Grsecurity - Theoretical and Practical Application
1. G. Geshev
Open Fest 2010
20 - 21 November
Sofia, Bulgaria
GRSECURITY/PAX
Theoretical & Practical Application
2. About GRSECURITY (Greater Security)
▪ Back in the day, 2000/2001
▪ Port of the Owl project to Linux 2.4.1
▪ Set of Kernel Patches Enhancing System Security
▪ Memory Corruption Bugs Exploitation Mitigation,
▪ Role-Based Access Control System,
▪ Filesystem Security Enhancements,
▪ Enhanced chroot(),
▪ Kernel Auditing, etc.
3. Components (most of ‘em)
▪ PaX (NX not to be confused with W^X (OBSD), ASLR),
▪ paxctl (user-space PaX flags control utility)
▪ pspax, scanelf, dumpelf (pax-utils)
▪ paxtest (buffer overflow protection test suite)
▪ Role-Based Access Control (RBAC) System,
▪ gradm (RBAC Administration Console)
▪ Enhanced chroot(),
▪ Miscellaneous Features (Improved Filesystem Security), etc
4. Involvement
▪ The PaX Developers – pageexec@freemail.hu
▪ Brad Spengler (not Brad Spender) - spender@grsecurity.net
▪ Zbyniu Krzystolik
▪ Michael Dalton
6. Detection (cont.)
▪ Mount / Umount logging (GRKERNSEC_AUDIT_MOUNT)
▪ Signal logging (GRKERNSEC_SIGNAL)
▪ Fork failure logging (GRKERNSEC_FORKFAIL)
▪ Time change logging (GRKERNSEC_TIME)
▪ /proc/<pid>/ipaddr support (GRKERNSEC_PROC_IPADDR)
▪ Denied RWX mmap/mprotect logging (GRKERNSEC_RWXMAP_LOG)
7. Detection (cont.)
▪ ELF text relocations logging (GRKERNSEC_AUDIT_TEXTREL)
▪ Logging Options -
▪ Minimum number of seconds between log messages (GRKERNSEC_FLOODTIME)
▪ Maximum number of messages in a burst (GRKERNSEC_FLOODBURST)
14. ▪ PAX_PAGEEXEC - Paging-based non-executable pages
▪ NX bit support - alpha, ppc, parisc, sparc, sparc64, amd64, ia64
▪ PAX_SEGMEXEC - Segmentation-based non-executable pages
▪ Duplicates every executable page in the lower half of the address space into the upper half.
▪ Code Segment
▪ Data Segment
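paxctl (slide 3) records per-binary PaX settings such as PAGEEXEC, SEGMEXEC and MPROTECT in a PT_PAX_FLAGS program header. The following reader is an added example, not code from the slides or from paxctl/pax-utils; the PT_PAX_FLAGS type value and the flag bits are taken from my own knowledge of paxctl, the ELF64 layout assumed is little-endian only, and the sample binary is constructed here (a bare header, not loadable).

```python
import struct

# PT_PAX_FLAGS program header type and flag bits as used by PaX/paxctl
# (assumption: values from my knowledge of paxctl, not from the slides).
PT_PAX_FLAGS = 0x65041580
# (enable bit, disable bit, paxctl letter); uppercase = forced on, lowercase = forced off
PAX_FLAG_BITS = [
    (1 << 4, 1 << 5, "P"),     # PAGEEXEC: paging-based non-executable pages
    (1 << 6, 1 << 7, "S"),     # SEGMEXEC: segmentation-based non-executable pages
    (1 << 8, 1 << 9, "M"),     # MPROTECT: forbid creating writable+executable mappings
    (1 << 10, 1 << 11, "X"),   # RANDEXEC: randomize the executable image base
    (1 << 12, 1 << 13, "E"),   # EMUTRAMP: emulate trampolines instead of needing RWX
    (1 << 14, 1 << 15, "R"),   # RANDMMAP: randomize the mmap() base (ASLR)
]

EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian
PHDR64 = struct.Struct("<IIQQQQQQ")           # ELF64 program header


def read_pax_flags(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the binary carries none."""
    ident, _, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = EHDR64.unpack_from(elf)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    for i in range(phnum):
        p_type, p_flags = PHDR64.unpack_from(elf, phoff + i * phentsize)[:2]
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def describe_pax_flags(flags: int) -> str:
    """Render flags paxctl-style ('-' = kernel default); reject contradictory on+off bits."""
    out = []
    for on, off, letter in PAX_FLAG_BITS:
        if flags & on and flags & off:
            raise ValueError(f"flag {letter} is both enabled and disabled")
        out.append(letter if flags & on else letter.lower() if flags & off else "-")
    return "".join(out)


def make_marked_elf(flags: int) -> bytes:
    """Constructed sample: a bare ELF64 header plus one PT_PAX_FLAGS header (not loadable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, little-endian, version 1
    ehdr = EHDR64.pack(ident, 2, 62, 1, 0, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, 1, 0, 0, 0)
    return ehdr + PHDR64.pack(PT_PAX_FLAGS, flags, 0, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    sample = make_marked_elf((1 << 5) | (1 << 9))      # PAGEEXEC and MPROTECT forced off
    print(describe_pax_flags(read_pax_flags(sample)))  # prints "p-m---"
```

A binary whose marking reads "p-m---" has opted out of the two protections this slide describes, which is exactly what an auditor scanning a system for weakened executables wants to spot.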
15. Address Space Layout Randomization
▪ User space stack delta_stack (24 bits)
▪ Kernel space stack delta_exec (24 bits)
▪ Mmap-managed heap delta_mmap (16 bits)
▪ Executable image (16 bits)
▪ Brk-managed heap (12 bits)
▪ Library images