Wednesday, May 22, 2013

How to harden your own program in GNU/Linux

Platform: OpenSUSE 12.3

AppArmor is an implementation of confinement (mandatory access control by path): a confined program can only touch the files, capabilities and network sockets its profile lists. It cannot stop an unknown bug (a 0-day) from being triggered, but it limits what an exploit can do once it runs. In openSUSE and Ubuntu it is easy to install; in openSUSE 12.3, type "yast2" in a terminal or use the GUI software management to install the apparmor packages. Once AppArmor is installed, you need to write a profile for each program you want to confine.

First, download the example files. Then compile the program:

shawn@linux-sk8j:~> gcc apparmor_test.c

Generate the profile for your program (the tool is called aa-genprof in current AppArmor releases; genprof is the older name):
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.


Finished generating profile for /home/shawn/a.out.

You can then find the generated profile in /etc/apparmor.d/home.shawn.a.out. Keep the #include <abstractions/base> line genprof put at the top (it grants what every dynamically linked program needs: libc, the loader, /dev/null and so on) and add a few lines so that the profile looks like this:


/home/shawn/a.out {

   # the program itself: read and memory-map as executable
   /home/shawn/a.out mr,
   # read-only access to hello, write-only access to world
   /home/shawn/hello r,
   /home/shawn/world w,
   # stream sockets only (e.g. TCP); no datagram or raw sockets
   network stream,
}

AppArmor profiles are deny-by-default (a whitelist): anything not listed is refused. So the rules above mean that a.out may read /home/shawn/hello, write /home/shawn/world and open stream (TCP) sockets, and nothing else. If the program has a stack-based buffer overflow, an attacker exploiting it will usually try to spawn a shell; under this profile the execve() of /bin/sh fails with EACCES, because no rule grants execute permission on it, and the kernel logs the attempt as apparmor="DENIED". Note that AppArmor confines what the process may do; it does not prevent the overflow itself, so the attacker's code still runs, only with this small set of permissions. Test a new profile in complain mode first (aa-complain /home/shawn/a.out), then switch to enforce mode (aa-enforce /home/shawn/a.out), and watch dmesg or /var/log/audit/audit.log for denials you did not expect. For further reading on profile syntax, see the apparmor.d(5) man page. Other confinement implementations, such as SELinux and grsecurity's RBAC, can achieve the same goal; SELinux is the most powerful of them but also the most difficult to use.
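To verify that the profile really denies what you expect, here is a small probe program (an added example written for this page, not part of the original example files): it tries each operation the profile is meant to allow or refuse and reports the errno. Compile it, install it as /home/shawn/a.out (or adjust the profile path), put the profile in enforce mode with aa-enforce and run it: the write to hello, the read of world, the UDP socket and the exec of /bin/sh should all fail with EACCES, and the denials appear in dmesg. The file paths and the /bin/sh target are the ones from the post; run unconfined, the calls simply report whatever the filesystem says.

```c
/* aa_probe.c: exercise the operations the AppArmor profile above allows or
 * denies and print the result of each.  Added example, not the original
 * apparmor_test.c.  Build: gcc -Wall aa_probe.c -o a.out */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* open(2) the path with the given flags; 0 on success, else errno.
 * A profile denial shows up as EACCES. */
int try_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* socket(2) of the given family and type; 0 on success, else errno. */
int try_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* fork and execve(2) argv[0] with the given argv.  Returns 0 if the child
 * started and exited with status 0, otherwise the errno execve reported in
 * the child (ENOENT if the file is missing, EACCES when the profile has no
 * exec rule for it). */
int try_exec(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(errno);           /* only reached when execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

static void report(const char *what, int rc)
{
    printf("%-44s %s\n", what, rc == 0 ? "ok" : strerror(rc));
}

int main(void)
{
    /* "echo" rather than an interactive shell, so the run never blocks */
    char *const shell[] = { "/bin/sh", "-c", "echo shell spawned", NULL };

    report("read  /home/shawn/hello (allowed: r)",     try_open("/home/shawn/hello", O_RDONLY));
    report("write /home/shawn/world (allowed: w)",     try_open("/home/shawn/world", O_WRONLY));
    report("write /home/shawn/hello (denied: r only)", try_open("/home/shawn/hello", O_WRONLY));
    report("read  /home/shawn/world (denied: w only)", try_open("/home/shawn/world", O_RDONLY));
    report("TCP socket (allowed: network stream)",     try_socket(AF_INET, SOCK_STREAM));
    report("UDP socket (denied: dgram not listed)",    try_socket(AF_INET, SOCK_DGRAM));
    report("exec /bin/sh (denied: no x rule)",         try_exec(shell));
    return 0;
}
```

When the expected lines show "Permission denied" and nothing else does, the profile matches your intent; an unexpected denial means a rule is missing, an unexpected "ok" means the profile is too wide or is still in complain mode.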

Once the confinement is in place, there are a number of exploit mitigation technologies you should also consider; they are much easier to turn on, since most are just compiler and linker flags. Keep in mind that these defences are called "mitigations" for a reason: they raise the cost of exploitation and break the easy attacks, but a skilled attacker can usually work around them. It is only a matter of time.

GCC options:
Stack canary:
-fstack-protector, protects only functions that contain a character array of at least 8 bytes (the threshold is --param ssp-buffer-size)
-fstack-protector-all, protects every function in your program
GCC 4.9 and later also offer -fstack-protector-strong, which covers any function with a local array or an address-taken local at a much lower cost than -all.

For bypass methods, see "Scraps of notes on remote stack overflow exploitation" in Phrack Issue 67.

Heap (malloc() corruption checks):
On by default since glibc 2.5; use the latest glibc you can. These checks catch corrupted chunk metadata when a chunk is freed or unlinked (the classic unlink() attack) and abort the process, but they do not catch every heap overflow. Extra consistency checking can be switched on at run time with the MALLOC_CHECK_ environment variable (e.g. MALLOC_CHECK_=3).

-pie (together with -fPIE when compiling), which builds a position-independent executable so that the kernel's ASLR can randomise the base of the program image as well as the stack, heap and libraries. Remember to turn on ASLR itself: it is controlled by the sysctl kernel.randomize_va_space (2 = full randomisation, 0 = off), and a non-PIE executable stays at a fixed address even when ASLR is on.

For bypass methods, see "Bypassing PaX ASLR protection" in Phrack Issue 59. Yes, it is an old paper, but it is still worth reading.

GOT memory corruption hardening of ELF binaries (RELRO):
-z relro (via gcc: -Wl,-z,relro), Partial RELRO: the non-PLT part of the GOT is made read-only after loading, but the GOT entries used for lazy binding stay writable
-z relro -z now (via gcc: -Wl,-z,relro,-z,now), Full RELRO: every symbol is resolved at load time, so the whole GOT can be mapped read-only

For bypass methods, see "The Art Of ELF: Analysis and Exploitations".

Buffer and format string vulnerability mitigation:
-D_FORTIFY_SOURCE=2 (requires -O1 or higher), which replaces calls such as memcpy, strcpy, sprintf and read with bounds-checked *_chk versions wherever the destination size is known at compile time, and makes the printf family abort on a %n that points into writable memory. Add -Wformat -Wformat-security so that the compiler warns about printf(user_string) and similar calls.

For bypass methods, see "A Eulogy for Format Strings" in Phrack Issue 67.

Non-executable stack:
-z noexecstack (via gcc: -Wl,-z,noexecstack). Modern toolchains already mark the stack non-executable through the PT_GNU_STACK program header unless some object file asks for an executable stack (for example assembly built without a .note.GNU-stack section, or code using GCC nested functions), so check the result with readelf -lW a.out | grep GNU_STACK: the flags should read RW, not RWE. Enforcement also needs NX support in the CPU and kernel.

Well, there are a lot of ways to bypass it, most obviously return-to-libc and return-oriented programming, which reuse code that is already executable instead of injecting new code.
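Rather than trusting the build flags, check the binary you actually shipped. The following checker is an added example written for this page (not the author's code and not from the example files): it reads the ELF64 headers directly and reports each of the mitigations listed above, the way the checksec script does, using the program headers (PT_GNU_STACK for NX, PT_GNU_RELRO for RELRO, ET_DYN for PIE), the dynamic section (DT_BIND_NOW and the DF_BIND_NOW / DF_1_NOW flags for full RELRO) and the dynamic string table (a reference to __stack_chk_fail for the canary, to any *_chk helper for FORTIFY_SOURCE). It handles 64-bit ELF only; the constructed sample image is there to self-test the parser.

```c
/* elfcheck.c: report which mitigations an ELF64 binary carries, by reading
 * its headers directly (no binutils needed).  Added example for this post.
 * Build: gcc -Wall -O2 elfcheck.c -o elfcheck   Run: ./elfcheck ./a.out */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mitig {
    int pie;       /* ET_DYN executable: ASLR can move the image itself (-pie)   */
    int nx;        /* PT_GNU_STACK present without PF_X (-z noexecstack)          */
    int relro;     /* PT_GNU_RELRO present (-z relro: partial RELRO)              */
    int bind_now;  /* DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW (-z now: full RELRO)   */
    int canary;    /* __stack_chk_fail referenced (-fstack-protector*)            */
    int fortify;   /* some *_chk libc function referenced (-D_FORTIFY_SOURCE)     */
};

static void read_phdr(const unsigned char *buf, const Elf64_Ehdr *eh, int i, Elf64_Phdr *ph)
{
    memcpy(ph, buf + eh->e_phoff + (size_t)i * sizeof *ph, sizeof *ph);
}

/* Map a virtual address to a file offset through the PT_LOAD segments. */
static size_t va_to_off(const unsigned char *buf, const Elf64_Ehdr *eh, Elf64_Addr va)
{
    for (int i = 0; i < eh->e_phnum; i++) {
        Elf64_Phdr ph;
        read_phdr(buf, eh, i, &ph);
        if (ph.p_type == PT_LOAD && va >= ph.p_vaddr && va < ph.p_vaddr + ph.p_filesz)
            return (size_t)(va - ph.p_vaddr + ph.p_offset);
    }
    return (size_t)-1;
}

/* Inspect an ELF64 image held in memory: 0 and *m filled, or -1 if the
 * buffer is not a well-formed ELF64 file. */
int elf_check_buf(const unsigned char *buf, size_t len, struct mitig *m)
{
    Elf64_Ehdr eh;
    memset(m, 0, sizeof *m);
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 || buf[EI_CLASS] != ELFCLASS64)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;
    m->pie = (eh.e_type == ET_DYN);

    Elf64_Phdr ph, dyn = {0};
    int have_dyn = 0;
    for (int i = 0; i < eh.e_phnum; i++) {
        read_phdr(buf, &eh, i, &ph);
        if (ph.p_type == PT_GNU_STACK)      m->nx = !(ph.p_flags & PF_X);
        else if (ph.p_type == PT_GNU_RELRO) m->relro = 1;
        else if (ph.p_type == PT_DYNAMIC)   { dyn = ph; have_dyn = 1; }
    }
    if (!have_dyn || dyn.p_offset > len || dyn.p_filesz > len - dyn.p_offset)
        return 0;                       /* static binary: nothing dynamic to read */

    /* Walk the dynamic section for the string table and the binding flags. */
    Elf64_Addr strtab = 0; Elf64_Xword strsz = 0; Elf64_Dyn d;
    for (size_t o = dyn.p_offset; o + sizeof d <= dyn.p_offset + dyn.p_filesz; o += sizeof d) {
        memcpy(&d, buf + o, sizeof d);
        if (d.d_tag == DT_NULL) break;
        if (d.d_tag == DT_STRTAB)        strtab = d.d_un.d_ptr;
        else if (d.d_tag == DT_STRSZ)    strsz = d.d_un.d_val;
        else if (d.d_tag == DT_BIND_NOW) m->bind_now = 1;
        else if (d.d_tag == DT_FLAGS   && (d.d_un.d_val & DF_BIND_NOW)) m->bind_now = 1;
        else if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))    m->bind_now = 1;
    }
    size_t off = va_to_off(buf, &eh, strtab);
    if (strtab == 0 || off == (size_t)-1 || off > len || strsz > len - off)
        return 0;
    /* .dynstr names every symbol the binary imports or exports, so a
     * __stack_chk_fail or *_chk entry shows the protection was compiled in. */
    const char *s = (const char *)buf + off, *end = s + strsz;
    while (s < end) {
        const char *z = memchr(s, '\0', (size_t)(end - s));
        size_t n = z ? (size_t)(z - s) : (size_t)(end - s);
        if (n == 16 && memcmp(s, "__stack_chk_fail", 16) == 0) m->canary = 1;
        else if (n > 4 && memcmp(s + n - 4, "_chk", 4) == 0)    m->fortify = 1;
        s += n + 1;
    }
    return 0;
}

/* Read a whole file and inspect it; -1 if it cannot be read or parsed. */
int elf_check_file(const char *path, struct mitig *m)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char *buf = NULL, *tmp; size_t len = 0, cap = 0, n;
    do {
        if (len == cap) {
            cap = cap ? cap * 2 : 65536;
            if (!(tmp = realloc(buf, cap))) { free(buf); fclose(f); return -1; }
            buf = tmp;
        }
        len += n = fread(buf + len, 1, cap - len, f);
    } while (n > 0);
    fclose(f);
    int rc = elf_check_buf(buf, len, m);
    free(buf);
    return rc;
}

/* Constructed sample (not a real binary): an ELF64 header plus two program
 * headers claiming an executable stack and a RELRO segment.  Writes the image
 * to out (needs 64 + 2 * 56 bytes) and returns its length. */
size_t sample_elf64(unsigned char *out)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = ET_DYN;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = PT_GNU_STACK; ph[0].p_flags = PF_R | PF_W | PF_X;  /* -z execstack */
    ph[1].p_type = PT_GNU_RELRO;                                      /* -z relro */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        struct mitig m;
        if (elf_check_file(argv[i], &m) < 0) { fprintf(stderr, "%s: not an ELF64 file\n", argv[i]); continue; }
        printf("%s: PIE=%d NX=%d RELRO=%s canary=%d fortify=%d\n", argv[i], m.pie, m.nx,
               m.relro ? (m.bind_now ? "full" : "partial") : "none", m.canary, m.fortify);
    }
    return 0;
}
```

A build of the post's example with all of the flags above, gcc -O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack apparmor_test.c -o a.out, should report PIE=1 NX=1 RELRO=full canary=1; fortify=1 only appears when the source contains a call the fortify macros could actually check, so a 0 there is not by itself a missing flag. readelf -lW, readelf -dW and nm -D a.out give the same information if you would rather look by hand.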

I also made a list a few months ago; you may want to check it too. Yes, there are a lot of mitigation techniques and a lot of bypass techniques. Offensive and defensive technologies are like brothers; the only thing is that they will fight each other to the end of the world ;-)

By the way: the run-time cost of most of these mitigations is small enough not to worry about. The exceptions are -fstack-protector-all, which adds a canary check to every function call, and -pie on 32-bit x86, where position-independent code ties up a register and can cost a few percent; full RELRO also adds a little start-up time because every symbol is resolved at load. That's it!

May L0rd's hacking spirit guide us!!!