Great news for amd64 users.

Today the PaX Team has completed the amd64 port of PaX thanks to the
recent developer resource that was made available to us.

For those of you who don't know, PaX is a patch to the Linux kernel which
supports non-executable stack, heap, kernel pages and the like, not to
mention full address space randomization to prevent/reduce the chances
that a return-to-libc style attack would ever succeed.

This port significantly raises the bar for amd64 security. I don't think
any solutions existed till now, and yes, you saw it here first in Gentoo
Linux, baby :)

--------------------------------------------------------------------

The protected memory mapping structure now looks like:

solar@amd64 20031004 $ cat /proc/self/maps
0000000000400000-0000000000404000 R-Xp 0000000000000000 03:03 113150 /bin/cat
0000000000504000-0000000000505000 RW-p 0000000000004000 03:03 113150 /bin/cat
0000000000505000-0000000000527000 RW-p 0000000000000000 00:00 0
000000398f8e8000-000000398f8fc000 R-Xp 0000000000000000 03:03 103391 /lib/ld-2.3.2.so
000000398f8fc000-000000398f8fd000 RW-p 0000000000000000 00:00 0
000000398f9fc000-000000398f9fd000 RW-p 0000000000014000 03:03 103391 /lib/ld-2.3.2.so
000000398f9fd000-000000398fb35000 R-Xp 0000000000000000 03:03 103247 /lib/libc-2.3.2.so
000000398fb35000-000000398fbfd000 +-+p 0000000000138000 03:03 103247 /lib/libc-2.3.2.so
000000398fbfd000-000000398fc3a000 RW-p 0000000000100000 03:03 103247 /lib/libc-2.3.2.so
000000398fc3a000-000000398fc3e000 RW-p 0000000000000000 00:00 0
0000007dbb209000-0000007dbb20b000 RW-p fffffffffffff000 00:00 0

--------------------------------------------------------------------

The default unprotected memory mapping structure looks like:

0000000000400000-0000000000404000 r-xp 0000000000000000 03:03 113150 /bin/cat
0000000000504000-0000000000505000 rw-p 0000000000004000 03:03 113150 /bin/cat
0000000000505000-0000000000526000 rwxp 0000000000000000 00:00 0
0000002a95556000-0000002a9556a000 r-xp 0000000000000000 03:03 103391 /lib/ld-2.3.2.so
0000002a9556a000-0000002a9556b000 rw-p 0000000000000000 00:00 0
0000002a9566a000-0000002a9566b000 rw-p 0000000000014000 03:03 103391 /lib/ld-2.3.2.so
0000002a9566b000-0000002a957a3000 r-xp 0000000000000000 03:03 103247 /lib/libc-2.3.2.so
0000002a957a3000-0000002a9586b000 ---p 0000000000138000 03:03 103247 /lib/libc-2.3.2.so
0000002a9586b000-0000002a958a8000 rw-p 0000000000100000 03:03 103247 /lib/libc-2.3.2.so
0000002a958a8000-0000002a958ac000 rw-p 0000000000000000 00:00 0
0000007fbfffe000-0000007fc0000000 rwxp fffffffffffff000 00:00 0

--------------------------------------------------------------------

quote from #pax:

upcase/+ means that the VM_MAY* flags are enabled,
so RW- means that the given mapping has VM_READ and VM_MAYREAD but not
VM_EXEC nor VM_MAYEXEC.
RW+ means the same as above except that the mapping has VM_MAYEXEC as
well,

i.e. an mprotect(PROT_EXEC) would be successful on it.

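As an added example (not from the original post, nor PaX's or paxtest's own code): a small parser for the PaX-extended permission field described in the quote above, run over lines copied from the two dumps plus one constructed RW+p entry, reporting mappings that are writable and executable now or that mprotect() could still turn into that. It assumes that on a stock kernel VM_MAY* is set on ordinary private mappings, so any permission could be re-added with mprotect().

```python
import re

# PaX encodes each r/w/x slot in /proc/<pid>/maps as: uppercase = VM_* and VM_MAY*
# set, '+' = VM_MAY* only, lowercase = VM_* only, '-' = neither (stock: no VM_MAY* shown).
LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def decode_perm(perm, pax):
    """Return (current, may) sets of permission names for one maps entry."""
    current, may = set(), set()
    for ch, name in zip(perm[:3], ("READ", "WRITE", "EXEC")):
        if ch.isalpha():
            current.add(name)
        # Assumption for stock kernels: VM_MAY* is set, so mprotect() may re-add anything.
        if ch == "+" or ch.isupper() or not pax:
            may.add(name)
    return current, may

def audit_maps(text, pax):
    """Flag mappings that are, or could be mprotect()ed into, writable+executable."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        start, end, perm, path = m.groups()
        current, may = decode_perm(perm, pax)
        entry = (start + "-" + end, path or "[anon]")
        if {"WRITE", "EXEC"} <= current:
            findings.append(entry + ("W+X now",))
        elif {"WRITE", "EXEC"} <= may:
            findings.append(entry + ("W+X reachable via mprotect",))
    return findings

# Constructed samples: lines copied from the two dumps, plus one made-up RW+p entry.
PAX_MAPS = """\
0000000000505000-0000000000527000 RW-p 0000000000000000 00:00 0
000000398fb35000-000000398fbfd000 +-+p 0000000000138000 03:03 103247 /lib/libc-2.3.2.so
00007f0000000000-00007f0000001000 RW+p 0000000000000000 00:00 0
"""
STOCK_MAPS = """\
0000000000505000-0000000000526000 rwxp 0000000000000000 00:00 0
0000002a957a3000-0000002a9586b000 ---p 0000000000138000 03:03 103247 /lib/libc-2.3.2.so
0000007fbfffe000-0000007fc0000000 rwxp fffffffffffff000 00:00 0
"""

if __name__ == "__main__":
    for label, text, pax in (("pax", PAX_MAPS, True), ("stock", STOCK_MAPS, False)):
        for rng, path, verdict in audit_maps(text, pax):
            print("%-5s %s %-20s %s" % (label, rng, path, verdict))
```

On the PaX dump only the constructed RW+p entry is reported, which is exactly the case the quote describes; on the stock dump the rwxp bss/heap and stack mappings are W+X outright.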
--------------------------------------------------------------------

Now to verify it's really true and that it works. With a little help
from paxtest we were able to perform the following regression tests.

100% successful

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 25 bits (guessed)
Heap randomisation test (ET_EXEC)        : 12 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : 25 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 32 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 32 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              :
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed

---------------------------------------------------------------

What's left to do?

* We will need to do some assembly hacking on a position-independent
  start.S so that we may achieve full userland randomization
  (aka Framework for hgcc)
* Wait till tomorrow's release of chpax-0.5 and bump/merge it when it
  becomes available upstream.
* Wait for an official release of the kernel patch on the pageexec site.
* Stability tests (i.e. somebody needs to make use of it long-term)
* Performance benchmarking


--
Ned Ludd <solar@g.o>
Gentoo Linux Developer