| 1 |
First a great Thanks, |
| 2 |
|
| 3 |
On 17 Jun 2004 09:58:09 -0400 |
| 4 |
Ned Ludd <solar@g.o> wrote: |
| 5 |
|
| 6 |
> On Thu, 2004-06-17 at 00:54, Rumen Yotov wrote: |
| 7 |
> > Hi all, |
| 8 |
> > Tried to push grsec&PaX settings to the limits. Used quite all settings from quickstart-guide and got this with paxtest-0.9.5: |
| 9 |
> > ...BEGIN CUT ... |
| 10 |
> > PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org> |
| 11 |
> > Released under the GNU Public Licence version 2 or later |
| 12 |
> > |
| 13 |
> > It may take a while for the tests to complete |
| 14 |
> > Test results: |
| 15 |
> > PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org> |
| 16 |
> > Released under the GNU Public Licence version 2 or later |
| 17 |
> > |
| 18 |
> > Executable anonymous mapping : Killed |
| 19 |
> > Executable bss : Killed |
| 20 |
> > Executable data : Killed |
| 21 |
> > Executable heap : Killed |
| 22 |
> > Executable stack : Killed |
| 23 |
> > Executable anonymous mapping (mprotect) : Killed |
| 24 |
> > Executable bss (mprotect) : Killed |
| 25 |
> > Executable data (mprotect) : Killed |
| 26 |
> > Executable heap (mprotect) : Killed |
| 27 |
> > Executable shared library bss (mprotect) : Killed |
| 28 |
> > Executable shared library data (mprotect): Killed |
| 29 |
> > Executable stack (mprotect) : Killed |
| 30 |
> > Anonymous mapping randomisation test : 16 bits (guessed) |
| 31 |
> > Heap randomisation test (ET_EXEC) : 25 bits (guessed) |
| 32 |
> > Heap randomisation test (ET_DYN) : 25 bits (guessed) |
| 33 |
> > Main executable randomisation (ET_EXEC) : 17 bits (guessed) |
| 34 |
> > Main executable randomisation (ET_DYN) : 17 bits (guessed) |
| 35 |
> > Shared library randomisation test : 16 bits (guessed) |
| 36 |
> > Stack randomisation test (SEGMEXEC) : 23 bits (guessed) |
| 37 |
> > Stack randomisation test (PAGEEXEC) : 23 bits (guessed) |
| 38 |
> > Return to function (strcpy) : Vulnerable |
| 39 |
> > Return to function (strcpy, RANDEXEC) : Vulnerable |
| 40 |
> > Return to function (memcpy) : Vulnerable |
| 41 |
> > Return to function (memcpy, RANDEXEC) : Vulnerable |
| 42 |
> > Executable shared library bss : Killed |
| 43 |
> > Executable shared library data : Killed |
| 44 |
> > Writable text segments : Killed |
| 45 |
> > ... END CUT ... |
| 46 |
> |
| 47 |
> |
| 48 |
> > 1.Could something be done about this 4 'Vuln.' left? |
| 49 |
> No thats expected. The goal of paxtest was not to show you how safe you |
| 50 |
> were but infact how vuln you are. So.. If you notice in the Makefile it |
| 51 |
> explicitly disables -fstack-protector which covers 2 of the remaining 4 |
| 52 |
> areas which exploitation can happen via. Seeing that it's vuln should |
| 53 |
> prove the point why you want/need |
| 54 |
> -fstack-protector/-fstack-protector-all which is handled automatically |
| 55 |
> with USE=hardened =sys-devel/gcc-3.3.3-r6 |
| 56 |
> |
| 57 |
OK. Done that.But which two, i think: Return to function (strcpy) & Return to function (memcpy), the other two must be handled by PaX RANDEXEC feature? |
| 58 |
> |
| 59 |
> > PS: can't use ACL for now as i'm on reiserfs3, so no easy acl support still. Am i wrong? |
| 60 |
> From reading below it looks like your going to be using grsec. grsec is |
| 61 |
> file system independent. |
| 62 |
> |
| 63 |
Risking being very wrong i know that ACL is a framework over regular filesystem in order to provide stricter control through new extended file attr. and as a result new way top control permissions on files. A week or two ago checked and acl was supported only on ext3 and xfs, reiserfs3 required some patches. So when using gradm2 i think it works with acl to provide additional security, but none on reiserfs3 as it doesn't have extended attributes (ACL). Opinions? |
| 64 |
Beside grsec i'm also planning on installing RSBAC-unabled kernel, but thats later. Had adamantix-1.0.3 installed on another partition but now think i'll move it to Gentoo. |
| 65 |
TIA. |
| 66 |
> > 2.Also managed to get xorg-X11-6.7.0-r1 to work using these settings, |
| 67 |
> > compiled it with USE="static -hardened" so no modules loading (thanks |
| 68 |
> > to forums.grsecurity.net). But can't get it to work with the |
| 69 |
> > binary-nvidia driver 'nvidia' works only with 2-D 'nv' driver, but for |
| 70 |
> > now it's enough for me. Nvidia-kernel module is loaded, so maybe it's |
| 71 |
> > something to do with loading kernel-glx module and xorg-x11 |
| 72 |
> > being'static'. Suggestions? |
| 73 |
> No easy work around here if your trying to use 3rd party modules. |
| 74 |
> |
| 75 |
So no surprise here. |
| 76 |
> > 3.Problems with paxtest-0.9.6 (still not in portage). Took it from adamantix.org project page. Can't compile it some error there: |
| 77 |
> sigh yeah.... I've sent Peter Busser patches for this a number of times |
| 78 |
> but for whatever reason he is busy working on other stuff.. The solution |
| 79 |
> is easy enough if I recall. add -lpthread to the LDFLAGS in the Makefile |
| 80 |
> |
| 81 |
> |
| 82 |
Thanks again, i'll try it. |
| 83 |
> > ..BEGIN CUT... |
| 84 |
> > make gentoo |
| 85 |
> > make -f Makefile.Gentoo |
| 86 |
> > make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6' |
| 87 |
> > gcc -specs=dumpspecs -o anonmap body.o anonmap.o |
| 88 |
> > body.o(.text+0x131): In function `main': |
| 89 |
> > : undefined reference to `pthread_create' |
| 90 |
> > body.o(.text+0x14a): In function `main': |
| 91 |
> > : undefined reference to `pthread_kill' |
| 92 |
> > collect2: ld returned 1 exit status |
| 93 |
> > make[1]: *** [anonmap] Error 1 |
| 94 |
> > make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6' |
| 95 |
> > make: *** [gentoo] Error 2 |
| 96 |
> > ...END CUT... |
| 97 |
> |
| 98 |
> > i'm compiling with grsec turned ON and GCC-3.3.3-r6 (hardened i think). |
| 99 |
> > paxtest-0.9.5 compiles OK. |
| 100 |
> > TIA. |
| 101 |
> > Rumen |
| 102 |
> -- |
| 103 |
> Ned Ludd <solar@g.o> |
| 104 |
> Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
| 105 |
> |
| 106 |
Rumen. |
Archives