path: root/xml/pax-utils.xml

<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-utils.xml,v 1.9 2010/08/30 03:01:13 nightmorph Exp $ -->

<guide>
<title>Gentoo PaX Utilities</title>

<author title="Author">
  <mail link="swift"/>
</author>
<author title="Editor">
  <mail link="solar"/>
</author>
<author title="Editor">
  <mail link="nightmorph"/>
</author>

<abstract>
This guide provides instruction on securing your system by using the pax-utils
package to find and identify problematic binaries.
</abstract>

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/2.0 -->
<license/>

<version>2</version>
<date>2010-08-29</date>

<chapter>
<title>What is this guide about?</title>
<section>
<title>Introduction</title>
<body>

<p>
The security of a system goes beyond setting up a decent firewall and good 
service configurations. The binaries you run, the libraries you load, might 
also be vulnerable against attacks. Although the exact vulnerabilities are not 
known until they are discovered, there are ways to prevent them from happening.
</p>

<p>
One possible attack vector is to make advantage of writable <e>and</e>
executable segments in a program or library, allowing malicious users to run
their own code using the vulnerable application or library.
</p>

<p>
This guide will inform you how to use the <c>pax-utils</c> package to find
and identify problematic binaries. We will also cover the use of <c>pspax</c> (a
tool to view PaX-specific capabilities) and <c>dumpelf</c> (a tool that prints
out a C structure containing a workable copy of a given object).
</p>

<p>
But before we start with that, some information on <e>objects</e> is in place.
Users familiar with segments and dynamic linking will not learn anything from
this and can immediately continue with <uri link="#scanelf">Extracting ELF
Information from Binaries</uri>.
</p>

</body>
</section>
<section>
<title>ELF objects</title>
<body>

<p>
Every executable binary on your system is structured in a specific way,
allowing the Linux kernel to load and execute the file. Actually, this goes 
beyond plain executable binaries: this also holds for shared objects; more 
about those later.
</p>

<p>
The structure of such a binary is defined in the ELF standard. ELF stands for
<e>Executable and Linkable Format</e>. If you are really interested in the gory
details, check out the <uri
link="http://refspecs.linux-foundation.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/elf-generic.html">
Generic ELF spec</uri> or the <c>elf(5)</c> man page.
</p>

<p>
An executable ELF file has the following parts:
</p>

<ul>
  <li>
    The <e>ELF header</e> contains information on the <e>type</e> of file (is it
    an executable, a shared library, ...), the target architecture, the
    location of the Program Header, Section Header and String Header in the
    file and the location of the first executable instruction
  </li>
  <li>
    The <e>Program Header</e> informs the system how to create a process from
    the binary file. It is actually a table consisting of entries for each
    segment in the program. Each entry contains the type, addresses (physical 
    and virtual), size, access rights, ...
  </li>
  <li>
    The <e>Section Header</e> is a table consisting of entries for each section
    in the program. Each entry contains the name, type, size, ... and
    <e>what</e> information the section holds.
  </li>
  <li>
    Data, containing the sections and segments mentioned previously.
  </li>
</ul>

<p>
A <e>section</e> is a small unit consisting of specific data: instructions,
variable data, symbol table, relocation information, and so on. A <e>segment</e>
is a collection of sections; segments are the units that are actually
transferred to memory.
</p>

</body>
</section>
<section>
<title>Shared Objects</title>
<body>

<p>
Way back when, every application binary contained <e>everything</e> it needed to
operate correctly. Such binaries are called <e>statically linked</e> binaries.
They are, however, space consuming since different applications use the same 
functions over and over again.
</p>

<p>
A <e>shared object</e> contains the definition and instructions for such
functions. Every application that wants can <e>dynamically</e> link against such
a shared object so that it can benefit from the already existing functionality.
</p>

<p>
An application that is dynamically linked to a shared object contains
<e>symbols</e>, references for the real functionality. When such an application
is loaded in memory, it will first ask the runtime linker to resolve each and
every symbol it has. The runtime linker will load the appropriate shared objects
in memory and resolve the symbolic references between them.
</p>

</body>
</section>
<section>
<title>Segments and Sections</title>
<body>

<p>
How the ELF file is looked upon depends on the view we have: when we are dealing
with a binary file in Execution View, the ELF file contains segments. When 
the file is seen in Linking View, the ELF file contains sections. 
One segment spans just one or more (continuous) sections.
</p>

</body>
</section>
</chapter>

<chapter id="scanelf">
<title>Extracting ELF Information from Binaries</title>
<section>
<title>The scanelf Application</title>
<body>

<p>
The <c>scanelf</c> application is part of the <c>app-misc/pax-utils</c> package.
With this application you can print out information specific to the ELF
structure of a binary. The following table sums up the various options.
</p>

<table>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-p</ti>
  <ti>--path</ti>
  <ti>Scan all directories in PATH environment</ti>
</tr>
<tr>
  <ti>-l</ti>
  <ti>--ldpath</ti>
  <ti>Scan all directories in /etc/ld.so.conf</ti>
</tr>
<tr>
  <ti>-R</ti>
  <ti>--recursive</ti>
  <ti>Scan directories recursively</ti>
</tr>
<tr>
  <ti>-m</ti>
  <ti>--mount</ti>
  <ti>Don't recursively cross mount points</ti>
</tr>
<tr>
  <ti>-y</ti>
  <ti>--symlink</ti>
  <ti>Don't scan symlinks</ti>
</tr>
<tr>
  <ti>-A</ti>
  <ti>--archives</ti>
  <ti>Scan archives (.a files)</ti>
</tr>
<tr>
  <ti>-L</ti>
  <ti>--ldcache</ti>
  <ti>Utilize ld.so.cache information (use with -r/-n)</ti>
</tr>
<tr>
  <ti>-X</ti>
  <ti>--fix</ti>
  <ti>Try and 'fix' bad things (use with -r/-e)</ti>
</tr>
<tr>
  <ti>-z [arg]</ti>
  <ti>--setpax [arg]</ti>
  <ti>Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -Xx)</ti>
</tr>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-x</ti>
  <ti>--pax</ti>
  <ti>Print PaX markings</ti>
</tr>
<tr>
  <ti>-e</ti>
  <ti>--header</ti>
  <ti>Print GNU_STACK/PT_LOAD markings</ti>
</tr>
<tr>
  <ti>-t</ti>
  <ti>--textrel</ti>
  <ti>Print TEXTREL information</ti>
</tr>
<tr>
  <ti>-r</ti>
  <ti>--rpath</ti>
  <ti>Print RPATH information</ti>
</tr>
<tr>
  <ti>-n</ti>
  <ti>--needed</ti>
  <ti>Print NEEDED information</ti>
</tr>
<tr>
  <ti>-i</ti>
  <ti>--interp</ti>
  <ti>Print INTERP information</ti>
</tr>
<tr>
  <ti>-b</ti>
  <ti>--bind</ti>
  <ti>Print BIND information</ti>
</tr>
<tr>
  <ti>-S</ti>
  <ti>--soname</ti>
  <ti>Print SONAME information</ti>
</tr>
<tr>
  <ti>-s [arg]</ti>
  <ti>--symbol [arg]</ti>
  <ti>Find a specified symbol</ti>
</tr>
<tr>
  <ti>-k [arg]</ti>
  <ti>--section [arg]</ti>
  <ti>Find a specified section</ti>
</tr>
<tr>
  <ti>-N [arg]</ti>
  <ti>--lib [arg]</ti>
  <ti>Find a specified library</ti>
</tr>
<tr>
  <ti>-g</ti>
  <ti>--gmatch</ti>
  <ti>Use strncmp to match libraries. (use with -N)</ti>
</tr>
<tr>
  <ti>-T</ti>
  <ti>--textrels</ti>
  <ti>Locate cause of TEXTREL</ti>
</tr>
<tr>
  <ti>-E [arg]</ti>
  <ti>--etype [arg]</ti>
  <ti>Print only ELF files matching etype ET_DYN,ET_EXEC ...</ti>
</tr>
<tr>
  <ti>-M [arg]</ti>
  <ti>--bits [arg]</ti>
  <ti>Print only ELF files matching numeric bits</ti>
</tr>
<tr>
  <ti>-a</ti>
  <ti>--all</ti>
  <ti>Print all scanned info (-x -e -t -r -b)</ti>
</tr>
<tr>
  <th>Option</th>
  <th>Long Option</th>
  <th>Description</th>
</tr>
<tr>
  <ti>-q</ti>
  <ti>--quiet</ti>
  <ti>Only output 'bad' things</ti>
</tr>
<tr>
  <ti>-v</ti>
  <ti>--verbose</ti>
  <ti>Be verbose (can be specified more than once)</ti>
</tr>
<tr>
  <ti>-F [arg]</ti>
  <ti>--format [arg]</ti>
  <ti>Use specified format for output</ti>
</tr>
<tr>
  <ti>-f [arg]</ti>
  <ti>--from [arg]</ti>
  <ti>Read input stream from a filename</ti>
</tr>
<tr>
  <ti>-o [arg]</ti>
  <ti>--file [arg]</ti>
  <ti>Write output stream to a filename</ti>
</tr>
<tr>
  <ti>-B</ti>
  <ti>--nobanner</ti>
  <ti>Don't display the header</ti>
</tr>
<tr>
  <ti>-h</ti>
  <ti>--help</ti>
  <ti>Print this help and exit</ti>
</tr>
<tr>
  <ti>-V</ti>
  <ti>--version</ti>
  <ti>Print version and exit</ti>
</tr>
</table>

<p>
The format specifiers for the <c>-F</c> option are given in the following table.
Prefix each specifier with <c>%</c> (verbose) or <c>#</c> (silent) accordingly.
</p>

<table>
<tr>
  <th>Specifier</th>
  <th>Full Name</th>
  <th>Specifier</th>
  <th>Full Name</th>
</tr>
<tr>
  <ti>F</ti>
  <ti>Filename</ti>
  <ti>x</ti>
  <ti>PaX Flags</ti>
</tr>
<tr>
  <ti>e</ti>
  <ti>STACK/RELRO</ti>
  <ti>t</ti>
  <ti>TEXTREL</ti>
</tr>
<tr>
  <ti>r</ti>
  <ti>RPATH</ti>
  <ti>n</ti>
  <ti>NEEDED</ti>
</tr>
<tr>
  <ti>i</ti>
  <ti>INTERP</ti>
  <ti>b</ti>
  <ti>BIND</ti>
</tr>
<tr>
  <ti>s</ti>
  <ti>Symbol</ti>
  <ti>N</ti>
  <ti>Library</ti>
</tr>
<tr>
  <ti>o</ti>
  <ti>Type</ti>
  <ti>p</ti>
  <ti>File name</ti>
</tr>
<tr>
  <ti>f</ti>
  <ti>Base file name</ti>
  <ti>k</ti>
  <ti>Section</ti>
</tr>
<tr>
  <ti>a</ti>
  <ti>ARCH/e_machine</ti>
  <ti>&nbsp;</ti>
  <ti>&nbsp;</ti>
</tr>
</table>

</body>
</section>
<section>
<title>Using scanelf for Text Relocations</title>
<body>

<p>
As an example, we will use <c>scanelf</c> to find binaries containing text
relocations.
</p>

<p>
A relocation is an operation that rewrites an address in a loaded segment. Such
an address rewrite can happen when a segment has references to a shared object
and that shared object is loaded in memory. In this case, the references are
substituted with the real address values. Similar events can occur inside the 
shared object itself.
</p>

<p>
A text relocation is a relocation in the text segment. Since text segments
contain executable code, system administrators might prefer not to have these
segments writable. This is perfectly possible, but since text relocations
actually write in the text segment, it is not always feasible. 
</p>

<p>
If you want to eliminate text relocations, you will need to make sure
that the application and shared object is built with <e>Position Independent
Code</e> (PIC), making references obsolete. This not only increases security,
but also increases the performance in case of shared objects (allowing writes in
the text segment requires a swap space reservation and a private copy of the
shared object for each application that uses it).
</p>

<p>
The following example will search your library paths recursively, without
leaving the mounted file system and ignoring symbolic links, for any ELF binary
containing a text relocation:
</p>

<pre caption="Scanning the system for text relocation binaries">
# <i>scanelf -lqtmyR</i>
</pre>

<p>
If you want to scan your entire system for <e>any</e> file containing text
relocations:
</p>

<pre caption="Scanning the entire system for text relocation files">
# <i>scanelf -qtmyR /</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf for Specific Header</title>
<body>

<p>
The scanelf util can be used to quickly identify files that contain a 
given section header using the -k .section option.
</p>

<p>
In this example we are looking for all files in /usr/lib/debug 
recursively using a format modifier with quiet mode enabled that have been 
stripped. A stripped elf will lack a .symtab entry, so we use the '!' 
to invert the matching logic.
</p>

<pre caption="Scanning for stripped or non stripped executables">
# <i>scanelf -k '!.symtab' /usr/lib/debug -Rq -F%F#k</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf for Specific Segment Markings</title>
<body>

<p>
Each segment has specific flags assigned to it in the Program Header of the
binary. One of those flags is the type of the segment. Interesting values are
PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (the
segment contains dynamic linking information), PT_INTERP (the segment 
contains the name of the program interpreter), PT_GNU_STACK (a GNU extension
for the ELF format, used by some stack protection mechanisms), and PT_PAX_FLAGS
(a PaX extension for the ELF format, used by the security-minded 
<uri link="http://pax.grsecurity.net/">PaX Project</uri>.
</p>

<p>
If we want to scan all executables in the current working directory, PATH
environment and library paths and report those who have a writable and
executable PT_LOAD or PT_GNU_STACK marking, you could use the following command:
</p>

<pre caption="Scanning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK">
# <i>scanelf -lpqe .</i>
</pre>

</body>
</section>
<section>
<title>Using scanelf's Format Modifier Handler</title>
<body>

<p>
A useful feature of the <c>scanelf</c> utility is the format modifier handler.  
With this option you can control the output of <c>scanelf</c>, thereby 
simplifying parsing the output with scripts.
</p>

<p>
As an example, we will use <c>scanelf</c> to print the file names that contain
text relocations:
</p>

<pre caption="Example of the scanelf format modifier handler">
# <i>scanelf -l -p -R -q -F "%F #t"</i>
</pre>

</body>
</section>
</chapter>

<chapter id="pspax">
<title>Listing PaX Flags and Capabilities</title>
<section>
<title>About PaX</title>
<body>

<p>
<uri link="http://pax.grsecurity.net">PaX</uri> is a project hosted by the <uri
link="http://www.grsecurity.net">grsecurity</uri> project. Quoting the <uri
link="http://pax.grsecurity.net/docs/pax.txt">PaX documentation</uri>, its main 
goal is "to research various defense mechanisms against the exploitation of 
software bugs that give an attacker arbitrary read/write access to the 
attacked task's address space. This class of bugs contains among others 
various forms of buffer overflow bugs (be they stack or heap based), user
supplied format string bugs, etc."
</p>

<p>
To be able to benefit from these defense mechanisms, you need to run a Linux
kernel patched with the latest PaX code. The <uri
link="http://hardened.gentoo.org">Hardened Gentoo</uri> project supports PaX and
its parent project, grsecurity. The supported kernel package is
<c>sys-kernel/hardened-sources</c>.
</p>

<p>
The Gentoo/Hardened project has a <uri
link="/proj/en/hardened/pax-quickstart.xml">Gentoo PaX Quickstart Guide</uri>
for your reading pleasure.
</p>

</body>
</section>
<section>
<title>Flags and Capabilities</title>
<body>

<p>
If your toolchain supports it, your binaries can have additional PaX flags in
their Program Header. The following flags are supported:
</p>

<table>
<tr>
  <th>Flag</th>
  <th>Name</th>
  <th>Description</th>
</tr>
<tr>
  <ti>P</ti>
  <ti>PAGEEXEC</ti>
  <ti>
    Refuse code execution on writable pages based on the NX bit
    (or emulated NX bit)
  </ti>
</tr>
<tr>
  <ti>S</ti>
  <ti>SEGMEXEC</ti>
  <ti>
    Refuse code execution on writable pages based on the
    segmentation logic of IA-32
  </ti>
</tr>
<tr>
  <ti>E</ti>
  <ti>EMUTRAMP</ti>
  <ti>
    Allow known code execution sequences on writable pages that
    should not cause any harm
  </ti>
</tr>
<tr>
  <ti>M</ti>
  <ti>MPROTECT</ti>
  <ti>
    Prevent the creation of new executable code to the process
    address space
  </ti>
</tr>
<tr>
  <ti>R</ti>
  <ti>RANDMMAP</ti>
  <ti>
    Randomize the stack base to prevent certain stack overflow
    attacks from being successful
  </ti>
</tr>
<tr>
  <ti>X</ti>
  <ti>RANDEXEC</ti>
  <ti>
    Randomize the address where the application maps to prevent
    certain attacks from being exploitable
  </ti>
</tr>
</table>

<p>
The default Linux kernel also supports certain capabilities, grouped in the
so-called <e>POSIX.1e Capabilities</e>. You can find a listing of those
capabilities in our <uri
link="/proj/en/hardened/capabilities.xml">POSIX Capabilities</uri> document.
</p>

</body>
</section>
<section>
<title>Using pspax</title>
<body>

<p>
The <c>pspax</c> application, part of the <c>pax-utils</c> package, displays the
run-time capabilities of all programs you have permission for. On Linux kernels
with additional support for extended attributes (such as SELinux) those
attributes are shown as well.
</p>

<p>
When ran, <c>pspax</c> shows the following information:
</p>

<table>
<tr>
  <th>Column</th>
  <th>Description</th>
</tr>
<tr>
  <ti>USER</ti>
  <ti>Owner of the process</ti>
</tr>
<tr>
  <ti>PID</ti>
  <ti>Process id</ti>
</tr>
<tr>
  <ti>PAX</ti>
  <ti>Run-time PaX flags (if applicable)</ti>
</tr>
<tr>
  <ti>MAPS</ti>
  <ti>Write/eXecute markings for the process map</ti>
</tr>
<tr>
  <ti>ELF_TYPE</ti>
  <ti>Process executable type: ET_DYN or ET_EXEC</ti>
</tr>
<tr>
  <ti>NAME</ti>
  <ti>Name of the process</ti>
</tr>
<tr>
  <ti>CAPS</ti>
  <ti>POSIX.1e capabilities (see note)</ti>
</tr>
<tr>
  <ti>ATTR</ti>
  <ti>Extended attributes (if applicable)</ti>
</tr>
</table>

<note>
<c>pspax</c> only displays these capabilities when it is linked with
the external capabilities library. This requires you to build <c>pax-utils</c>
with -DWANT_SYSCAP.
</note>

<p>
By default, <c>pspax</c> does not show any kernel processes. If you want those
to be taken as well, use the <c>-a</c> switch.
</p>

</body>
</section>
</chapter>

<chapter id="dumpelf">
<title>Programming with ELF files</title>
<section>
<title>The dumpelf Utility</title>
<body>

<p>
With the <c>dumpelf</c> utility you can convert a ELF file into human readable C
code that defines a structure with the same image as the original ELF file.
</p>

<pre caption="dumpelf example">
$ <i>dumpelf /bin/hostname</i>
#include &lt;elf.h&gt;

<comment>/*
 * ELF dump of '/bin/hostname'
 *     10276 (0x2824) bytes
 */</comment>

struct {
        Elf32_Ehdr ehdr;
        Elf32_Phdr phdrs[8];
        Elf32_Shdr shdrs[26];
} dumpedelf_0 = {

.ehdr = {
<comment>(... Output stripped ...)</comment>
</pre>

</body>
</section>
</chapter>
</guide>