osdir.com
mailing list archive F.A.Q. -since 2001!



Subject: Re: Questions about No Execute and security -
msg#00050

List: linux.gentoo.amd64

Mail Archive Navigation:
by Date: Prev Next Date Index by Thread: Prev Next Thread Index

On 6/10/2005 15:06:44, Marco Matthies (marco-ml@xxxxxxx) wrote:
> Apparently, you can use repeated jumps to libc to slowly fill the
> registers with values you need for your finall call to libc, which would
> then run a "/bin/bash", "rm -rf /" or whatever via system() -- at least
> that's what i understood.

This is called a 'return to libc' attack; there are plenty of good explanations
available on the net, googling for "return to libc" should pick some up.
Phrack have some easy-to-read examples (phrack.org).

Protecting the stack against execution prevents trivial exploitation of buffer
overflows that simply inject shellcode onto the stack. PaX kernels make a good
job of this, and also keep the stack NX even when gcc has generated trampolines
(little bits of code that it puts on the stack, calculated at runtime).
RedHat's ExecShield isn't quite so strict, and allows any application that uses
trampolines to have executable stack; instead RedHat remove trampolines where
they can to reduce the need for executable stack.

However the stack is where return addresses from function calls are stored;
overwriting these changes the program execution flow and can be exploited
without tripping no-execution protections on the stack. A return-to-libc
attack could be considered "harder" than a traditional trivial overflow
exploit, but the fact remains they work so whether it's more work or not to
exploit is irrelevant. They're also very useful for exploiting heap overflows,
by redirecting program flow to heap data overwritten with shellcode from a
previous heap buffer overflow. A PaX kernel makes these attacks a lot harder
by randomising the addresses at which applications, libraries and stacks are
located, and by default making heap space non-executable. Randomisation means
the attacker has to find out where libc is, without crashing the victim
process, and the NX heap means heap overflows become much less usef
ul to the attacker.

Also helping protect against return-to-libc attacks is the stack smashing
protector. This attempts to detect corruption of the stack by adding canaries
such that any stack overflow would overwrite the canary as well as the return
address; functions automatically check the canary before using the return
address on the stack and abort the process if the canary is dead. You'll see
more stuff in the linux press about it now, as RedHat have worked up a new
implementation that has been incorporated into GCC main trunk.

> I'm no security expert -- i know the basics about how these exploits
> work, but have never cared to get into all the hairy details, so here
> are my questions:
>
> Do we currently have address space layout randomization on amd64 (or
> other archs), and will it actually help in these sort of attacks?
> I saw a mention of adding it to the kernel in [3], has that gone through?

For ASLR (Address Space Layout Randomisation) you need a PaX-enabled kernel;
emerge hardened-sources and try it out. You need to switch on a bunch of
grsecurity stuff for it to be effective (in particular the
/proc/<pid>/[maps|stat] restrictions), and to take advantage of ASLR on
applications you need them to be built as PIEs (Position Independent
Executables). You will also need to avoid prelinking, as prelink causes all
the load addresses of shared libraries to be fixed into predictable locations
by its very nature.

> Do we have stack-smashing protection, and can this actually help against
> return to libc attacks? Judging from the gcc USE flags, it seems to be
> there at least -- is it also activated automatically?

It is switched on automatically if you use the hardened compiler, as is
building PIEs, and support is built-in to glibc. You should be able to switch
to the hardened compiler using gcc-config (you probably don't need to rebuild
gcc - the only thing 'USE=hardened' does when building gcc is to change which
compiler is selected by default after installation, and the names of the
compilers).

> I'm currently reading up on all this stuff, as well as looking at the
> hardened profile and all the other gentoo security stuff, but if anyone
> has a quick answer to my questions i'd be very grateful!

There are some docs on www.grsecurity.net and pax.grsecurity.net you may want
to read as well.

Kev.



--
gentoo-amd64@xxxxxxxxxx mailing list

Thread at a glance:

Previous Message by Date:

Re: Questions about No Execute and security

Hi, the following is imho, afair and probably wrong. to do this fancy jump-around stuff, you need to know exactly where which snippet resides in ram - one error and all your work is lost. So, and because on gentoo everything is compiled by yourself with a little bit different setting like the next gentoo user, it is a lot harder to guess the correct adresses. Not like the binary distributions, where one is laid out like the other. -- gentoo-amd64@xxxxxxxxxx mailing list

Next Message by Date:

Re: Questions about No Execute and security

On 6/10/2005 10:16:49, Richard Freeman (rich@xxxxxxxxxxxxxxxxxx) wrote: > Too bad the latest firefox upgrade filters out -fstack-protector... This is because the stack-protector isn't perfect, and can cause the compiler to generate incorrect code or fail to compile completely. In the case of firefox the stack protector either causes gcc to generate broken code or to fail compilation. However now that stack protection is going more mainstream with heavyweight distros like RedHat actively pursuing it (they've rewritten it from scratch for 4.x), we can expect its reliability to improve in the long term. > I don't run hardened per-se, but I do use stack-smashing protection. If by using stack-smashing protection you mean you've stuck '-fstack-protector' in your make.conf CFLAGS, it's recommended that you remove that and switch to using the hardened compiler (gcc-config is your friend). The hardened compiler goes through some hoops to avoid the stack protector in the most obvious places it shouldn't be enabled (for example executables that don't link to glibc), but putting it in CFLAGS is indiscriminate and will definitely cause breakage. > I'm not sure why it isn't a default-supported config on gentoo. A fair > number of ebuilds don't work with it. You've answered your own observation there - the reason non-hardened (i.e. default) Gentoo doesn't use the stack protector is that it causes too much breakage. There are also people who would rather not pay the (small) speed penalty the stack protector incurs, and even some people who believe that the stack protector should not be used instead the buffer overflows should be fixed (how they expect to find all such bugs I have never ascertained). As far as "supported" goes - well, ssp and ASLR are supported by the hardened project http://www.gentoo.org/proj/en/hardened/ on architectures for which we are confident it works reasonably well. > We also used to have the > grsecurity patches in gentoo-sources, but I don't think this is the case > anymore. You'll find the grsecurity patches in the hardened-sources kernel. The grsecurity patches lag somewhat behind the kernel mainline, so they're not suitable for gentoo-sources. > It seems odd that these aren't standard gentoo features. That would > probably give them more widespread support rather than devs just looking > at you funny when you mention having something other than -O2 in your > CFLAGS. Well, the situation is always improving but generally speaking the hardening causes too much breakage to be made a default. With regards -O2, we've seen a fair amount breakage when combining -fstack-protector and -O3, which is why we (hardened) generally recommend -O2 rather than -O3. Maybe the 4.0 series ssp will be more consistent, but we'll have to wait and see. > Other than for debugging is there any reason not to have > stack-smashing protection and address-space randomization? SSP doesn't cause any particular problem for debugging. Address-space randomisation does a little, but you just need to link -pie and switch off the PaX memory protection for the executable you want to debug. Kev. -- gentoo-amd64@xxxxxxxxxx mailing list

Previous Message by Thread:

Re: Questions about No Execute and security

On Thursday 06 October 2005 23:17, Tres Melton wrote: > On Thu, 2005-10-06 at 22:40 +0200, Marco Matthies wrote: > > Hemmann, Volker Armin wrote: > > > I got 0x2aaaaabc1000 on my machine, i would be interested to know what > > > > > > 0x2aaaaabc3000 > > > <snip> > > > > Thanks for the reply. > > And now that I know what addresses to use in my script... > > JK > -- > Tres Melton > IRC & Gentoo: RiverRat I wish you good luck to get any code onto my machine - with no service running that is listening to any ports, most ports filtered in the control room, and me only using ebuilds ;) -- gentoo-amd64@xxxxxxxxxx mailing list

Next Message by Thread:

Re: Questions about No Execute and security

Hi Kevin, thanks for all the info, i'll give gentoo-hardened a go in the next few days. Cheers, Marco -- gentoo-amd64@xxxxxxxxxx mailing list
blog comments powered by Disqus

Home | News | Sitemap | FAQ | advertise | OSDir is an Inevitable website. GBiz is too!