Gentoo Archives: gentoo-hardened

From: Alex Efros <powerman@××××××××.name>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Security Level: high/server/workstation/virtualization
Date: Fri, 27 Jan 2012 13:27:58
Message-Id: 20120127132626.GA5332@home.power
Hi!

If you ever wonder how exactly the predefined security levels differ, you'll
find this information here. :) I've compared them, plus I did some
benchmarking (Core2Duo E6600, 32bit OS, hardened-sources-3.1.5,
single-user mode, kernel compile with -j3 as average user+sys time in 3 tests).

This information shouldn't surprise hardened developers, but if there are
some bugs with these levels then chances are you'll notice them now.

I didn't test low and medium levels because I don't think they have any
real use.

First table: differences between these security levels.
"-" means this level switches off that option
"+" means this level switches on that option
" " means this level doesn't change that option

high server ws virt
CONFIG_X86_32_LAZY_GS - -
CONFIG_CC_STACKPROTECTOR - -
CONFIG_GRKERNSEC_IO +
CONFIG_GRKERNSEC_KERN_LOCKOUT +
CONFIG_GRKERNSEC_PROC_ADD + +
CONFIG_GRKERNSEC_SYSFS_RESTRICT +
CONFIG_GRKERNSEC_PROC_IPADDR + + +
CONFIG_GRKERNSEC_RWXMAP_LOG + + +
CONFIG_GRKERNSEC_SYSCTL + + +
CONFIG_GRKERNSEC_SYSCTL_ON + + +
CONFIG_PAX_PER_CPU_PGD + + + -
CONFIG_PAX_ELFRELOCS +
CONFIG_PAX_KERNEXEC + + + -
CONFIG_PAX_KERNEXEC_MODULE_TEXT 4 4 4 -
CONFIG_PAX_MEMORY_SANITIZE + + +
CONFIG_PAX_MEMORY_UDEREF + + -

As you can see, if you switch between several levels you may end up with
different options on the same level - for example, switching from server to
workstation results in UDEREF on, while switching from virtualization to
workstation results in UDEREF off. That's correct, but you should keep this
in mind and re-check the configuration after switching security level.

Next, a list of options which aren't changed by any of these security
levels, i.e. they are left completely up to the user's choice. I'll show them
both in CONFIG and menuconfig formats:

CONFIG_GRKERNSEC_ACL_HIDEKERN
CONFIG_GRKERNSEC_EXECLOG
CONFIG_GRKERNSEC_CHROOT_EXECLOG
CONFIG_GRKERNSEC_AUDIT_PTRACE
CONFIG_GRKERNSEC_AUDIT_CHDIR
CONFIG_GRKERNSEC_AUDIT_TEXTREL
CONFIG_GRKERNSEC_BLACKHOLE
CONFIG_PAX_EMUTRAMP
CONFIG_PAX_MPROTECT_COMPAT
CONFIG_PAX_MEMORY_STACKLEAK

Grsecurity --->
    [*] Grsecurity
        Role Based Access Control Options --->
            [ ] Hide kernel processes
        Kernel Auditing --->
            [ ] Exec logging
            [ ] Log execs within chroot
            [ ] Ptrace logging
            [ ] Chdir logging
            [ ] ELF text relocations logging (READ HELP)
        Network Protections --->
            [ ] TCP/UDP blackhole and LAST_ACK DoS prevention
PaX --->
    [*] Enable various PaX features
        Non-executable pages --->
            [ ] Emulate trampolines
            [ ] Use legacy/compat protection demoting (read help)
        Miscellaneous hardening features --->
            [ ] Sanitize kernel stack

All other GrSecurity/PaX options are switched on by all these security levels.

Now, about benchmarking. I've enabled as many options as possible on
workstation: server security level PLUS all good optional options MINUS
CONFIG_GRKERNSEC_IO (for Xorg). And compared it to a completely non-hardened
environment (kernel with GrSecurity/PaX switched off and vanilla gcc).

This way hardened was ~5% slower.
Without CONFIG_PAX_MEMORY_STACKLEAK it becomes ~3% slower.
Without CONFIG_PAX_MEMORY_STACKLEAK and CONFIG_PAX_MEMORY_SANITIZE - ~1% slower.

As for me, spending ~1% performance for ~all hardened is a good trade-off,
but spending 4% more for protection against leaking information in freed
memory is too much for workstation (and for most servers too), so I
recommend changing the workstation security level to not enable
CONFIG_PAX_MEMORY_SANITIZE by default.

--
WBR, Alex.
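
Added example (not part of the original message, and not Gentoo or grsecurity code): a Python check for the "re-check configuration after switching security level" step, comparing two kernel .config files and listing the hardening options that differ. The function names and both sample fragments are constructed for illustration; the option names come from the message, and treating an option absent from a file as "n" is an assumption of this sketch.

```python
import re

# Options the levels touch: grsecurity/PaX prefixes plus the two others in the first table.
HARDENING_PREFIXES = ("CONFIG_GRKERNSEC", "CONFIG_PAX",
                      "CONFIG_CC_STACKPROTECTOR", "CONFIG_X86_32_LAZY_GS")
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Parse kernel .config text into {option: value}; '# X is not set' maps to 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            options[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            options[m.group(1)] = "n"
    return options

def hardening_drift(config_a, config_b, prefixes=HARDENING_PREFIXES):
    """Return {option: (value_a, value_b)} for hardening options that differ.
    Assumption: an option absent from one file counts as 'n'."""
    a, b = parse_config(config_a), parse_config(config_b)
    drift = {}
    for name in sorted(set(a) | set(b)):
        if name.startswith(prefixes):
            va, vb = a.get(name, "n"), b.get(name, "n")
            if va != vb:
                drift[name] = (va, vb)
    return drift

# Constructed fragments: the same "workstation" level reached from "server"
# and from "virtualization", as in the UDEREF case described in the message.
VIA_SERVER = """\
CONFIG_HZ=1000
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
"""
VIA_VIRT = """\
CONFIG_HZ=250
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_UDEREF is not set
"""

if __name__ == "__main__":
    print(hardening_drift(VIA_SERVER, VIA_VIRT))
```

To use it on real files, pass the contents of a saved copy of .config from before the switch and the current .config to hardening_drift().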
