At 23:38 +0100 29/12/10, Vinzenz Hersche wrote:
Glenn, i like to try this for a kernel.. it should need just be a patched
kernel (so need to recompile) and a loaded kernel or what do you think?
i don't know so much about cross-compile, but i like to learn it.. if also
someone else like to join the try or so, you're welcome :)
...
-----------------------------------------------
Timo schrieb am Mittwoch 29 Dezember 2010:
...
Found this:
http://grsecurity.net/papers.php
PaX: The Guaranteed End of Arbitrary Code Execution:
http://grsecurity.net/PaX-presentation_files/frame.htm
http://grsecurity.net/quickstart.pdf
Quote: "...
This guide will lead you through the process of downloading,
configuring, installing, and maintaining grsecurity.
...
* You should be able to protect any third-party software you have
installed, not only the software that is provided by your distribution
...
For a complete list of grsecurity's features, please visit
http://www.grsecurity.net/features.php . Grsecurity includes several
main features:
* Buffer overflow exploitation prevention from the PaX project
(http://pax.grsecurity.net)
* Role-Based Access Control (RBAC)
* Randomization of Process IDs and in the TCP/IP stack
* Restricted viewing of processes
* Change root (chroot) hardening
* /tmp race vulnerability protection
...
Address Space Protection
...
Logging options
This section allows you to specify flood rate and burst rate settings
for all logs produced by grsecurity Configure this section as follows:
* Seconds in between log messages (minimum) 10
* Number of messages in a burst (maximum) 4
...
RBAC Overview
Since the general strategy of grsecurity is "detection, prevention,
and containment," the RBAC system is key to the containment
component. Grsecurity's RBAC system allows you to grant only the
privileges necessary for a process or user to accomplish their tasks.
Unlike other systems, grsecurity's RBAC system provides a functional,
human-readable, centralized configuration file, and does not require
much manual configuration.
...
Full-System Learning
Full-system learning will generate a least privilege policy for your
entire system that anticipates normalized usage. In other words, it
is not necessary to run the learning mode for weeks and use every
single utility on your system several times in every possible
combination. The learning mode will anticipate this usage while still
enforcing a secure policy. Through graph and heuristic analysis, a
secure policy is generated.
...
Maintaining grsecurity
Though grsecurity's design goal is to require little maintenance
after installation, you should know a few things about maintaining
your grsecurity-enabled system.
Monitoring Log Files
It is important to monitor your log files to look for intrusion
attempts. A log from PaX about an execution attempt in a network
service you are running signifies that an attacker was attempting to
exploit an unpatched vulnerability in the network service.
...
Troubleshooting
If you execute an application and see "Killed" immediately after and
a log on your system similar to:
PAX: execution attempt in: /usr/lib/tls/libGL.so.1.0.5336,
22669000-22677000 0004b000
PAX: terminating task: /usr/bin/khelpcenter(khelpcenter):4143,
uid/euid: 1001/1001,
PC: 2266ef20, SP: 5b404d10 PAX: bytes at
PC: b8 c8 ff ff ff e9 2b 73 fe ff b8 cc ff ff ff e9 31 73 fe ff
PAX: bytes at SP: 2264437a 20dc8c20 225b64f8 20dc8e58 5b404d54
5b404d54 20dbe0de 00000001 5b404da4 5b404dac 5b404d98 20db2f3b
5b404da0 20db3270 20dc8c20 00000013 20dc8e58 5b404d94 20dbe1ca
225b64f8
The binary is using code that is not written properly, and thus PaX
must be disabled on it.
..."
_______________________________________________
Openmoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community