I've read an article, "Net of insecurity: The kernel of the argument", from The Washington Post today. It's a fuc*ing good one. I've been tortured by the security status of the *stable* Linux kernel for a fuc*ing long time, and I've never seen an article tell the truth the way this one does. Many commercial customers (especially financial data centres) have found commercial GNU/Linux products painful to use for years. Remember those 0ld good null-deref exploits and the Enlightenment framework back in the 2000s? What was the response from Linus and the commercial GNU/Linux vendors back then? "A bug is a bug" was one thing, and "SELinux can protect your assets" was another. Unfortunately, those were lies, as always.......
I'm not going to talk about that shitty history here. You can google it if you really want to know the truth. A little advice: you could start from here.
Speaking of the history of mitigation, I highly recommend going through thinkst's presentation at BH'10. Who the hell else can explain the history in such detail as he did ;-)
Black Hat USA 2010: Memory Corruption Attacks: The Almost Complete History
http://thinkst.com/resources/slides/bh-2010-haroon-meer-keynote.pdf
1/5: https://www.youtube.com/watch?v=stVz9rhTdQ8
2/5: https://www.youtube.com/watch?v=HJwg5vdoWCY
3/5: https://www.youtube.com/watch?v=5vDRCi6OQuw
4/5: https://www.youtube.com/watch?v=9edv8FwmJzk
5/5: https://www.youtube.com/watch?v=4XEe5I4Wsrc
"As long as there is technology, there will be hackers. As long as there are hackers, there will be PHRACK magazine." (Quoted from Phrack Issue 63). As long as there are vulnerabilities, there will be exploits. As long as there are exploits, there will be mitigations.........
Basically, the evolution of an exploitable bug looks like this:
---------------------------------------
Bug –> exploitable bug(vulnerability) –> poc –> exploit –> reliable/weaponized exploit
---------------------------------------
That's where the problem comes in. There are two philosophical positions on how to deal with exploitable bugs.
1. Linus Torvalds represents the philosophy of "A bug is a bug", which holds that an exploitable bug should be handled like any normal bug: when one is found, just fix it. Any security mitigation is a complete waste of CPU cycles, and developers should focus only on features and performance. He (and his followers) even believe that obscuring bug info is the way to stop attackers, and that "security through obscurity" is an effective approach for the Linux kernel upstream.
2. PaX Team and spender are the most fascinating guys on the security mitigation side. They (and I) believe that the endless stream of exploitable bugs cannot be solved once and for all by fixing them one by one, but that specific security mitigations can be designed against specific classes of vulnerability. That's the only way to solve this issue.
These two philosophies are totally different. Why the hell does that happen? IMHO, one of the main reasons is that the threat models are totally different. In my adversary model, the attackers may have weaponized exploits developed by a digital armory (Vupen, HT?) or by the underground, while Linus's threat model only seems to contain skiddies ;-)
Some commercial GNU/Linux vendors basically believe that a public exploit is the most important factor in their risk assessment. Don't believe that? They admitted it themselves ;-)
A lot of my customers say that one of the reasons they chose GNU/Linux as their alternative to UNIX is that GNU/Linux is secure. I've always wondered about that and responded with "ARE U fuc*ing serious?". Now GNU/Linux is diving into the next age of the Internet, which some people like to call IoT (the Internet of Things). But the question is: is the Linux kernel ready to face tons of cybercriminals? You fuc*ing tell me........
btw: Kernel/compiler/firmware are the core infrastructure of the modern cyber world. A lot of good people are busy defending our world with their efforts. The PaX/Grsecurity guys are my heroes. Reproducible builds (based on the theory of DDC, Diverse Double-Compiling, by David A. Wheeler) are definitely going to piss the NSA off. CHIPSEC (for firmware) may be the starting point. I do believe only refined FOSS solutions can make this world a little more secure......
Just keep your mind open and suck in the experience. And if it hurts, it's probably worth it. God is Love!
Friday, November 06, 2015
Wednesday, November 27, 2013
How to set up apache2 with SSL/TLS support and client auth on Debian 7.2
I think SSL/TLS should be part of the security hardening process. Only fools would not use cryptography in the post-PRISM era. I think what Mr Snowden did proved one thing: Richard Stallman and the Phrack guys (I prefer the term "philosophical anarchists") never lied to us ;-) Well, I don't wanna bullshit about this controversial topic here... let's see how we can set up an HTTPS server with client auth.
Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5a
Validity
Not Before: Nov 19 02:08:14 2013 GMT
Not After : Nov 18 02:08:14 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-shit.com
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Copy the CA key and certificate out of demoCA:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------
Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------
Generate the server CSR (Certificate Signing Request) with the server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------
Generate the server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------
You can check out the cert or verify it:
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt
Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------
Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate the client's certificate, signed by the CA:
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5c
Validity
Not Before: Nov 19 02:28:13 2013 GMT
Not After : Nov 19 02:28:13 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-info.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Convert to PKCS#12 format, which Firefox can import:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------
Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit
root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled
Edit /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile /etc/ssl/hardened-shit/server.crt
SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key
SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt
SSLCACertificatePath /etc/ssl/hardened-shit/
SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------
Done.... it should work.
btw: I highly recommend reading these two articles if you want to go further: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache.
I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1
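As an added example (not from the original post), the same PKI built non-interactively with the openssl CLI, with the server certificate signed by the CA instead of self-signed, plus a check that mirrors what SSLVerifyClient require with SSLCACertificateFile enforces: a client certificate from a different CA is rejected even when its subject is identical. It assumes an openssl binary with a default openssl.cnf; all file names and CNs are constructed for the example.

```shell
#!/bin/sh
# Added example: rebuild the post's PKI unattended and check what a trust
# store holding one CA certificate accepts. Names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=Shanghai/L=Shanghai/O=MOT/OU=MOT"

# Self-signed CA certificate (CA:TRUE), like ./CA.sh -newca but unattended.
make_ca() {   # make_ca <file-prefix> <CN>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "$SUBJ_BASE/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Key + CSR for an end entity, signed by the named CA (a CA:FALSE leaf).
# The post signs only the client this way; signing the server too is what
# makes "openssl verify -CAfile ca.crt server.crt" succeed.
make_signed() {   # make_signed <file-prefix> <CN> <ca-prefix>
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ_BASE/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Exit 0 if <cert-prefix> chains to <ca-prefix>, non-zero otherwise. This is
# the decision mod_ssl makes for SSLVerifyClient require when
# SSLCACertificateFile points at that CA certificate.
verifies() {   # verifies <ca-prefix> <cert-prefix>
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

build_pki() {
    make_ca ca hardened-ca
    make_ca rogue-ca somebody-elses-ca
    make_signed server hardened-shit ca
    make_signed client alice ca
    make_signed intruder alice rogue-ca    # same CN as client, wrong issuer
}

# Stand-alone run: build everything and print the three verdicts.
if [ "${1:-}" = "run" ]; then
    build_pki
    for c in server client intruder; do
        if verifies ca "$c"; then echo "$c.crt: accepted by ca.crt"
        else echo "$c.crt: rejected by ca.crt"; fi
    done
fi
```

Running it with the argument run prints that server.crt and client.crt are accepted and intruder.crt is rejected; the resulting client.key and client.crt go through the same openssl pkcs12 -export step as in the post to produce the browser bundle.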
Wednesday, May 22, 2013
How to harden your own program in GNU/Linux
Platform: openSUSE 12.3
AppArmor is an implementation of confinement technology. It can help you prevent unknown attacks such as 0-day vulnerabilities. On openSUSE/Ubuntu it's very easy to install. On openSUSE 12.3, type "yast2" in a terminal or use the GUI software management to install AppArmor. Once it is installed, you need to make a profile for the program you want to harden.
First, please download the example files here. Then compile the program:
shawn@linux-sk8j:~> gcc apparmor_test.c
Generate the profile for your program:
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
.........................................
.........................................
.........................................
Finished generating profile for /home/shawn/a.out.
-----------------------------------------------------------
Then you can find the profile in /etc/apparmor.d/home.shawn.a.out. Add a few lines to it like this (the include targets, which the page had lost, are the standard ones genprof emits):
#include <tunables/global>
/home/shawn/a.out {
  #include <abstractions/base>
  /home/shawn/a.out mr,
  /home/shawn/hello r,
  /home/shawn/world w,
  network stream,
}
AppArmor uses a whitelist-style policy by default. The above example means: this program (a.out) is only allowed read permission on /home/shawn/hello, write permission on /home/shawn/world, and TCP connections. If this program has a stack-based buffer overflow, the attacker might want to spawn a shell by exploiting it; under this profile, that is not going to happen. For further reading about AppArmor profiles, you might be interested in this article. Other similar implementations such as SELinux and Grsecurity/PaX could achieve the same goal. SELinux is the most powerful one but the most difficult to use.
Once you're done with confinement hardening, there are a lot of mitigation technologies you should consider; they're much easier to use. Please keep this in mind: these defensive technologies are what we call "mitigations", which means skilled hackers or attackers have the ability to bypass them. It's only a matter of time.
GCC options:
------------------------------------------------
Stack canary:
-fstack-protector, only some functions (those with character arrays on the stack) are protected
-fstack-protector-all, protects every function in your program
Bypass method: see "Scraps of notes on remote stack overflow exploitation" in Phrack Issue 67.
Heap (malloc() corruption checks):
on by default since glibc 2.5. Please use the latest version of glibc.
Position-Independent Executable:
-fPIE -pie, takes advantage of the ASLR provided by the kernel. Remember to turn on ASLR on the host.
Bypass method: see "Bypassing PaX ASLR protection" in Phrack Issue 59. Yes, it's an old paper, but it's still worth reading.
GOT memory corruption hardening of ELF binaries (linker flags; pass them through gcc as -Wl,-z,relro and -Wl,-z,now):
-z relro, Partial RELRO
-z relro -z now, Full RELRO
Bypass method: see "The Art Of ELF: Analysis and Exploitations".
String vulnerability mitigation:
-D_FORTIFY_SOURCE=2 (needs -O1 or higher), mitigates some string-handling and format string vulns
Bypass method: see "A Eulogy for Format Strings" in Phrack Issue 67.
Non-executable stack:
-z noexecstack
Well, there are a lot of ways to bypass it.
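The quickest way to confirm that the options above actually made it into a build is to read the ELF metadata of the result. The following is an added example, not code from the original post: a small checker for 64-bit ELF files on Linux (it needs glibc's elf.h) that reports PIE, stack NX, partial/full RELRO, stack canary and FORTIFY_SOURCE from the program headers, the dynamic section and the imported symbols. The struct and function names are my own.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int pie;       /* ET_DYN executable: linked with -pie, so ASLR moves the code */
    int nx_stack;  /* PT_GNU_STACK present without PF_X: -z noexecstack */
    int relro;     /* PT_GNU_RELRO present: -z relro (partial RELRO) */
    int bind_now;  /* DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW: -z now (full RELRO) */
    int canary;    /* imports __stack_chk_fail: -fstack-protector* took effect */
    int fortify;   /* imports a __*_chk helper: -D_FORTIFY_SOURCE took effect */
} elf_hardening;

/* Slurp a whole file into memory; returns NULL on any error. */
static unsigned char *read_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long n;
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) > 0 && fseek(f, 0, SEEK_SET) == 0) {
        buf = malloc((size_t)n);
        if (buf && fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); buf = NULL; }
        *len = (size_t)n;
    }
    fclose(f);
    return buf;
}

/* Fills *out. Returns 1 on success, 0 if path is not a readable, sane ELF64 file. */
int inspect_elf(const char *path, elf_hardening *out) {
    size_t len = 0;
    unsigned char *buf = read_file(path, &len);
    if (!buf) return 0;
    memset(out, 0, sizeof *out);
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (len < sizeof *eh || memcmp(buf, ELFMAG, SELFMAG) != 0 || buf[EI_CLASS] != ELFCLASS64 ||
        eh->e_phoff + (size_t)eh->e_phnum * sizeof(Elf64_Phdr) > len ||
        eh->e_shoff + (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len) { free(buf); return 0; }
    out->pie = (eh->e_type == ET_DYN);

    /* Program headers: stack permissions, RELRO segment, location of .dynamic. */
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(buf + eh->e_phoff);
    size_t dyn_off = 0, dyn_len = 0;
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_STACK) out->nx_stack = !(ph[i].p_flags & PF_X);
        else if (ph[i].p_type == PT_GNU_RELRO) out->relro = 1;
        else if (ph[i].p_type == PT_DYNAMIC) { dyn_off = ph[i].p_offset; dyn_len = ph[i].p_filesz; }
    }
    /* Dynamic section: immediate binding is what turns partial RELRO into full RELRO. */
    if (dyn_off && dyn_off + dyn_len <= len) {
        const Elf64_Dyn *d = (const Elf64_Dyn *)(buf + dyn_off);
        for (size_t i = 0; i < dyn_len / sizeof *d && d[i].d_tag != DT_NULL; i++)
            if (d[i].d_tag == DT_BIND_NOW ||
                (d[i].d_tag == DT_FLAGS && (d[i].d_un.d_val & DF_BIND_NOW)) ||
                (d[i].d_tag == DT_FLAGS_1 && (d[i].d_un.d_val & DF_1_NOW)))
                out->bind_now = 1;
    }
    /* .dynsym: the helpers gcc inserts for canaries and FORTIFY are imported from libc. */
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_type != SHT_DYNSYM || sh[i].sh_link >= eh->e_shnum) continue;
        const Elf64_Shdr *st = &sh[sh[i].sh_link];
        if (sh[i].sh_offset + sh[i].sh_size > len || st->sh_offset + st->sh_size > len) continue;
        const Elf64_Sym *sym = (const Elf64_Sym *)(buf + sh[i].sh_offset);
        const char *str = (const char *)(buf + st->sh_offset);
        for (size_t j = 0; j < sh[i].sh_size / sizeof *sym; j++) {
            if (sym[j].st_shndx != SHN_UNDEF || sym[j].st_name >= st->sh_size) continue;
            const char *name = str + sym[j].st_name;
            size_t n = 0, max = st->sh_size - sym[j].st_name;   /* bounded strlen */
            while (n < max && name[n]) n++;
            if (n == 16 && memcmp(name, "__stack_chk_fail", 16) == 0) out->canary = 1;
            else if (n > 6 && name[0] == '_' && name[1] == '_' && memcmp(name + n - 4, "_chk", 4) == 0)
                out->fortify = 1;
        }
    }
    free(buf);
    return 1;
}

int main(int argc, char **argv) {
    elf_hardening h;
    if (argc != 2 || !inspect_elf(argv[1], &h)) return fprintf(stderr, "usage: %s <elf64>\n", argv[0]), 1;
    printf("PIE: %s, NX stack: %s, RELRO: %s, canary: %s, FORTIFY_SOURCE: %s\n",
           h.pie ? "yes" : "no", h.nx_stack ? "yes" : "no",
           !h.relro ? "none" : h.bind_now ? "full" : "partial",
           h.canary ? "yes" : "no", h.fortify ? "yes" : "no");
    return 0;
}
```

Canary and FORTIFY are detected through imports, so a statically linked binary, or one where gcc never had to emit a checked call, reports "no" even when the flag was given; compare a build of the a.out above with and without the options to see each field flip.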
I also made a list a few months ago. You may want to check that too. Yes, there are a lot of mitigation techniques and a lot of bypass techniques. Offensive and defensive technologies are like brothers; the only difference is that they will fight each other until the end of the world ;-)
btw: You don't need to worry about the performance hit when you turn on these mitigations, except for -fstack-protector-all. That's it!
May L0rd's hacking spirit guide us!!!