Differences between revisions 1 and 2
Revision 1 as of 2007-07-07 21:49:19 (size 94, editor MoritzMuehlenhoff, comment: Initial entry)
Revision 2 as of 2007-10-11 00:16:31 (size 4478, editor KeesCook, comment: initial discussion dump)
= Mitigation Methods =

== User Space ==

=== Stack Protector ===

gcc's -fstack-protector places a canary word between a function's local buffers and its saved frame pointer/return address, checks it before the function returns, and aborts the program (through libc's __stack_chk_fail) if it has been overwritten. Ubuntu has had this enabled by default since Edgy. [https://wiki.ubuntu.com/GccSsp Some programs] do not play nice with it, and can be worked around with -fno-stack-protector. It would be nice to enable this by default in gcc, but gcc would then have to apply it only when libc is being linked against: the canary value and the abort handler live in libc, so freestanding code (kernels, boot loaders, anything built with -nostdlib) has to supply its own or the link fails.

Already done in sendmail.

=== heap protection ===

glibc's malloc already ships with its consistency checks enabled by default (glibc 2.5 has them; the unlink pointer checks and double-free detection are what most heap exploits trip over), so no additional packaging work is needed. Setting MALLOC_CHECK_=3 in the environment turns on the slower, more thorough checking for debugging.

=== libc pointer encryption ===

Pointer mangling (the PTR_MANGLE/PTR_DEMANGLE macros) XORs saved code pointers, such as the registers in a setjmp/longjmp jmp_buf and the atexit handler list, with a per-process secret and rotates them, so an attacker who can overwrite one of them cannot redirect control without also knowing the secret. Making its way into mainline glibc, unsure of current state.

=== gcc -D_FORTIFY_SOURCE=2 -O2 ===

Replaces calls to memcpy, strcpy, sprintf and friends with bounds-checked variants (__memcpy_chk and the like) wherever gcc can determine the size of the destination object through __builtin_object_size: overflows with constant lengths are rejected at compile time, the remaining ones abort at run time through __chk_fail. It only does anything at -O1 or higher, hence the -O2. Level 2 additionally refuses %n in format strings that live in writable memory. No known regressions or performance loss. This should be enabled system-wide.

=== gcc -Wformat -Wformat-security ===

(The flag is spelled -Wformat-security and only takes effect together with -Wformat.) It warns whenever a format string is not a string literal and no format arguments follow it, i.e. the printf(buf) pattern. Not all programs correctly declare their printf-like wrappers with __attribute__((format(printf, ...))) (which is what [http://developer.gnome.org/doc/API/2.0/glib/glib-Miscellaneous-Macros.html glib's G_GNUC_PRINTF macro] expands to), so calls through undeclared wrappers are missed, but adding this will at least call out simple printf format string vulnerabilities. Any programs whose builds become "noisy" as a result should be fixed anyway.

=== gcc -pie ===

This is especially difficult to plumb into packaging in a safe way: every .o that ends up in a -pie link must have been compiled with -fPIE (or -fPIC), and a stray non-PIC object either fails the link with a relocation error (amd64) or silently produces text relocations (i386). There is some amount of performance loss, but only due to the position-independent code generation (chiefly the reserved GOT register on i386; on amd64 it is close to zero), which is already true for all the linked libraries.

Already done with openssh, sendmail.

=== gcc -z relro ===

Passed to the linker as -Wl,-z,relro. The dynamic loader then marks the relocated data (.dynamic, .got, .ctors/.dtors) read-only once relocation has finished, removing the usual overwrite targets. Lazy binding keeps .got.plt writable, so the full benefit needs -Wl,-z,relro,-z,now, which resolves every symbol at startup and then protects the whole region, at the cost of slower program start. Already done with sendmail.

== Kernel Space ==

=== non-exec memory segmentation (ExecShield) ===

Stops execution of code in heap/stack. i386 specific (nx already does this for amd64, and for i386 CPUs that have NX when running a PAE kernel): it approximates NX on CPUs without it by pulling the code segment limit down to just above the highest executable mapping, so nothing mapped above that limit can be executed. It introduces some small level of performance loss (5% for CPU-bound). Some people have worked on getting it pushed into the mainline kernel. Current state unknown; it would be very handy to have due to the popularity of i386. Marcus Better may be willing to continue to maintain the patchset for Debian.

Some applications appear to break when run in the protected memory layout. Most of these issues should already be fixed, since RH (and SUSE?) run with these protections.

Additional work for user-space is identifying programs that build assembly but fail to explicitly mark their stack as non-exec (gnupg, for example). An object assembled from a .S/.s file without a .note.GNU-stack section is taken by ld to require an executable stack, and that one object turns the whole binary's PT_GNU_STACK into RWE. The fix is to add `.section .note.GNU-stack,"",@progbits` to the assembly source (or assemble with -Wa,--noexecstack); `readelf -lW binary | grep GNU_STACK` shows the result.
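The three link-time properties above (-pie, -z relro, and the PT_GNU_STACK marking) can all be read straight out of the ELF header and program headers. The checker below is an added example written for this page, not a Debian or Ubuntu tool; it handles ELF64 only and uses nothing beyond Python's struct module. The images produced by build_sample are constructed inputs that carry just the headers being inspected, not loadable binaries.

```python
"""Report the link-time hardening properties of an ELF64 binary.

Reads only the ELF header and program headers: e_type tells PIE from
non-PIE, PT_GNU_STACK carries the executable-stack flag, and PT_GNU_RELRO
marks the region the loader makes read-only after relocation.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552   # range to mprotect read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:                         # EI_CLASS: 2 = ELFCLASS64
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        # p_type and p_flags are the first two words of an ELF64 Phdr
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data):
    """Map the properties discussed on this page to booleans."""
    e_type, phdrs = parse_elf64(data)
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    relro = [flags for ptype, flags in phdrs if ptype == PT_GNU_RELRO]
    return {
        # -pie produces ET_DYN; only ET_DYN gets a randomised load address
        "pie": e_type == ET_DYN,
        # An RWE PT_GNU_STACK (from unmarked assembly) or no PT_GNU_STACK at
        # all (old linker; the x86 kernel then defaults to executable) both
        # mean an executable stack.
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
        # -z relro: the loader mprotects this range read-only after relocation
        "relro": bool(relro),
    }


def build_sample(e_type, stack_flags=None, with_relro=False):
    """Constructed test input: an ELF64 header plus the program headers we
    inspect, and nothing else.  It is not a loadable binary."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0,          # e_type, EM_X86_64, e_version, e_entry
        64, 0, 0,                  # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdrs),        # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, hardening_report(fh.read()))
```

Run it as `python3 elfcheck.py /usr/sbin/sshd` to see the same three answers readelf gives. The compile-time protections are not visible in the headers; whether -fstack-protector and _FORTIFY_SOURCE actually took effect shows up as references to __stack_chk_fail and the __*_chk functions in `nm -D binary`.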

=== -fstack-protector ===

The kernel cannot use libc's canary or abort handler, so it carries its own (a per-CPU canary and its own __stack_chk_fail). It is available for amd64 builds:

 * CONFIG_CC_STACKPROTECTOR

=== runtime memory allocation validation ===

Detect double-frees and use-after-free in the kernel allocators. The existing CONFIG_DEBUG_SLAB poisoning and redzoning catches these, but it is a debug option with a noticeable cost, not a production hardening. No idea where a cheap, always-on version stands.

=== Address Space Layout Randomization ===

 * mmap: in mainline
 * stack: in mainline
 * vdso: in since 2.6.18 (COMPAT_VDSO disables it)
 * heap/exec: in -mm, scheduled for 2.6.24

The run-time switch is sysctl kernel.randomize_va_space (0 disables it). Randomising the executable's own load address only applies to ET_DYN binaries, which is what -pie produces; a normal ET_EXEC binary stays at its fixed link address whatever the kernel does. So having heap/exec ASLR is a prerequisite for -pie being useful. Presently, openssh is compiled with -pie.

=== /proc/$pid/maps protection ===

Present in 2.6.22, requires sysctl toggle (kernel.maps_protect = 1). With it set, /proc/$pid/maps (and smaps) is readable only by processes allowed to ptrace the target, so a local attacker cannot simply read another process's randomised layout out of /proc to defeat ASLR.

=== /dev/mem protection ===

Restricts /dev/mem (and /dev/kmem) so that even root can reach only device memory ranges, not arbitrary kernel RAM, which closes the standard rootkit path of patching the running kernel through /dev/mem. Not sure where it stands for mainline inclusion.

=== link protections ===

From the GRSecurity patchset, protections against hardlink/symlink creation/following in world-writable sticky directories: a symlink in such a directory is followed only if the follower owns it or the symlink's owner also owns the directory, and a hardlink can only be created to a file the caller owns. (Solves the /tmp races behind most symlink-attack CVEs.) May potentially break things like postfix that manipulate hardlinks. It deviates from POSIX, so getting it taken into mainline may only be possible with a build-time or /proc toggle. (The same rules were eventually merged in Linux 3.6 as the fs.protected_symlinks and fs.protected_hardlinks sysctls.)

[http://lkml.org/lkml/2005/3/10/101]
[http://lkml.org/lkml/2005/4/18/167]

=== chroot, dmesg, fifo protections ===

Also from the GRSecurity patchset: restrictions on what a chrooted process may do (no escaping by a second chroot, no mknod, no mounting, no ptrace of processes outside the chroot), limiting dmesg to root so that kernel addresses and oops output are not readable by every local user, and refusing to open FIFOs in world-writable sticky directories that the caller does not own (the same /tmp race as above, via named pipes).

== Build Changes ==

=== Integrated build variables ===

Need to be able to enable/disable compile-time protections via debian/rules elements, with one switch per protection so that a package with a known regression can drop exactly that one instead of all hardening:
 * -fstack-protector
 * -Wl,-z,relro
 * -fPIE / -pie
 * -D_FORTIFY_SOURCE=2 -O2
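One way such switches could look inside debian/rules (which is a makefile), as an added illustration for this page rather than an existing Debian interface; the HARDEN_* variable names are hypothetical. Each protection gets its own variable, defaulting on except -pie, which every object in the package must be built for.

```make
# Illustrative debian/rules fragment; HARDEN_* names are hypothetical.
# One switch per protection so that a package with a known regression
# can turn off exactly one of them (e.g. HARDEN_SSP=no) instead of all.
HARDEN_SSP     ?= yes
HARDEN_FORTIFY ?= yes
HARDEN_RELRO   ?= yes
HARDEN_PIE     ?= no    # opt-in: every .o must be -fPIE for the final -pie link

HARDEN_CFLAGS  :=
HARDEN_LDFLAGS :=

ifeq ($(HARDEN_SSP),yes)
HARDEN_CFLAGS  += -fstack-protector
endif
ifeq ($(HARDEN_FORTIFY),yes)
# _FORTIFY_SOURCE does nothing below -O1, so the -O2 is part of the switch
HARDEN_CFLAGS  += -O2 -D_FORTIFY_SOURCE=2
endif
ifeq ($(HARDEN_RELRO),yes)
HARDEN_LDFLAGS += -Wl,-z,relro
endif
ifeq ($(HARDEN_PIE),yes)
HARDEN_CFLAGS  += -fPIE
HARDEN_LDFLAGS += -pie
endif

# -Wformat-security is warnings only, so it is always on
CFLAGS  += -Wall -Wformat -Wformat-security $(HARDEN_CFLAGS)
LDFLAGS += $(HARDEN_LDFLAGS)

build-stamp:
	$(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
	touch $@
```

Packages whose upstream build ignores LDFLAGS need the -Wl options folded into CFLAGS instead, which is exactly the kind of per-package plumbing that makes -pie the hardest of the four to roll out.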

== Documentation ==
 * [http://people.redhat.com/drepper/nonselsec.pdf Drepper, Security Enhancements in Red Hat Enterprise Linux (beside SELinux)]
 * [http://www.suse.de/~krahmer/no-nx.pdf Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique]
 * [http://www.neworder.box.sk/newsread.php?newsid=13007]
 * [http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=15604&mode=thread&order=0&thold=0]
 * [http://www.phrack.org/archives/58/p58-0x04 Nergal, The advanced return-into-lib(c) exploits: PaX case study (Phrack 58)]
 * [http://insecure.org/sploits/non-executable.stack.problems.html Solar Designer, Getting around non-executable stack (and fix)]
 * [http://www.phrack.org/archives/59/p59-0x09.txt Tyler Durden, Bypassing PaX ASLR protection (Phrack 59)]
 * [http://www.coresecurity.com/files/attachments/Richarte_Stackguard_2002.pdf Richarte, Four different tricks to bypass StackShield and StackGuard protection]

There will be more content soon.
