On 04/21/13 08:39, Joanna Rutkowska wrote:
> On 04/21/13 00:52, 7v5w7go9ub0o wrote:
>> But real-time protection and warnings both help safeguard, and advise you
>> that mischief or malfunction is afoot and it's time to shut that VM down
>> before a compromise can get your stuff (if GRSEC doesn't shut it down -
>> optional).
>>
>
> Let me get it straight -- I see *zero* security benefit of using things
> such as RBAC or MAC, or whatever other security policing inside Qubes
> AppVMs. The most important reason for this is that none of those provide
> you isolation on X-level (GUI level).
- Until called to action, the hardening and RBAC are each transparent
to the user. There is only the modified kernel, the standard kernel log
within the VM, a (protected) user-space file within the VM containing
rules for what is allowed, and any log monitoring software used within
the VM to document unusual activity (mine pops up an xmessage when a
grsecurity log entry occurs).
- All of that would be completely contained within the VM (popups would
not occur in dom0), and your current GUI would look at xmessages that may
popup within the VM
- Perhaps RBAC xmessages within the VM could be considered an Intrusion
Detection System - detecting intrusions from the WAN, and from the
software distribution chain.
- RBAC can also finely control WAN access - e.g. restricting a
browser-equipped mail client (e.g. Thunderbird) to https connections to
specific mail server addresses.
(fwiw, I've temporarily deactivated RBAC 'til recent improvements have
settled down.)
> Providing strong ASLR might be a good idea, but I'm not quite sure what
> advantage does it have over the standard ASLR that we already have in
> our kernel, e.g. (these show the first few lines of the memory maps for
> the same thunderbird process, started twice without VM reboot):
I don't know if it is superior to standard (see below).
<snip>
> Obviously we see that the main executable is not relocated, as it is not
> PIC -- can grsec randomize these sections too?
3.4 Address Space Layout Randomization
Configuration option: CONFIG_PAX_ASLR
By saying Y here you can choose to randomize the following areas:
- top of the task's kernel stack
- top if the task's userland stack
- base address for mmap() requests that do not specify one (this
includes all libraries)
- base address of the main executable
Configuration option: CONFIG_PAX_RANDKSTACK
By saying Y here the kernel will randomize every task's kernel stack on
every system call. This will not only force an attacker to guess it but
also prevent him from making use of possible leaked information about it.
Configuration option: CONFIG_PAX_RANDUSTACK
By saying Y here the kernel will randomize every task's userland stack.
The randomization is done in two steps where the second one may apply a
big amount of shift to the top of the stack and cause problems for
programs that want to use lots of memory (more than 2.5 GB if SEGMEXEC
is not active, or 1.25 GB when it is). (this can be disabled for those
programs)
Configuration option: CONFIG_PAX_RANDMMAP
By saying Y here the kernel will use a randomized base address for
mmap() requests that do not specify one themselves. As a result all
dynamically loaded libraries will appear at random addresses and
therefore be harder to exploit by a technique where an attacker attempts
to execute library code for his purposes (e.g. spawn a shell from an
exploited program that is running at an elevated privilege level).
Furthermore, if a program is relinked as a dynamic ELF file, its base
address will be randomized as well, completing the fill randomization of
the address space layout. Attacking such programs becomes a guess game.
> What other anti-exploitation benefits does it provide (besides ASLR and
> NX that, as I understand, is standard on x64 kernels anyway)?
There are too many to list in this post. This page rather concisely
summarizes the additional anti-exploitation benefits.
<
http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options>
> Can you quote specific CONFIG_*'s that are responsible for those mechanisms?
Yes (follows):
(sigh.....looking at the list from my kernel config, I realize that I
need to review my settings - much has changed in the last few years )
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
# CONFIG_PAX_NOEXEC is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_PAX_REFCOUNT is not set
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set
#
# Memory Protections
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_MODHARDEN is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
# CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
# CONFIG_GRKERNSEC_PTRACE_READEXEC is not set
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set