note: this grimoire is not maintained anymore!

draft by Thomas Houssin

Creation of this grimoire was decided in bug #8670. The Hardened Grimoire is currently work in progress. It's usable, but there are probably some bugs left.

Quickstart

Adding the hardened grimoire

The hardened grimoire is not a full grimoire. It redefines several spells, to add new patches, features, etc. That's why you still need a full grimoire (test, stable-rc or stable) behind the hardened grimoire.

To begin to use the hardened grimoire, just do scribe add hardened. scribe index should then give you something like :

 [0] : hardened : /var/lib/sorcery/codex/hardened
 [1] : test : /var/lib/sorcery/codex/test
 [2] : z-rejected : /var/lib/sorcery/codex/z-rejected
 [3] : games : /var/lib/sorcery/codex/games

Choosing the features

Then cast the hardened-profile spell. It'll let you choose various features.

This will then trigger a run_script, to recast needed spells based on your choices. Do not try to avoid this step, or it may lead to a broken box. If you choose to use SSP and/or PaX, it's a good idea to rebuild everything to benefit of the protection, and and ensure everything will work as expected. sorcery rebuild is a good way... You can then rebuild your kernel.

Rebuilding the kernel

To rebuild the kernel, recast linux : cast -r linux. Latest supported kernel is version 2.6.11.12 (only 2.6 kernel is supported).

The following patches are available :

• frandom: it's a very good idea to apply this one. This will create to additional devices : /dev/erandom and /dev/frandom, used to generate random numbers. They're used in several places, including SSP. Not using this patch will not break anything, but will probably slow down the box. Do not forget to make /dev/erandom and /dev/frandom world-readable. If you're using udev, create a file 00-local.rules in /etc/udev/rules.d with :

    # permissions
    KERNEL="erandom", OWNER="root", GROUP="root", MODE="0644"
    KERNEL="frandom", OWNER="root", GROUP="root", MODE="0644"

• grsecurity: apply this one if you want to use the additional features provided by grsecurity or PaX.

Available features

PIE

By default, gcc and g++ use special specs. gcc -fPIC, ld -pie, and cpp -D_PIC -DPIC are used by default to build dynamical programs. -z relro and -r now are also user by default. Moreother, if you choose to use SSP, -fstack-protector-all can also be used by default. Unsupported flags are disabled in the spells. If you find a spell where it should, please report a bug.

Other available features are:

Stack Smashing Protector

Stack Smashing Protector It was developed for protecting applications from stack smashing attacks (mainly linear buffer overflows). This is done by adding some code at compilation time. This will typically gives a performance loss around 2% at run time.

This feature needs gcc and glibc to be recompiled. Patches mainly come from HLFS. The patch for glibc adds _guard_setup and _stack_smash_handler to libc.so. _guard_setup is a function used to create a unique and random value for _guard each run time. In the event of a stack overflow, the _stack_smash_handler function will use the glibc syslog facility to record the overflow, and will then abort the program. More information, see http://www.research.ibm.com/trl/projects/security/ssp/

Be aware that using -O3 optimisations and SSP can be problematical. You should disable speedy in the optimisations menu ; if you want to optimize your apps, add -O2 to the custom CFLAGS and CXXFLGAS.

GRSecurity

grsecurity This kernel patch offer various new features, such as chroot restrictions, /tmp race prevention, extra logging, ...

PaX

PaX With this, you'll benefit from non-executable stack and address space layout randomisation. Used with PIE programs, ASLR randomize their return addresses. This can prevent security bugs from being taken advantage of by attackers. Non-executable stack can prevent injected code from being executed. Most of PaX features can be disabled on a per file basis. This is done by adding PT_PAX_FLAGS to the program headers (binutils is patched to do this in the hardened grimoire), and can be tweaked thanks to the paxctl program. (binary only executables can use the EI_PAX old header marking scheme, and chpax utility). For few programs, some features need to be disabled. These are taken care in the spells.

• paxctl -m ${INSTALL_ROOT}/usr/X11R6/bin/Xorg

• paxctl -spm ${INSTALL_ROOT}/sbin/grub

• chpax -rm /usr/lib/jdk$VER/bin/java

  • chpax -m /usr/lib/jdk$VER/bin/javac chpax -m /usr/lib/jdk$VER/bin/javadoc

If you find other spells that need suchs precautions, please report a bug. The further informations, http://pax.grsecurity.net/docs/index.html is a good place.

Using these settings in the kernel is a good beginning :

 [ ] Support soft mode`
 [*] Use legacy ELF header marking
 [*] Use ELF program header marking
     MAC system integration (none)  --->

 [*] Enforce non-executable pages
 [*]   Paging based non-executable pages
 [*]   Segmentation based non-executable pages
         Default non-executable page method (SEGMEXEC)  --->
 [ ] Emulate trampolines
 [*] Restrict mprotect()
 [ ]   Disallow ELF text relocations

 [*] Address Space Layout Randomization
 [*]   Randomize kernel stack base
 [*]   Randomize user stack base
 [*]   Randomize mmap() base
 ---   Disable the vsyscall page

Work in progress

This grimoire plans to add support for :

• SELinux : see http://wiki.sourcemage.org/index.php?page=SMGL+SELINUX for the status of the work.

• RSBAC : http://www.rsbac.org/

How to test

You can use the following code (from HLFS) for a quick test:

cat > test.c << "EOF"
#include <stdio.h>
#include <unistd.h>
extern long __guard[];
int overflow(char *test) {
  char buffer[7];
  sprintf(buffer, "12345678901234567890123456789012345678901234567890");
  return(1234);
}
int main(int argc, char **argv) {
  printf("__guard\\t=\\t0x%08x;\
", __guard[0]);
  overflow("test");
  printf("This line should never get printed.\
");
}
EOF

Compile it with gcc and run it :

# gcc -o test test.c
# ./test

You'll have something like :

__guard =       0x6c8f1eec;
test: stack smashing attack in function overflow()
Abandon

You'll also have a line in your log file:

[test] test: stack smashing attack in function overflow()

you can check that this application is dynamically linked with readelf -l test:

Elf file type is DYN (Shared object file)
Entry point 0x684
There are 9 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00000034 0x00000034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x00000154 0x00000154 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x00000000 0x00000000 0x00ab0 0x00ab0 R E 0x1000
  LOAD           0x000edc 0x00001edc 0x00001edc 0x00130 0x00134 RW  0x1000
  DYNAMIC        0x000ef0 0x00001ef0 0x00001ef0 0x000d8 0x000d8 RW  0x4
  NOTE           0x000168 0x00000168 0x00000168 0x00020 0x00020 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000edc 0x00001edc 0x00001edc 0x00124 0x00124 R   0x1
  PAX_FLAGS      0x000000 0x00000000 0x00000000 0x00000 0x00000     0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .data .bss
   04     .dynamic
   05     .note.ABI-tag
   06
   07     .ctors .dtors .jcr .dynamic .got
   08

First line shows that file type is Shared object file. Also note the additional GNU_RELRO and PAX_FLAGS (if you choose to use PaX) headers.

You can check for -z now with readelf -d test | grep BIND_NOW:

0x00000018 (BIND_NOW)

Hopefully a PaX test suite will be available soon.