grsecurity forums

by **fixinko** » Wed Jun 13, 2007 8:39 am

Hello,
I'm using grsecurity&pax on gentoo (arch amd64) running on 2.6.21-hardened-r3. And ran paxtest blackhat. The results was:

phoenix ~ # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux phoenix 2.6.21-hardened-r3 #1 SMP Wed Jun 13 09:34:07 CEST 2007 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed

And this is mine configuration of grsec&pax in linux kernel:

CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set

What can I do, if I want to randomize ET_DYN, SEGMEXEC, and kill the memcpy (RANDEXEC) vulnerability.

by **zakalwe** » Wed Jun 13, 2007 9:52 am

You need to be running gentoo hardened profile. That will give you PIE (ET_DYN) userspace, and SSP by using the hardened gcc toolchain.

http://www.gentoo.org/proj/en/hardened/primer.xml

by **fixinko** » Wed Jun 13, 2007 9:58 am

zakalwe: i'm running on the hardened profile:

phoenix ~ # emerge --info
Portage 2.1.2.7 (hardened/amd64, gcc-4.1.1, glibc-2.5-r3, 2.6.21-hardened-r3 x86_64)
=================================================================
System uname: 2.6.21-hardened-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 13 Jun 2007 05:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.21

by **PaX Team** » Sun Jun 17, 2007 5:50 am

fixinko wrote:Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation

paxtest is really i386-only, it happens to mostly work on other archs by chance. in this case, PIE is not used on amd64 (if you execute getheap2 and getmain2 by hand, you'll see them say so themselves).

Stack randomisation test (SEGMEXEC) : No randomisation

again, SEGMEXEC is a i386 specific feature, you don't need to worry about it on other archs.

Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable

http://forums.grsecurity.net/viewtopic.php?p=5558

# CONFIG_PAX_NOELFRELOCS is not set

any reason you disabled this? the amd64 ABI forbids textrels, so you should really not have a problem with this feature.

by **Dwokfur** » Tue Jun 26, 2007 11:29 pm

There are different flavors of Hardened Gentoo. SELinux folks tend to miss the importance of pie-ssp toolchain, that's why there are hardened profiles out there without it. Although glibc-2.5 has benn stabilized recently, gcc-4.x is still not stable for pie-ssp profiles, so you are probably using one without pie-ssp. You should go for pie-ssp hardened toolchain to get the most out of your system (from the security point of view). That means switching to an older hardened profile. It's not straightforward to downgrade gcc.

Dw.

fixinko wrote:zakalwe: i'm running on the hardened profile:
phoenix ~ # emerge --info
Portage 2.1.2.7 (hardened/amd64, gcc-4.1.1, glibc-2.5-r3, 2.6.21-hardened-r3 x86_64)
=================================================================
System uname: 2.6.21-hardened-r3 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 13 Jun 2007 05:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.21

grsecurity forums

paxtest on 2.6.21-hardened-r3 x86_64

paxtest on 2.6.21-hardened-r3 x86_64

Re: paxtest on 2.6.21-hardened-r3 x86_64