From: "Francisco Blas Izquierdo Riera" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Francisco Blas Izquierdo Riera" Message-ID: <1335640924.f756acec0e3a45939cc506f996bb2bfd71c0bfa4.klondike@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/hardened-debugging.xml xml/revdep-pax.xml X-VCS-Directories: xml/ X-VCS-Committer: klondike X-VCS-Committer-Name: Francisco Blas Izquierdo Riera X-VCS-Revision: f756acec0e3a45939cc506f996bb2bfd71c0bfa4 X-VCS-Branch: master Date: Sat, 28 Apr 2012 19:23:23 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: b94b0002-7e20-4a28-b9a0-3914fbaec6bd X-Archives-Hash: 97847c8e564dc6fb554142bc92dc4049 commit: f756acec0e3a45939cc506f996bb2bfd71c0bfa4 Author: klondike xiscosoft es> AuthorDate: Sat Apr 28 19:22:04 2012 +0000 Commit: Francisco Blas Izquierdo Riera xiscosoft = es> CommitDate: Sat Apr 28 19:22:04 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Df756acec Fix bug #413289 --- xml/hardened-debugging.xml | 12 +- xml/revdep-pax.xml | 616 +++-----------------------------------= ------ 2 files changed, 43 insertions(+), 585 deletions(-) diff --git a/xml/hardened-debugging.xml b/xml/hardened-debugging.xml index 21a0fc9..0a648a9 100644 --- a/xml/hardened-debugging.xml +++ b/xml/hardened-debugging.xml @@ -5,7 +5,7 @@ Gentoo Hardened debugging - klondike + @@ -21,8 +21,8 @@ hardened kernel and toolcahin with PaX/Grsec, PIE and S= SP. =20 -1.0 -2010-10-26 +2 +2012-04-28 =20 Solving the '??' issue. @@ -214,10 +214,12 @@ available breakpoints.

After debugging you may want to restore the system to its normal state, = if you used paxctl you can reset the flags to default using the -z flag. +Since the -z flags will zero all the flags also want to keep trampoline +emulation disabled. This is done with the -e flag.

=20 -
-# paxctl -z binary
+
+# paxctl -ze binary
 
=20 diff --git a/xml/revdep-pax.xml b/xml/revdep-pax.xml index ba9f822..cbf3181 100644 --- a/xml/revdep-pax.xml +++ b/xml/revdep-pax.xml @@ -23,7 +23,10 @@ requiring RWX memory in order to process JIT code. 2012-02-19 =20 -What's <c>revdep-pax</c> about? +What's revdep-pax about? + +
+ =20

Since the early days of PaX it was known that all programs were equal al= though @@ -33,6 +36,9 @@ allowing system administrators and users telling the sy= stem which binaries needed this lessened environment the PaX marks were created.

=20 + +
+
A quick introduction to PaX markings. @@ -106,7 +112,7 @@ called. In order to solve this issue we have created = revdep-pax.
-What's <c>revdep-pax</c>? +What's revdep-pax? =20

@@ -134,7 +140,10 @@ libraries linked by an object and backwards to the o= bjects linked by a library. =20 -Using <c>revdep-pax</c> +Using revdep-pax + +

+ =20

In order to witness the firepower of this fully ARMED and OPERATIONAL to= ol @@ -142,6 +151,9 @@ you'll first need to learn how to use it, once you ar= e done, you'll be able to fire at will.

=20 + +
+ =20
Propagating PaX marks backwards from a library to objects that li= nk at it @@ -149,592 +161,36 @@ able to fire at will. =20

This is going to be probably the main way in which you are going to use = this -utility. What it does is check all the libraries linked statically=20 -The scanelf application is part of the app-misc/pax-utils = package. -With this application you can print out information specific to the ELF -structure of a binary. The following table sums up the various options. -

- - - - - - - - - -p - --path - Scan all directories in PATH environment - - - -l - --ldpath - Scan all directories in /etc/ld.so.conf - - - -R - --recursive - Scan directories recursively - - - -m - --mount - Don't recursively cross mount points - - - -y - --symlink - Don't scan symlinks - - - -A - --archives - Scan archives (.a files) - - - -L - --ldcache - Utilize ld.so.cache information (use with -r/-n) - - - -X - --fix - Try and 'fix' bad things (use with -r/-e) - - - -z [arg] - --setpax [arg] - Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx) - - - - - - - - -x - --pax - Print PaX markings - - - -e - --header - Print GNU_STACK/PT_LOAD markings - - - -t - --textrel - Print TEXTREL information - - - -r - --rpath - Print RPATH information - - - -n - --needed - Print NEEDED information - - - -i - --interp - Print INTERP information - - - -b - --bind - Print BIND information - - - -S - --soname - Print SONAME information - - - -s [arg] - --symbol [arg] - Find a specified symbol - - - -k [arg] - --section [arg] - Find a specified section - - - -N [arg] - --lib [arg] - Find a specified library - - - -g - --gmatch - Use strncmp to match libraries. (use with -N) - - - -T - --textrels - Locate cause of TEXTREL - - - -E [arg] - --etype [arg] - Print only ELF files matching etype ET_DYN,ET_EXEC ... - - - -M [arg] - --bits [arg] - Print only ELF files matching numeric bits - - - -a - --all - Print all scanned info (-x -e -t -r -b) - - - - - - - - -q - --quiet - Only output 'bad' things - - - -v - --verbose - Be verbose (can be specified more than once) - - - -F [arg] - --format [arg] - Use specified format for output - - - -f [arg] - --from [arg] - Read input stream from a filename - - - -o [arg] - --file [arg] - Write output stream to a filename - - - -B - --nobanner - Don't display the header - - - -h - --help - Print this help and exit - - - -V - --version - Print version and exit - -
OptionLong OptionDescription
OptionLong OptionDescription
OptionLong OptionDescription
- -

-The format specifiers for the -F option are given in the followin= g table. -Prefix each specifier with % (verbose) or # (silent) accor= dingly. -

- - - - - - - - - - F - Filename - x - PaX Flags - - - e - STACK/RELRO - t - TEXTREL - - - r - RPATH - n - NEEDED - - - i - INTERP - b - BIND - - - s - Symbol - N - Library - - - o - Type - p - File name - - - f - Base file name - k - Section - - - a - ARCH/e_machine -   -   - -
SpecifierFull NameSpecifierFull Name
- - -
-
-Using scanelf for Text Relocations - - -

-As an example, we will use scanelf to find binaries containing te= xt -relocations. -

- -

-A relocation is an operation that rewrites an address in a loaded segmen= t. Such -an address rewrite can happen when a segment has references to a shared = object -and that shared object is loaded in memory. In this case, the references= are -substituted with the real address values. Similar events can occur insid= e the=20 -shared object itself. -

- -

-A text relocation is a relocation in the text segment. Since text segmen= ts -contain executable code, system administrators might prefer not to have = these -segments writable. This is perfectly possible, but since text relocation= s -actually write in the text segment, it is not always feasible.=20 -

- -

-If you want to eliminate text relocations, you will need to make sure -that the application and shared object is built with Position Indepen= dent -Code (PIC), making references obsolete. This not only increases secu= rity, -but also increases the performance in case of shared objects (allowing w= rites in -the text segment requires a swap space reservation and a private copy of= the -shared object for each application that uses it). -

- -

-The following example will search your library paths recursively, withou= t -leaving the mounted file system and ignoring symbolic links, for any ELF= binary -containing a text relocation: -

- -
-# scanelf -lqtmyR
-
- -

-If you want to scan your entire system for any file containing te= xt -relocations: -

- -
-# scanelf -qtmyR /
-
- - -
-
-Using scanelf for Specific Header - - -

-The scanelf util can be used to quickly identify files that contain a=20 -given section header using the -k .section option. -

- -

-In this example we are looking for all files in /usr/lib/debug=20 -recursively using a format modifier with quiet mode enabled that have be= en=20 -stripped. A stripped elf will lack a .symtab entry, so we use the '!'=20 -to invert the matching logic. -

- -
-# scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k
-
- - -
-
-Using scanelf for Specific Segment Markings - - -

-Each segment has specific flags assigned to it in the Program Header of = the -binary. One of those flags is the type of the segment. Interesting value= s are -PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (th= e -segment contains dynamic linking information), PT_INTERP (the segment=20 -contains the name of the program interpreter), PT_GNU_STACK (a GNU exten= sion -for the ELF format, used by some stack protection mechanisms), and PT_PA= X_FLAGS -(a PaX extension for the ELF format, used by the security-minded=20 -PaX Project. -

- -

-If we want to scan all executables in the current working directory, PAT= H -environment and library paths and report those who have a writable and -executable PT_LOAD or PT_GNU_STACK marking, you could use the following = command: -

- -
-# scanelf -lpqe .
-
- - -
-
-Using scanelf's Format Modifier Handler - - -

-A useful feature of the scanelf utility is the format modifier ha= ndler. =20 -With this option you can control the output of scanelf, thereby=20 -simplifying parsing the output with scripts. -

- -

-As an example, we will use scanelf to print the file names that c= ontain -text relocations: -

- -
-# scanelf -l -p -R -q -F "%F #t"
+utility. What it does is check all the libraries linked statically by th=
e
+binaries using ldd and then smartly add the paxmarks of those lib=
raries
+to generate the new set. As a result if /usr/games/bin/armagetrona=
d
+links with /usr/lib64/libGL.so.1 which has the -m Pa=
X mark
+(allow RWX mappings) because you are using a llvm requiring graphics dri=
ver
+you'll get that binary marked with the -m PaX mark too since it n=
eeds it.
+Below you can see how to run it.
+

+ +
+# mv /etc/grsec/learning.roles /etc/grsec/policy
+# chmod 0600 /etc/grsec/policy
 
=20 - -
- - - -Listing PaX Flags and Capabilities -
-About PaX - - -

-PaX is a project hosted by= the grsecurity project. Quoting the= PaX documentation,= its main=20 -goal is "to research various defense mechanisms against the exploitation= of=20 -software bugs that give an attacker arbitrary read/write access to the=20 -attacked task's address space. This class of bugs contains among others=20 -various forms of buffer overflow bugs (be they stack or heap based), use= r -supplied format string bugs, etc." -

- -

-To be able to benefit from these defense mechanisms, you need to run a L= inux -kernel patched with the latest PaX code. The Hardened Gentoo project suppor= ts PaX and -its parent project, grsecurity. The supported kernel package is -sys-kernel/hardened-sources. -

- -

-The Gentoo/Hardened project has a Gentoo PaX Quickstart Guid= e -for your reading pleasure. -

- - -
-
-Flags and Capabilities - - -

-If your toolchain supports it, your binaries can have additional PaX fla= gs in -their Program Header. The following flags are supported: -

- - - - - - - - - P - PAGEEXEC - - Refuse code execution on writable pages based on the NX bit - (or emulated NX bit) - - - - S - SEGMEXEC - - Refuse code execution on writable pages based on the - segmentation logic of IA-32 - - - - E - EMUTRAMP - - Allow known code execution sequences on writable pages that - should not cause any harm - - - - M - MPROTECT - - Prevent the creation of new executable code to the process - address space - - - - R - RANDMMAP - - Randomize the stack base to prevent certain stack overflow - attacks from being successful - - - - X - RANDEXEC - - Randomize the address where the application maps to prevent - certain attacks from being exploitable - - -
FlagNameDescription
- -

-The default Linux kernel also supports certain capabilities, grouped in = the -so-called POSIX.1e Capabilities. You can find a listing of those -capabilities in our POSIX Capabilities doc= ument. -

- - -
-
-Using pspax - - -

-The pspax application, part of the pax-utils package, disp= lays the -run-time capabilities of all programs you have permission for. On Linux = kernels -with additional support for extended attributes (such as SELinux) those -attributes are shown as well. -

- -

-When ran, pspax shows the following information: -

- - - - - - - - USER - Owner of the process - - - PID - Process id - - - PAX - Run-time PaX flags (if applicable) - - - MAPS - Write/eXecute markings for the process map - - - ELF_TYPE - Process executable type: ET_DYN or ET_EXEC - - - NAME - Name of the process - - - CAPS - POSIX.1e capabilities (see note) - - - ATTR - Extended attributes (if applicable) - -
ColumnDescription
=20 -pspax only displays these capabilities when it is linked with -the external capabilities library. This requires you to build pax-uti= ls -with -DWANT_SYSCAP. +Due to the way in which ldd works you'll get all the libraries re= quired +at runtime, even those required by libraries you link to (and so on recu= rsively) +as a result revdep-pax will detect all dependencies in a single p= ass. If +the behaviour of ldd changes so may change the behaviour of +revdep-pax =20

-By default, pspax does not show any kernel processes. If you want= those -to be taken as well, use the -a switch. -

- - -
-
- - -Programming with ELF files -
-The dumpelf Utility - - -

-With the dumpelf utility you can convert a ELF file into human re= adable C -code that defines a structure with the same image as the original ELF fi= le. +The scanelf application is part of the app-misc/pax-utils = package. +With this application you can print out information specific to the ELF +structure of a binary. The following table sums up the various options.

=20 -
-$ dumpelf /bin/hostname
-#include <elf.h>
-
-/*
- * ELF dump of '/bin/hostname'
- *     10276 (0x2824) bytes
- */
-
-struct {
-        Elf32_Ehdr ehdr;
-        Elf32_Phdr phdrs[8];
-        Elf32_Shdr shdrs[26];
-} dumpedelf_0 =3D {
-
-.ehdr =3D {
-(... Output stripped ...)
-
-
- + \ No newline at end of file
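Review bot: in the @@ -21,8 +21,8 @@ hunk of xml/hardened-debugging.xml the version and date bump is fine, but the unchanged context line it sits under still reads "toolcahin" (typo for "toolchain"); since this commit already touches the header block, fixing that word in the same change would save a follow-up.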
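Review bot: the prose and the command disagree in the @@ -214,10 +214,12 @@ hunk of xml/hardened-debugging.xml: the added sentence says you "want to keep trampoline emulation disabled. This is done with the -e flag", yet the example changes to `# paxctl -ze binary`, and in paxctl the lowercase -e enables EMUTRAMP while the uppercase -E disables it (and -z restores the defaults). Either the sentence should say "enabled" or the command should use -E; please confirm which behaviour the debugging workflow needs before merging. The sentence is also missing its subject and has a number-agreement slip; suggested wording: "Since the -z flag will zero all the flags, you also want to keep trampoline emulation ... This is done with the -e flag."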
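Review bot: the example block added in the @@ -149,592 +161,36 @@ hunk of xml/revdep-pax.xml does not show what the lead-in promises: "Below you can see how to run it." is followed by `# mv /etc/grsec/learning.roles /etc/grsec/policy` and `# chmod 0600 /etc/grsec/policy`, which are grsecurity RBAC policy commands unrelated to revdep-pax, so the block should be replaced by the revdep-pax invocation that propagates marks from a library to the objects linking it. The same hunk re-adds the lines "The scanelf application is part of the app-misc/pax-utils package ... The following table sums up the various options." while deleting the option table they refer to, which leaves a dangling reference at the end of the section (and the file now ends without a trailing newline, per the "\ No newline at end of file" marker). In the new prose, "a llvm requiring graphics driver" should read "an LLVM-requiring graphics driver", and the closing sentence "If the behaviour of ldd changes so may change the behaviour of revdep-pax" needs a comma after "changes" and a full stop; since this paragraph documents that the tool drives ldd over whole library paths, a sentence pointing readers at ldd(1)'s own caution about running it on untrusted executables would also be worth adding here.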