(spender @ 14th November 2010) wrote:
With the latest patches just uploaded, a change has been made to the operation of GRKERNSEC_HIDESYM to make it more agreeable. The most visible effect of this is that it won't be necessary anymore to disable GRKERNSEC_HIDESYM to see symbols in oops/panic reports. I've introduced some new code to mark "approved" symbol uses. I've verified that these locations are only using the symbol information to print to the kernel logs, not to be used in /proc entries or anywhere else that non-privileged users could view. Because of this change, even though it's been mentioned to enable both GRKERNSEC_HIDESYM and GRKERNSEC_DMESG together, be sure you have both enabled to see the full benefit of GRKERNSEC_HIDESYM.
So to summarize the current behavior of GRKERNSEC_HIDESYM:
prevents use of system calls to query symbols/modules by non-privileged users
removes infoleaks of kernel addresses from /proc and netlink interfaces
makes /proc/kallsyms only visible by root
permits white-listed use of symbol information for BUG/OOPs/panic messages
denies any other use of symbol information
-Brad
grsecurity news (hardened stuff)
Moderator: /dev/random
-
taaroa
- Posts: 1319
grsecurity news
:wq
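Added example (not part of the original post and not grsecurity code): a check, meant to be run as an unprivileged user, of what /proc/kallsyms reveals, following the GRKERNSEC_HIDESYM summary quoted above. The function names, the three result labels and the sample lines are constructed for illustration.

```python
import os

# Constructed samples of /proc/kallsyms content (not captured from a real system).
SAMPLE_EXPOSED = """\
ffffffff81000000 T _text
ffffffff810001c0 T startup_64
ffffffffa0012000 t init_module\t[samplemod]
"""
SAMPLE_MASKED = """\
0000000000000000 T _text
0000000000000000 T startup_64
"""

def leaked_symbols(kallsyms_text):
    """Return (symbol, address) pairs whose address is not zeroed out."""
    leaked = []
    for line in kallsyms_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                      # not an "address type name" line
        addr, name = fields[0], fields[2]
        try:
            value = int(addr, 16)
        except ValueError:
            continue                      # first field is not a hex address
        if value != 0:
            leaked.append((name, addr))
    return leaked

def audit_kallsyms(path="/proc/kallsyms"):
    """Classify what the calling user can learn from the symbol table."""
    try:
        with open(path) as fh:
            text = fh.read()
    except (PermissionError, FileNotFoundError):
        return "hidden"                   # file not visible to this user
    if not text.strip():
        return "hidden"                   # readable, but nothing is disclosed
    # "masked": symbol names are listed but every address reads as zero
    return "exposed" if leaked_symbols(text) else "masked"

if __name__ == "__main__":
    print("euid", os.geteuid(), "->", audit_kallsyms())
```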
-
taaroa
- Posts: 1319
Re: grsecurity news
(grsecurity.com @ 10th February 2010) wrote:
Official grsecurity/PaX support on ARM.
With the stable patch of grsecurity released today, the PAGEEXEC, MPROTECT, and ASLR features of PaX have been implemented for the ARM architecture. Specifically, the PAGEEXEC functionality exists for v6 and v7 ARM CPUs. Our development machine for this work is the Gumstix Overo, utilizing the ARM Cortex-A8 3530 processor. The same processor type is found in the latest mobile/embedded devices, including the Apple iPhone 3GS, Palm Pre, and Motorola Droid. As time permits, additional architecture-specific protections will be added for this increasingly important platform.
N900 #0
N900 #1
see #344279
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
:wq
-
sspphheerraa
- Posts: 1375
- OS: Gentoo
-
DaemonTux
- Posts: 1480
- Status: Young Padawan
- OS: Gentoo
-
taaroa
- Posts: 1319
Re: grsecurity news
Then reread the news item once more.
The new ARMv7 architecture (not to be confused with ARM7; ARMv3=ARM7, ARMv7=Cortex) is aimed at use in netbooks and hybrid computers. Licenses to manufacture Cortex-A9 processors were obtained by NEC, Nvidia, STMicroelectronics, Texas Instruments and Toshiba, and for Cortex-A8 by Broadcom, Freescale, Matsushita, Samsung, STMicroelectronics, TI and PMC-Sierra. In performance the ARM Cortex-A8 is equivalent to a Pentium III. The ARM Cortex-A9 features an improved architecture based on multiple processor cores (up to 4).
click me
click me again
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
(p.labushev@gmail.com) wrote:
JIT requires executable stack pages, and any process performing JavaScript on
hardened kernels will require to run with PAX_MPROTECT disabled. This may allow
easier code execution exploits to work (without the need in pure ret2libc-style
stack preparations, that is harder). Apart from that the JIT itself can be
vulnerable.
see mprotect
see #337736
see #338243
see #338245
IUSE+jit
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
The GRSEC/PaX team is now distributing a patch against iptables which provides
gradm match extension.
see #339596.
examples
iptables -A INPUT -i eth0 -p tcp -s $TRUSTEDIP --dport 22 -m gradm --disabled -j ACCEPT
iptables -A INPUT -i eth0 -m gradm --disabled -j DROP
iptables -m gradm -h
:wq
-
taaroa
- Posts: 1319
-
taaroa
- Posts: 1319
Re: grsecurity news
hardened-funtoo overlay
P.S. A request to the overlay's owner: develop baseline RBAC policy sets (desktop server).
as example see url.
:wq
-
taaroa
- Posts: 1319
-
taaroa
- Posts: 1319
Re: grsecurity news
(PaX Team @ 31th December 2010) wrote:
hello everyone!
we'll start the new year of 2011 early with opening a blog that will serve us, well, as our blog! topics posted here will include all things security that we come across during our everyday life and feel like we have something to say about. expect deep tech stuff, criticism, flames, etc, whatever you have come to expect from us over the past decade.
the ground rules (for you, dear readers, that is) are simple: no spam, no spilling over to the forums, and in general, no expectation of democracy (this is our soapbox after all). when you post comments here, please try to increase the signal/noise ratio.
blog
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
(grsecurity.com @ Jan 1 2011) wrote:
New blog, other updates
The PaX Team and I have decided to create a new blog where we will give our perspectives on security and other topics of interest. You can find it (and the first post) here: http://forums.grsecurity.net/viewforum.php?f=7.
In case you haven't been following recent grsec developments, I've set up separate RSS feeds for the stable and test patches. They're available at http://grsecurity.net/stable_rss.php and http://grsecurity.net/testing_rss.php.
Full changelogs for the stable and test trees are now available as well at http://grsecurity.net/changelog-stable.txt and http://grsecurity.net/changelog-test.txt.
SSL is also now supported on the main website and forums.
:wq
-
sspphheerraa
- Posts: 1375
- OS: Gentoo
Re: grsecurity news
It is of course commendable that you regularly post grsecurity news for us, but this is a Russian-language forum. Instead of copy-pasting the original news items, you could write at least a couple of words in Russian about what they say. Those who need it will follow the link anyway and read the original.
As it is, a couple of people at most read your news.
Sspphheerraa
-
damex
- Posts: 276
- Status: segfault in your face
- OS: Hardened Funtoo x86_64
Re: grsecurity news
As it is, a couple of people at most read your news.
then the rest don't need it
Non-technical questions sometimes don't have an answer at all. @ Linus Torvalds
-
taaroa
- Posts: 1319
Re: grsecurity news
In his blog, comrade Spender (Spengler/Spender) explains very accessibly the very essence of the new fashion, capabilities, the move away from SUID.
That's 18/35 capabilities equivalent to full root, a good start. In older kernels, this would have been 18/30, more than half of all capabilities.
Yes, in theory it's fine, but in practice
100% of system services that require any capabilities at runtime operate at full-root equivalence, despite their current or any potential future use of privilege dropping via capabilities.
huh?
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
quietly and unnoticed #363171
(cvs-gradm2-changelog) wrote:
2011-03-21 20:25 spender
* gradm_cap.c, gradm_defs.h: add CAP_SYSLOG
:wq
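Added example (not from the thread, the quoted blog or gradm): decoding the CapEff line of /proc/<pid>/status to see which of the 35 capabilities mentioned in the "18/35" quote a service actually holds, including CAP_SYSLOG from the gradm changelog entry above. The names follow linux/capability.h; the watch list, function names and sample status text are assumptions of this example and are not the list of 18 from the quoted post.

```python
# Capability names indexed by bit number, as defined in linux/capability.h
# for kernels with 35 capabilities (bits 0..34); CAP_SYSLOG is bit 34.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
]

# Assumption of this example: a short watch list of capabilities widely treated
# as convertible to full root. It is NOT the list of 18 from the quoted post.
WATCH_LIST = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
              "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_SETUID"}

# Constructed excerpt of /proc/<pid>/status for a hypothetical daemon.
SAMPLE_STATUS = "Name:\tsampled\nUid:\t100\t100\t100\t100\nCapEff:\t0000000400200400\n"

def decode_caps(mask):
    """Turn a capability bitmask into names; unknown bits stay visible."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "bit_%d" % bit)
        bit += 1
    return names

def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(int(line.split()[1], 16))
    raise ValueError("no CapEff line found")

def flagged(status_text):
    """Effective capabilities that are on the watch list, in bit order."""
    return [c for c in effective_caps(status_text) if c in WATCH_LIST]

if __name__ == "__main__":
    print(effective_caps(SAMPLE_STATUS), flagged(SAMPLE_STATUS))
```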
-
taaroa
- Posts: 1319
Re: grsecurity news
blah
Apache Benchmark:
This test profile measures how many requests per second a given system
can sustain when carrying out 700,000 requests with 100 requests being
carried out concurrently.
Vanilla 2.6.39.1 x64 kernel: 10758
All grsecurity/PaX features enabled: 8751 +19%
All but RBAC: 8436 +22%
All but UDEREF: 9652 +10%
All but KERNEXEC/UDEREF: 9633 +10%
All but KERNEXEC/UDEREF/SANITIZE: 9860 +8%
All but KERNEXEC/UDEREF/SANITIZE/STACKLEAK: 10798 +0%
For Apache benchmark:
STACKLEAK: 8% hit
SANITIZE: 2% hit
KERNEXEC: 0% hit
UDEREF: 9% hit
RBAC: -3% hit
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
---------------------------------------------------------------
Changes in grsecurity-2.2.2-3.0.4-201108300001.patch:
Changes in grsecurity-2.2.2-2.6.32.46-201108300001.patch:
---------------------------------------------------------------
add new boot logo
drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++++++------------------
1 file changed, 1120 insertions(+), 1601 deletions(-)
:wq
-
sspphheerraa
- Posts: 1375
- OS: Gentoo
Re: grsecurity news
Whoa, a separate logo for grsecurity. Where will it be displayed, next to Tux?
Sspphheerraa
-
taaroa
- Posts: 1319
Re: grsecurity news
---------------------------------------------------------------
Changes in grsecurity-2.2.2-3.0.4-201109170101.patch:
---------------------------------------------------------------
update to latest PaX patch, introduces a new gcc plugin for KERNEXEC on x64
that removes the need of enabling UDEREF to get protection equivalent to
KERNEXEC on x86. Previously, code in userland could be executed by the kernel
without the (currently) expensive UDEREF feature being enabled. Also adds EFI
compatibility to KERNEXEC
a question for the experts (o^Hadepts): so is this, like, the end of the problems with nvidia and vmware?
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
X11 -> Root? (Qubes square rooted)
http://permalink.gmane.org/gmane.comp.secu....dailydave/4287
(Brad) wrote:
BTW, a personal invitation to Joanna: if you believe in Qubes as much
as your 100% undetectable rootkit, the PaX Team and I give you the same
offer we would give to any SELinux zealot; put your most personal,
valuable information in an AppVM, and give the world separate access to
an AppVM with root ssh access enabled and outbound connections
disallowed (since root doesn't matter, after all). In other words, put
something other than hype where your mouth is.
:wq
-
taaroa
- Posts: 1319
Re: grsecurity news
Enhanced Mitigation Experience Toolkit
a decent video on the topic of new m$ technologies a la subj. viewing requires microsoft ® silverlight ®; the video or audio of this presentation can be downloaded (free, no SMS).
http://goo.gl/Pkf2V
:wq