Unix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>

1 Unix Security Technologies: Host Security Tools
- Peter Markowsky <peterm[at]ccs.neu.edu>

2 Syllabus
- An answer to last week's assignment
- Four tools: SSP, W^X, PaX, Systrace

3 Last time
- You were assigned to get a shell, but not a root shell
- How'd we do?
- Questions?

4 C-code walk through
- Simple answer

5 SSP: What is it?
- A modification to GCC
- Its main focus is preventing stack overflows

6 How does it work?
- It works by placing canary values before the return address
- Before a function returns, it checks the canary values
- Reorders objects on the stack
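To make the check on slide 6 concrete, here is a constructed model of an SSP-protected frame in C. It is an added example, not GCC's code or its real frame layout: the buffer, canary and saved return address sit in one byte array, the canary is a terminator-style value (NUL, CR, LF, 0xff, the approach ProPolice took so that string-copy functions cannot rewrite it intact), and the check is the comparison performed before the function is allowed to return.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an SSP frame (not GCC's actual layout):
 * [ buf (16 bytes) ][ canary (4 bytes) ][ saved return address (8 bytes) ]
 * SSP puts the canary between local buffers and the saved return address
 * and re-checks it before the function returns. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 8)

/* Terminator canary: NUL, CR, LF, 0xff. A strcpy/gets-style copy stops at
 * NUL, so it cannot overwrite the canary and leave it intact. */
static const unsigned char canary[4] = { 0x00, 0x0d, 0x0a, 0xff };

/* Copies `len` bytes into the model frame's buffer with no bounds check,
 * then performs the SSP check. Returns 1 if the canary is intact (the
 * function may return), 0 if it was clobbered (SSP would abort instead). */
int frame_copy_and_check(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    uint64_t fake_ret = 0x0000000000401000ull;   /* placeholder address */
    memcpy(frame + CANARY_OFF, canary, sizeof canary);
    memcpy(frame + RET_OFF, &fake_ret, sizeof fake_ret);
    if (len > FRAME_SIZE) len = FRAME_SIZE;      /* stay inside the model */
    memcpy(frame, input, len);                   /* the unchecked copy */
    return memcmp(frame + CANARY_OFF, canary, sizeof canary) == 0;
}

int main(void) {
    unsigned char ok[8] = "hello";   /* fits inside buf */
    unsigned char bad[24];           /* 8 bytes past buf: reaches the canary */
    memset(bad, 'A', sizeof bad);
    printf("short input: canary %s\n",
           frame_copy_and_check(ok, 5) ? "intact" : "smashed");
    printf("long input:  canary %s\n",
           frame_copy_and_check(bad, sizeof bad) ? "intact" : "smashed");
    return 0;
}
```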

7 How effective is it?
- Extremely effective against stack overflows
- Doesn't stop return-to-libc
- Does not stop any heap overflows

8 How can I use it?
- It comes by default on OpenBSD; it's on by default too
- Patch gcc
- Prompt$ gcc -fstack-protector-all
- Patches available at

9 Why isn't everyone using it?
- Not sure
- Performance often cited: systems only 1.3% slower
- It has a poor algorithm for skipping protection on functions

10 Where can I learn more?
- ibm.com/trl/projects/security/ssp/
- org/papers/bsdcan04/mgp00004.html

11 W^X: What is it?
- OpenBSD's system for enforcing memory permissions
- Makes sure that a page can only be writeable xor executable

12 What's a page?
- A page is a unit of memory storage
- Used by virtual memory to best utilize address space

13 How does it work?
- Rearranges pages
- On architectures which support an NX bit, it uses the bit
- On other archs (x86), divides the address space

14 How can I use it?
- Use OpenBSD :-)

15 Why isn't everyone using it?
- Breaks software compatibility
- No support for nonexecutable kernel pages
- No method for randomizing the executable base

16 PaX
- The best prevention system you're not using
- Part of grsecurity
- Roman word for friend / peace

17 PaX components
- SEGMEXEC
- KERNEXEC
- ASLR

18 SEGMEXEC
- Responsible for nonexecutable user pages
- Mirrors the VM space
- Uses the segmentation logic of the IA-32 (x86)

19 PaX VM division
  Without PaX:  User code & data segments   3GB
  With PaX:     User code segment           1.5GB
                User data segment           1.5GB

20 How does it work?
- If something tries to execute from the data segment, a page fault occurs
- PaX takes care of it and kills the process that made the access

21 PaX KERNEXEC
- Alters things in the kernel, like:
  - Read-only syscall table
  - Read-only interrupt descriptor table
  - Data not executable
- Works similarly to SEGMEXEC

22 PaX ASLR
- Address Space Layout Randomization
- Allows this much randomness:
  - stack (24 bits)
  - mmap (16 bits)
  - executable (16 bits)
  - heap (12 bits / 24 bits)
- Each section's randomness is independent of the others

23 How can I use it?
- Patch the Linux kernel
- Patches available at

24 Systrace: What is it?
- A system call monitor that enforces policy
- Written by Niels Provos

25 What is a system call?
- A system call is a request to the operating system kernel
- Switches context to kernel mode
- Kernel mode is privileged

26 System Calls

27 How does it work?
- When a system call is made by a program, systrace checks a policy from user land
- If that system call is in the policy and has permission, it is allowed
- Allows you to get rid of setuid binaries

28 How does it work?
- Shepherds a program's traversal of the system call table

29 How can I use it?
- Not just for OpenBSD
- Patch the kernel: Debian, Gentoo
- Write policy:
  - Use the policy profiler
  - By hand

30 Why isn't everyone using it?
- System call hooking is slow: you have to switch between user space and kernel space multiple times
- You have to write a policy; this can be hard / time consuming

31 Why isn't everyone using it?
- No mechanism for a single system call
- Not fine grained enough
- No xor capabilities
- Requires a modest level of understanding regarding system calls and their consequences

32 Writing policies with systrace
- A policy describes what system calls a program is allowed to make.
- Create an allow-all policy with: % systrace -A program

33 systrace(1) options
- -t  will prompt you at the command line
- -a  enforce policy
- -d  directory for logs
- -I  children inherit their parents' policies
- -u  do not use aliasing

34 systrace(1) options
- Aliasing is used to group syscalls together
- -f  add policies from file

35 Systrace rules
  filter     = expression "then" action errorcode logcode
  expression = symbol
             | "not" expression
             | "(" expression ")"
             | expression "and" expression
             | expression "or" expression
  symbol     = string typeoff "match" cmdstring
             | string typeoff "eq" cmdstring
             | string typeoff "neq" cmdstring
             | string typeoff "sub" cmdstring
             | string typeoff "nsub" cmdstring
             | string typeoff "inpath" cmdstring
             | string typeoff "re" cmdstring
             | "true"
  typeoff    = /* empty */ | "[" number "]"
  action     = "permit" | "deny" | "ask"
  errorcode  = /* empty */ | "[" string "]"
  logcode    = /* empty */ | "log"

36 Simple method
- Just run a program with systrace -A
- Then run the program again with systrace
- Not a good solution:
  - Assumes the program is already okay
  - Does not exercise the program to its full extent

37 Sometimes you have to do the job yourself
- Start with -A but modify the policy by hand
- Global systrace policies live in /etc/systrace
- Local in ~/.systrace/
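A hand-edited policy of the kind slide 37 describes, written in the rule syntax of slide 35, that denies the one thing a small week 1 style program must never do: execve. This is an added example, not a policy from the slides or from the Hairy Eyeball project; the program path is a placeholder, and the permit rules are assumed to be what a typical systrace -A run of a small program produces, so replace them with the rules your own -A output contains.

```text
Policy: /home/student/week1/vuln, Emulation: native
    native-__sysctl: permit
    native-fsread: filename eq "/etc/malloc.conf" then permit
    native-fsread: filename match "/usr/lib/*" then permit
    native-mmap: permit
    native-mprotect: permit
    native-munmap: permit
    native-read: permit
    native-write: permit
    native-exit: permit
    native-execve: deny[eperm] log
```

Rules are checked in order, so the unconditional execve rule at the end catches every exec attempt regardless of path; with systrace -a the process gets EPERM back and the log flag records the denied call instead of silently dropping it.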

38 Good starting point: Hairy Eyeball
- It's a project to develop systrace policies for popular software
- Aimed at OpenBSD
- Most policies can be adapted for other OSes

39 Assignment
- Take the broken example code from week 1 and build a systrace policy to prevent it from spawning a shell
- Bonus: rewrite your exploit to get around this

40 Resources
- System call picture: SP02/syscall.gif
- PaX picture taken from Brad Spengler's presentation on PaX
- Absolute OpenBSD by Michael Lucas
- Secure Architectures with OpenBSD by Brandon Palmer and Jose Nazario