2.6.24-zen4-pax "speed meets security Redux"

Post by kernelOfTruth » Sun Mar 02, 2008 10:21 am

Hi ladies & gentlemen,

(this is split out of the zen-sources thread):
kernelOfTruth wrote: anyone interested in a pax-patch for 2.6.24-zen4?

update:

sorry, no patch :roll:, the patch I created was 140 MB big :lol:


so here's the zen-sources tarball with grsecurity's pax-patch (http://www.grsecurity.com/test/pax-linu ... st31.patch) [February 29 2008 12:15:15],
zen-sources' state should be from commit: 04d280d4e981b4a2b3a14eae36aa7a0796566163

kudos to spender for his great work on making Linux more secure, and to waninkoko, rmh3093, and all the others involved in zen-sources

"speed meets security Redux"



:arrow: Link to the tarball: linux-2.6.24-zen4_pax.tbz2


Instructions:

1.) compile in softmode support; then, if you need to install apps, scan something with xsane, etc., which doesn't work with pax:

temporarily disable pax by echoing "1" to
/proc/sys/kernel/pax/softmode

Code:

echo "1" > /proc/sys/kernel/pax/softmode

output of paxtest with pax enabled:
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 33 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed

output of paxtest with softmode enabled:
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 29 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed

2.) if you have problems with nvidia-drivers try the following:

http://forums.gentoo.org/viewtopic-t-57 ... ight-.html

3.) to find out which files were altered by me:

go to the directory where the tarball got extracted, then:

Code:

find . -name '*.rej'


have fun :)

Disclaimer:

I take no responsibility if it kills your data, your kittens, pulls away your girlfriend or anything else.
I've tested it on an amd64 system with gcc 4.2.3 (hardened gcc) and glibc 2.7 & am currently using it for all my sensitive data, so it should be fine.
No guarantee it will work on x86, however [if it works on amd64 it should at least boot on x86].
Last edited by kernelOfTruth on Sun Mar 02, 2008 10:29 am, edited 2 times in total.
https://github.com/kernelOfTruth/ZFS-fo ... scCD-4.9.0
https://github.com/kernelOfTruth/pulsea ... zer-ladspa

Hardcore Gentoo Linux user since 2004 :D
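As an added example (not from the post, zen-sources or PaX): the two paxtest listings above differ in a fixed way, and a small script makes that difference explicit instead of leaving it to eyeballing. It takes two saved paxtest outputs (for instance `paxtest blackhat > enforcing.txt` with softmode=0, then the same with softmode=1) and prints every test that lost its Killed verdict or lost randomisation bits. The sample inputs are the two listings from the post, copied into temporary files so the script runs without a PaX kernel; the function name and the awk logic are mine:

```shell
#!/bin/sh
# Added example, not from the thread: diff two paxtest runs and list every
# test that regressed between them. Input is plain paxtest output in the
# "Name : Result" form shown in the post; run `paxtest blackhat` with
# softmode=0 and softmode=1, save both, and feed them to the function.

# paxtest_regressions BASELINE CANDIDATE: one line per test that went from
# Killed to Vulnerable, or whose guessed randomisation bits dropped.
paxtest_regressions() {
    awk -F':' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Result string -> entropy bits: "No randomisation" is 0,
        # "33 bits (guessed)" is 33, Killed/Vulnerable verdicts are -1.
        function bits(s) {
            if (s ~ /No randomisation/) return 0
            if (match(s, /[0-9]+ bits/)) return substr(s, RSTART, RLENGTH) + 0
            return -1
        }
        NR == FNR { base[trim($1)] = trim($2); next }   # first file = baseline
        {
            name = trim($1); now = trim($2); was = base[name]
            if (was == "") next                          # test not in baseline
            if (was == "Killed" && now == "Vulnerable")
                print name ": protection lost (" was " -> " now ")"
            else if (bits(now) >= 0 && bits(was) > bits(now))
                print name ": entropy reduced (" was " -> " now ")"
        }' "$1" "$2"
}

# Sample inputs: the two paxtest listings from the post above, copied
# verbatim into temporary files so the function can run on any machine.
PAXTEST_ENFORCING=$(mktemp)
PAXTEST_SOFTMODE=$(mktemp)
cat >"$PAXTEST_ENFORCING" <<'EOF'
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 33 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
EOF
cat >"$PAXTEST_SOFTMODE" <<'EOF'
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 29 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
EOF

paxtest_regressions "$PAXTEST_ENFORCING" "$PAXTEST_SOFTMODE"
```

Run on the two listings it prints 13 lines: all seven mprotect tests plus "Writable text segments" flip from Killed to Vulnerable, and anonymous-mapping, heap, ET_DYN main-executable and shared-library randomisation lose bits. Every process started while softmode=1 runs with those protections off, which is the real cost of the `echo 1` step; set softmode back to 0 as soon as the install is done.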
Post by kernelOfTruth » Sun Mar 02, 2008 10:22 am

example kernel-config for amd64
(P5W DH Deluxe, with some cflags, ldflags, etc optimizations)

http://phpfi.com/299908
Post by lightseeker » Mon Mar 03, 2008 4:18 am

Hi!

I've managed to compile and install "Redux" :D, but I have problems starting X when using ati-drivers 8.02 (and yes, I've disabled pax like you suggested).

Xorg.0.log says

Code:

(II) Loading /usr/lib/xorg/modules//glesx.so
dlopen: /usr/lib/xorg/modules//glesx.so: cannot make segment writable for relocation: Permission denied
(EE) Failed to load /usr/lib/xorg/modules//glesx.so

Any hints?

Many thanks in advance.

Post by kernelOfTruth » Mon Mar 03, 2008 10:26 am

lightseeker wrote: Hi!

I've managed to compile and install "Redux" :D, but I have problems starting X when using ati-drivers 8.02 (and yes, I've disabled pax like you suggested).

Xorg.0.log says

Code:

(II) Loading /usr/lib/xorg/modules//glesx.so
dlopen: /usr/lib/xorg/modules//glesx.so: cannot make segment writable for relocation: Permission denied
(EE) Failed to load /usr/lib/xorg/modules//glesx.so

Any hints?

Many thanks in advance.

nice :)

I actually never really got ati-drivers to work in the last years with pax

you need to

Code:

emerge chpax paxctl

then you can play with the files that cause problems:
paxctl --help
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC

-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!)
e.g.

Code:

paxctl -pEmrxs <file>

or
chpax --help
chpax 0.7 .::. Manage PaX flags for binaries
Usage: chpax OPTIONS FILE1 FILE2 FILEN ...
-P enforce paging based non-executable pages
-p do not enforce paging based non-executable pages
-E emulate trampolines
-e do not emulate trampolines
-M restrict mprotect()
-m do not restrict mprotect()
-R randomize mmap() base [ELF only]
-r do not randomize mmap() base [ELF only]
-X randomize ET_EXEC base [ELF only]
-x do not randomize ET_EXEC base [ELF only]
-S enforce segmentation based non-executable pages
-s do not enforce segmentation based non-executable pages
-v view current flag mask
-z zero flag mask (next flags still apply)

The flags only have effect when running the patched Linux kernel.

Code:

chpax -pEmrxs <file>

you can try to disable all of them in the beginning, but often disabling mprotect alone should suffice:

Code:

chpax -m <file>

or

Code:

paxctl -m <file>

if you're not running the hardened profile you might need to recompile your system with PIC support

references:
http://www.gentoo.org/proj/en/hardened/
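Added example, not from the post, zen-sources or PaX: the paxctl and chpax invocations above each take a file argument, and marking one binary is the route to prefer over softmode, because softmode switches every PaX feature off by default for every process until it is set back to 0, whereas a flag set with paxctl affects only that executable. The script below wraps the `paxctl -m` step from the post: it checks the ELF magic first (paxctl can only mark ELF objects) and creates the PT_PAX_FLAGS header with -C when the binary has none. `is_elf` and `pax_relax_mprotect` are my names; the only tool assumed is paxctl from `emerge chpax paxctl`:

```shell
#!/bin/sh
# Added example, not from the thread: clear MPROTECT on one binary instead of
# flipping /proc/sys/kernel/pax/softmode for the whole box. Per-binary flags
# only carry weight while softmode is 0. Assumes paxctl is installed.

# is_elf FILE: true when FILE starts with the ELF magic 7f 45 4c 46.
# paxctl only marks ELF objects, so shell wrappers and data blobs are caught
# here before paxctl has to complain about a missing ELF header.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# pax_relax_mprotect FILE: disable only MPROTECT on FILE, leaving PAGEEXEC,
# SEGMEXEC, RANDMMAP and the rest at the kernel default. -C first creates a
# PT_PAX_FLAGS program header if the binary has none (-c would convert
# PT_GNU_STACK instead, see paxctl --help above).
# Returns 0 on success, 2 for a non-ELF file, 3 if paxctl is missing,
# 4 if paxctl itself failed.
pax_relax_mprotect() {
    target=$1
    if ! is_elf "$target"; then
        echo "$target: not an ELF object, paxctl cannot mark it" >&2; return 2
    fi
    if ! command -v paxctl >/dev/null 2>&1; then
        echo "paxctl not installed (emerge paxctl)" >&2; return 3
    fi
    echo "== flags before:"; paxctl -v "$target" || echo "(no PaX flags header yet)"
    paxctl -Cm "$target" || return 4
    echo "== flags after:";  paxctl -v "$target"
    # Keep the kernel enforcing for everything else:
    #   echo 0 > /proc/sys/kernel/pax/softmode
}

# Usage: sh this_script.sh /usr/lib/xorg/modules/glesx.so [more files...]
for target in "$@"; do
    pax_relax_mprotect "$target"
done
```

Start with `-m` only, as the post says; if the program still dies under PaX, the kernel log (dmesg) names the flag that killed it, and that one can be relaxed next with the matching lowercase paxctl option rather than disabling everything with `-pEmrxs`.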
Post by lightseeker » Tue Mar 04, 2008 1:55 pm

Hi!

Thanks for the reply kernelOfTruth.

I am running hardened, well, sort of. I'm not using hardened profile, but hardened toolchain (gcc 4.2.2 pie/ssp and stuff from Kevin Quinn's overlay) and ~x86.

Anyway, I've played with paxctl, but X still refuses to start. I've managed to disable all flags for Xorg, but I get the same error as before. As for /usr/lib/xorg/modules/glesx.so paxctl refuses to do anything, complaining that the file does not have a valid ELF header and refuses to convert it or apply any changes to the binary.

Thanks anyway man :D, I've learned a lot of useful new stuff about gentoo, and will try to "convert" my laptop later this week.

Cheers 8)
Post by kernelOfTruth » Thu Mar 13, 2008 11:46 pm

update:

new kernel-release

2.6.24-zen4_pax-r2

http://d01.megashares.com/?d01=03ceee6
Filename: linux-2.6.24-zen4_pax-r2.tbz2
Filesize: 199.83 MB
Description: 2.6.24-zen4_pax-r2
(sorry, it's a little big, I found no time to make a nice little patch out of it; there are probably some unneeded additional files from git, but it should compile & work fine, updated to the latest state of 2.6.24-zen4, as of 14th of March 2008)
Post by obrut<- » Tue Apr 01, 2008 4:47 pm

hi!
unfortunately your link is now invalid. can i get it elsewhere?
tia
Post by kernelOfTruth » Tue Apr 01, 2008 7:00 pm

obrut<- wrote: hi!
unfortunately your link is now invalid. can i get it elsewhere?
tia

Hi,

here you go:

mirror1: hosting by 2shared.com (takes some time until download-link appears :roll: )

mirror2: directory of zen-sources_pax (thanks to MrGreen for hosting !)
Last edited by kernelOfTruth on Wed Apr 02, 2008 4:46 pm, edited 1 time in total.
Post by obrut<- » Tue Apr 01, 2008 11:36 pm

muchas gracias!
mirror1 works, mirror2 doesn't. it gives me
Forbidden
You don't have permission to access /zen-sources_pax/linux-2.6.24-zen4_pax-r2.tbz2 on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Post by kernelOfTruth » Wed Apr 02, 2008 12:13 am

obrut<- wrote: muchas gracias!
mirror1 works, mirror2 doesn't. it gives me
Forbidden
You don't have permission to access /zen-sources_pax/linux-2.6.24-zen4_pax-r2.tbz2 on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

fixed :)

thanks for reporting
Post by lightseeker » Wed Apr 02, 2008 7:35 pm

Hi!
I'm still using your "older" release on my laptop and it works like a charm :D

But today I tried compiling this new hot stuff and it gave me this

Code:

ERROR: "sqlzma_fin" [fs/squashfs/squashfs.ko] undefined!
ERROR: "sqlzma_un" [fs/squashfs/squashfs.ko] undefined!
ERROR: "sqlzma_init" [fs/squashfs/squashfs.ko] undefined!
Squashfs/lzma compiles ok on "pure" zen sources checkout (from last week or so)

Many thanks in advance man. :D
Post by obrut<- » Wed Apr 02, 2008 8:06 pm

my laptop just won't boot. kernel displays nothing but command line, kernel and initrd size and address (?) and hangs. tomorrow i'll look into it hoping to find the error.
Post by lightseeker » Thu Apr 03, 2008 12:15 am

Ok, silly me. :D
I just saw that "redux" is based on 2.6.24-zen4 (squashfs/lzma was broken there too, right ? :wink: ). I have zen5, and squashfs works there. No biggie :P

@kernelOfTruth are you still using this pax patch: http://www.grsecurity.com/test/pax-linu ... st31.patch ?
I'd like to try to apply it myself.

Thanks.

@obrut<-: Good luck, man. Older version works fine for me.
Post by obrut<- » Fri Apr 04, 2008 12:19 pm

I tried disabling some things I've never found in gentoo-sources (automatic optimisation for example), but I won't get a "kernel alive" after grub loaded the kernel. :( I hoped I could test pax without waiting for hardened 2.6.24. Older kernels wouldn't work because I need xts cipher mode for my encrypted harddisk. Want to see if my 4.2.3 gcc with hardened patches does what it should. ;)

@ lightseeker:
thanks
Post by kernelOfTruth » Fri Apr 04, 2008 12:53 pm

lightseeker wrote: @kernelOfTruth are you still using this pax patch: http://www.grsecurity.com/test/pax-linu ... st31.patch ?
I'd like to try to apply it myself.

@lightseeker:
yeah, I'm still using that patch :)
just go ahead :P

beware: googleearth and some other 32-bit OpenGL apps don't work under amd64 (yet <-- I don't have the time to investigate what pax-flags need to be relaxed)

obrut<- wrote: I tried disabling some things I've never found in gentoo-sources (automatic optimisation for example), but I won't get a "kernel alive" after grub loaded the kernel. :( I hoped I could test pax without waiting for hardened 2.6.24. Older kernels wouldn't work because I need xts cipher mode for my encrypted harddisk. Want to see if my 4.2.3 gcc with hardened patches does what it should. ;)

sorry, no idea what might prevent your system from booting; like lightseeker suggests, please try the earlier release

good luck :)
Post by kernelOfTruth » Sun Apr 06, 2008 10:06 pm

here a set of "testing" flags for zen-sources (copy & paste !):

Code:

#
# Custom flags
#
CONFIG_CUSTOM_CFLAGS="-O2 -ftree-pre -ftree-ch -fomit-frame-pointer -freorder-blocks -freorder-blocks-and-partition -fearly-inlining -ffunction-cse -fgcse-sm -fgcse-las -fgcse-after-reload -fno-ident -fstack-protector -march=native -fforce-addr -maccumulate-outgoing-args -msse3 -minline-all-stringops -mno-align-stringops -combine -s -pipe --param max-gcse-passes=8 -fmodulo-sched -freschedule-modulo-scheduled-loops -ftree-loop-im -ftree-loop-ivcanon -fivopts -funroll-loops -fsplit-ivs-in-unroller -fvariable-expansion-in-unroller -fpeel-loops -funswitch-loops -fprefetch-loop-arrays -fpie -D_FORTIFY_SOURCE=2"
CONFIG_CUSTOM_LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -pie"
CONFIG_CUSTOM_AFLAGS=""
CONFIG_CUSTOM_MAKEFLAGS="-S"
adjust flags to your liking but leave -pie, -fstack-protector and FORTIFY_SOURCE=2 in it (== randomisation)

this way you'll always get the latest & greatest of zen-sources and still have (semi-)maximum protection (without pax or grsecurity ! :D ),
in this case even flash, googleearth, mono-apps & wine-apps, 32-bit 3D-apps work 8)

only requirement is a hardened gcc-compiler / toolchain
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Heap randomisation test (ET_EXEC) : 28 bits (guessed)
Heap randomisation test (ET_DYN) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : 28 bits (guessed)
Main executable randomisation (ET_DYN) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
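Added example, not from the post, zen-sources or PaX: the flags above ask for -pie, and earlier in the thread paxctl refused glesx.so because it found no valid ELF header. Both questions (did a binary come out as ET_DYN, and what does PaX actually see in its program headers) can be answered without paxctl by reading the ELF header and program headers directly. The script below does that with od alone, for little-endian ELF32 and ELF64, and decodes PT_GNU_STACK and PT_PAX_FLAGS; the constants are the ones PaX adds to elf.h (PT_PAX_FLAGS = 0x65041580, PF_PAGEEXEC = 1<<4 through PF_NORANDMMAP = 1<<15). The function names are mine:

```shell
#!/bin/sh
# Added example, not from the thread: show the ELF facts that decide how PaX
# treats a binary, using only od so it runs on any Linux box without paxctl.
# Reports e_type (ET_EXEC vs ET_DYN, i.e. whether -pie took effect), the
# PT_GNU_STACK flags, and a decoded PT_PAX_FLAGS header if paxctl -C/-c
# created one. Only little-endian ELF32/ELF64 is handled.

# u32/u16 FILE OFFSET: little-endian unsigned value at OFFSET, in decimal.
# 8-byte ELF64 fields are read through their low 4 bytes (files < 4 GiB).
u32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || { echo 0; return; }
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}
u16() {
    set -- $(od -An -tu1 -j "$2" -N 2 "$1")
    [ $# -eq 2 ] || { echo 0; return; }
    echo $(( $1 | ($2 << 8) ))
}

# pax_flag_names FLAGS: decode PT_PAX_FLAGS p_flags (PaX elf.h bit values:
# PF_PAGEEXEC=1<<4 ... PF_NORANDMMAP=1<<15). Empty output means no bits set.
pax_flag_names() {
    flags=$1; names=""
    for pair in 16:PAGEEXEC 32:NOPAGEEXEC 64:SEGMEXEC 128:NOSEGMEXEC \
                256:MPROTECT 512:NOMPROTECT 1024:RANDEXEC 2048:NORANDEXEC \
                4096:EMUTRAMP 8192:NOEMUTRAMP 16384:RANDMMAP 32768:NORANDMMAP; do
        if [ $(( flags & ${pair%%:*} )) -ne 0 ]; then names="$names ${pair#*:}"; fi
    done
    echo "${names# }"
}

# elf_pax_info FILE: print type, PT_GNU_STACK and PT_PAX_FLAGS for FILE.
# Returns 1 for non-ELF or truncated input (what paxctl rejects), 2 for big-endian.
elf_pax_info() {
    f=$1
    if [ "$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" != "7f454c46" ]; then
        echo "$f: not an ELF object (paxctl cannot mark it)"; return 1
    fi
    set -- $(od -An -tu1 -j 4 -N 2 "$f")       # EI_CLASS, EI_DATA
    [ $# -eq 2 ] || { echo "$f: truncated ELF header"; return 1; }
    class=$1
    if [ "$2" -ne 1 ]; then echo "$f: big-endian ELF not handled"; return 2; fi
    if [ "$class" -eq 2 ]; then   # ELF64 header layout
        phoff=$(u32 "$f" 32); phentsize=$(u16 "$f" 54); phnum=$(u16 "$f" 56); flagoff=4
    else                          # ELF32 header layout
        phoff=$(u32 "$f" 28); phentsize=$(u16 "$f" 42); phnum=$(u16 "$f" 44); flagoff=24
    fi
    case $(u16 "$f" 16) in
        2) echo "type: ET_EXEC (fixed load address, not PIE)" ;;
        3) echo "type: ET_DYN (PIE executable or shared object)" ;;
        *) echo "type: other" ;;
    esac
    i=0; have_stack=0; have_pax=0
    while [ "$i" -lt "$phnum" ]; do
        off=$(( phoff + i * phentsize ))
        ptype=$(u32 "$f" "$off"); pflags=$(u32 "$f" $(( off + flagoff )))
        if [ "$ptype" -eq $(( 0x6474e551 )) ]; then          # PT_GNU_STACK
            have_stack=1
            if [ $(( pflags & 1 )) -ne 0 ]; then echo "PT_GNU_STACK: executable (PF_X set)"
            else echo "PT_GNU_STACK: non-executable"; fi
        elif [ "$ptype" -eq $(( 0x65041580 )) ]; then        # PT_PAX_FLAGS
            have_pax=1; names=$(pax_flag_names "$pflags")
            echo "PT_PAX_FLAGS: ${names:-none set (kernel defaults apply)}"
        fi
        i=$(( i + 1 ))
    done
    [ "$have_stack" -eq 1 ] || echo "PT_GNU_STACK: absent"
    [ "$have_pax" -eq 1 ] || echo "PT_PAX_FLAGS: absent (paxctl -C or -c adds it)"
    return 0
}

# Usage: sh this_script.sh /usr/lib/xorg/modules/glesx.so [more files...]
# With no argument it inspects /bin/sh.
if [ $# -eq 0 ]; then set -- /bin/sh; fi
for target in "$@"; do
    elf_pax_info "$target" || :
done
```

For anything without the magic bytes it prints "not an ELF object", which is the first thing to check when paxctl reports an invalid ELF header; for a real object it shows whether the file is ET_DYN (what -pie produces), whether PT_GNU_STACK asks for an executable stack, and whether a PT_PAX_FLAGS header exists at all, which paxctl -C or -c has to create before -m can be applied.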
Post by lightseeker » Sun Apr 13, 2008 2:12 pm

Hi!

@kernelOfTruth: I don't quite understand :D. Wouldn't that just "harden" the kernel itself, not the userland and stuff?

BTW, I've managed to apply pax patch to zen5 (man that was hard), so if anyone's interested I can upload it somewhere. 8)

:bye:
--- "Sungod, bless me with your rays..." ---