Monday, August 16, 2010

No eXecute and Atom, the current MeeGo state

The security of your box goes over the firewall, or the fact that you are running a platform where all binaries are trusted. Even on that case, is still possible that vulnerabilities of some software or library could be exploited by a malicious party.

The idea behind the NX bit, No eXecute, is to segregate the areas of the memory in two (lets keep it simple :P) big sets, the code execution area and the storage area. According to Wikipedia (http://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors), the Atom family has the capability to handle such bit.

Adding this feature and a Linux kernel, is possible to avoid the execution of code in the data area, protecting the system against buffer overflows attack. However some marks should be placed on ELFs to archive such protection, these marks are made in the ELF construction and they can mark the ELF to have or not an executable stack. In the second case the executable flag has no effect, is useless.

The marking can also be made on a library (it is also an ELF, duh!) and when this happens, the software which loads that library will be also allowed to run code inside the data segment, disabling again the protection against buffer overflow.

To check the executable marks of your ELFs, you can use the pax-utils (http://www.gentoo.org/proj/en/hardened/pax-utils.xml). Running the tests on a daily MeeGo image (2010-22-07) the following results were archived:


[root@localhost ~]# scanelf -lpqeR
RWX --- --- /usr/lib/libmono.so.0.0.0
RWX --- --- /usr/lib/paxtest/getmain2
RWX --- --- /usr/lib/paxtest/getheap2
RWX --- --- /usr/bin/mono


This means that libmono and mono, for some reason, are expected to run code on the data segment of the memory. In Fedora the mono is marked as RW, I dunno why it is marked as RWX in MeeGo, further investigation should be done.

Mono’s GNU_STACK on Fedora:

(zimmerle@burbs)-(~/core/meego)$ readelf -l /usr/bin/mono | grep GNU_STACK
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000


Is acceptable to have some process without such kind of protecting, for example Java. Java depends on the executable stack to work. It is also acceptable to have some other binaries like: getmain2 and getheap2. These are used to test if the Machine is handling well the NX bit.

To check if your platform has handled well the support of the NX bit, you can use the pax-test, really nice utility that allows us to check the protection against various kinds of exploration. Tests were also made on the same release used above.

kidde mode:

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>Released under the GNU Public Licence version 2 or later


Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux localhost.localdomain 2.6.35~rc6-131.2-netbook #1 SMP PREEMPT Tue Jul 27 14:34:50 UTC 2010 i686 i686 i386 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 12 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 16 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 10 bits (guessed)
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 19 bits (guessed)
Stack randomisation test (PAGEEXEC) : 19 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable


blackhat mode:

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>Released under the GNU Public Licence version 2 or later


Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux localhost.localdomain 2.6.35~rc6-131.2-netbook #1 SMP PREEMPT Tue Jul 27 14:34:50 UTC 2010 i686 i686 i386 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 12 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 16 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 10 bits (guessed)
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 19 bits (guessed)
Stack randomisation test (PAGEEXEC) : 19 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable


As you can see, we are protected against code execution in any other area than that intended for this purpose. We don’t have randomization on libs due the fact that we are making use of the prelink, subject for another post .

The pax-utils and pax-test pacakges can be found on my security MeeGo repostiory, at:

http://meego.zimmerle.org/repo/security/

If you are interested in testing it by yourself, you can download my ks file here.

That kind of protection is very important almost mandatory, modern system still been hacked by such kind of attack class, when they opt to not provide such protection, the case of Xbox, for example which is exposed to a vulnerability in the 007: Agent Under Fire (http://en.wikipedia.org/wiki/Agent_Under_Fire_(video_game)).

No comments:

Post a Comment