Re: [gentoo-hardened] grsecurity_and_PaX_config - gentoo-hardened

From:	Ned Ludd <solar@g.o>
To:	Rumen Yotov <rumen_yotov@×××.bg>
Cc:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] grsecurity_and_PaX_config
Date:	Thu, 17 Jun 2004 14:02:22
Message-Id:	`1087480689.10075.19.camel@simple`
In Reply to:	[gentoo-hardened] grsecurity_and_PaX_config by Rumen Yotov

1

On Thu, 2004-06-17 at 00:54, Rumen Yotov wrote:

2

> Hi all,

3

> Tried to push grsec&PaX settings to the limits. Used quite all settings from quickstart-guide and got this with paxtest-0.9.5:

4

> ...BEGIN CUT ...

5

> PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>

6

> Released under the GNU Public Licence version 2 or later

7

>

8

> It may take a while for the tests to complete

9

> Test results:

10

> PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>

11

> Released under the GNU Public Licence version 2 or later

12

>

13

> Executable anonymous mapping             : Killed

14

> Executable bss                           : Killed

15

> Executable data                          : Killed

16

> Executable heap                          : Killed

17

> Executable stack                         : Killed

18

> Executable anonymous mapping (mprotect)  : Killed

19

> Executable bss (mprotect)                : Killed

20

> Executable data (mprotect)               : Killed

21

> Executable heap (mprotect)               : Killed

22

> Executable shared library bss (mprotect) : Killed

23

> Executable shared library data (mprotect): Killed

24

> Executable stack (mprotect)              : Killed

25

> Anonymous mapping randomisation test     : 16 bits (guessed)

26

> Heap randomisation test (ET_EXEC)        : 25 bits (guessed)

27

> Heap randomisation test (ET_DYN)         : 25 bits (guessed)

28

> Main executable randomisation (ET_EXEC)  : 17 bits (guessed)

29

> Main executable randomisation (ET_DYN)   : 17 bits (guessed)

30

> Shared library randomisation test        : 16 bits (guessed)

31

> Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)

32

> Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)

33

> Return to function (strcpy)              : Vulnerable

34

> Return to function (strcpy, RANDEXEC)    : Vulnerable

35

> Return to function (memcpy)              : Vulnerable

36

> Return to function (memcpy, RANDEXEC)    : Vulnerable

37

> Executable shared library bss            : Killed

38

> Executable shared library data           : Killed

39

> Writable text segments                   : Killed

40

> ... END CUT ...

41

42

43

> 1.Could something be done about this 4 'Vuln.' left?

44

No thats expected. The goal of paxtest was not to show you how safe you

45

were but infact how vuln you are. So.. If you notice in the Makefile it

46

explicitly disables -fstack-protector which covers 2 of the remaining 4

47

areas which exploitation can happen via. Seeing that it's vuln should

48

prove the point why you want/need

49

-fstack-protector/-fstack-protector-all which is handled automatically

50

with USE=hardened =sys-devel/gcc-3.3.3-r6 

51

52

53

> PS: can't use ACL for now as i'm on reiserfs3, so no easy acl support still. Am i wrong?

54

From reading below it looks like your going to be using grsec. grsec is

55

file system independent.

56

57

> 2.Also managed to get xorg-X11-6.7.0-r1 to work using these settings,

58

> compiled it with USE="static -hardened" so no modules loading (thanks

59

> to forums.grsecurity.net). But can't get it to work with the

60

> binary-nvidia driver 'nvidia' works only with 2-D 'nv' driver, but for

61

> now it's enough for me. Nvidia-kernel module is loaded, so maybe it's

62

> something to do with loading kernel-glx module and xorg-x11

63

> being'static'. Suggestions?

64

No easy work around here if your trying to use 3rd party modules.

65

66

> 3.Problems with paxtest-0.9.6 (still not in portage). Took it from adamantix.org project page. Can't compile it some error there:

67

sigh yeah.... I've sent Peter Busser patches for this a number of times

68

but for whatever reason he is busy working on other stuff.. The solution

69

is easy enough if I recall. add -lpthread to the LDFLAGS in the Makefile

70

71

72

> ..BEGIN CUT...

73

> make gentoo

74

> make -f Makefile.Gentoo

75

> make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6'

76

> gcc -specs=dumpspecs  -o anonmap body.o anonmap.o

77

> body.o(.text+0x131): In function `main':

78

> : undefined reference to `pthread_create'

79

> body.o(.text+0x14a): In function `main':

80

> : undefined reference to `pthread_kill'

81

> collect2: ld returned 1 exit status

82

> make[1]: *** [anonmap] Error 1

83

> make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6'

84

> make: *** [gentoo] Error 2

85

> ...END CUT...

86

87

> i'm compiling with grsec turned ON and GCC-3.3.3-r6 (hardened i think).

88

> paxtest-0.9.5 compiles OK.

89

> TIA.

90

> Rumen

91

--

92

Ned Ludd <solar@g.o>

93

Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

Gentoo Archives: gentoo-hardened

Attachments

Replies

1	On Thu, 2004-06-17 at 00:54, Rumen Yotov wrote:
2	> Hi all,
3	> Tried to push grsec&PaX settings to the limits. Used quite all settings from quickstart-guide and got this with paxtest-0.9.5:
4	> ...BEGIN CUT ...
5	> PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>
6	> Released under the GNU Public Licence version 2 or later
7	>
8	> It may take a while for the tests to complete
9	> Test results:
10	> PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>
11	> Released under the GNU Public Licence version 2 or later
12	>
13	> Executable anonymous mapping : Killed
14	> Executable bss : Killed
15	> Executable data : Killed
16	> Executable heap : Killed
17	> Executable stack : Killed
18	> Executable anonymous mapping (mprotect) : Killed
19	> Executable bss (mprotect) : Killed
20	> Executable data (mprotect) : Killed
21	> Executable heap (mprotect) : Killed
22	> Executable shared library bss (mprotect) : Killed
23	> Executable shared library data (mprotect): Killed
24	> Executable stack (mprotect) : Killed
25	> Anonymous mapping randomisation test : 16 bits (guessed)
26	> Heap randomisation test (ET_EXEC) : 25 bits (guessed)
27	> Heap randomisation test (ET_DYN) : 25 bits (guessed)
28	> Main executable randomisation (ET_EXEC) : 17 bits (guessed)
29	> Main executable randomisation (ET_DYN) : 17 bits (guessed)
30	> Shared library randomisation test : 16 bits (guessed)
31	> Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
32	> Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
33	> Return to function (strcpy) : Vulnerable
34	> Return to function (strcpy, RANDEXEC) : Vulnerable
35	> Return to function (memcpy) : Vulnerable
36	> Return to function (memcpy, RANDEXEC) : Vulnerable
37	> Executable shared library bss : Killed
38	> Executable shared library data : Killed
39	> Writable text segments : Killed
40	> ... END CUT ...
41
42
43	> 1.Could something be done about this 4 'Vuln.' left?
44	No thats expected. The goal of paxtest was not to show you how safe you
45	were but infact how vuln you are. So.. If you notice in the Makefile it
46	explicitly disables -fstack-protector which covers 2 of the remaining 4
47	areas which exploitation can happen via. Seeing that it's vuln should
48	prove the point why you want/need
49	-fstack-protector/-fstack-protector-all which is handled automatically
50	with USE=hardened =sys-devel/gcc-3.3.3-r6
51
52
53	> PS: can't use ACL for now as i'm on reiserfs3, so no easy acl support still. Am i wrong?
54	From reading below it looks like your going to be using grsec. grsec is
55	file system independent.
56
57	> 2.Also managed to get xorg-X11-6.7.0-r1 to work using these settings,
58	> compiled it with USE="static -hardened" so no modules loading (thanks
59	> to forums.grsecurity.net). But can't get it to work with the
60	> binary-nvidia driver 'nvidia' works only with 2-D 'nv' driver, but for
61	> now it's enough for me. Nvidia-kernel module is loaded, so maybe it's
62	> something to do with loading kernel-glx module and xorg-x11
63	> being'static'. Suggestions?
64	No easy work around here if your trying to use 3rd party modules.
65
66	> 3.Problems with paxtest-0.9.6 (still not in portage). Took it from adamantix.org project page. Can't compile it some error there:
67	sigh yeah.... I've sent Peter Busser patches for this a number of times
68	but for whatever reason he is busy working on other stuff.. The solution
69	is easy enough if I recall. add -lpthread to the LDFLAGS in the Makefile
70
71
72	> ..BEGIN CUT...
73	> make gentoo
74	> make -f Makefile.Gentoo
75	> make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6'
76	> gcc -specs=dumpspecs -o anonmap body.o anonmap.o
77	> body.o(.text+0x131): In function `main':
78	> : undefined reference to `pthread_create'
79	> body.o(.text+0x14a): In function `main':
80	> : undefined reference to `pthread_kill'
81	> collect2: ld returned 1 exit status
82	> make[1]: *** [anonmap] Error 1
83	> make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6'
84	> make: *** [gentoo] Error 2
85	> ...END CUT...
86
87	> i'm compiling with grsec turned ON and GCC-3.3.3-r6 (hardened i think).
88	> paxtest-0.9.5 compiles OK.
89	> TIA.
90	> Rumen
91	--
92	Ned Ludd <solar@g.o>
93	Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer