grsecurity in kernel? (PaX: The Guaranteed End of Arbitrary Code Execution)

Glenn glenn.mh.dk at gmail.com
Wed Dec 29 23:59:54 CET 2010


At 23:38 +0100 29/12/10, Vinzenz Hersche wrote:
>Glenn, I like to try this for a kernel..  it should need just be a patched
>kernel (so need to recompile) and a loaded kernel or what do you think?
>I don't know so much about cross-compile, but I like to learn it.. if also
>someone else like to join the try or so, you're welcome :)
...
>-----------------------------------------------
>Timo wrote on Wednesday, 29 December 2010:
...

Found this:

http://grsecurity.net/papers.php

PaX: The Guaranteed End of Arbitrary Code Execution:
http://grsecurity.net/PaX-presentation_files/frame.htm

http://grsecurity.net/quickstart.pdf
Quote: "...
This guide will lead you through the process of downloading, 
configuring, installing, and maintaining grsecurity.
...
* You should be able to protect any third-party software you have 
installed, not only the software that is provided by your distribution
...
For a complete list of grsecurity's features, please visit 
http://www.grsecurity.net/features.php . Grsecurity includes several 
main features:
* Buffer overflow exploitation prevention from the PaX project
(http://pax.grsecurity.net)
* Role-Based Access Control (RBAC)
* Randomization of Process IDs and in the TCP/IP stack
* Restricted viewing of processes
* Change root (chroot) hardening
* /tmp race vulnerability protection
...
Address Space Protection
...
Logging options
This section allows you to specify flood rate and burst rate settings 
for all logs produced by grsecurity. Configure this section as follows:
* Seconds in between log messages (minimum)	10
* Number of messages in a burst (maximum)	4
...
RBAC Overview
Since the general strategy of grsecurity is "detection, prevention, 
and containment," the RBAC system is key to the containment 
component. Grsecurity's RBAC system allows you to grant only the 
privileges necessary for a process or user to accomplish their tasks. 
Unlike other systems, grsecurity's RBAC system provides a functional, 
human-readable, centralized configuration file, and does not require 
much manual configuration.
...
Full-System Learning
Full-system learning will generate a least privilege policy for your 
entire system that anticipates normalized usage. In other words, it 
is not necessary to run the learning mode for weeks and use every 
single utility on your system several times in every possible 
combination. The learning mode will anticipate this usage while still 
enforcing a secure policy. Through graph and heuristic analysis, a 
secure policy is generated.
...
Maintaining grsecurity
Though grsecurity's design goal is to require little maintenance 
after installation, you should know a few things about maintaining 
your grsecurity-enabled system.
Monitoring Log Files
It is important to monitor your log files to look for intrusion 
attempts. A log from PaX about an execution attempt in a network 
service you are running signifies that an attacker was attempting to 
exploit an unpatched vulnerability in the network service.
...
Troubleshooting
If you execute an application and see "Killed" immediately after and 
a log on your system similar to:
PAX: execution attempt in: /usr/lib/tls/libGL.so.1.0.5336, 22669000-22677000 0004b000
PAX: terminating task: /usr/bin/khelpcenter(khelpcenter):4143, uid/euid: 1001/1001, PC: 2266ef20, SP: 5b404d10
PAX: bytes at PC: b8 c8 ff ff ff e9 2b 73 fe ff b8 cc ff ff ff e9 31 73 fe ff
PAX: bytes at SP: 2264437a 20dc8c20 225b64f8 20dc8e58 5b404d54 5b404d54 20dbe0de 00000001 5b404da4 5b404dac 5b404d98 20db2f3b 5b404da0 20db3270 20dc8c20 00000013 20dc8e58 5b404d94 20dbe1ca 225b64f8
The binary is using code that is not written properly, and thus PaX 
must be disabled on it.
..."
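
The log monitoring recommended in the quoted guide, as an added example (not part of the original message or of the grsecurity guide): a Python parser that pairs each PaX "execution attempt" line with the "terminating task" line that follows it and reports whether the faulting PC lies inside the named mapping. The patterns are derived only from the sample log quoted above; the function and field names are assumptions of this example.

```python
import re

# Line formats follow the sample quoted above. Real syslog lines may carry a
# timestamp/host prefix, so the patterns are applied with search().
ATTEMPT = re.compile(
    r"PAX: execution attempt in: (?P<mapping>.+?), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<offset>[0-9a-f]+)")
TERMINATE = re.compile(
    r"PAX: terminating task: (?P<exe>.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def parse_pax_events(lines):
    """Return one dict per terminated task, joined with its attempt line."""
    events, pending = [], None
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            pending = m.groupdict()          # remember until the task line
            continue
        m = TERMINATE.search(line)
        if not m:
            continue                         # "bytes at PC/SP" and other lines
        ev = m.groupdict()
        for key in ("pid", "uid", "euid"):
            ev[key] = int(ev[key])
        ev["pc"], ev["sp"] = int(ev["pc"], 16), int(ev["sp"], 16)
        ev["mapping"], ev["pc_in_mapping"] = None, None
        if pending:
            start, end = int(pending["start"], 16), int(pending["end"], 16)
            ev["mapping"] = pending["mapping"]
            # True when the PC falls inside the mapping PaX reported
            ev["pc_in_mapping"] = start <= ev["pc"] < end
        events.append(ev)
        pending = None
    return events

# Sample input: the log lines quoted in the message above, unwrapped.
SAMPLE = [
    "PAX: execution attempt in: /usr/lib/tls/libGL.so.1.0.5336, 22669000-22677000 0004b000",
    "PAX: terminating task: /usr/bin/khelpcenter(khelpcenter):4143, uid/euid: 1001/1001, PC: 2266ef20, SP: 5b404d10",
    "PAX: bytes at PC: b8 c8 ff ff ff e9 2b 73 fe ff b8 cc ff ff ff e9 31 73 fe ff",
]

if __name__ == "__main__":
    for ev in parse_pax_events(SAMPLE):
        print(f"{ev['exe']} pid={ev['pid']} uid={ev['uid']} "
              f"pc={ev['pc']:#x} in {ev['mapping']}: {ev['pc_in_mapping']}")
```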



