
Grsecurity - Theoretical and Practical Application


Enhanced Linux System Security


  1. G. Geshev
     Open Fest 2010, 20 - 21 November, Sofia, Bulgaria
     GRSECURITY/PAX: Theoretical & Practical Application
  2. About GRSECURITY (Greater Security)
     ▪ Back in the days.. 2000/2001
     ▪ Port of the Owl project to Linux 2.4.1
     ▪ Set of Kernel Patches Enhancing System Security
     ▪ Memory Corruption Bugs Exploitation Mitigation,
     ▪ Role-Based Access Control System,
     ▪ Filesystem Security Enhancements,
     ▪ Enhanced chroot(),
     ▪ Kernel Auditing, etc.
  3. Components (most of ‘em)
     ▪ PaX (NX not to be confused with W^X (OBSD), ASLR),
     ▪ paxctl (user-space PaX flags control utility)
     ▪ pspax, scanelf, dumpelf (pax-utils)
     ▪ paxtest (buffer overflow protection test suite)
     ▪ Role-Based Access Control (RBAC) System,
     ▪ gradm (RBAC Administration Console)
     ▪ Enhanced chroot(),
     ▪ Miscellaneous Features (Improved Filesystem Security), etc
  4. Involvement
     ▪ The PaX Developers – pageexec@freemail.hu
     ▪ Brad Spengler (not Brad Spender) - spender@grsecurity.net
     ▪ Zbyniu Krzystolik
     ▪ Michael Dalton
  5. Detection
     ▪ Enhanced Kernel Auditing (GRKERNSEC_AUDIT_GROUP, GRKERNSEC_AUDIT_GID)
     ▪ Exec logging (GRKERNSEC_EXECLOG)
     ▪ Resource logging (GRKERNSEC_RESLOG, GRKERNSEC_FORKFAIL)
     ▪ Log execs within chroot (GRKERNSEC_CHROOT_EXECLOG)
     ▪ Ptrace logging (GRKERNSEC_AUDIT_PTRACE)
     ▪ Chdir logging (GRKERNSEC_AUDIT_CHDIR)
  6. Detection (cont.)
     ▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT)
     ▪ Signal logging (GRKERNSEC_SIGNAL)
     ▪ Fork failure logging (GRKERNSEC_FORKFAIL)
     ▪ Time change logging (GRKERNSEC_TIME)
     ▪ /proc/<pid>/ipaddr support (GRKERNSEC_PROC_IPADDR)
     ▪ Denied RWX mmap/mprotect logging (GRKERNSEC_RWXMAP_LOG)
  7. Detection (cont.)
     ▪ ELF text relocations logging (GRKERNSEC_AUDIT_TEXTREL)
     ▪ Logging Options -
       ▪ Seconds in between log messages (min) (GRKERNSEC_FLOODTIME)
       ▪ Number of messages in a burst (max) (GRKERNSEC_FLOODBURST)
  8. Prevention
     ▪ Executable Protections –
       ▪ Deter ptrace-based process snooping (GRKERNSEC_HARDEN_PTRACE)
       ▪ Trusted Path Execution (GRKERNSEC_TPE, GRKERNSEC_TPE_ALL, GRKERNSEC_TPE_GID, GRKERNSEC_TPE_INVERT)
  9. Prevention (cont.)
     ▪ Network Protections –
       ▪ Larger entropy pools (GRKERNSEC_RANDNET)
       ▪ TCP/UDP blackhole (GRKERNSEC_BLACKHOLE)
       ▪ Socket restrictions (GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL, GRKERNSEC_SOCKET_ALL_GID, GRKERNSEC_SOCKET_CLIENT, GRKERNSEC_SOCKET_CLIENT_GID, GRKERNSEC_SOCKET_SERVER, GRKERNSEC_SOCKET_SERVER_GID)
  10. Prevention (cont.)
      ▪ Address Space Protection -
        ▪ Remove addresses from /proc/<pid>/[smaps|maps|stat] (GRKERNSEC_PROC_MEMMAP)
        ▪ Deny writing to /dev/kmem, /dev/mem, and /dev/port (GRKERNSEC_KMEM)
        ▪ Deter exploit bruteforcing (GRKERNSEC_BRUTE)
        ▪ Harden module auto-loading (GRKERNSEC_MODHARDEN)
        ▪ Hide kernel symbols (GRKERNSEC_HIDESYM)
        ▪ Hide kernel processes (GRKERNSEC_ACL_HIDEKERN)
  11. Prevention (cont.)
      ▪ Maximum tries before password lockout (GRKERNSEC_ACL_MAXTRIES, GRKERNSEC_ACL_TIMEOUT)
      ▪ Filesystem Protections -
        ▪ Proc restrictions (GRKERNSEC_PROC, GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP, GRKERNSEC_PROC_ADD)
        ▪ Linking restrictions (GRKERNSEC_LINK)
        ▪ FIFO restrictions (GRKERNSEC_FIFO)
        ▪ Runtime read-only mount protection (GRKERNSEC_ROFS)
  12. Prevention (cont.)
      ▪ Chroot jail restrictions - (GRKERNSEC_CHROOT, GRKERNSEC_CHROOT_MOUNT, GRKERNSEC_CHROOT_DOUBLE, GRKERNSEC_CHROOT_PIVOT, GRKERNSEC_CHROOT_CHDIR, GRKERNSEC_CHROOT_CHMOD, GRKERNSEC_CHROOT_FCHDIR, GRKERNSEC_CHROOT_MKNOD, GRKERNSEC_CHROOT_SYSCTL)
  13. Prevention (cont.)
      Address Space Modification Protection
      ▪ NOEXEC (least privilege enforcement)
      ▪ PAGEEXEC, SEGMEXEC
      ▪ MPROTECT
      ▪ KERNEXEC
      ▪ Address Space Layout Randomization
      ▪ RANDUSTACK (delta_stack)
      ▪ RANDEXEC (delta_exec)
      ▪ RANDMMAP (delta_mmap)
      ▪ RANDKSTACK
  14. ▪ PAX_PAGEEXEC Paging based non-executable pages
      ▪ NX bit support - alpha, ppc, parisc, sparc, sparc64, amd64, ia64
      ▪ PAX_SEGMEXEC Segmentation based non-executable pages
      ▪ Duplicating every executable page in the lower half of the address space into the upper half.
      ▪ Code Segment
      ▪ Data Segment
  15. Address Space Layout Randomization
      ▪ User space stack delta_stack (24 bits)
      ▪ Kernel space stack delta_exec (24 bits)
      ▪ Mmap-managed heap delta_mmap (16 bits)
      ▪ Executable image (16 bits)
      ▪ Brk-managed heap (12 bits)
      ▪ Library images
  17. apropos(); Questions?
  18. exit(); Thank you for attending this lecture. Feedback – mailto: root@fsck-labs.exploits-bg.com
