* [gentoo-hardened] binary protection mechanisms in different Linux distros
@ 2010-07-01 7:46 Radoslaw Madej
From: Radoslaw Madej @ 2010-07-01 7:46 UTC
To: gentoo-hardened
Hi guys,
I convinced the company I work for to allow me to spend some time on reviewing
different security aspects of Linux OS and different distros. As it also
involves Gentoo Hardened (which I also happily use on a daily basis), I
thought I'd share. :)
http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
There should be more to come in a near future. Any feedback appreciated :)
Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
Regards,
Radek Madej
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Daniel Kuehn @ 2010-07-01 8:10 UTC
To: gentoo-hardened
On Thu, 1 Jul 2010 08:46:11 +0100
Radoslaw Madej <radegand@o2.pl> wrote:
> Hi guys,
>
> I convinced the company I work for to allow me to spend some time on
> reviewing different security aspects of Linux OS and different distros. As it
> also involves Gentoo Hardened (which I also happily use on a daily basis), I
> thought I'd share. :)
>
> http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
>
> There should be more to come in a near future. Any feedback appreciated :)
>
> Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> Regards,
> Radek Madej
>
A very good paper my friend, I enjoyed reading it :)
I think you go into enough detail to keep even the less interested people
reading and I hope that you manage to propagate this article (Maybe we could
put a reference to it in the hardened docs?) so that more people become aware.
Sure, some people are probably going to start questioning your testing methods and
such because, like you mention in the paper, assessing security enabled on
binaries can give false positives and negatives depending on what the code looks
like.
--
Mvh
Daniel Kuehn
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Javier Juan Martínez Cabezón @ 2010-07-01 8:16 UTC
To: gentoo-hardened
Hi, I think it's a bad day to make comparisons with hardened gentoo.
Hardened gentoo traditionally doesn't use only -fstack-protector as
ubuntu and some others do; it uses -fstack-protector-all
everywhere it could. It's an important difference. I think that the
actual ssp bug in the last version isn't representative of what
hardened gentoo does (it's a bug, an exception). It has always shipped
-fstack-protector-all everywhere.
2010/7/1 Radoslaw Madej <radegand@o2.pl>
>
> Hi guys,
>
> I convinced the company I work for to allow me to spend some time on reviewing
> different security aspects of Linux OS and different distros. As it also
> involves Gentoo Hardened (which I also happily use on a daily basis), I
> thought I'd share. :)
>
> http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
>
> There should be more to come in a near future. Any feedback appreciated :)
>
> Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> Regards,
> Radek Madej
>
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Radoslaw Madej @ 2010-07-01 21:05 UTC
To: gentoo-hardened
On Thursday 01 July 2010 09:16:17 you wrote:
> Hi, I think it's a bad day to make comparisons with hardened gentoo.
>
> Hardened gentoo traditionally doesn't use only -fstack-protector as
> ubuntu and some others do; it uses -fstack-protector-all
> everywhere it could. It's an important difference. I think that the
> actual ssp bug in the last version isn't representative of what
> hardened gentoo does (it's a bug, an exception). It has always shipped
> -fstack-protector-all everywhere.
Hi,
Thanks for all the feedback :)
Javier: good point, I haven't really considered the differences between the
use of fstack-protector and fstack-protector-all - maybe something to do in
the future. Would there be a way to find out which option was used on a given
binary 'post mortem'? (read: after compilation? ;))
Regards,
Radek Madej
>
> 2010/7/1 Radoslaw Madej <radegand@o2.pl>
>
> > Hi guys,
> >
> > I convinced the company I work for to allow me to spend some time on
> > reviewing different security aspects of Linux OS and different distros.
> > As it also involves Gentoo Hardened (which I also happily use on a daily
> > basis), I thought I'd share. :)
> >
> > http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
> >
> > There should be more to come in a near future. Any feedback appreciated
> > :)
> >
> > Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> > Regards,
> > Radek Madej
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Kyle Bader @ 2010-07-01 21:08 UTC
To: gentoo-hardened
> Javier: good point, I haven't really considered the differences between the
> use of fstack-protector and fstack-protector-all - maybe something to do in
> the future. Would there be a way to find out which option was used on a given
> binary 'post mortem'? (read: after compilation? ;))
While it doesn't differentiate between fstack-protector and
fstack-protector-all this script [1] can detect RELRO, canary, NX/PAX
& PIE:
[509] kyle@blah:~/security-bin$ ./checksec-new.sh --file buggy
RELRO           STACK CANARY      NX/PaX        PIE            FILE
No RELRO        Canary found      NX enabled    No PIE         buggy
[1] http://tk-blog.blogspot.com/2009/02/checksec.html
--
Kyle
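The checksec.sh script above works by grepping readelf output. As an added example for this thread (it is neither Kyle's checksec.sh nor the Python script Radek mentions), here is a small pure-Python inspector that reads the ELF header, program headers and dynamic section directly and reports the same four columns: PT_GNU_STACK flags for NX, PT_GNU_RELRO plus DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW for partial versus full RELRO, ET_DYN for PIE, and the presence of the `__stack_chk_fail` symbol name for the canary. It assumes a little-endian ELF64 input, the sample image it checks is constructed in-code rather than taken from any distro, and, like checksec.sh, it answers Radek's question only halfway: it cannot tell -fstack-protector from -fstack-protector-all, because both leave the same `__stack_chk_fail` reference behind.

```python
"""checksec-style inspection of an ELF64 little-endian image in pure Python.

Added example for this thread; not Kyle's checksec.sh and not Radek's script.
The sample ELF built by build_sample_elf() is constructed test input only.
"""
import struct
import sys

# Constants from the ELF specification / Linux ABI
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                 # Elf64_Dyn  (16 bytes)


def checksec(data: bytes) -> dict:
    """Return RELRO / STACK CANARY / NX / PIE verdicts for one ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx = False          # no PT_GNU_STACK header at all means an executable stack
    relro = "No RELRO"
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "Partial RELRO"      # GOT made read-only after relocation
        elif p_type == PT_DYNAMIC:
            # Full RELRO additionally needs immediate binding (no lazy PLT)
            for off in range(p_off, p_off + p_filesz, DYN.size):
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    if relro == "Partial RELRO" and bind_now:
        relro = "Full RELRO"
    # Same heuristic as checksec.sh: the canary epilogue calls __stack_chk_fail, so
    # the symbol name appears in .dynstr (or .strtab for static, unstripped builds).
    # This cannot distinguish -fstack-protector from -fstack-protector-all.
    canary = b"__stack_chk_fail" in data
    return {
        "RELRO": relro,
        "STACK CANARY": "Canary found" if canary else "No canary found",
        "NX": "NX enabled" if nx else "NX disabled",
        "PIE": "PIE enabled" if e_type == ET_DYN else "No PIE",
    }


def build_sample_elf(exec_stack=False, relro="full", pie=True, canary=True) -> bytes:
    """Construct a minimal ELF64 image with the requested properties (test input only)."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if relro == "full" else b"") + DYN.pack(DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0)]
    if relro in ("partial", "full"):
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0))
    n = len(phdrs) + 1                       # plus the PT_DYNAMIC entry below
    dyn_off = EHDR.size + n * PHDR.size      # dynamic section follows the phdr table
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn)))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n, 0, 0, 0)
    table = b"".join(PHDR.pack(t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return ehdr + table + dyn + (b"__stack_chk_fail\x00" if canary else b"")


def report(path: str) -> str:
    """One line in checksec.sh's column layout for a file on disk."""
    with open(path, "rb") as f:
        r = checksec(f.read())
    return f"{r['RELRO']:<16}{r['STACK CANARY']:<18}{r['NX']:<14}{r['PIE']:<14}{path}"


if __name__ == "__main__":
    print(f"{'RELRO':<16}{'STACK CANARY':<18}{'NX':<14}{'PIE':<14}FILE")
    for p in sys.argv[1:]:
        print(report(p))
```

Run it as `python3 checksec.py /bin/grep /bin/ls` to get the same column layout as the script quoted above; the one design difference is that the dynamic section is parsed rather than pattern-matched, so a binary linked with `-z now` but laid out with unusual section names still reports Full RELRO correctly.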
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Kyle Bader @ 2010-07-01 21:09 UTC
To: gentoo-hardened
On Thu, Jul 1, 2010 at 2:08 PM, Kyle Bader <kyle.bader@gmail.com> wrote:
>> Javier: good point, I haven't really considered the differences between the
>> use of fstack-protector and fstack-protector-all - maybe something to do in
>> the future. Would there be a way to find out which option was used on a given
>> binary 'post mortem'? (read: after compilation? ;))
Which was mentioned in TFA, my bad.
--
Kyle
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Radoslaw Madej @ 2010-07-01 23:12 UTC
To: gentoo-hardened
On Thursday 01 July 2010 22:09:24 you wrote:
>
> Which was mentioned in TFA, my bad.
Yep, I'm well aware of this script as it was the basis of a python script I
developed for this exercise - which apart from adding RELRO checks was meant
to do some stats automatically so I didn't have to do any grep | sed | awk |
wc magic ;)
I will publish it soon, too, hopefully :)
Regards,
Radek Madej
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Matthew Thode @ 2010-07-02 0:07 UTC
To: gentoo-hardened
Here is the output of the script with gcc 4.4.4-r1.
sh checksec.sh --file /bin/grep
RELRO           STACK CANARY      NX            PIE            FILE
Full RELRO      Canary found      NX enabled    PIE enabled    /bin/grep
On Thu, Jul 1, 2010 at 19:12, Radoslaw Madej <radegand@o2.pl> wrote:
> On Thursday 01 July 2010 22:09:24 you wrote:
> >
> > Which was mentioned in TFA, my bad.
>
> Yep, I'm well aware of this script as this was a base of a python script I
> developed for this exercise - which apart from adding RELRO checks was
> meant
> to do some stats automatically so I didn't have to do any grep | sed | awk
> |
> wc magic ;)
> I will publish it soon, too, hopefully :)
> Regards,
> Radek Madej
>
>
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Matthew Thode @ 2010-07-02 0:13 UTC
To: gentoo-hardened
Also, here is a png of it running on all processes (I haven't rebooted this
server). I also included one of a rebooted server. I think the ruby and
python processes skew this a bit.
On Thu, Jul 1, 2010 at 20:07, Matthew Thode <mthode@mthode.org> wrote:
> Here is the output of the script with gcc 4.4.4-r1.
>
>
> sh checksec.sh --file /bin/grep
> RELRO           STACK CANARY      NX            PIE            FILE
> Full RELRO      Canary found      NX enabled    PIE enabled    /bin/grep
>
>
> On Thu, Jul 1, 2010 at 19:12, Radoslaw Madej <radegand@o2.pl> wrote:
>
>> On Thursday 01 July 2010 22:09:24 you wrote:
>> >
>> > Which was mentioned in TFA, my bad.
>>
>> Yep, I'm well aware of this script as this was a base of a python script I
>> developed for this exercise - which apart from adding RELRO checks was
>> meant
>> to do some stats automatically so I didn't have to do any grep | sed | awk
>> |
>> wc magic ;)
>> I will publish it soon, too, hopefully :)
>> Regards,
>> Radek Madej
>>
>>
>
[-- Attachment #2: all-proc-noreboot.png --]
[-- Type: image/png, Size: 97256 bytes --]
[-- Attachment #3: all-proc-reboot.png --]
[-- Type: image/png, Size: 22462 bytes --]
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Javier Juan Martínez Cabezón @ 2010-07-02 5:58 UTC
To: gentoo-hardened
Probably you could check if SSP-related code exists in functions that don't have
character arrays (AFAIK this is the difference between -fstack-protector
(which doesn't protect them) and -fstack-protector-all). gdb could be your friend.
2010/7/1 Radoslaw Madej <radegand@o2.pl>
> On Thursday 01 July 2010 09:16:17 you wrote:
> > Hi, I think it's a bad day to make comparisons with hardened gentoo.
> >
> > Hardened gentoo traditionally doesn't use only -fstack-protector as
> > ubuntu and some others do; it uses -fstack-protector-all
> > everywhere it could. It's an important difference. I think that the
> > actual ssp bug in the last version isn't representative of what
> > hardened gentoo does (it's a bug, an exception). It has always shipped
> > -fstack-protector-all everywhere.
>
> Hi,
> Thanks for all the feedback :)
>
> Javier: good point, I haven't really considered the differences between the
> use of fstack-protector and fstack-protector-all - maybe something to do
> in
> the future. Would there be a way to find out which option was used on a
> given
> binary 'post mortem'? (read: after compilation? ;))
>
> Regards,
> Radek Madej
>
> >
> > 2010/7/1 Radoslaw Madej <radegand@o2.pl>
> >
> > > Hi guys,
> > >
> > > I convinced the company I work for to allow me to spend some time on
> > > reviewing different security aspects of Linux OS and different distros.
> > > As it also involves Gentoo Hardened (which I also happily use on a
> daily
> > > basis), I thought I'd share. :)
> > >
> > > http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
> > >
> > > There should be more to come in a near future. Any feedback appreciated
> > > :)
> > >
> > > Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> > > Regards,
> > > Radek Madej
>
>
* Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
From: Radoslaw Madej @ 2010-07-02 21:31 UTC
To: gentoo-hardened
Hi,
Thanks for the useful info. Assessing strength of the cookie itself definitely
sounds like a good idea (same for PIE + ASLR actually).
Unfortunately, seems like the attached file has been intercepted somewhere
along the way... ;) Could you resend please? I'm curious to give it a go.
Thanks,
Radek Madej
On Friday 02 July 2010 08:41:46 you wrote:
> Hello,
>
> In addition to checking if SSP is enabled for binaries, you might want
> to check the /strength/ of the cookie.
>
> For example, some distros will use a full 32 bit cookie strength, whereas
> others will use a 24 bit strength cookie (such as ubuntu 10.04),
> where they set a cookie like 0x00xxyyzz (for 32 bit little endian).
>
> Presumably it is for off by one errors (buf[buflen] = 0) and maybe to
> prevent ssp bruteforcing in string copy routines :)
>
> At any rate, I've attached a .c file you can use. depending on compiler
> version and stuff, you might need to modify the OFFSET parameter. You'll
> want to test it with -static as well (some distros have released setups
> where if you compile a binary statically, it will not initialize the
> cookie, etc :)
>
> Thanks,
> Andrew Griffiths
>
> On Thu, Jul 01, 2010 at 08:46:11AM +0100, Radoslaw Madej wrote:
> > Hi guys,
> >
> > I convinced the company I work for to allow me to spend some time on
> > reviewing different security aspects of Linux OS and different distros.
> > As it also involves Gentoo Hardened (which I also happily use on a daily
> > basis), I thought I'd share. :)
> >
> > http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
> >
> > There should be more to come in a near future. Any feedback appreciated
> > :)
> >
> > Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> > Regards,
> > Radek Madej