Message-ID: <200308141624.11289.steve@stevesworld.hopto.org>
From: steve at stevesworld.hopto.org (Stephen Clowater)
Subject: Re: Buffer overflow prevention

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On August 14, 2003 03:36 pm, you wrote:
> > From: Stephen Clowater [mailto:steve@...vesworld.hopto.org]
> > Sent: 14 August 2003 13:12
> > Subject: Re: Buffer overflow prevention
>
> [SNIP]
>
> > GRsecurity is a kernel patch which allows such things as random
> > memalloc bases and random tcp stacks, as well as a non-executable
> > stack if you can manage this (not to mention a utility to change the
> > PAX flags for individual binaries that may need an executable stack).
> > This would work much better because it doesn't need to be compiled
> > into anything but the kernel.
> >
> > If you turn on GRsecurity's randomizations for memory addresses and
> > tcp stacks (which I have tested, you can do this safely without
> > breaking any software). If you do this, then an attacker trying to
> > overflow a return address has a 1 in 2^32 chance of the exploit
> > actually overflowing the address. You can do this and not have any
> > impact on speed, and all of your software is protected with this
> > level without having to recompile with a gcc flag.
>
> If I remember correctly, the GRsec patch is a single option in the kernel
> config. I heard about some problems induced by GRsec so I didn't compile it
> with the kernel. Is it possible to select different parts of the patch
> (like the random tcp stacks), independently of the rest of GRsec? Or, even

There are some problems with some applications with parts of the patch. For 
example, turning on the non-executable stack will break anything that uses 
an executable stack, i.e. X, java, or wine; now you can use chpax and give 
each of these a non-executable stack. There are also some problems with the 
way grsecurity gets a little too restrictive with things like restricting 
filesystems etc. All of these can be overcome; however, you need to do some 
magic to get some of these things to work, and frankly, some of it really 
isn't worth it. 

There are several options inside the grsecurity patch that you can choose.

What you can safely turn on in GRsecurity without breaking anything is:
- -Address Space Protection
  -Address Space Layout Randomization
    -Randomize kernel stack base
    -Randomize user stack base
    -Randomize mmap() base

- -Filesystem Protections
  Everything under this option is safe to include

- -Kernel Auditing
  Everything under this option is safe to include

- -Executable Protections
  Everything under this option is safe to include except:
   -Partially restrict non-root users

- -Network Protections
  Everything under this option is safe to include

- -Sysctl support
 This is useful to enable, but not necessary


Compile everything statically and you should be fine. 

I have tested this on production servers, and desktop boxes en masse, and it's 
come out fine for x86 and sparc. I haven't tried it on ppc but for the most 
part it is safe, and it is also safe for production environments.

> it shouldn't cause a problem on a production server?

In Gentoo, gentoo-sources is a very nice package; it already has Grsecurity 
patched properly for you, and you may want to include POSIX ACLs, and the 
crypto-loop stuff.

Mount your filesystems with -o acl,user_xattr and merge acl, and you can use 
setfacl and getfacl to set/view control lists on each individual file in your 
filesystems (after you include POSIX ACL lists).

- -- 
- -

******************************************************************************
Stephen Clowater

... though his invention worked superbly -- his theory was a crock of sewage
from beginning to end.
		-- Vernor Vinge, "The Peace War"

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){

#ifdef _REALITY_
char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? 
                                                      /dev/null:/dev/random);
#endif

#ifdef _POLITICALY_CORRECT_
char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif

#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
cout << "Sending Income Data From Hard Drive Now!\n";
System("dd if=/dev/urandom of=/dev/hda");
#endif

return Meaning_of_your_life;

}

*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/O+HXcyHa6bMWAzYRAofxAKCNd+fu8yV6hFVZqjoOxoJEZmpbwgCffied
egTteYNbcKO2pso+ZJemhoc=
=V6z4
-----END PGP SIGNATURE-----
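The stack and mmap() base randomization options listed in the message can be verified from user space by comparing the memory maps of two freshly started processes. The following shell script is an added example for that check; it is not code from the message, from grsecurity or from PaX. It assumes a Linux /proc with the usual /proc/PID/maps layout and a dynamically linked cat (so a libc mapping stands in for the mmap base); the function names and the maps snapshots used for testing are constructed here.

```sh
#!/bin/sh
# Added example (not from the original message): observe whether the stack
# and mmap bases of freshly started processes change from run to run, which is
# what the "Randomize user stack base" and "Randomize mmap() base" options in
# the message (and mainline ASLR today) are meant to provide.

# Print the start address of the [stack] mapping from maps-format text on
# stdin; prints nothing if there is no such line.
stack_base() {
    awk '$NF == "[stack]" { split($1, a, "-"); print a[1]; exit }'
}

# Print the start address of the first C library mapping (used here as a
# stand-in for the mmap base) from maps-format text on stdin.
libc_base() {
    awk '$NF ~ /libc[-.]/ { split($1, a, "-"); print a[1]; exit }'
}

# Compare two maps snapshots held in the files $1 and $2.
# Returns 0 if both the stack base and the libc base differ, 1 otherwise
# (including when either address is missing from the first snapshot).
bases_differ() {
    s1=$(stack_base < "$1"); s2=$(stack_base < "$2")
    l1=$(libc_base < "$1");  l2=$(libc_base < "$2")
    [ -n "$s1" ] && [ -n "$l1" ] && [ "$s1" != "$s2" ] && [ "$l1" != "$l2" ]
}

# Live check: every cat is a new process, so /proc/self/maps read by cat shows
# where the kernel placed that particular process. Prints "randomized" if the
# two placements differ and "fixed" otherwise.
aslr_live_check() {
    t1=$(mktemp); t2=$(mktemp)
    cat /proc/self/maps > "$t1"
    cat /proc/self/maps > "$t2"
    if bases_differ "$t1" "$t2"; then echo randomized; else echo fixed; fi
    rm -f "$t1" "$t2"
}

# Usage: sh aslr_check.sh check
if [ "${1:-}" = "check" ]; then
    aslr_live_check
fi
```

Running the live check a handful of times and comparing which hex digits of the stack and libc addresses actually change is a quick way to see how many address bits the kernel randomizes on a given box; a result of "fixed" means the feature is off (or a statically linked cat, for the libc half of the test).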

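The message's closing advice, mounting with -o acl,user_xattr and then using setfacl and getfacl, can be turned into a small check. The script below is an added example, not code from the message or from the acl package: it reads /proc/mounts-style lines to confirm the mount options are present, and grants a single user read access to a file through an ACL and reads the entry back. It assumes the acl user-space tools (setfacl, getfacl with its --omit-header option) are installed; the mount lines used in the test and the user name "nobody" in the demo are constructed values.

```sh
#!/bin/sh
# Added example (not from the original message): verify the mount options the
# message recommends and exercise setfacl/getfacl on one file.

# Read /proc/mounts-style lines on stdin and print the option field of the
# entry whose mount point is $1; prints nothing if there is no such entry.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Return 0 if the entry for mount point $1 (lines on stdin) lists both the
# "acl" and "user_xattr" options, 1 otherwise.
mount_supports_acl() {
    opts=$(mount_opts "$1")
    case ",$opts," in
        *,acl,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,user_xattr,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Grant user $2 read-only access to file $1 via an ACL entry and confirm the
# entry appears in getfacl output. Returns 0 on success, 1 if the ACL could
# not be set or read back, 2 if the acl tools are not installed.
grant_read_acl() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    setfacl -m "u:$2:r--" "$1" || return 1
    getfacl --omit-header "$1" 2>/dev/null | grep -qx "user:$2:r--"
}

# Usage: sh acl_check.sh demo
if [ "${1:-}" = "demo" ]; then
    if mount_supports_acl / < /proc/mounts; then
        echo "/ is mounted with acl,user_xattr"
    else
        echo "/ does not list acl,user_xattr in /proc/mounts"
    fi
    f=$(mktemp)
    grant_read_acl "$f" nobody; echo "grant_read_acl returned $?"
    rm -f "$f"
fi
```

The mount check mirrors the explicit -o acl,user_xattr the message asks for; on recent kernels ext4 enables ACLs by default and /proc/mounts need not show the option, so a missing option there does not by itself mean ACLs are unavailable, and the grant_read_acl result is the more direct test.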
