[ubuntu-hardened] Re: Collecting NX information
John Richard Moser
nigelenki at comcast.net
Tue Mar 29 01:53:15 CST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Arjan van de Ven wrote:
>>You need to consider that in the end I'd need PT_GNU_STACK to do
>>everything PaX wants
> Why not have independent flags for independent things?
> That way you have both cleanness of design and you don't break anything.
In the end I want to fine-tune for what the best behaviors are, and then
define exactly what the flags should do.
Right now, my rough sketch is:
ON: ET_EXEC enforced. Stack NX. Heap NX. Code PROT_EXEC.
OFF: Stack and heap default to +X
The PAGEEXEC flag will basically mandate the automated non-executable
setting for the stack and heap. When off, these areas are executable
(like when PT_GNU_STACK is on)
ON: Trampolines (in NX stack) and PLT will be detected and emulated
OFF: Stack needs to be +X for trampolines to work
The EMUTRAMP flag will basically allow certain known exceptional
conditions to be trapped and allowed somehow automatically. This
includes mainly nested functions on a non-executable stack, and parisc
procedural linkage tables (binutils patch can fix these apparently).
This is off by default in hardmode, but on by default in soft or
compatibility mode if PAGEEXEC is manually on.
ON: stack, heap, mmap() base randomized
OFF: Nothing is randomized in memory
RANDMMAP should probably be called "RANDADDR" instead. When set, the
kernel randomizes anything that can be randomized in the address
space (support determining).
ON: Fixed-position things are also randomized
OFF: Fixed-position things are at fixed positions
RANDEXEC allows things that normally can't be placed randomly to be
placed randomly if hacks exist to do it. Any hacks 100% safe that
don't cause excess overhead are for RANDMMAP; any that may cause
instability or excessive overhead go under RANDEXEC. OFF BY DEFAULT
in any mode.
ON: Enforce certain mprotect() restrictions
OFF: Normal mprotect() restrictions
A certain defined set of transitions and creation states are banned
when this is on. PaX has these now, nobody else has them and
apparently nobody else wants them.
Absolutely no effect, reserved for PaX or anything else that
implements PaX' specific SEGMEXEC emulation method.
Obviously mainline and ES won't do anything with RANDEXEC, MPROTECT, or
RANDMMAP will be useful to control ES and mainline ASLR (on-off switch).
PAGEEXEC being OFF will act exactly like PT_GNU_STACK being ON for
mainline and ES.
EMUTRAMP. . . I think I've got a patch for trampoline emulation, which
should let red hat use Exec Shield with fewer PT_GNU_STACK markings.
Mainline should benefit from this too. It feels like porting this was
way too easy, so I'll ask pipacs to give it a quick look.
I also don't have a soft/hard mode for mainline. I expect that mainline
will be more into making softmode (compatibility mode) into a
personality, which makes sense for softmode shells (which I've needed
before, i.e. to compile mono without softmoding my whole system).
Soft/Hard mode controls what flags are set by default. Each flag has
ON/OFF/NEUTRAL settings (thus each is 2 bits).
MF_PAX_PAGEEXEC, MF_PAX_RANDMMAP, MF_PAX_MPROTECT
(MF_PAX_EMUTRAMP if MF_PAX_PAGEEXEC is ON)
>>The point is
>>to not break anything, yet to still make things easier for those
>>projects and distributions like Hardened Ubuntu.
> to achieve that you need to get the toolchain to omit this stuff
> automatically somehow.
And there's a patch for binutils that Gentoo uses. Ubuntu can use it too.
Remember that the way I'm doing it, PT_GNU_STACK is used if there is no
PT_PAX_FLAGS header. Distributions not using PT_PAX_FLAGS will not care
about the kernel's ability to read PT_PAX_FLAGS, because it will still
behave the same with PT_GNU_STACK. In other words, if Red Hat updated
the kernel with this stuff today (assuming it's non-buggy), it won't do
shit, and Fedora will still work exactly as expected.
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the ubuntu-hardened