grsecurity in kernel? (PaX: The Guaranteed End of Arbitrary Code Execution)
glenn.mh.dk at gmail.com
Wed Dec 29 23:59:54 CET 2010
At 23:38 +0100 29/12/10, Vinzenz Hersche wrote:
>Glenn, I like to try this for a kernel.. it should need just be a patched
>kernel (so need to recompile) and a loaded kernel or what do you think?
>I don't know so much about cross-compile, but I like to learn it.. if also
>someone else like to join the try or so, you're welcome :)
>Timo wrote on Wednesday 29 December 2010:
PaX: The Guaranteed End of Arbitrary Code Execution:
This guide will lead you through the process of downloading,
configuring, installing, and maintaining grsecurity.
* You should be able to protect any third-party software you have
installed, not only the software that is provided by your distribution
For a complete list of grsecurity's features, please visit
http://www.grsecurity.net/features.php . Grsecurity includes several
* Buffer overflow exploitation prevention from the PaX project
* Role-Based Access Control (RBAC)
* Randomization of Process IDs and in the TCP/IP stack
* Restricted viewing of processes
* Change root (chroot) hardening
* /tmp race vulnerability protection
Address Space Protection
This section allows you to specify flood rate and burst rate settings
for all logs produced by grsecurity. Configure this section as follows:
* Seconds in between log messages (minimum) 10
* Number of messages in a burst (maximum) 4
Since the general strategy of grsecurity is "detection, prevention,
and containment," the RBAC system is key to the containment
component. Grsecurity's RBAC system allows you to grant only the
privileges necessary for a process or user to accomplish their tasks.
Unlike other systems, grsecurity's RBAC system provides a functional,
human-readable, centralized configuration file, and does not require
much manual configuration.
Full-system learning will generate a least privilege policy for your
entire system that anticipates normalized usage. In other words, it
is not necessary to run the learning mode for weeks and use every
single utility on your system several times in every possible
combination. The learning mode will anticipate this usage while still
enforcing a secure policy. Through graph and heuristic analysis, a
secure policy is generated.
Though grsecurity's design goal is to require little maintenance
after installation, you should know a few things about maintaining
your grsecurity-enabled system.
Monitoring Log Files
It is important to monitor your log files to look for intrusion
attempts. A log from PaX about an execution attempt in a network
service you are running signifies that an attacker was attempting to
exploit an unpatched vulnerability in the network service.
If you execute an application and see "Killed" immediately after and
a log on your system similar to:
PAX: execution attempt in: /usr/lib/tls/libGL.so.1.0.5336,
PAX: terminating task: /usr/bin/khelpcenter(khelpcenter):4143,
PC: 2266ef20, SP: 5b404d10
PAX: bytes at PC: b8 c8 ff ff ff e9 2b 73 fe ff b8 cc ff ff ff e9 31 73 fe ff
PAX: bytes at SP: 2264437a 20dc8c20 225b64f8 20dc8e58 5b404d54 5b404d54 20dbe0de 00000001 5b404da4 5b404dac 5b404d98 20db2f3b 5b404da0 20db3270 20dc8c20 00000013 20dc8e58 5b404d94 20dbe1ca
The binary is using code that is not written properly, and thus PaX
must be disabled on it.
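
A triage sketch for the PaX reports described under "Monitoring Log Files", added here as an example; it is not part of the original message or of the grsecurity guide. It parses only the fields visible in the excerpt above; `NETWORK_SERVICES`, the path `/usr/sbin/exampled` and the last sample line are assumptions constructed for illustration.

```python
import re

# Field layout follows the log excerpt quoted in the message above.
ATTEMPT = re.compile(r"PAX: execution attempt in: (?P<mapping>[^,]+),")
TASK = re.compile(
    r"PAX: terminating task: (?P<path>[^(]+)\((?P<comm>[^)]*)\):(?P<pid>\d+),")
REGS = re.compile(r"\bPC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

# Assumption: the operator lists the network-facing binaries on this host.
NETWORK_SERVICES = {"/usr/sbin/exampled"}  # hypothetical daemon path

# Constructed sample: three lines in the excerpt's layout, one byte dump,
# then an invented report whose "execution attempt" line is missing.
SAMPLE = """\
PAX: execution attempt in: /usr/lib/tls/libGL.so.1.0.5336,
PAX: terminating task: /usr/bin/khelpcenter(khelpcenter):4143,
PC: 2266ef20, SP: 5b404d10
PAX: bytes at PC: b8 c8 ff ff ff e9 2b 73 fe ff
PAX: terminating task: /usr/sbin/exampled(exampled):912, PC: 0804a010, SP: 5b1f0c40
""".splitlines()


def parse_pax_events(lines, network_services=NETWORK_SERVICES):
    """Group PaX log lines into one dict per killed task and triage it."""
    events, cur = [], None

    def flush():
        # Reports that never named a task are dropped; the rest are triaged:
        # a network service is investigated as an intrusion attempt, any
        # other program is queued for a review of the binary.
        if cur and "path" in cur:
            hit = cur["path"] in network_services
            cur["triage"] = "investigate" if hit else "review-binary"
            events.append(cur)

    for line in lines:
        if (m := ATTEMPT.search(line)):         # a new report starts here
            flush()
            cur = {"mapping": m["mapping"].strip()}
        if (m := TASK.search(line)):
            if cur is None or "path" in cur:    # attempt line was not logged
                flush()
                cur = {"mapping": None}
            cur.update(path=m["path"].strip(), comm=m["comm"], pid=int(m["pid"]))
        if (m := REGS.search(line)) and cur is not None:
            cur.update(pc=m["pc"], sp=m["sp"])
    flush()
    return events
```

The "bytes at PC" dump is deliberately not matched by `REGS`, so the register values always come from the report line itself.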