| 1 |
Great news for amd64 users. |
| 2 |
|
| 3 |
Today the PaX Team has completed the amd64 port of PaX thanks to the |
| 4 |
recent developer resource that was made available to us. |
| 5 |
|
| 6 |
For those of you that don't know PaX is a kernel patch to the linux |
| 7 |
kernel which supports non executable stack,heap, kernel pages and the |
| 8 |
such not to mention full address space randomizations to prevent/reduce |
| 9 |
the chances that a return to libc style attack would ever succeed. |
| 10 |
|
| 11 |
This port significantly raises the bar for amd64 security. I don't think |
| 12 |
any solutions existed till now and yes you saw it here first in Gentoo |
| 13 |
Linux Baby :) |
| 14 |
|
| 15 |
-------------------------------------------------------------------- |
| 16 |
|
| 17 |
The protected memory mapping structure now looks like |
| 18 |
|
| 19 |
solar@amd64 20031004 $ cat /proc/self/maps |
| 20 |
0000000000400000-0000000000404000 R-Xp 0000000000000000 03:03 113150 |
| 21 |
/bin/cat |
| 22 |
0000000000504000-0000000000505000 RW-p 0000000000004000 03:03 113150 |
| 23 |
/bin/cat |
| 24 |
0000000000505000-0000000000527000 RW-p 0000000000000000 00:00 0 |
| 25 |
000000398f8e8000-000000398f8fc000 R-Xp 0000000000000000 03:03 103391 |
| 26 |
/lib/ld-2.3.2.so |
| 27 |
000000398f8fc000-000000398f8fd000 RW-p 0000000000000000 00:00 0 |
| 28 |
000000398f9fc000-000000398f9fd000 RW-p 0000000000014000 03:03 103391 |
| 29 |
/lib/ld-2.3.2.so |
| 30 |
000000398f9fd000-000000398fb35000 R-Xp 0000000000000000 03:03 103247 |
| 31 |
/lib/libc-2.3.2.so |
| 32 |
000000398fb35000-000000398fbfd000 +-+p 0000000000138000 03:03 103247 |
| 33 |
/lib/libc-2.3.2.so |
| 34 |
000000398fbfd000-000000398fc3a000 RW-p 0000000000100000 03:03 103247 |
| 35 |
/lib/libc-2.3.2.so |
| 36 |
000000398fc3a000-000000398fc3e000 RW-p 0000000000000000 00:00 0 |
| 37 |
0000007dbb209000-0000007dbb20b000 RW-p fffffffffffff000 00:00 0 |
| 38 |
|
| 39 |
-------------------------------------------------------------------- |
| 40 |
|
| 41 |
The default unprotected memory mapping structure looks like |
| 42 |
|
| 43 |
0000000000400000-0000000000404000 r-xp 0000000000000000 03:03 113150 |
| 44 |
/bin/cat |
| 45 |
0000000000504000-0000000000505000 rw-p 0000000000004000 03:03 113150 |
| 46 |
/bin/cat |
| 47 |
0000000000505000-0000000000526000 rwxp 0000000000000000 00:00 0 |
| 48 |
0000002a95556000-0000002a9556a000 r-xp 0000000000000000 03:03 103391 |
| 49 |
/lib/ld-2.3.2.so |
| 50 |
0000002a9556a000-0000002a9556b000 rw-p 0000000000000000 00:00 0 |
| 51 |
0000002a9566a000-0000002a9566b000 rw-p 0000000000014000 03:03 103391 |
| 52 |
/lib/ld-2.3.2.so |
| 53 |
0000002a9566b000-0000002a957a3000 r-xp 0000000000000000 03:03 103247 |
| 54 |
/lib/libc-2.3.2.so |
| 55 |
0000002a957a3000-0000002a9586b000 ---p 0000000000138000 03:03 103247 |
| 56 |
/lib/libc-2.3.2.so |
| 57 |
0000002a9586b000-0000002a958a8000 rw-p 0000000000100000 03:03 103247 |
| 58 |
/lib/libc-2.3.2.so |
| 59 |
0000002a958a8000-0000002a958ac000 rw-p 0000000000000000 00:00 0 |
| 60 |
0000007fbfffe000-0000007fc0000000 rwxp fffffffffffff000 00:00 0 |
| 61 |
|
| 62 |
-------------------------------------------------------------------- |
| 63 |
|
| 64 |
quote from #pax |
| 65 |
|
| 66 |
upcase/+ means that the VM_MAY* flags are enabled |
| 67 |
so RW- means that the given mapping has VM_READ and VM_MAYREAD but not |
| 68 |
VM_EXEC neither VM_MAYEXEC |
| 69 |
RW+ means the same as above except that the mapping has VM_MAYEXEC as |
| 70 |
well. |
| 71 |
|
| 72 |
i.e. and mprotect(PROT_EXEC) would be successful on it |
| 73 |
|
| 74 |
-------------------------------------------------------------------- |
| 75 |
|
| 76 |
Now to verify its really true and it works. With a little help from |
| 77 |
paxtest we were able to preform the following regression tests. |
| 78 |
|
| 79 |
100% successful |
| 80 |
|
| 81 |
Executable anonymous mapping : Killed |
| 82 |
Executable bss : Killed |
| 83 |
Executable data : Killed |
| 84 |
Executable heap : Killed |
| 85 |
Executable stack : Killed |
| 86 |
Executable anonymous mapping (mprotect) : Killed |
| 87 |
Executable bss (mprotect) : Killed |
| 88 |
Executable data (mprotect) : Killed |
| 89 |
Executable heap (mprotect) : Killed |
| 90 |
Executable shared library bss (mprotect) : Killed |
| 91 |
Executable shared library data (mprotect): Killed |
| 92 |
Executable stack (mprotect) : Killed |
| 93 |
Anonymous mapping randomisation test : 25 bits (guessed) |
| 94 |
Heap randomisation test (ET_EXEC) : 12 bits (guessed) |
| 95 |
Main executable randomisation (ET_EXEC) : No randomisation |
| 96 |
Shared library randomisation test : 25 bits (guessed) |
| 97 |
Stack randomisation test (SEGMEXEC) : 32 bits (guessed) |
| 98 |
Stack randomisation test (PAGEEXEC) : 32 bits (guessed) |
| 99 |
Return to function (strcpy) : Killed |
| 100 |
Return to function (memcpy) : Executable shared library |
| 101 |
bss : Killed |
| 102 |
Executable shared library data : Killed |
| 103 |
Writable text segments : Killed |
| 104 |
|
| 105 |
--------------------------------------------------------------- |
| 106 |
|
| 107 |
Whats left to do? |
| 108 |
|
| 109 |
* We will need to need to do some assembly hacking on a position |
| 110 |
independent startS so that we may achieve full user land randomizations |
| 111 |
(aka Framework for hgcc) |
| 112 |
* Wait till tomorrows release of chpax-0.5 and bump/merge it when it |
| 113 |
becomes available upstream. |
| 114 |
* Wait for an official release of the kernel patch on the pageexec site. |
| 115 |
* Stability tests (ie. somebody needs to make use of it longterm) |
| 116 |
* Performance benchmarking |
| 117 |
|
| 118 |
|
| 119 |
-- |
| 120 |
Ned Ludd <solar@g.o> |
| 121 |
Gentoo Linux Developer |
Archives