Xen Paravirtualization + grsecurity working!


Postby john_anderson_ii » Thu Oct 19, 2006 5:26 pm

squadra wrote:
Hello everyone,

Is there anybody here who can send me John's Xen patchset? I'll put them in a permanent stable location. His links have been dead for a few days :(

And has anyone tried to modify John's x64 patches for newer kernel versions yet (2.6.17/2.6.18)?

Thanks

Juergen


Sorry I've been out of the loop for a while.

Here are links to the patches.

Kernel source tree patch.
Xen -sparse tree


I'd pretty much dropped the subject of integrating grsec/PAX with Xen for the time being. I've got several production 2.6.16.13 Xen/grsec/PAX boxes up and running with great success, and I'm hoping that they will suffice until Xen goes mainstream and it becomes a grsec/PAX 'supported' architecture ;-).

If I find the time I'll try to tinker with some of terran's work and see what we can come up with.

However, a more permanent place for these patches and any revisions/fixes would be greatly appreciated. :-)
John Anderson
CCBill, LLC
Sr. Systems Administrator
http://www.ccbill.com
john_anderson_ii
 
Posts: 19
Joined: Sat Jun 17, 2006 4:36 am
Location: Tempe, AZ

A more permanent place for John's Xen patchset

Postby shivajee_rs » Thu Nov 30, 2006 9:15 am

A more permanent place for John's Xen patchset

Kernel source tree patch
Xen -sparse tree

Thanks for the great work....
Shivajee.R.Sharma
shivajee_rs
 
Posts: 1
Joined: Thu Nov 30, 2006 8:10 am

Postby john_anderson_ii » Fri Sep 07, 2007 3:28 pm

Deleted double post...
Last edited by john_anderson_ii on Fri Sep 07, 2007 3:32 pm, edited 1 time in total.
John Anderson
CCBill, LLC
Sr. Systems Administrator
http://www.ccbill.com
john_anderson_ii
 
Posts: 19
Joined: Sat Jun 17, 2006 4:36 am
Location: Tempe, AZ

Re: xen-3.1.0-testing (2.6.18 based)

Postby john_anderson_ii » Fri Sep 07, 2007 3:30 pm

Xen-3.1.0-testing (linux-2.6.18) is booting and running with grsecurity-2.1.9-2.6.18-200610021833.

I got the latest testing branch from xen booting and running with GRSecurity/PAX applied. Again, only in x86-64.

I am noticing something strange with PAX though:

In the Xen Dom0 paxtest results are:

Mode: blackhat
Linux xen-ecs1.ecsuite.com 2.6.18-xen-grsec #1 SMP Fri Sep 7 11:40:06 MST 2007 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed


And in the DomU the results are:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux base-dev.ccbill.com 2.6.18-xen-grsec #2 SMP Fri Sep 7 12:43:47 MST 2007 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: return address contains a NULL byte.
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed



I'm running the same exact kernel image in both the Dom0 and the DomU so I don't understand the discrepancy. I will be compiling a DomU specific kernel for testing this.

Which part of PAX is responsible for ET_EXEC? Is it code placed throughout the kernel, or is it primarily in one area?

I just got this up, so I don't have distributable patches yet, but once I get this reproduced, I'll put together a patch set for it.
John Anderson
CCBill, LLC
Sr. Systems Administrator
http://www.ccbill.com
john_anderson_ii
 
Posts: 19
Joined: Sat Jun 17, 2006 4:36 am
Location: Tempe, AZ

Postby bplant » Sat Sep 08, 2007 8:03 pm

Hi John,

I've got xen 3.1 running on 2.6.18.8 with grsec also. I've been running this since about the week after xen 3.1 was released so it's been tested a while now. I'll look at uploading the patches somewhere this week.

I've also got a 2.6.20 kernel running, but I haven't tested this version as much. Not sure if I will keep using this one or just jump to 2.6.21. These other releases are based on fedora kernels: http://koji.fedoraproject.org/koji/packageinfo?packageID=1170

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Postby john_anderson_ii » Mon Sep 10, 2007 2:02 pm

Good god man! Why didn't you share? :D

Can you show me your paxtest output so I can compare?

Thanks!
John Anderson
CCBill, LLC
Sr. Systems Administrator
http://www.ccbill.com
john_anderson_ii
 
Posts: 19
Joined: Sat Jun 17, 2006 4:36 am
Location: Tempe, AZ

Postby bplant » Mon Sep 10, 2007 6:31 pm

Hi John,

Here is the paxtest output. First dom0:

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (ET_DYN)   : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed


And domU:

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (ET_DYN)   : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed


Paxtest version is: 0.9.7_pre4

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Postby bplant » Sat Sep 15, 2007 1:44 am

Ok, finally got around to getting it up. You can find them at http://ayuda.com.au/pub

It applies against a Gentoo Linux Xen patch, but it should still work against anything else too. Just a note, the patch is x86_64 only!

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Re: xen-3.1.0-testing (2.6.18 based)

Postby Kp » Sat Sep 15, 2007 1:24 pm

john_anderson_ii wrote:
In the Xen Dom0 paxtest results are:
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation


And in the DomU the results are:
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation


I'm running the same exact kernel image in both the Dom0 and the DomU so I don't understand the discrepancy. I will be compiling a DomU specific kernel for testing this.


You highlighted different results in the two quote blocks. Was that intentional? Ignoring the difference in which lines are bold, the results match between Dom0 and DomU.
Kp
 
Posts: 46
Joined: Tue Sep 20, 2005 12:56 am

Re: xen-3.1.0-testing (2.6.18 based)

Postby john_anderson_ii » Mon Sep 17, 2007 5:37 pm

Yes, it was an error. I was trying to highlight the parts where No Randomization was the result. I'm pretty sure these areas should be randomized, so there is obviously something wrong with the changes I made.
John Anderson
CCBill, LLC
Sr. Systems Administrator
http://www.ccbill.com
john_anderson_ii
 
Posts: 19
Joined: Sat Jun 17, 2006 4:36 am
Location: Tempe, AZ
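
Added example, not part of any post in this thread: a small Python parser for the paxtest output format shown above that lists the weak results in one run and the lines that differ between two runs, instead of comparing the listings by eye. The sample lines are excerpted from two of the Dom0 runs posted here; the function names and the `min_bits` threshold are assumptions made for this example.

```python
import re

# A paxtest result line is "<test name> : <result>"; header lines such as
# "Mode: blackhat" or the uname line do not end in one of these result forms.
LINE = re.compile(
    r"^(.+?)\s*:\s*(Killed|Vulnerable|No randomisation|\d+ bits.*|paxtest:.*)$")

def parse_paxtest(text):
    """Return {test name: result} for each result line, in output order."""
    results = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            results[m.group(1)] = m.group(2).strip()
    return results

def weak_results(results, min_bits=16):
    """Names of tests that are Vulnerable, unrandomised, or below min_bits.

    min_bits is an illustrative threshold chosen for this example only.
    """
    weak = []
    for name, result in results.items():
        bits = re.match(r"(\d+) bits", result)
        if (result in ("Vulnerable", "No randomisation")
                or (bits and int(bits.group(1)) < min_bits)):
            weak.append(name)
    return weak

def diff_runs(a, b):
    """Return {test name: (result in a, result in b)} where the runs differ."""
    return {n: (a.get(n), b.get(n))
            for n in dict.fromkeys([*a, *b]) if a.get(n) != b.get(n)}

# Sample input: lines excerpted from two of the Dom0 runs posted in this thread.
RUN_A = """Mode: blackhat
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Executable shared library data (mprotect): Killed
"""
RUN_B = """Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Executable shared library data (mprotect): Killed
"""

if __name__ == "__main__":
    a, b = parse_paxtest(RUN_A), parse_paxtest(RUN_B)
    print("weak in run A:", weak_results(a))
    for name, (ra, rb) in diff_runs(a, b).items():
        print(f"{name}: {ra!r} vs {rb!r}")
```

Feeding the same run to `diff_runs` twice returns an empty dict, which is the Dom0/DomU situation Kp points out above.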

Re: Xen Paravirtualization + grsecurity working!

Postby bplant » Fri Jan 11, 2008 7:59 pm

Hi,

I have rolled grsecurity-2.1.10-200704241759 which was originally based on 2.6.20.7 for 2.6.20.20 with xen. Note that this is based on Gentoo's xen-sources-2.6.20-r6.ebuild. My ebuild and patch can be found at http://ayuda.com.au/pub/. As before, this only works on x86_64.

The only change that I have noticed from the 2.1.9 version is that any subject that binds to a port, e.g. sshd, requires the CAP_NET_ADMIN option. However this capability allows many things (http://www.lids.org/lids-howto/node48.html) that sshd should not be able to do like modify the firewall. Currently I am denying CAP_NET_ADMIN to all services (as per my policy with 2.1.9) and they all seem to work correctly so I'm betting on a bug somewhere.

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Re: Xen Paravirtualization + grsecurity working!

Postby jfreund » Sat Jan 26, 2008 8:17 am

Hi John and Brad,

Thank you very much for your great efforts. I set up a Gentoo server using Brad's ebuild for the 2.6.20 and it worked immediately!
Should you need any further space for mirroring, please let me know (since this is something I could contribute).

Regards,
Jesco
jfreund
 
Posts: 1
Joined: Sat Jan 26, 2008 5:12 am

Re: Xen Paravirtualization + grsecurity working!

Postby cormander » Thu Jun 19, 2008 11:03 pm

Hey Guys,

I forward ported the grsecurity 2.1.9 patch linked from this thread to xen 3.2.0 on the linux-2.6.18.8 kernel from xen.org's mercurial repo that is kept very up to date:

http://download.ravencore.com/packages/ ... xen-grsec/

Pre-built RPMs for it:

http://download.ravencore.com/xen/kernel/x86_64/RPMS/

As stated before, still only works on 64bit. When I get it to work on 32bit or the latest 2.6.25 xen kernel to work with grsecurity/pax I'll post some more links.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
Location: Utah

Re: Xen Paravirtualization + grsecurity working!

Postby egosh » Sun Dec 27, 2009 3:54 pm

Hi,
I would like to use grsecurity in Xen's dom0 on Gentoo (2.6.18-r12-kernel). Are there any actual patches of grsecurity for this kernel?

cormander wrote:
I forward ported the grsecurity 2.1.9 patch linked from this thread to xen 3.2.0 on the linux-2.6.18.8 kernel from xen.org's mercurial repo that is kept very up to date:
http://download.ravencore.com/packages/ ... xen-grsec/

I'd like to try it out, but the link does not work.
egosh
 
Posts: 1
Joined: Sun Dec 27, 2009 3:12 pm
