Gentoo Logo

Hardened Gentoo PaX Quickstart

Content:

1. What is Hardened Gentoo?

Hardened Gentoo is a project interested in the hardening of a Gentoo system. Several different solutions are supported by us and there is a fair bit of flexibility to create your own setup. At the heart of a common Hardened Gentoo setup is PaX.

2. What is PaX?

PaX is a patch to the Linux kernel that provides hardening in two ways.

The first, ASLR (Address Space Layout Randomization) provides a means to randomize the addressing scheme of all data loaded into memory. When an application is built as a PIE (Position Independent Executable), PaX is able to also randomize the addresses of the application base in addition.

The second protection provided by PaX is non-executable memory. This prevents a common form of attack where executable code is inserted into memory by an attacker. More information on PaX can be found throughout this guide, but the homepage can be found at http://pax.grsecurity.net.

3. An Introduction to PIE and SSP

As mentioned above, PaX is complemented by PIE. This method of building executables stores information needed to relocate parts of the executable in memory, hence the name Position Independent.

SSP (Stack Smashing Protector) is a second complementary technology we introduce at executable build time. SSP was originally introduced by IBM under the name ProPolice. It modifies the C compiler to insert initialization code into functions that create a buffer in memory.

Note: In newer versions of SSP, it is possible to apply SSP to all functions, adding protection to functions whose buffer would normally be below the size limit for SSP. This is enabled via the CFLAG -fstack-protector-all.

At run time, when a buffer is created, SSP adds a secret random value, the canary, to the end of the buffer. When the function returns, SSP makes sure that the canary is still intact. If an attacker were to perform a buffer overflow, he would overwrite this value and trigger that stack smashing handler. Currently this kills the target process.

Further reading on SSP.

4. Building a PaX-enabled Kernel

Several Gentoo kernel trees are already patched with PaX.

For 2.4/2.6 based machines, the recommended kernels are hardened-sources

Grab one of the recommended source trees, or apply the appropriate patch from http://pax.grsecurity.net to your own tree and configure it as you normally would for the target machine.

In Security Options -> PaX, apply the options as shown below.

Code Listing4.1: Kernel configuration

[*] Enable various PaX features

PaX Control ->

 [ ] Support soft mode
 [*] Use legacy ELF header marking
 [*] Use ELF program header marking
     MAC system integration (none)  --->

Non-executable page ->

 [*] Enforce non-executable pages
 [*]   Paging based non-executable pages
 [*]   Segmentation based non-executable pages
 [*] Emulate trampolines
 [*] Restrict mprotect()
 [ ]   Disallow ELF text relocations

Address Space Layout Randomization ->

 [*] Address Space Layout Randomization
 [*]   Randomize kernel stack base
 [*]   Randomize user stack base
 [*]   Randomize mmap() base
 [*]     Randomize ET_EXEC base

Build this kernel as you normally would and install it to /boot.

5. Building a PIE/SSP Enabled Userland

Hardened Gentoo has added support for transparent PIE/SSP building via GCC's specfile. This means that any users upgrading an older Hardened install should remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the hardened-gcc package is now deprecated and should be unmerged (version 5.0 is a dummy package). To get the current GCC, add USE="hardened pic" to /etc/make.conf if not using the hardened profile.

To maintain a consistant toolchain, first emerge binutils gcc virtual/libc. Next, rebuild the entire system with emerge -e world. All future packages will be built with PIE/SSP.

Warning: Both PIE and SSP are known to cause issues with some packages. If you come across a package that fails to compile, please file a detailed bug report including a log of the failed compile and the output of emerge info to http://bugs.gentoo.org/.

You will probably also want to merge pax-utils. Often if an ELF has executable relocations in the text segment these can cause problems for us. scanelf -BRylptq

6. When Things Misbehave (PaX Control)

Some legitimate applications will attempt to generate code at run time which is executed out of memory. Naturally, PaX does not allow this and it will promptly kill the offending application.

Note: The most notable of these applications are XFree/Xorg, mplayer and multimedia tools based on xine-lib. The easiest way around these problems are to disable PaX protections.

Luckily there is a utility to toggle protections on a per-executable basis, paxctl. As with any other package in Gentoo, install paxctl with the command emerge paxctl. Usage is show by paxctl -h.

Note: If you have an older version of binutils, you will need to use chpax, which edits the old-style PaX markings. Usage of chpax is largely the same as paxctl. This also requires legacy marking support built into your kernel. New versions of paxctl make chpax obsolete.

Code Listing6.1: paxctl -h

usage: paxctl <options> <files>

options:
        -p: disable PAGEEXEC            -P: enable PAGEEXEC
        -e: disable EMUTRMAP            -E: enable EMUTRMAP
        -m: disable MPROTECT            -M: enable MPROTECT
        -r: disable RANDMMAP            -R: enable RANDMMAP
        -x: disable RANDEXEC            -X: enable RANDEXEC
        -s: disable SEGMEXEC            -S: enable SEGMEXEC

        -v: view flags                  -z: restore default flags
        -q: suppress error messages     -Q: report flags in short format flags

The first option we will note is -v, which can display flags set on a particular binary.

Code Listing6.2: paxctl -v

shell user # paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is enabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is enabled

This shows an XFree binary with all protections disabled.

To set flags on a binary, the -z flag is useful as it restores the default flags.

To disable protections on Xorg, run paxctl -zpeMRxs /usr/bin/Xorg.

Play around with disabling/enabling protections to see what is the least needed to run. Often we find that we need the -m -sp combos.



Print

Page updated September 11, 2007

Summary: A quickstart covering PaX and Hardened Gentoo.

Brandon Hale
Author

Blackace
Editor

solar
Editor

Donate to support our development efforts.

Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? Contact us.