PaX on xen domU: Executable stack (mprotect) Vulnerable

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby maxgorbachyov » Mon Dec 01, 2008 11:44 am

Hello.
I'm trying to get PaX working on a xen domU kernel..
I've got this:

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed

I'm disappointed with that "Executable stack (mprotect) : Vulnerable"..
I used 2.6.18 with xen patches and pax-linux-2.6.18.4-test17.patch. There were minor fixes in arch/x86_64 to build a PaX kernel for xen -- the changes made by pax-linux-2.6.18.4-test17.patch in arch/x86_64 were added to arch/x86_64/*-xen*. I guess that is not enough..

I tried both EI_PAX / chpax and PT_PAX_FLAGS / paxctl.
Some kernel config:
# zcat /proc/config.gz | grep PAX
CONFIG_RSBAC_PAX=y
# PAX Policy Options
# CONFIG_RSBAC_PAX_DEFAULT is not set
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set

Some ELF info:
# paxctl -v mprotstack
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: P-S-M-X-E-R- [mprotstack]
PAGEEXEC is enabled
SEGMEXEC is enabled
MPROTECT is enabled
RANDEXEC is enabled
EMUTRAMP is enabled
RANDMMAP is enabled

# chpax -v mprotstack

----[ chpax 0.7 : Current flags for mprotstack (PEMRXs) ]----

* Paging based PAGE_EXEC : enabled
* Trampolines : emulated
* mprotect() : restricted
* mmap() base : randomized
* ET_EXEC base : randomized
* Segmentation based PAGE_EXEC : disabled

I use paxtest-0.9.7-pre5.
Could you please suggest what I should pay attention to?
Last edited by maxgorbachyov on Tue Dec 02, 2008 5:40 am, edited 1 time in total.
maxgorbachyov
 
Posts: 4
Joined: Wed Nov 26, 2008 7:06 am
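As an added self-check (not code from the thread or from paxtest itself), the C program below re-creates the "Executable stack (mprotect)" measurement the poster is puzzled by: under PaX MPROTECT the mprotect() call must be refused, and a result of 0 here corresponds to paxtest's "Vulnerable" line. The function names and the /proc/self/maps parsing are my own assumptions.

```c
/* Added example, not from the thread: paxtest's "Executable stack (mprotect)"
 * check redone as a self-test. It reads the [stack] mapping's permissions from
 * /proc/self/maps, then asks mprotect() for PROT_EXEC on the page holding a
 * local buffer. PaX MPROTECT refuses; a stock kernel allows. Nothing is
 * written to or run from the stack. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Copies the [stack] line's permission field (e.g. "rw-p") into perms;
 * returns 0 on success, -1 if the line is missing. */
int stack_vma_perms(char *perms, size_t len)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512], p[8];
    int found = -1;
    if (!maps)
        return -1;
    while (fgets(line, sizeof line, maps))
        if (strstr(line, "[stack]") && sscanf(line, "%*s %7s", p) == 1) {
            snprintf(perms, len, "%s", p);
            found = 0;
            break;
        }
    fclose(maps);
    return found;
}
/* 1: kernel refused PROT_EXEC on the stack page (MPROTECT enforced; paxtest
 * prints "Killed"); 0: allowed ("Vulnerable"); -1: some other error. */
int stack_mprotect_restricted(void)
{
    volatile char buf[64];                       /* on this thread's stack */
    long pg = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)buf & ~(uintptr_t)(pg - 1));
    if (mprotect(page, pg, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
        mprotect(page, pg, PROT_READ | PROT_WRITE);   /* undo: back to RW */
        return 0;
    }
    return (errno == EPERM || errno == EACCES) ? 1 : -1;
}
int main(void)
{
    char perms[8] = "?";
    int r = stack_mprotect_restricted();
    stack_vma_perms(perms, sizeof perms);
    printf("[stack] %s; Executable stack (mprotect) : %s\n", perms,
           r == 1 ? "Killed" : r == 0 ? "Vulnerable" : "error");
    return r < 0;
}
```

On a kernel without PaX MPROTECT the program prints "Vulnerable", which is the expected baseline; a correctly patched domU kernel with MPROTECT flagged on the binary should print "Killed".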

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby cormander » Mon Dec 01, 2008 11:53 am

The recent kernels have native xen domU support via paravirt_ops, and PaX has started to play nice with it as well starting in the 2.6.27 series. I suggest you give that a try as you'll get more support for it.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby maxgorbachyov » Tue Dec 02, 2008 5:13 am

cormander wrote:
The recent kernels have native xen domU support via paravirt_ops, and PaX has started to play nice with it as well starting in the 2.6.27 series. I suggest you give that a try as you'll get more support for it.

It's a good idea, but for some reasons I have to use 2.6.18 now. Anyway, thank you for the reply.
maxgorbachyov
 
Posts: 4
Joined: Wed Nov 26, 2008 7:06 am

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby PaX Team » Tue Dec 02, 2008 8:12 pm

maxgorbachyov wrote:
I'm disappointed with that "Executable stack (mprotect) : Vulnerable"..

track down where the stack vma flags are set, it's probably an oversight in that version of PaX.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby maxgorbachyov » Wed Dec 03, 2008 6:10 am

PaX Team wrote:
maxgorbachyov wrote:
I'm disappointed with that "Executable stack (mprotect) : Vulnerable"..
track down where the stack vma flags are set, it's probably an oversight in that version of PaX.

That's what I have now:

Test results:
Mode: blackhat

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed

It was my oversight. I had to add PaX changes to include/asm-x86_64/mach-xen/

Well, it's better now, but still:
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
and I have no idea what else can be done.. Are there any suggestions?
maxgorbachyov
 
Posts: 4
Joined: Wed Nov 26, 2008 7:06 am

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby PaX Team » Wed Dec 03, 2008 12:26 pm

maxgorbachyov wrote:
Well, it's better now, but still:
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
and I have no idea what else can be done.. Are there any suggestions?

nothing on the PaX side as those tests are meant to fail, something you could have figured out if you had searched the forum or the list ;). as for suggestions, people normally use an ssp compiled userland to have a partial solution, but that's a non-trivial exercise, just ask the hardened gentoo folks. a much better solution would be generic function ptr dereference checking (google for control flow integrity, software fault isolation, etc) but i know of no open source implementations, <insert rant here about the effort wasted on ssp that could have already created this>. mine's been coming for too long, no idea when i'll get it done.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PaX on xen domU: Executable stack (mprotect) Vulnerable

Postby maxgorbachyov » Wed Dec 03, 2008 12:36 pm

PaX Team wrote:
nothing on the PaX side as those tests are meant to fail, something you could have figured out if you had searched the forum or the list ;). as for suggestions, people normally use an ssp compiled userland to have a partial solution, but that's a non-trivial exercise, just ask the hardened gentoo folks. a much better solution would be generic function ptr dereference checking (google for control flow integrity, software fault isolation, etc) but i know of no open source implementations, <insert rant here about the effort wasted on ssp that could have already created this>. mine's been coming for too long, no idea when i'll get it done.

Hmm, again my oversight.. :) Well, I've found the answer, but it was on the hardened gentoo wiki.
Thank you very much again :)
maxgorbachyov
 
Posts: 4
Joined: Wed Nov 26, 2008 7:06 am