Monday, 27 July 2009

64-bit hardened Gentoo with gcc-4.4 and glibc-2.10

UPDATED 5.10 - An updated installation HowTo (+LUKS) is available here.

UPDATED 17.08 - It is no longer necessary to use the testing branch from the overlay, so skip that part. Also, the repo name in repos.conf should then read 'secure' rather than 'secure-testing'.

One of my previous posts showed how to create an x86 hardened Gentoo system. Of course, there's also a 64-bit version available! Only a few small differences are needed during the installation process, so here's what you need to do to get a shiny new 64-bit hardened Gentoo. Follow that post with the following remarks:
- acquire a 64-bit machine - a 64-bit VM will do! ;]
- download a weekly 64-bit Gentoo minimal installation CD from here.
- use this 64-bit stage
- before emerging gcc, glibc and binutils, change the profile:

(chroot) livecd / # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/2008.0
[2] default/linux/amd64/2008.0/desktop
[3] default/linux/amd64/2008.0/developer
[4] default/linux/amd64/2008.0/no-multilib
[5] default/linux/amd64/2008.0/server
[6] hardened/amd64
[7] hardened/amd64/multilib
[8] selinux/2007.0/amd64
[9] selinux/2007.0/amd64/hardened
[10] hardened/linux/amd64
(chroot) livecd / # eselect profile show
Current make.profile symlink:
/usr/portage/profiles/hardened/linux/amd64/2008.0

Now run:
eselect profile set 6

Note: even if you want multilib, profile no. 7 seems to be recommended over no. 10, as per this information.

Continue with the installation guide. During the kernel configuration step, choose your 64-bit CPU in the "Processor type and features" menu. For the non-multilib profile (oh yeah! ;)) disable "IA32 Emulation" under "Executable file formats / Emulations". Continue...

As a final step, run paxtest, then sit back, admire, show off, or grab a beer:

~ # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux 2.6.29-hardened #7 SMP Thu Jul 23 12:18:52 UTC 2009 x86_64 QEMU Virtual CPU version 0.10.50 GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 34 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 32 bits (guessed)
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy) : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (strcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc1x - terminated
rettofunc1x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc2x - terminated
rettofunc2x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss : Killed
Executable shared library data : Killed

Result? Pretty much the same as for x86, but with greater randomisation thanks to the 64-bit architecture and, of course, a fully 64-bit OS! ;] (if non-multilib). Note that PaX on x86_64 uses PAGEEXEC rather than SEGMEXEC, hence no randomisation is reported for the SEGMEXEC stack test.
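Reading a paxtest report by eye works once; on a machine you rebuild often it is handier to have a script that flags any test that did not come out as expected. The POSIX shell script below is an added example and not part of the original post or of paxtest itself: it reads a paxtest report on stdin, insists that every "Executable", "Writable" and "Return to function" test ends in "Killed", requires every randomisation test to report at least MIN_BITS bits, and returns the number of unexpected results. The function name paxtest_check and the 28-bit threshold are my own choices, and the embedded report is constructed from the x86_64 run above, shortened and with two results deliberately changed to "Vulnerable" so the failure path is exercised. It also handles the two quirks visible in the output above: the multi-line glibc message the "Return to function" tests print before their real verdict, and the SEGMEXEC stack test that legitimately reports "No randomisation" on x86_64.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a paxtest report and
# flag anything that does not look hardened. Reads the report on stdin.
#
# paxtest_check MIN_BITS ARCH
#   Every "Executable ..." / "Writable ..." / "Return to function ..." test
#   must end in "Killed"; every randomisation test must report at least
#   MIN_BITS bits. Each unexpected line is printed as "FAIL: ..." and the
#   return value is the number of failures (0 means everything passed).
paxtest_check() {
    awk -v min="$1" -v arch="$2" '
    BEGIN { fails = 0; pending = "" }

    # Classify one verdict. Randomisation tests are judged on their bit
    # count; every other test must read "Killed".
    function judge(name, result,    bits) {
        if (name ~ /randomisation/) {
            # On x86_64 PaX uses PAGEEXEC, not SEGMEXEC, so the SEGMEXEC
            # stack test reporting "No randomisation" is expected there.
            if (arch == "x86_64" && name ~ /SEGMEXEC/) return
            bits = 0
            if (match(result, /[0-9]+ bits/)) bits = substr(result, RSTART, RLENGTH) + 0
            if (bits < min) { printf "FAIL: %s : %s\n", name, result; fails++ }
        } else if (result != "Killed") {
            printf "FAIL: %s : %s\n", name, result; fails++
        }
    }

    # Result lines look like "Test name : Verdict" (some lack the space
    # before the colon). When glibc catches the overflow first, the
    # "Return to function" tests print a multi-line message and the real
    # verdict ("Killed" or "Vulnerable") follows on a line of its own.
    /^(Executable|Writable|Return to function)|randomisation test/ {
        name = $0;   sub(/ *: .*$/, "", name)
        result = $0; sub(/^[^:]*: */, "", result)
        if (result ~ /^\*\*\* buffer overflow/) { pending = name; next }
        judge(name, result)
        next
    }
    pending != "" && /^(Killed|Vulnerable)$/ { judge(pending, $0); pending = "" }

    END { exit fails }
    '
}

# Constructed sample: the x86_64 run from the post, shortened, with two
# results deliberately changed to "Vulnerable" to show what a failure looks like.
SAMPLE_REPORT='Executable anonymous mapping : Killed
Executable stack : Vulnerable
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 34 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy) : Vulnerable'

# Stand-alone run: prints the two FAIL lines, then the failure count.
printf '%s\n' "$SAMPLE_REPORT" | paxtest_check 28 x86_64 \
    || echo "paxtest: $? unexpected result(s)"
```

On a real system feed it the log paxtest writes (paxtest.log, as the run above notes) or pipe `paxtest blackhat` straight into `paxtest_check 28 x86_64`; a non-zero exit makes it easy to fail a post-install check. Passing `x86` as the architecture turns the SEGMEXEC "No randomisation" line into a failure as well, which is what you would want on a 32-bit hardened install where SEGMEXEC is in use.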

NOTE: if using a KVM virtual machine rather than a dedicated system, your host OS needs a kernel >= 2.6.30 in order to take advantage of the NX bit in the guest. I've tested with gentoo-sources-2.6.30-r4, which worked fine. Unfortunately, at the time of this writing there was no hardened kernel available newer than 2.6.29... ;( Not sure, but this might apply to other VMs like VirtualBox and VMware too...
