[gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[Radoslaw Madej]

Hi Guys,

For anyone interested, I'd like to announce that the second part of my 
comparison between different Linux distros and their security features (which 
includes Gentoo Hardened of course! ;) ) can be found here:
http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/

As always - all feedback is appreciated. Also please note that the previous 
feedback is not to be forgotten and I shall address these ((-fstack-protector 
vs. -fstack-protector-all, cookie strength and prelink) in my fourth post :)

Also - congrats to Zorry for becoming the new Gentoo Hardened lead and thanks 
for all your support! :)

Regards,
Radek Madej

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[Daniel Kuehn]

On Thu, 2 Sep 2010 23:43:33 +0100
Radoslaw Madej <radegand@o2.pl> wrote:

> Hi Guys,
> 
> For anyone interested, I'd like to announce that the second part of my 
> comparison between different Linux distros and their security features (which 
> includes Gentoo Hardened of course! ;) ) can be found here:
> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/
> 
> As always - all feedback is appreciated. Also please note that the previous 
> feedback is not to be forgotten and I shall address these ((-fstack-protector 
> vs. -fstack-protector-all, cookie strength and prelink) in my fourth post :)
> 
> Also - congrats to Zorry for becoming the new Gentoo Hardened lead and thanks 
> for all your support! :)
> 
> Regards,
> Radek Madej
> 

A very interesting article again my friend :)

The randomisation bit was particularily interesting because as far as I
understand that is one of the better security measures we can use. 

Shame on fedora for only 3-bits randomisation for shared libs :P

-- 
Mvh
Daniel Kuehn, 073-181 577 2
Data@UrService
Homepage: http://www.dataaturservice.se

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[pageexec]

On 3 Sep 2010 at 11:56, Daniel Kuehn wrote:

> The randomisation bit was particularily interesting because as far as I
> understand that is one of the better security measures we can use. 

actually, if you ask me, ASLR is the least useful security feature :P. it's not
even really security, it's mere obfuscation, and it's great when it's works but
it'll never provide guarantees (which is what we prefer in security).

> Shame on fedora for only 3-bits randomisation for shared libs :P

a note here: fedora uses exec-shield which maps libraries in two different
regions: ascii-armor (lower 16MB) and the rest. i think what paxtest measured
there is the former where the usable entropy is necessarily less than elsewhere
and may not be representative of real life apps and their address spaces (not
saying the whole ascii-armor region is worth anything for security though ;).

PS: when discussing null deref protections, it's worth mentioning UDEREF which
is a tad bit more general and useful than mmap_min_addr ;).

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[radegand]

Hi,
Thanks for your feedback.

Dnia 8 września 2010 0:27 pageexec@freemail.hu napisał(a):
> 
> > On 3 Sep 2010 at 11:56, Daniel Kuehn wrote:
> 
> > The randomisation bit was particularily interesting because as far as I
> > understand that is one of the better security measures we can use. 
> 
> actually, if you ask me, ASLR is the least useful security feature :P. it's not
> even really security, it's mere obfuscation, and it's great when it's works but
> it'll never provide guarantees (which is what we prefer in security).

I'd agree. Nevertheless, IMHO, even if no guarantees can be given, ASLR when done correctly (and together with PIE) makes exploitation way harder and is reasonably (?) easy to implement and maintain. Why making attacker's life easier? ;)
> 
> > Shame on fedora for only 3-bits randomisation for shared libs :P
> 
> a note here: fedora uses exec-shield which maps libraries in two different
> regions: ascii-armor (lower 16MB) and the rest. i think what paxtest measured
> there is the former where the usable entropy is necessarily less than elsewhere
> and may not be representative of real life apps and their address spaces (not
> saying the whole ascii-armor region is worth anything for security though ;).

Seems like I need to find out more about exec-shield then... :)
> 
> PS: when discussing null deref protections, it's worth mentioning UDEREF which
> is a tad bit more general and useful than mmap_min_addr ;).
> 
Oopps, yep, I totally missed UDEREF, my bad...!

Regards,
Radek

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[Dale Pontius]

On 09/02/10 18:43, Radoslaw Madej wrote:
> Hi Guys,
>
> For anyone interested, I'd like to announce that the second part of my
> comparison between different Linux distros and their security features (which
> includes Gentoo Hardened of course! ;) ) can be found here:
> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/
>
> As always - all feedback is appreciated. Also please note that the previous
> feedback is not to be forgotten and I shall address these ((-fstack-protector
> vs. -fstack-protector-all, cookie strength and prelink) in my fourth post :)
>
> Also - congrats to Zorry for becoming the new Gentoo Hardened lead and thanks
> for all your support! :)
>
I read this today, too.  Quite interesting, but it leaves me asking a 
simple question...

I've been running my servers for years on hardened Gentoo, but I always 
figured it would be too problematic for my deskside and laptop machines.

Is this true?  Have things gotten better, and is it perfectly reasonable 
to run hardened Gentoo for general purpose use?

Two problem factors...  My family likes YouTube and the like, and for my 
job I have to run proprietary binary-only software.  (Silicon CAD tools)

Thanks,
Dale Pontius

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

["Tóth Attila"]

You 'll have to make a compromise. I run hardened gentoo on my laptop.
Everyday use requires loosening the security settings here-and-there.

-- 
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962

2010.Szeptember 17.(P) 01:35 időpontban Dale Pontius ezt írta:
> On 09/02/10 18:43, Radoslaw Madej wrote:
>> Hi Guys,
>>
>> For anyone interested, I'd like to announce that the second part of my
>> comparison between different Linux distros and their security features
>> (which
>> includes Gentoo Hardened of course! ;) ) can be found here:
>> http://labs.mwrinfosecurity.com/notices/assessing_the_tux_strength_part_2_into_the_kernel/
>>
>> As always - all feedback is appreciated. Also please note that the
>> previous
>> feedback is not to be forgotten and I shall address these
>> ((-fstack-protector
>> vs. -fstack-protector-all, cookie strength and prelink) in my fourth
>> post :)
>>
>> Also - congrats to Zorry for becoming the new Gentoo Hardened lead and
>> thanks
>> for all your support! :)
>>
> I read this today, too.  Quite interesting, but it leaves me asking a
> simple question...
>
> I've been running my servers for years on hardened Gentoo, but I always
> figured it would be too problematic for my deskside and laptop machines.
>
> Is this true?  Have things gotten better, and is it perfectly reasonable
> to run hardened Gentoo for general purpose use?
>
> Two problem factors...  My family likes YouTube and the like, and for my
> job I have to run proprietary binary-only software.  (Silicon CAD tools)
>
> Thanks,
> Dale Pontius
>

Re: [gentoo-hardened] Assessing the Tux Strength: Part 2 - Into the Kernel

[Radoslaw Madej]

On Friday 17 September 2010 00:35:20 you wrote:
> I've been running my servers for years on hardened Gentoo, but I always
> figured it would be too problematic for my deskside and laptop machines.
> 
> Is this true?  Have things gotten better, and is it perfectly reasonable
> to run hardened Gentoo for general purpose use?
> 
> Two problem factors...  My family likes YouTube and the like, and for my
> job I have to run proprietary binary-only software.  (Silicon CAD tools)
> 
> Thanks,
> Dale Pontius

Hi,

IMHO, short answer: if you don't need to run binary video drivers and Flash, 
hardened desktop will be just fine...

Longer answer: I'd say it's a matter of risk management :) ..and available 
resources (time mainly).

Flash is an issue (security-wise but also getting it to work with hardened 
:D), but then again - you could always use different browser with flash and 
without hardened stuff (for example Opera will run it fine on grsec kernel 
with mprotect disabled and you can't harden it anyway) and lock it down using 
RBAC? Or simply use VM for that? Again, depends how far you want/have to go to 
mitigate the risk...

Back to your original question - personally I believe in hardened desktop ;] 
I'm running three of these (one laptop) and more or less everything works 
(running KDE4) but yes, you need to compromise few things 
sometimes...Flash/Gnash is a nightmare...getting X11 to works sometimes too, 
all depending on your card, nvidia binary stopped working ages ago (not sure 
if it works now), nouveau breaks every now and then regardless of hardened  ;) 
so you're left out with fairly stable nv drivers but no 3D accel...from my 
experience ATI seems to be more hardened friendly (OS driver, binary probably 
not). I'm soon to try the Intel chipset - hopefully it will be better! (or 
fixable at least ;)).

Not sure if this helps, but there you go - my two cents ;)

BTW - maybe it would be worth documenting somewhere issues with hardened-
gentoo desktops? I'll have plenty to share! ;)

Regards,
Radek