path: root/xml/revdep-pax.xml

<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: $ -->

<guide>
<title>Gentoo revdep-pax introduction</title>

<author title="Author">
  <mail link="klondike"/>
</author>

<abstract>
This guide provides an introduction to revdep-pax and how to use it to propagate
the PaC markings caused by libraries requiring them, for example, libraries
requiring RWX memory in order to process JIT code.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

<version>1</version>
<date>2012-02-19</date>

<chapter>
<title>What's <c>revdep-pax</c> about?</title>

<p by="Geroge Orwell">
Since the early days of PaX it was known that all programs were equal although
some were more equal than others and needed an environment with less
restrictions in order to be able to run. Thus, in order to have a secure way of
allowing system administrators and users telling the system which binaries
needed this lessened environment the PaX marks were created.
</p>

<section>
<title>A quick introduction to PaX markings.</title>
<body>

<p>
There are some programs which won't be able to run in an environment with all
the PaX features enabled, for example you may have a program which has so called
<e>text relocations</e> or you may have a language interpreter doing JIT code
compilation and requiring <e>RWX</e> mappings you may also have a program that
saves data including internal pointers into an mmaped file and which needs to be
restored in the same place no matter what. You could also be holding a security
competition and need to disable the execution restrictions and force it to
use fixed addresses on a particular program so it can be exploited doing a
simple nop sled based stack overflow to get to the next level. For taking into
account these issues binaries can be marked to force on or off some of the PaX
features.
</p>

<p>
Currently, the PaX features that can be lessened or enforced to allow programs
to run are:
</p>

<dl>
  <dt><b>PAGEEXEC</b></dt>
  <dd>Paging based execution restrictions. This is what other OSes know as
  <e>NX</e>.</dd>
  <dt><b>EMUTRAMP</b></dt>
  <dd>Trampoline emulation. Required by for amongst other things code with
  nested functions.</dd>
  <dt><b>MPROTECT</b></dt>
  <dd>Prevents the introduction of new executable code in the task. This is the
  one you are more likely to need disabling with libraries generating JIT code.
  </dd>
  <dt><b>RANDMMAP</b></dt>
  <dd>Randomizes the addresses where mappings are made unless the program
  explicitly requests one (using the MAP_FIXED flag).</dd>
  <dt><b>RANDEXEC</b></dt>
  <dd>This flag is currently deprecated and was used to enforce random placement
  of the executable part of the binary.</dd>
  <dt><b>SEGMEXEC</b></dt>
  <dd>This flag enables segmentation based execution protection. This feature is
  not available on the amd64 architecture so in that architecture is disables by
  default.</dd>
</dl>

<p>
There are various ways in which this advice to lessen the environment can be
provided to the system, amongst others Mandatory Access Control rules, extended
attributes and two kinds of markings on the binaries themselves, the legacy ones
which abuse an unused field in the ELF headers and the new ones which add a new
specific section to the ELF file with the markings.
</p>

<p>
All this markings though are only read in the executable and not in the
libraries linked by it to prevent some possible attacks (like libraries being
injected via LD_PRELOAD) and because it eases a lot the implementation since the
kernel shouldn't be aware of linking details.
</p>

<p>
This system has a problem: if we have a binary linking to a library which
requires, for example, trampoline emulation because it uses nested functions how
can we make sure the binary gets the propper markings? Yeah we could add PaX
marks to the library to state it needs trampoline emulation but still we haven't
fixed the issue since the kernel will only read the marks on the binary being
called. In order to solve this issue we have created <c>revdep-pax</c>.
</p>

</body>
</section>
<section>
<title>What's <c>revdep-pax</c>?</title>
<body>

<p>
<c>revdep-pax</c> is a tool that allows to check for differences in PaX markings
between elf objects linking to libraries (for example <path>/bin/bash</path>)
and the libraries themselves (for example <path>/lib64/libc.so.6</path>).
</p>

<p>
<c>revdep-pax</c> is able to do this in various ways, it can check for
differences <e>forward</e> from one binary to all the libraries it links and it
can also check for PaX marking differences <e>backwards</e> from one library to
all the binaries linking to it (which may include other libraries too). In a
similar way it is possible to have all the forward and reverse mappings in the
system checked to try finding issues.
</p>

<p>
<c>revdep-pax</c> is also able to propagate these markings both forward to the
libraries linked by an object and backwards to the objects linked by a library.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Using <c>revdep-pax</c></title>

<p by="The Emperor">
In order to witness the firepower of this fully ARMED and OPERATIONAL tool
you'll first need to learn how to use it, once you are done, you'll be
able to fire at will.
</p>

<section>
<title>Propagating PaX marks backwards from a library to objects that link at it
</title>
<body>

<p>
This is going to be probably the main way in which you are going to use this
utility. What it does is check all the libraries linked statically 
The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
With this application you can print out information specific to the ELF
structure of a binary. The following table sums up the various options.
</p>

<table>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-p</ti>
  <ti>--path</ti>
  <ti>Scan all directories in PATH environment</ti>
</tr>
<tr>
  <ti>-l</ti>
  <ti>--ldpath</ti>
  <ti>Scan all directories in /etc/ld.so.conf</ti>
</tr>
<tr>
  <ti>-R</ti>
  <ti>--recursive</ti>
  <ti>Scan directories recursively</ti>
</tr>
<tr>
  <ti>-m</ti>
  <ti>--mount</ti>
  <ti>Don't recursively cross mount points</ti>
</tr>
<tr>
  <ti>-y</ti>
  <ti>--symlink</ti>
  <ti>Don't scan symlinks</ti>
</tr>
<tr>
  <ti>-A</ti>
  <ti>--archives</ti>
  <ti>Scan archives (.a files)</ti>
</tr>
<tr>
  <ti>-L</ti>
  <ti>--ldcache</ti>
  <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
</tr>
<tr>
  <ti>-X</ti>
  <ti>--fix</ti>
  <ti>Try and 'fix' bad things (use with -r/-e)</ti>
</tr>
<tr>
  <ti>-z [arg]</ti>
  <ti>--setpax [arg]</ti>
  <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
</tr>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-x</ti>
  <ti>--pax</ti>
  <ti>Print PaX markings</ti>
</tr>
<tr>
  <ti>-e</ti>
  <ti>--header</ti>
  <ti>Print GNU_STACK/PT_LOAD markings</ti>
</tr>
<tr>
  <ti>-t</ti>
  <ti>--textrel</ti>
  <ti>Print TEXTREL information</ti>
</tr>
<tr>
  <ti>-r</ti>
  <ti>--rpath</ti>
  <ti>Print RPATH information</ti>
</tr>
<tr>
  <ti>-n</ti>
  <ti>--needed</ti>
  <ti>Print NEEDED information</ti>
</tr>
<tr>
  <ti>-i</ti>
  <ti>--interp</ti>
  <ti>Print INTERP information</ti>
</tr>
<tr>
  <ti>-b</ti>
  <ti>--bind</ti>
  <ti>Print BIND information</ti>
</tr>
<tr>
  <ti>-S</ti>
  <ti>--soname</ti>
  <ti>Print SONAME information</ti>
</tr>
<tr>
  <ti>-s [arg]</ti>
  <ti>--symbol [arg]</ti>
  <ti>Find a specified symbol</ti>
</tr>
<tr>
  <ti>-k [arg]</ti>
  <ti>--section [arg]</ti>
  <ti>Find a specified section</ti>
</tr>
<tr>
  <ti>-N [arg]</ti>
  <ti>--lib [arg]</ti>
  <ti>Find a specified library</ti>
</tr>
<tr>
  <ti>-g</ti>
  <ti>--gmatch</ti>
  <ti>Use strncmp to match libraries. (use with -N)</ti>
</tr>
<tr>
  <ti>-T</ti>
  <ti>--textrels</ti>
  <ti>Locate cause of TEXTREL</ti>
</tr>
<tr>
  <ti>-E [arg]</ti>
  <ti>--etype [arg]</ti>
  <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
</tr>
<tr>
  <ti>-M [arg]</ti>
  <ti>--bits [arg]</ti>
  <ti>Print only ELF files matching numeric bits</ti>
</tr>
<tr>
  <ti>-a</ti>
  <ti>--all</ti>
  <ti>Print all scanned info (-x -e -t -r -b)</ti>
</tr>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-q</ti>
  <ti>--quiet</ti>
  <ti>Only output 'bad' things</ti>
</tr>
<tr>
  <ti>-v</ti>
  <ti>--verbose</ti>
  <ti>Be verbose (can be specified more than once)</ti>
</tr>
<tr>
  <ti>-F [arg]</ti>
  <ti>--format [arg]</ti>
  <ti>Use specified format for output</ti>
</tr>
<tr>
  <ti>-f [arg]</ti>
  <ti>--from [arg]</ti>
  <ti>Read input stream from a filename</ti>
</tr>
<tr>
  <ti>-o [arg]</ti>
  <ti>--file [arg]</ti>
  <ti>Write output stream to a filename</ti>
</tr>
<tr>
  <ti>-B</ti>
  <ti>--nobanner</ti>
  <ti>Don't display the header</ti>
</tr>
<tr>
  <ti>-h</ti>
  <ti>--help</ti>
  <ti>Print this help and exit</ti>
</tr>
<tr>
  <ti>-V</ti>
  <ti>--version</ti>
  <ti>Print version and exit</ti>
</tr>
</table>

<p>
The format specifiers for the <c>-F</c> option are given in the following table.
Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
</p>

<table>
<tr>
  <th>Specifier</th>
  <th>Full Name</th>
  <th>Specifier</th>
  <th>Full Name</th>
</tr>
<tr>
  <ti>F</ti>
  <ti>Filename</ti>
  <ti>x</ti>
  <ti>PaX Flags</ti>
</tr>
<tr>
  <ti>e</ti>
  <ti>STACK/RELRO</ti>
  <ti>t</ti>
  <ti>TEXTREL</ti>
</tr>
<tr>
  <ti>r</ti>
  <ti>RPATH</ti>
  <ti>n</ti>
  <ti>NEEDED</ti>
</tr>
<tr>
  <ti>i</ti>
  <ti>INTERP</ti>
  <ti>b</ti>
  <ti>BIND</ti>
</tr>
<tr>
  <ti>s</ti>
  <ti>Symbol</ti>
  <ti>N</ti>
  <ti>Library</ti>
</tr>
<tr>
  <ti>o</ti>
  <ti>Type</ti>
  <ti>p</ti>
  <ti>File name</ti>
</tr>
<tr>
  <ti>f</ti>
  <ti>Base file name</ti>
  <ti>k</ti>
  <ti>Section</ti>
</tr>
<tr>
  <ti>a</ti>
  <ti>ARCH/e_machine</ti>
  <ti>&nbsp;</ti>
  <ti>&nbsp;</ti>
</tr>
</table>

</body>
</section>
<section>
<title>Using scanelf for Text Relocations</title>
<body>

<p>
As an example, we will use <c>scanelf</c> to find binaries containing text
relocations.
</p>

<p>
A relocation is an operation that rewrites an address in a loaded segment. Such
an address rewrite can happen when a segment has references to a shared object
and that shared object is loaded in memory. In this case, the references are
substituted with the real address values. Similar events can occur inside the 
shared object itself.
</p>

<p>
A text relocation is a relocation in the text segment. Since text segments
contain executable code, system administrators might prefer not to have these
segments writable. This is perfectly possible, but since text relocations
actually write in the text segment, it is not always feasible. 
</p>

<p>
If you want to eliminate text relocations, you will need to make sure
that the application and shared object is built with <e>Position Independent
Code</e> (PIC), making references obsolete. This not only increases security,
but also increases the performance in case of shared objects (allowing writes in
the text segment requires a swap space reservation and a private copy of the
shared object for each application that uses it).
</p>

<p>
The following example will search your library paths recursively, without
leaving the mounted file system and ignoring symbolic links, for any ELF binary
containing a text relocation:
</p>

<pre caption="Scanning the system for text relocation binaries">
# <i>scanelf -lqtmyR</i>
</pre>

<p>
If you want to scan your entire system for <e>any</e> file containing text
relocations:
</p>

<pre caption="Scanning the entire system for text relocation files">
# <i>scanelf -qtmyR /</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf for Specific Header</title>
<body>

<p>
The scanelf util can be used to quickly identify files that contain a 
given section header using the -k .section option.
</p>

<p>
In this example we are looking for all files in /usr/lib/debug 
recursively using a format modifier with quiet mode enabled that have been 
stripped. A stripped elf will lack a .symtab entry, so we use the '!' 
to invert the matching logic.
</p>

<pre caption="Scanning for stripped or non stripped executables">
# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf for Specific Segment Markings</title>
<body>

<p>
Each segment has specific flags assigned to it in the Program Header of the
binary. One of those flags is the type of the segment. Interesting values are
PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
segment contains dynamic linking information), PT_INTERP (the segment 
contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
(a PaX extension for the ELF format, used by the security-minded 
<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
</p>

<p>
If we want to scan all executables in the current working directory, PATH
environment and library paths and report those who have a writable and
executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
</p>

<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
# <i>scanelf -lpqe .</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf's Format Modifier Handler</title>
<body>

<p>
A useful feature of the <c>scanelf</c> utility is the format modifier handler.  
With this option you can control the output of <c>scanelf</c>, thereby 
simplifying parsing the output with scripts.
</p>

<p>
As an example, we will use <c>scanelf</c> to print the file names that contain
text relocations:
</p>

<pre caption="Example of the scanelf format modifier handler">
# <i>scanelf -l -p -R -q -F "%F #t"</i>
</pre>

</body>
</section>
</chapter>

<chapter id="pspax">
<title>Listing PaX Flags and Capabilities</title>
<section>
<title>About PaX</title>
<body>

<p>
<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main 
goal is "to research various defense mechanisms against the exploitation of 
software bugs that give an attacker arbitrary read/write access to the 
attacked task's address space. This class of bugs contains among others 
various forms of buffer overflow bugs (be they stack or heap based), user
supplied format string bugs, etc."
</p>

<p>
To be able to benefit from these defense mechanisms, you need to run a Linux
kernel patched with the latest PaX code. The <uri
link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
its parent project, grsecurity. The supported kernel package is
<c>sys-kernel/hardened-sources</c>.
</p>

<p>
The Gentoo/Hardened project has a <uri
link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
for your reading pleasure.
</p>

</body>
</section>
<section>
<title>Flags and Capabilities</title>
<body>

<p>
If your toolchain supports it, your binaries can have additional PaX flags in
their Program Header. The following flags are supported:
</p>

<table>
<tr>
  <th>Flag</th>
  <th>Name</th>
  <th>Description</th>
</tr>
<tr>
  <ti>P</ti>
  <ti>PAGEEXEC</ti>
  <ti>
    Refuse code execution on writable pages based on the NX bit
    (or emulated NX bit)
  </ti>
</tr>
<tr>
  <ti>S</ti>
  <ti>SEGMEXEC</ti>
  <ti>
    Refuse code execution on writable pages based on the
    segmentation logic of IA-32
  </ti>
</tr>
<tr>
  <ti>E</ti>
  <ti>EMUTRAMP</ti>
  <ti>
    Allow known code execution sequences on writable pages that
    should not cause any harm
  </ti>
</tr>
<tr>
  <ti>M</ti>
  <ti>MPROTECT</ti>
  <ti>
    Prevent the creation of new executable code to the process
    address space
  </ti>
</tr>
<tr>
  <ti>R</ti>
  <ti>RANDMMAP</ti>
  <ti>
    Randomize the stack base to prevent certain stack overflow
    attacks from being successful
  </ti>
</tr>
<tr>
  <ti>X</ti>
  <ti>RANDEXEC</ti>
  <ti>
    Randomize the address where the application maps to prevent
    certain attacks from being exploitable
  </ti>
</tr>
</table>

<p>
The default Linux kernel also supports certain capabilities, grouped in the
so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
capabilities in our <uri
link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
</p>

</body>
</section>
<section>
<title>Using pspax</title>
<body>

<p>
The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
run-time capabilities of all programs you have permission for. On Linux kernels
with additional support for extended attributes (such as SELinux) those
attributes are shown as well.
</p>

<p>
When ran, <c>pspax</c> shows the following information:
</p>

<table>
<tr>
  <th>Column</th>
  <th>Description</th>
</tr>
<tr>
  <ti>USER</ti>
  <ti>Owner of the process</ti>
</tr>
<tr>
  <ti>PID</ti>
  <ti>Process id</ti>
</tr>
<tr>
  <ti>PAX</ti>
  <ti>Run-time PaX flags (if applicable)</ti>
</tr>
<tr>
  <ti>MAPS</ti>
  <ti>Write/eXecute markings for the process map</ti>
</tr>
<tr>
  <ti>ELF_TYPE</ti>
  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
</tr>
<tr>
  <ti>NAME</ti>
  <ti>Name of the process</ti>
</tr>
<tr>
  <ti>CAPS</ti>
  <ti>POSIX.1e capabilities (see note)</ti>
</tr>
<tr>
  <ti>ATTR</ti>
  <ti>Extended attributes (if applicable)</ti>
</tr>
</table>

<note>
<c>pspax</c> only displays these capabilities when it is linked with
the external capabilities library. This requires you to build <c>pax-utils</c>
with -DWANT_SYSCAP.
</note>

<p>
By default, <c>pspax</c> does not show any kernel processes. If you want those
to be taken as well, use the <c>-a</c> switch.
</p>

</body>
</section>
</chapter>

<chapter id="dumpelf">
<title>Programming with ELF files</title>
<section>
<title>The dumpelf Utility</title>
<body>

<p>
With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
code that defines a structure with the same image as the original ELF file.
</p>

<pre caption="dumpelf example">
$ <i>dumpelf /bin/hostname</i>
#include &lt;elf.h&gt;

<comment>/*
 * ELF dump of '/bin/hostname'
 *     10276 (0x2824) bytes
 */</comment>

struct {
        Elf32_Ehdr ehdr;
        Elf32_Phdr phdrs[8];
        Elf32_Shdr shdrs[26];
} dumpedelf_0 = {

.ehdr = {
<comment>(... Output stripped ...)</comment>
</pre>

</body>
</section>
</chapter>
</guide>