Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
hardened-sources going forward
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Uzytkownik
Guru
Guru


Joined: 31 Oct 2004
Posts: 399
Location: Bay Area, US

PostPosted: Thu Apr 27, 2017 6:30 pm    Post subject: hardened-sources going forward Reply with quote

Given that grsecurity stopped releasing patches post-4.9 what is the status of hardened-sources going forward?
_________________
I've probably left my head... somwhere. Please wait untill I find it.
Back to top
View user's profile Send private message
GSF1200S
n00b
n00b


Joined: 26 May 2010
Posts: 10

PostPosted: Thu Apr 27, 2017 7:30 pm    Post subject: Re: hardened-sources going forward Reply with quote

Uzytkownik wrote:
Given that grsecurity stopped releasing patches post-4.9 what is the status of hardened-sources going forward?

I too would be eager to know what the plan is.

That said, even if the project- or the grsecurity part of it- dies, I'm thankful for all the time I did have on it, and the efforts of the Gentoo hardened maintainers. Sucks for them too- they've put tons of time into this project and they're basically getting hosed upstream.

Alpine Linux forked grsecurity for their purposes I think awhile ago, though I'm not very sure of the details. I know that some features dont seem to work. For example, I cant get the deny new usb grsecurity module to work under my Alpine VM (says the sysctl value doesnt exist). Im unsure what other derivations exist- I cant get the checksec script to run for discovering grsecurity kernel configuration like I can on Gentoo. I might try building a kernel for Alpine if possible and see if I can get a bead on what security features are present. Alpine does build all packages fullrelro/canary/pie/fortify, they use PAX aslr, etc.
Back to top
View user's profile Send private message
Uzytkownik
Guru
Guru


Joined: 31 Oct 2004
Posts: 399
Location: Bay Area, US

PostPosted: Thu Apr 27, 2017 8:09 pm    Post subject: Re: hardened-sources going forward Reply with quote

GSF1200S wrote:
That said, even if the project- or the grsecurity part of it- dies, I'm thankful for all the time I did have on it, and the efforts of the Gentoo hardened maintainers. Sucks for them too- they've put tons of time into this project


While I am not that quick to judge upstream I am sorry if I gave impression that I am anything but grateful for the hard work.
_________________
I've probably left my head... somwhere. Please wait untill I find it.
Back to top
View user's profile Send private message
GSF1200S
n00b
n00b


Joined: 26 May 2010
Posts: 10

PostPosted: Thu Apr 27, 2017 8:23 pm    Post subject: Re: hardened-sources going forward Reply with quote

Uzytkownik wrote:
GSF1200S wrote:
That said, even if the project- or the grsecurity part of it- dies, I'm thankful for all the time I did have on it, and the efforts of the Gentoo hardened maintainers. Sucks for them too- they've put tons of time into this project


While I am not that quick to judge upstream I am sorry if I gave impression that I am anything but grateful for the hard work.

Oh no man.. I didnt mean it that way. You asked a question plenty of us who ran hardened have now.

I guess I am a little quick to judge upstream. Its gotta be hard putting over a decade in a product, giving it away for free, and only ever hearing feedback when people bitch. Still, upstream in this case hasnt always been civil either, and it has hit a number of communities pretty much all at once (Arch had a grsec kernel, Debian has one in Sid and backported to Jessie, Gentoo hardened, etc). I dont have a right to bitch though...
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2039

PostPosted: Thu Apr 27, 2017 11:52 pm    Post subject: Reply with quote

History and official announcements for those of you who don't know.

https://www.grsecurity.net/announce.php
https://grsecurity.net/passing_the_baton.php

I'm curious if it's possible to get the patches on an individual basis? I emailed them to find out how much it would cost.
Back to top
View user's profile Send private message
Jacekalex
Guru
Guru


Joined: 17 Sep 2009
Posts: 532

PostPosted: Fri Apr 28, 2017 12:00 am    Post subject: Reply with quote

The KSPP project remains:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

:?
Back to top
View user's profile Send private message
nbrogan
n00b
n00b


Joined: 15 Apr 2017
Posts: 5

PostPosted: Fri Apr 28, 2017 12:07 am    Post subject: Reply with quote

The best possible outcome of this would be an increased focus on the KSPP and hardening the kernel from upstream, but I'm not that hopeful that will happen.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2039

PostPosted: Fri Apr 28, 2017 12:08 am    Post subject: Reply with quote

Jacekalex wrote:
The KSPP project remains:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

:?


https://grsecurity.net/compare.php
Back to top
View user's profile Send private message
Jacekalex
Guru
Guru


Joined: 17 Sep 2009
Posts: 532

PostPosted: Fri Apr 28, 2017 12:13 am    Post subject: Reply with quote

1clue wrote:
Jacekalex wrote:
The KSPP project remains:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

:?


https://grsecurity.net/compare.php


So far, many users and hackers have ignored KSPP, because they had Grsec / Pax with very good support in the Grsec forum.
An old saying says that "nature does not tolerate a vacuum".
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3250

PostPosted: Fri Apr 28, 2017 12:16 am    Post subject: Reply with quote

1clue wrote:
Jacekalex wrote:
The KSPP project remains:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

:?


https://grsecurity.net/compare.php


I won't dispute what the table says, but I'm also sure that the items are selected to feature GRSecurity's advantages over the others. That said, I don't know how to create a neutral equivalent of such a table. One other thought... While KSPP may not be better than GRSecurity, AppArmor, or SELinux, it is better than a vanilla kernel. As I look at its recommendations, I think I might like to consider that on my next kernel builds.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3481
Location: Hamburg

PostPosted: Fri Apr 28, 2017 7:50 am    Post subject: Reply with quote

depontius wrote:
As I look at its recommendations, I think I might like to consider that on my next kernel builds.
+1
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 5751

PostPosted: Fri Apr 28, 2017 7:58 am    Post subject: Reply with quote

depontius wrote:
KSPP [...] is better than a vanilla kernel

Isn't it fully merged into vanilla kernel?
Back to top
View user's profile Send private message
rip_her_APART
n00b
n00b


Joined: 27 Mar 2016
Posts: 3

PostPosted: Fri Apr 28, 2017 10:26 pm    Post subject: Reply with quote

I feel so bad about this whole case. I don't know what to say or do :(
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 4526

PostPosted: Sat Apr 29, 2017 1:38 am    Post subject: Reply with quote

KSPP intends to upstream code, which a responsible professional would have done all along. Beware of "security industry" people who try to sell you a cure using FUD and then run away and hide when someone points out it's poison.
_________________
*.ebuild // /etc/service/*
Back to top
View user's profile Send private message
Sadako
Advocate
Advocate


Joined: 05 Aug 2004
Posts: 3788
Location: sleeping in the bathtub

PostPosted: Sat Apr 29, 2017 3:23 am    Post subject: Reply with quote

Ant P. wrote:
Beware of "security industry" people who try to sell you a cure using FUD and then run away and hide when someone points out it's poison.
There have been a number of major kernel exploits in recent years that were completely ineffective against properly configured grsecurity-patched kernels.

Say whatever else you want about these guys, but snake oil salesmen they are not.
_________________
"You have to invite me in"
Back to top
View user's profile Send private message
roki942
Apprentice
Apprentice


Joined: 18 Apr 2005
Posts: 261
Location: Seattle

PostPosted: Sat Apr 29, 2017 3:42 am    Post subject: Reply with quote

Could the money trail on this actually lead beyond grsecurity?

That may be a very stupid question but I have an abundance of them. :lol:
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 4526

PostPosted: Sat Apr 29, 2017 8:54 pm    Post subject: Reply with quote

Sadako wrote:
Ant P. wrote:
Beware of "security industry" people who try to sell you a cure using FUD and then run away and hide when someone points out it's poison.
There have been a number of major kernel exploits in recent years that were completely ineffective against properly configured grsecurity-patched kernels.

Say whatever else you want about these guys, but snake oil salesmen they are not.

They are. Their entire project is addressing a non-existent threat model only a demoscene wannabe sealed in an echo chamber for 20 years could dream up. Nobody bothers writing general purpose malware that targets the Linux kernel directly (except systemd), it's a million times easier to just abuse userspace.

Nobody gives a damn about root in this century when the contents of your dotfiles have monetary value and that unsecured wordpress install is all ready to relay spam.
_________________
*.ebuild // /etc/service/*
Back to top
View user's profile Send private message
rob_dot_p
n00b
n00b


Joined: 28 Jan 2017
Posts: 30

PostPosted: Sat Apr 29, 2017 10:55 pm    Post subject: Reply with quote

Ant P. wrote:

They are. Their entire project is addressing a non-existent threat model only a demoscene wannabe sealed in an echo chamber for 20 years could dream up. Nobody bothers writing general purpose malware that targets the Linux kernel directly (except systemd), it's a million times easier to just abuse userspace.

Abuse userspace, like exploiting memory corruptions of processes running in userspace to achieve arbitrary code execution?
Good thing that grsecurity helps alot with that, I guess.
Back to top
View user's profile Send private message
Nazzy
n00b
n00b


Joined: 26 May 2004
Posts: 34

PostPosted: Sun Apr 30, 2017 11:12 pm    Post subject: Reply with quote

Ant P. wrote:
Their entire project is addressing a non-existent threat model only a demoscene wannabe sealed in an echo chamber for 20 years could dream up. Nobody bothers writing general purpose malware that targets the Linux kernel directly (except systemd), it's a million times easier to just abuse userspace.

Nobody gives a damn about root in this century when the contents of your dotfiles have monetary value and that unsecured wordpress install is all ready to relay spam.


Sorry to report your assumptions are pretty much false. While userspace is certainly where they get in, privilege escalation is a good way to make sure you stay in.
Scriptkiddies might just want to pop wordpress installs and spam but not every attacker is that simplistic... the ones that are a real threat are interested in escaping whatever security you put in place and the kernel is the best vector for that. If your goal is to escape a virtualisation or containerised environment the kernel is pretty much your only vector.
People wanting to do botting, RAT, DoS, sip fraud, etc... the kind of threat that actually hoses you beyond reinstalling your wordpress instance is the kind of threat that cares about persistence in your environment, sometimes they care about locking you out if possible, and sometimes they care about making your life miserable.

Grsec and kernel hardening isn't about protecting against the idiots that litter obfuscated shells all over your out of date php webapp, making their life harder is just a useful byproduct.
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3250

PostPosted: Sun Apr 30, 2017 11:32 pm    Post subject: Reply with quote

mv wrote:
depontius wrote:
KSPP [...] is better than a vanilla kernel

Isn't it fully merged into vanilla kernel?


It has recommendations that I've never seen before. I'm saying that trying those recommendations will be better than the relatively vanilla kernels I've been using.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 4526

PostPosted: Mon May 01, 2017 7:06 pm    Post subject: Reply with quote

rob_dot_p wrote:
Ant P. wrote:

They are. Their entire project is addressing a non-existent threat model only a demoscene wannabe sealed in an echo chamber for 20 years could dream up. Nobody bothers writing general purpose malware that targets the Linux kernel directly (except systemd), it's a million times easier to just abuse userspace.

Abuse userspace, like exploiting memory corruptions of processes running in userspace to achieve arbitrary code execution?
Good thing that grsecurity helps alot with that, I guess.

I guess the line you ignored went right over your head. grsecurity does absolutely nothing to address exploits in most languages: Perl, Python, Bash, PHP, Ruby, C#, Java, Javascript, C+ASAN...
_________________
*.ebuild // /etc/service/*
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2039

PostPosted: Mon May 01, 2017 7:42 pm    Post subject: Reply with quote

Ant P. wrote:
rob_dot_p wrote:
Ant P. wrote:

They are. Their entire project is addressing a non-existent threat model only a demoscene wannabe sealed in an echo chamber for 20 years could dream up. Nobody bothers writing general purpose malware that targets the Linux kernel directly (except systemd), it's a million times easier to just abuse userspace.

Abuse userspace, like exploiting memory corruptions of processes running in userspace to achieve arbitrary code execution?
Good thing that grsecurity helps alot with that, I guess.

I guess the line you ignored went right over your head. grsecurity does absolutely nothing to address exploits in most languages: Perl, Python, Bash, PHP, Ruby, C#, Java, Javascript, C+ASAN...


Dude. It's kernel mods. Of course it does nothing to address exploits in most languages. Those exploits need to be dealt with in the language code not the kernel.
Back to top
View user's profile Send private message
NTU
Tux's lil' helper
Tux's lil' helper


Joined: 17 Jul 2015
Posts: 126

PostPosted: Tue May 02, 2017 1:33 am    Post subject: Reply with quote

FWIW, I've been working on splitting up the Grsecurity kernel patch blob into separate files, making it easier for other people to develop and work with, as well as solve merge conflicts with kernel releases not supported by the grsecurity team.

I've also been working on splitting up the KSPP patches and backporting hardened usercopy, ASLR, and virtually mapped kernel stacks to kernel 4.4, please note this is all a work-in-progress and not complete.

KSSS (my unsupported patchset I've gathered from 4.9) is the furthest along on ARM64, but will also support ARM and x86 platforms as well.

The patch collection for my fork that I've been working on can be found here, again these are specifically for kernel 4.4:

https://github.com/NTULINUX/kernel-patches/tree/master/security_backports

The patch collection for grsecurity will be posted when it is further along. I have already contacted spender and some of his buddies and was immidiately attacked in his IRC channel. Him and his team strongly advised against me doing such a thing, I hope that my efforts though aren't the cause of the shutdown of Grsecurity as that was not my goal, but rather to make it's code base much easier to work with. I wasn't even aware of the shutdown until I saw this thread, I've been too busy working on my own things.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 11426

PostPosted: Tue May 02, 2017 1:54 am    Post subject: Reply with quote

Generally, it's true that it does not help as much against scripting language exploits, but some of the grsecurity features focus more on making it painful or impossible to do security-unwise things. For example, Trusted Path Execution and the chroot restrictions cause the grsecurity kernel to deny certain system calls that a vanilla kernel would allow. In theory, these actions should never be done on a secure system. They do err on the side of caution (or perhaps even paranoia) in that those calls are not automatically a sign of a security breach - but some security breaches are easier to conduct if those calls are allowed. For TPE, denying the ability to execute non-root non-self files is a defense against an insecure $PATH, which can affect any language.
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 5751

PostPosted: Mon May 08, 2017 1:36 pm    Post subject: Reply with quote

Hu wrote:
denying the ability to execute non-root non-self files is a defense against an insecure $PATH

It is much more: It means that even if some intruder gets unlimited access as an untrusted user (and can modify that user's $PATH however he likes), he is not able to produce code which he can execute as a binary, thus making it much harder to obtain more privileges by some exploit.

Edit: Made the formulation clearer.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum