grsecurity forums

[john_anderson_ii]

Hello everyone,

anybody here who can send me johns xen patchset, i´ll put them on a permanent stable location. his links are dead since a few days

And. anyone tried to modify johns x64 patches for newer kernel versions, yet? (2.6.17/2.6.18)?

Thanks

Juergen

Sorry I've been out of the loop for a while.

Here are links to the patches.

Kernel source tree patch.
Xen -sparse tree


I'd pretty much dropped the subject of integrating grsec/PAX with Xen for the time being. I've got several production 2.6.16.13 Xen/grsec/PAX boxes up and running with great success, and I'm hoping that they will suffice until Xen goes mainstream and it becomes a grsec/PAX 'supported' architecture .

If I find the time I'll try to tinker with some of terran's work and see what we can come up with.

However, a more permanent place for these patches and any revisions/fixes would be greatly appreciated.

[shivajee_rs]

A more permanent place for johns xen patchset

Kernel source tree patch
Xen -sparse tree

Thanks for the great work....

[john_anderson_ii]

Deleted double post...

[john_anderson_ii]

Xen-3.1.0-testing (linux-2.6.18) is booting and running with grsecurity-2.1.9-2.6.18-200610021833.

I got the latest testing branch from xen booting and running with GRSecurity/PAX applied. Again, only in x86-64.

I am noticing something strange with PAX through:

In the Xen Dom0 paxtest results are:

Mode: blackhat
Linux xen-ecs1.ecsuite.com 2.6.18-xen-grsec #1 SMP Fri Sep 7 11:40:06 MST 2007 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed

And in the DomU the results are:

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux base-dev.ccbill.com 2.6.18-xen-grsec #2 SMP Fri Sep 7 12:43:47 MST 2007 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed

I'm running the same exact kernel image in both the Dom0 and the DomU so I don't understand the discrepancy. I will be compiling a DomU specific kernel for testing this.

Which part of PAX is responsible for ET_EXEC? Is it code placed throughout the kernel, or is it primarily in one area?

I just got this up, so I don't have distributable patches yet, but once I get this reproduced, I'll put together a patch set for it.

[bplant]

Hi John,

I've got xen 3.1 running on 2.6.18.8 with grsec also. I've been running this since about the week after xen 3.1 was released so it's been tested a while now. I'll look at uploading the patches somewhere this week.

I've also got a 2.6.20 kernel running, but I haven't tested this version as much. Not sure if I will keep using this one or just jump to 2.6.21. These other releases are based on fedora kernels: http://koji.fedoraproject.org/koji/packageinfo?packageID=1170

Cheers,

Brad

[john_anderson_ii]

Good god man! Why didn't you share?

Can you show me your paxtest output so I can compare?

Thanks!

[bplant]

Hi John,

Here is the paxtest output. First dom0:

Code: Select all

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (ET_DYN)   : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed


And domU:

Code: Select all

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (ET_DYN)   : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed


Paxtest version is: 0.9.7_pre4

Cheers,

Brad

[bplant]

Ok, finally got around to getting it up. You can find them at http://ayuda.com.au/pub

It applies against a Gentoo Linux Xen patch, but it should still work against anything else too. Just a note, the patch is x86_64 only!

Cheers,

Brad

[Kp]

In the Xen Dom0 paxtest results are:

Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation

And in the DomU the results are:

Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation

I'm running the same exact kernel image in both the Dom0 and the DomU so I don't understand the discrepancy. I will be compiling a DomU specific kernel for testing this.

You highlighted different results in the two quote blocks. Was that intentional? Ignoring the difference in which lines are bold, the results match between Dom0 and DomU.

[john_anderson_ii]

Yes, it was an error. I was trying to highlight the parts where No Randomization was the result. I'm pretty sure these areas should be randomized, so there is obviously something wrong the changes I made.

[bplant]

Hi,

I have rolled grsecurity-2.1.10-200704241759 which was originally based on 2.6.20.7 for 2.6.20.20 with xen. Note that this is based gentoo's xen-sources-2.6.20-r6.ebuild. My ebuild and patch can be found at http://ayuda.com.au/pub/. As before, this only works on x86_64.

The only change that I have noticed from the 2.1.9 version is that any subject that binds to a port, e.g. sshd, requires the CAP_NET_ADMIN option. However this capability allows many things (http://www.lids.org/lids-howto/node48.html) that sshd should not be able to do like modify the firewall. Currently I am denying CAP_NET_ADMIN to all services (as per my policy with 2.1.9) and they all seem to work correctly so I'm betting on a bug somewhere.

Cheers,

Brad

[jfreund]

Hi John and Brad,

thank you very much for you great efforts. I set up a Gentoo server using Brad's ebuild for the 2.6.20 and it worked immediately!
Should you need any further space for mirroring, please let me know (since this is something I could contribute).

Regards,
Jesco

[cormander]

Hey Guys,

I forward ported the grsecurity 2.1.9 patch linked from this thread to xen 3.2.0 on the linux-2.6.18.8 kernel from xen.org's mercurial repo that is kept very up to date:

http://download.ravencore.com/packages/ ... xen-grsec/

Pre-built RPMs for it:

http://download.ravencore.com/xen/kernel/x86_64/RPMS/

As stated before, still only works on 64bit. When I get it to work on 32bit or the latest 2.6.25 xen kernel to work with grsecurity/pax I'll post some more links.

[egosh]

hi
I would like to use grsecurity in xen's dom0 on gentoo (2.6.18-r12-kernel). Are there any actual patches of grsecurity for this kernel?

[quote="cormander"]
I forward ported the grsecurity 2.1.9 patch linked from this thread to xen 3.2.0 on the linux-2.6.18.8 kernel from xen.org's mercurial repo that is kept very up to date:
http://download.ravencore.com/packages/ ... xen-grsec/
[/quote]
i'd like to try it out, but the link does not work