Enhanced Linux System Security

1. G. Geshev
Open Fest 2010
20 - 21 November
Sofia, Bulgaria
GRSECURITY/PAX
Theoretical & Practical Application

2. About GRSECURITY (Greater Security)
▪ Back in the days.. 2000/2001
▪ Port of the Owl project to Linux 2.4.1
▪ Set of Kernel Patches Enhancing System Security
▪ Memory Corruption Bugs Exploitation Mitigation,
▪ Role-Based Access Control System,
▪ Filesystem Security Enhancements,
▪ Enhanced chroot(),
▪ Kernel Auditing, etc.

3. Components (most of ‘em)
▪ PaX (NX not to be confused with W^X (OBSD), ASLR),
▪ paxctl (user-space PaX flags control utility)
▪ pspax, scanelf, dumpelf (pax-utils)
▪ paxtest (buffer overflow protection test suite)
▪ Role-Based Access Control (RBAC) System,
▪ gradm (RBAC Administration Console)
▪ Enhanced chroot(),
▪ Miscellaneous Features (Improved Filesystem Security), etc

4. I n v o l v e m e n t
▪ The PaX Developers –
pageexec@freemail.hu
▪ Brad Spengler (not Brad Spender) -
spender@grsecurity.net
▪ Zbyniu Krzystolik
▪ Michael Dalton

5. Detection
▪ Enhanced Kernel Auditing
(GRKERNSEC_AUDIT_GROUP, GRKERNSEC_AUDIT_GID)
▪ Exec logging (GRKERNSEC_EXECLOG)
▪ Resource logging
(GRKERNSEC_RESLOG, GRKERNSEC_FORKFAIL)
▪ Log execs within chroot (GRKERNSEC_CHROOT_EXECLOG)
▪ Ptrace logging (GRKERNSEC_AUDIT_PTRACE)
▪ Chdir logging (GRKERNSEC_AUDIT_CHDIR)

6. Detection (cont.)
▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT)
▪ Signal logging (GRKERNSEC_SIGNAL)
▪ Fork failure logging (GRKERNSEC_FORKFAIL)
▪ Time change logging (GRKERNSEC_TIME)
▪ /proc/<pid>/ipaddr support
(GRKERNSEC_PROC_IPADDR)
▪ Denied RWX mmap/mprotect logging
(GRKERNSEC_RWXMAP_LOG)

7. Detection (cont.)
▪ ELF text relocations logging (GRKERNSEC_AUDIT_TEXTREL)
▪ Logging Options -
▪ Seconds in between log messages (min)
(GRKERNSEC_FLOODTIME)
▪ Number of messages in a burst (max)
(GRKERNSEC_FLOODBURST)

8. Prevention
▪ Executable Protections –
▪ Deter ptrace-based process snooping
(GRKERNSEC_HARDEN_PTRACE)
▪ Trusted Path Execution
(GRKERNSEC_TPE, GRKERNSEC_TPE_ALL,
GRKERNSEC_TPE_GID, GRKERNSEC_TPE_INVERT)

9. Prevention (cont.)
▪ Network Protections –
▪ Larger entropy pools (GRKERNSEC_RANDNET)
▪ TCP/UDP blackhole (GRKERNSEC_BLACKHOLE)
▪ Socket restrictions
(GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL,
GRKERNSEC_SOCKET_ALL_GID, GRKERNSEC_SOCKET_CLIENT,
GRKERNSEC_SOCKET_CLIENT_GID,
GRKERNSEC_SOCKET_SERVER,
GRKERNSEC_SOCKET_SERVER_GID)

10. Prevention (cont.)
▪ Address Space Protection -
▪ Remove addresses from /proc/<pid>/[smaps|maps|stat]
(GRKERNSEC_PROC_MEMMAP)
▪ Deny writing to /dev/kmem, /dev/mem, and /dev/port
(GRKERNSEC_KMEM)
▪ Deter exploit bruteforcing (GRKERNSEC_BRUTE)
▪ Harden module auto-loading (GRKERNSEC_MODHARDEN)
▪ Hide kernel symbols (GRKERNSEC_HIDESYM)
▪ Hide kernel processes (GRKERNSEC_ACL_HIDEKERN)

11. Prevention (cont.)
▪ Maximum tries before password lockout
(GRKERNSEC_ACL_MAXTRIES,GRKERNSEC_ACL_TIMEOUT)
▪ Filesystem Protections -
▪ Proc restrictions (GRKERNSEC_PROC,
GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP,
GRKERNSEC_PROC_ADD)
▪ Linking restrictions (GRKERNSEC_LINK)
▪ FIFO restrictions (GRKERNSEC_FIFO)
▪ Runtime read-only mount protection (GRKERNSEC_ROFS)
▪

12. Prevention (cont.)
▪ Chroot jail restrictions -
(GRKERNSEC_CHROOT, GRKERNSEC_CHROOT_MOUNT,
GRKERNSEC_CHROOT_DOUBLE, GRKERNSEC_CHROOT_PIVOT,
GRKERNSEC_CHROOT_CHDIR, GRKERNSEC_CHROOT_CHMOD,
GRKERNSEC_CHROOT_FCHDIR, GRKERNSEC_CHROOT_MKNOD,
GRKERNSEC_CHROOT_SYSCTL)
▪

13. Prevention (cont.)
Address Space Modification Protection
▪ NOEXEC (least privilege enforcement)
▪ PAGEEXEC, SEGMEXEC
▪ MPROTECT
▪ KERNEXEC
▪ Address Space Layout Randomization
▪ RANDUSTACK (delta_stack)
▪ RANDEXEC (delta_exec)
▪ RANDMMAP (delta_mmap)
▪ RANDKSTACK

14. ▪ PAX_PAGEEXEC Paging based non-executable pages
▪ NX bit support - alpha, ppc, parisc, sparc, sparc64, amd64, ia64
▪ PAX_SEGMEXEC Segmentation based non-executable pages
▪ Duplicating every executable page in the lower half of the
address space into the upper half.
▪ Code Segment
▪ Data Segment

15. Address Space Layout Randomization
▪ User space stack delta_stack (24 bits)
▪ Kernel space stack delta_exec (24 bits)
▪ Mmap-managed heap delta_mmap (16 bits)
▪ Executable image (16 bits)
▪ Brk-managed heap (12 bits)
▪ Library images

16. Refs
http://www.phrack.org/issues.html?issue=66&id=2#article
http://www.phrack.org/issues.html?issue=52&id=6#article
http://www.grsecurity.net/~spender/
http://pax.grsecurity.net/
http://www.gentoo.org/proj/en/hardened/
https://xorl.wordpress.com/category/grsecurity/

17. apropos();
Questions?

18. exit();
Thank you for attending this lecture.
Feedback –
mailto: root@fsck-labs.exploits-bg.com