+<tr> |
214 |
+ <ti>-L</ti> |
215 |
+ <ti>--ldcache</ti> |
216 |
+ <ti>Utilize ld.so.cache information (use with -r/-n)</ti> |
217 |
+</tr> |
218 |
+<tr> |
219 |
+ <ti>-X</ti> |
220 |
+ <ti>--fix</ti> |
221 |
+ <ti>Try and 'fix' bad things (use with -r/-e)</ti> |
222 |
+</tr> |
223 |
+<tr> |
224 |
+ <ti>-z [arg]</ti> |
225 |
+ <ti>--setpax [arg]</ti> |
226 |
+ <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti> |
227 |
+</tr> |
228 |
+<tr> |
229 |
+ <th>Option</th> |
230 |
+ <th>Long Option</th> |
231 |
+ <th>Description</th> |
232 |
+</tr> |
233 |
+<tr> |
234 |
+ <ti>-x</ti> |
235 |
+ <ti>--pax</ti> |
236 |
+ <ti>Print PaX markings</ti> |
237 |
+</tr> |
238 |
+<tr> |
239 |
+ <ti>-e</ti> |
240 |
+ <ti>--header</ti> |
241 |
+ <ti>Print GNU_STACK/PT_LOAD markings</ti> |
242 |
+</tr> |
243 |
+<tr> |
244 |
+ <ti>-t</ti> |
245 |
+ <ti>--textrel</ti> |
246 |
+ <ti>Print TEXTREL information</ti> |
247 |
+</tr> |
248 |
+<tr> |
249 |
+ <ti>-r</ti> |
250 |
+ <ti>--rpath</ti> |
251 |
+ <ti>Print RPATH information</ti> |
252 |
+</tr> |
253 |
+<tr> |
254 |
+ <ti>-n</ti> |
255 |
+ <ti>--needed</ti> |
256 |
+ <ti>Print NEEDED information</ti> |
257 |
+</tr> |
258 |
+<tr> |
259 |
+ <ti>-i</ti> |
260 |
+ <ti>--interp</ti> |
261 |
+ <ti>Print INTERP information</ti> |
262 |
+</tr> |
263 |
+<tr> |
264 |
+ <ti>-b</ti> |
265 |
+ <ti>--bind</ti> |
266 |
+ <ti>Print BIND information</ti> |
267 |
+</tr> |
268 |
+<tr> |
269 |
+ <ti>-S</ti> |
270 |
+ <ti>--soname</ti> |
271 |
+ <ti>Print SONAME information</ti> |
272 |
+</tr> |
273 |
+<tr> |
274 |
+ <ti>-s [arg]</ti> |
275 |
+ <ti>--symbol [arg]</ti> |
276 |
+ <ti>Find a specified symbol</ti> |
277 |
+</tr> |
278 |
+<tr> |
279 |
+ <ti>-k [arg]</ti> |
280 |
+ <ti>--section [arg]</ti> |
281 |
+ <ti>Find a specified section</ti> |
282 |
+</tr> |
283 |
+<tr> |
284 |
+ <ti>-N [arg]</ti> |
285 |
+ <ti>--lib [arg]</ti> |
286 |
+ <ti>Find a specified library</ti> |
287 |
+</tr> |
288 |
+<tr> |
289 |
+ <ti>-g</ti> |
290 |
+ <ti>--gmatch</ti> |
291 |
+ <ti>Use strncmp to match libraries. (use with -N)</ti> |
292 |
+</tr> |
293 |
+<tr> |
294 |
+ <ti>-T</ti> |
295 |
+ <ti>--textrels</ti> |
296 |
+ <ti>Locate cause of TEXTREL</ti> |
297 |
+</tr> |
298 |
+<tr> |
299 |
+ <ti>-E [arg]</ti> |
300 |
+ <ti>--etype [arg]</ti> |
301 |
+ <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti> |
302 |
+</tr> |
303 |
+<tr> |
304 |
+ <ti>-M [arg]</ti> |
305 |
+ <ti>--bits [arg]</ti> |
306 |
+ <ti>Print only ELF files matching numeric bits</ti> |
307 |
+</tr> |
308 |
+<tr> |
309 |
+ <ti>-a</ti> |
310 |
+ <ti>--all</ti> |
311 |
+ <ti>Print all scanned info (-x -e -t -r -b)</ti> |
312 |
+</tr> |
313 |
+<tr> |
314 |
+ <th>Option</th> |
315 |
+ <th>Long Option</th> |
316 |
+ <th>Description</th> |
317 |
+</tr> |
318 |
+<tr> |
319 |
+ <ti>-q</ti> |
320 |
+ <ti>--quiet</ti> |
321 |
+ <ti>Only output 'bad' things</ti> |
322 |
+</tr> |
323 |
+<tr> |
324 |
+ <ti>-v</ti> |
325 |
+ <ti>--verbose</ti> |
326 |
+ <ti>Be verbose (can be specified more than once)</ti> |
327 |
+</tr> |
328 |
+<tr> |
329 |
+ <ti>-F [arg]</ti> |
330 |
+ <ti>--format [arg]</ti> |
331 |
+ <ti>Use specified format for output</ti> |
332 |
+</tr> |
333 |
+<tr> |
334 |
+ <ti>-f [arg]</ti> |
335 |
+ <ti>--from [arg]</ti> |
336 |
+ <ti>Read input stream from a filename</ti> |
337 |
+</tr> |
338 |
+<tr> |
339 |
+ <ti>-o [arg]</ti> |
340 |
+ <ti>--file [arg]</ti> |
341 |
+ <ti>Write output stream to a filename</ti> |
342 |
+</tr> |
343 |
+<tr> |
344 |
+ <ti>-B</ti> |
345 |
+ <ti>--nobanner</ti> |
346 |
+ <ti>Don't display the header</ti> |
347 |
+</tr> |
348 |
+<tr> |
349 |
+ <ti>-h</ti> |
350 |
+ <ti>--help</ti> |
351 |
+ <ti>Print this help and exit</ti> |
352 |
+</tr> |
353 |
+<tr> |
354 |
+ <ti>-V</ti> |
355 |
+ <ti>--version</ti> |
356 |
+ <ti>Print version and exit</ti> |
357 |
+</tr> |
358 |
+</table> |
359 |
+ |
360 |
+<p> |
361 |
+The format specifiers for the <c>-F</c> option are given in the following table. |
362 |
+Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly. |
363 |
+</p> |
364 |
+ |
365 |
+<table> |
366 |
+<tr> |
367 |
+ <th>Specifier</th> |
368 |
+ <th>Full Name</th> |
369 |
+ <th>Specifier</th> |
370 |
+ <th>Full Name</th> |
371 |
+</tr> |
372 |
+<tr> |
373 |
+ <ti>F</ti> |
374 |
+ <ti>Filename</ti> |
375 |
+ <ti>x</ti> |
376 |
+ <ti>PaX Flags</ti> |
377 |
+</tr> |
378 |
+<tr> |
379 |
+ <ti>e</ti> |
380 |
+ <ti>STACK/RELRO</ti> |
381 |
+ <ti>t</ti> |
382 |
+ <ti>TEXTREL</ti> |
383 |
+</tr> |
384 |
+<tr> |
385 |
+ <ti>r</ti> |
386 |
+ <ti>RPATH</ti> |
387 |
+ <ti>n</ti> |
388 |
+ <ti>NEEDED</ti> |
389 |
+</tr> |
390 |
+<tr> |
391 |
+ <ti>i</ti> |
392 |
+ <ti>INTERP</ti> |
393 |
+ <ti>b</ti> |
394 |
+ <ti>BIND</ti> |
395 |
+</tr> |
396 |
+<tr> |
397 |
+ <ti>s</ti> |
398 |
+ <ti>Symbol</ti> |
399 |
+ <ti>N</ti> |
400 |
+ <ti>Library</ti> |
401 |
+</tr> |
402 |
+<tr> |
403 |
+ <ti>o</ti> |
404 |
+ <ti>Type</ti> |
405 |
+ <ti>p</ti> |
406 |
+ <ti>File name</ti> |
407 |
+</tr> |
408 |
+<tr> |
409 |
+ <ti>f</ti> |
410 |
+ <ti>Base file name</ti> |
411 |
+ <ti>k</ti> |
412 |
+ <ti>Section</ti> |
413 |
+</tr> |
414 |
+<tr> |
415 |
+ <ti>a</ti> |
416 |
+ <ti>ARCH/e_machine</ti> |
417 |
+ <ti> </ti> |
418 |
+ <ti> </ti> |
419 |
+</tr> |
420 |
+</table> |
421 |
+ |
422 |
+</body> |
423 |
+</section> |
424 |
+<section> |
425 |
+<title>Using scanelf for Text Relocations</title> |
426 |
+<body> |
427 |
+ |
428 |
+<p> |
429 |
+As an example, we will use <c>scanelf</c> to find binaries containing text |
430 |
+relocations. |
431 |
+</p> |
432 |
+ |
433 |
+<p> |
434 |
+A relocation is an operation that rewrites an address in a loaded segment. Such |
435 |
+an address rewrite can happen when a segment has references to a shared object |
436 |
+and that shared object is loaded in memory. In this case, the references are |
437 |
+substituted with the real address values. Similar events can occur inside the |
438 |
+shared object itself. |
439 |
+</p> |
440 |
+ |
441 |
+<p> |
442 |
+A text relocation is a relocation in the text segment. Since text segments |
443 |
+contain executable code, system administrators might prefer not to have these |
444 |
+segments writable. This is perfectly possible, but since text relocations |
445 |
+actually write in the text segment, it is not always feasible. |
446 |
+</p> |
447 |
+ |
448 |
+<p> |
449 |
+If you want to eliminate text relocations, you will need to make sure |
450 |
+that the application and shared object is built with <e>Position Independent |
451 |
+Code</e> (PIC), making references obsolete. This not only increases security, |
452 |
+but also increases the performance in case of shared objects (allowing writes in |
453 |
+the text segment requires a swap space reservation and a private copy of the |
454 |
+shared object for each application that uses it). |
455 |
+</p> |
456 |
+ |
457 |
+<p> |
458 |
+The following example will search your library paths recursively, without |
459 |
+leaving the mounted file system and ignoring symbolic links, for any ELF binary |
460 |
+containing a text relocation: |
461 |
+</p> |
462 |
+ |
463 |
+<pre caption="Scanning the system for text relocation binaries"> |
464 |
+# <i>scanelf -lqtmyR</i> |
465 |
+</pre> |
466 |
+ |
467 |
+<p> |
468 |
+If you want to scan your entire system for <e>any</e> file containing text |
469 |
+relocations: |
470 |
+</p> |
471 |
+ |
472 |
+<pre caption="Scanning the entire system for text relocation files"> |
473 |
+# <i>scanelf -qtmyR /</i> |
474 |
+</pre> |
475 |
+ |
476 |
+</body> |
477 |
+</section> |
478 |
+<section> |
479 |
+<title>Using scanelf for Specific Header</title> |
480 |
+<body> |
481 |
+ |
482 |
+<p> |
483 |
+The scanelf util can be used to quickly identify files that contain a |
484 |
+given section header using the -k .section option. |
485 |
+</p> |
486 |
+ |
487 |
+<p> |
488 |
+In this example we are looking for all files in /usr/lib/debug |
489 |
+recursively using a format modifier with quiet mode enabled that have been |
490 |
+stripped. A stripped elf will lack a .symtab entry, so we use the '!' |
491 |
+to invert the matching logic. |
492 |
+</p> |
493 |
+ |
494 |
+<pre caption="Scanning for stripped or non stripped executables"> |
495 |
+# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i> |
496 |
+</pre> |
497 |
+ |
498 |
+</body> |
499 |
+</section> |
500 |
+<section> |
501 |
+<title>Using scanelf for Specific Segment Markings</title> |
502 |
+<body> |
503 |
+ |
504 |
+<p> |
505 |
+Each segment has specific flags assigned to it in the Program Header of the |
506 |
+binary. One of those flags is the type of the segment. Interesting values are |
507 |
+PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the |
508 |
+segment contains dynamic linking information), PT_INTERP (the segment |
509 |
+contains the name of the program interpreter), PT_GNU_STACK (a GNU extension |
510 |
+for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS |
511 |
+(a PaX extension for the ELF format, used by the security-minded |
512 |
+<uri link="http://pax.grsecurity.net/">PaX Project</uri>. |
513 |
+</p> |
514 |
+ |
515 |
+<p> |
516 |
+If we want to scan all executables in the current working directory, PATH |
517 |
+environment and library paths and report those who have a writable and |
518 |
+executable PT_LOAD or PT_GNU_STACK marking, you could use the following command: |
519 |
+</p> |
520 |
+ |
521 |
+<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK"> |
522 |
+# <i>scanelf -lpqe .</i> |
523 |
+</pre> |
524 |
+ |
525 |
+</body> |
526 |
+</section> |
527 |
+<section> |
528 |
+<title>Using scanelf's Format Modifier Handler</title> |
529 |
+<body> |
530 |
+ |
531 |
+<p> |
532 |
+A useful feature of the <c>scanelf</c> utility is the format modifier handler. |
533 |
+With this option you can control the output of <c>scanelf</c>, thereby |
534 |
+simplifying parsing the output with scripts. |
535 |
+</p> |
536 |
+ |
537 |
+<p> |
538 |
+As an example, we will use <c>scanelf</c> to print the file names that contain |
539 |
+text relocations: |
540 |
+</p> |
541 |
+ |
542 |
+<pre caption="Example of the scanelf format modifier handler"> |
543 |
+# <i>scanelf -l -p -R -q -F "%F #t"</i> |
544 |
+</pre> |
545 |
+ |
546 |
+</body> |
547 |
+</section> |
548 |
+</chapter> |
549 |
+ |
550 |
+<chapter id="pspax"> |
551 |
+<title>Listing PaX Flags and Capabilities</title> |
552 |
+<section> |
553 |
+<title>About PaX</title> |
554 |
+<body> |
555 |
+ |
556 |
+<p> |
557 |
+<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri |
558 |
+link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri |
559 |
+link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main |
560 |
+goal is "to research various defense mechanisms against the exploitation of |
561 |
+software bugs that give an attacker arbitrary read/write access to the |
562 |
+attacked task's address space. This class of bugs contains among others |
563 |
+various forms of buffer overflow bugs (be they stack or heap based), user |
564 |
+supplied format string bugs, etc." |
565 |
+</p> |
566 |
+ |
567 |
+<p> |
568 |
+To be able to benefit from these defense mechanisms, you need to run a Linux |
569 |
+kernel patched with the latest PaX code. The <uri |
570 |
+link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and |
571 |
+its parent project, grsecurity. The supported kernel package is |
572 |
+<c>sys-kernel/hardened-sources</c>. |
573 |
+</p> |
574 |
+ |
575 |
+<p> |
576 |
+The Gentoo/Hardened project has a <uri |
577 |
+link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri> |
578 |
+for your reading pleasure. |
579 |
+</p> |
580 |
+ |
581 |
+</body> |
582 |
+</section> |
583 |
+<section> |
584 |
+<title>Flags and Capabilities</title> |
585 |
+<body> |
586 |
+ |
587 |
+<p> |
588 |
+If your toolchain supports it, your binaries can have additional PaX flags in |
589 |
+their Program Header. The following flags are supported: |
590 |
+</p> |
591 |
+ |
592 |
+<table> |
593 |
+<tr> |
594 |
+ <th>Flag</th> |
595 |
+ <th>Name</th> |
596 |
+ <th>Description</th> |
597 |
+</tr> |
598 |
+<tr> |
599 |
+ <ti>P</ti> |
600 |
+ <ti>PAGEEXEC</ti> |
601 |
+ <ti> |
602 |
+ Refuse code execution on writable pages based on the NX bit |
603 |
+ (or emulated NX bit) |
604 |
+ </ti> |
605 |
+</tr> |
606 |
+<tr> |
607 |
+ <ti>S</ti> |
608 |
+ <ti>SEGMEXEC</ti> |
609 |
+ <ti> |
610 |
+ Refuse code execution on writable pages based on the |
611 |
+ segmentation logic of IA-32 |
612 |
+ </ti> |
613 |
+</tr> |
614 |
+<tr> |
615 |
+ <ti>E</ti> |
616 |
+ <ti>EMUTRAMP</ti> |
617 |
+ <ti> |
618 |
+ Allow known code execution sequences on writable pages that |
619 |
+ should not cause any harm |
620 |
+ </ti> |
621 |
+</tr> |
622 |
+<tr> |
623 |
+ <ti>M</ti> |
624 |
+ <ti>MPROTECT</ti> |
625 |
+ <ti> |
626 |
+ Prevent the creation of new executable code to the process |
627 |
+ address space |
628 |
+ </ti> |
629 |
+</tr> |
630 |
+<tr> |
631 |
+ <ti>R</ti> |
632 |
+ <ti>RANDMMAP</ti> |
633 |
+ <ti> |
634 |
+ Randomize the stack base to prevent certain stack overflow |
635 |
+ attacks from being successful |
636 |
+ </ti> |
637 |
+</tr> |
638 |
+<tr> |
639 |
+ <ti>X</ti> |
640 |
+ <ti>RANDEXEC</ti> |
641 |
+ <ti> |
642 |
+ Randomize the address where the application maps to prevent |
643 |
+ certain attacks from being exploitable |
644 |
+ </ti> |
645 |
+</tr> |
646 |
+</table> |
647 |
+ |
648 |
+<p> |
649 |
+The default Linux kernel also supports certain capabilities, grouped in the |
650 |
+so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those |
651 |
+capabilities in our <uri |
652 |
+link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document. |
653 |
+</p> |
654 |
+ |
655 |
+</body> |
656 |
+</section> |
657 |
+<section> |
658 |
+<title>Using pspax</title> |
659 |
+<body> |
660 |
+ |
661 |
+<p> |
662 |
+The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the |
663 |
+run-time capabilities of all programs you have permission for. On Linux kernels |
664 |
+with additional support for extended attributes (such as SELinux) those |
665 |
+attributes are shown as well. |
666 |
+</p> |
667 |
+ |
668 |
+<p> |
669 |
+When ran, <c>pspax</c> shows the following information: |
670 |
+</p> |
671 |
+ |
672 |
+<table> |
673 |
+<tr> |
674 |
+ <th>Column</th> |
675 |
+ <th>Description</th> |
676 |
+</tr> |
677 |
+<tr> |
678 |
+ <ti>USER</ti> |
679 |
+ <ti>Owner of the process</ti> |
680 |
+</tr> |
681 |
+<tr> |
682 |
+ <ti>PID</ti> |
683 |
+ <ti>Process id</ti> |
684 |
+</tr> |
685 |
+<tr> |
686 |
+ <ti>PAX</ti> |
687 |
+ <ti>Run-time PaX flags (if applicable)</ti> |
688 |
+</tr> |
689 |
+<tr> |
690 |
+ <ti>MAPS</ti> |
691 |
+ <ti>Write/eXecute markings for the process map</ti> |
692 |
+</tr> |
693 |
+<tr> |
694 |
+ <ti>ELF_TYPE</ti> |
695 |
+ <ti>Process executable type: ET_DYN or ET_EXEC</ti> |
696 |
+</tr> |
697 |
+<tr> |
698 |
+ <ti>NAME</ti> |
699 |
+ <ti>Name of the process</ti> |
700 |
+</tr> |
701 |
+<tr> |
702 |
+ <ti>CAPS</ti> |
703 |
+ <ti>POSIX.1e capabilities (see note)</ti> |
704 |
+</tr> |
705 |
+<tr> |
706 |
+ <ti>ATTR</ti> |
707 |
+ <ti>Extended attributes (if applicable)</ti> |
708 |
+</tr> |
709 |
+</table> |
710 |
+ |
711 |
+<note> |
712 |
+<c>pspax</c> only displays these capabilities when it is linked with |
713 |
+the external capabilities library. This requires you to build <c>pax-utils</c> |
714 |
+with -DWANT_SYSCAP. |
715 |
+</note> |
716 |
+ |
717 |
+<p> |
718 |
+By default, <c>pspax</c> does not show any kernel processes. If you want those |
719 |
+to be taken as well, use the <c>-a</c> switch. |
720 |
+</p> |
721 |
+ |
722 |
+</body> |
723 |
+</section> |
724 |
+</chapter> |
725 |
+ |
726 |
+<chapter id="dumpelf"> |
727 |
+<title>Programming with ELF files</title> |
728 |
+<section> |
729 |
+<title>The dumpelf Utility</title> |
730 |
+<body> |
731 |
+ |
732 |
+<p> |
733 |
+With the <c>dumpelf</c> utility you can convert a ELF file into human readable C |
734 |
+code that defines a structure with the same image as the original ELF file. |
735 |
+</p> |
736 |
+ |
737 |
+<pre caption="dumpelf example"> |
738 |
+$ <i>dumpelf /bin/hostname</i> |
739 |
+#include <elf.h> |
740 |
+ |
741 |
+<comment>/* |
742 |
+ * ELF dump of '/bin/hostname' |
743 |
+ * 10276 (0x2824) bytes |
744 |
+ */</comment> |
745 |
+ |
746 |
+struct { |
747 |
+ Elf32_Ehdr ehdr; |
748 |
+ Elf32_Phdr phdrs[8]; |
749 |
+ Elf32_Shdr shdrs[26]; |
750 |
+} dumpedelf_0 = { |
751 |
+ |
752 |
+.ehdr = { |
753 |
+<comment>(... Output stripped ...)</comment> |
754 |
+</pre> |
755 |
+ |
756 |
+</body> |
757 |
+</section> |
758 |
+</chapter> |
759 |
+</guide> |
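Review bot: the section titled "Propagating PaX marks backwards from a library to objects that link at it" never delivers what its title promises; its only paragraph stops mid-sentence at "What it does is check all the libraries linked statically" and the very next line starts the scanelf option table, and everything from there to the end of the file (the four scanelf sections, the "Listing PaX Flags and Capabilities" chapter with pspax, and the dumpelf chapter) is the pax-utils guide pasted in rather than revdep-pax material. Before this leaves WIP it needs an actual revdep-pax invocation with sample output for each of the backward, forward and whole-system checks that the "What's revdep-pax?" section describes, and the pasted chapters should be cut or reduced to a pointer to the pax-utils guide. "linked statically" is also the wrong word: the problem the tool solves (the kernel reads marks only on the executable, as the "All this markings though are only read in the executable" paragraph explains) exists precisely because the library is loaded dynamically, so this should read "all the objects that dynamically link the library", i.e. the NEEDED/SONAME relation that the option table itself lists under -n and -S.

Separately, the dumpelf listing at the end contains an unescaped "#include <elf.h>" inside a <pre>; in the guide XML that parses as an unclosed <elf.h> element and the whole file fails to validate, so it has to be written as "&lt;elf.h&gt;". The two flag descriptions also disagree with each other: the <dl> says RANDMMAP "Randomizes the addresses where mappings are made" and that RANDEXEC "is currently deprecated", while the later table says RANDMMAP "Randomize the stack base" and presents RANDEXEC as a live option; the <dl> wording is the accurate one and should be used in both places. In the same introduction, "the new ones which add a new specific section to the ELF file" should say a program header, since the marking is PT_PAX_FLAGS, matching "Sets EI_PAX/PT_PAX_FLAGS" in the option table. Typos to fix while at it: "PaC markings" in the abstract, by="Geroge Orwell", "Required by for amongst other things", "is disables by default", "All this markings", "propper markings", "the binary being called" (executed), and the missing closing parenthesis after the PaX Project link in the PT_PAX_FLAGS sentence.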