Do you know about the Grsecurity/PaX project? Today NBS System would like to shine a light on this essential component of the infrastructure of CerberHost, its very-high-security cloud.
It is one of the projects that has literally revolutionised the cybersecurity industry several times over, for more than 15 years, and it keeps doing so thanks to the genius of its two lead developers: pipacs (the anonymous Hungarian developer behind PaX) and Brad “spender” Spengler (Grsecurity).
They are behind many defences that most people thought impossible and, fortunately for us, they make them freely available to everyone as an open-source project. Whereas many developers only fix bugs once they appear, this duo wipes out entire classes of vulnerabilities.
Grsecurity/PaX is a third-party patch that hardens the Linux kernel and that, to date, stops every publicly released exploit. It is not merged into the mainline Linux kernel (for technical as well as political reasons), so it has to be re-applied at every kernel update. This adds maintenance work, but it is worth it.
Among the numerous features of Grsecurity/PaX, here are the main ones:
- ASLR: this feature first appeared in PaX in 2001, before being widely adopted by all modern operating systems (Linux, OS X, Windows, BSD...). It is a protection against many families of “memory corruption” vulnerabilities: by placing the different parts of a program (code, stack, heap, shared libraries...) at random addresses, it stops attackers from getting their bearings and forces them to attack blind, hoping to guess the right addresses; it is a little like trying to score a basket in complete darkness.
- UDEREF and KERNEXEC: in most modern operating systems there are two distinct address spaces, the kernel's and the user's. If an attacker could make the kernel execute code placed in user space (memory the attacker controls), the system would be completely compromised. Grsecurity/PaX prevents this by limiting what the kernel itself may do: KERNEXEC stops the kernel from executing user-space memory and keeps its own code and read-only data non-writable, while UDEREF stops the kernel from reading or writing user memory except through the strict accessor functions designed for that purpose. This leaves the attacker far less room for manoeuvre and throws even more sand into the wheels of any attempt to run malicious code.
- Work on the compiler: the Linux kernel is officially buildable with only one compiler, the GNU project's “gcc”. Between two major advances in defence, the PaX developer amuses himself by making the kernel build with another compiler, “clang”. Until the latter is officially supported, the project uses gcc's plugin system to instrument and automate more and more hardening that thwarts attackers: for instance, the randstruct plugin shuffles the layout of critical kernel data structures (making them ever harder to locate), and the constify plugin makes sensitive structures such as tables of function pointers read-only.
- Automatic response to attacks: normally, when a process is under attack, the operating system restarts it after every crash, letting the attacker watch the effect of each attempt and tweak it until it works. The Grsecurity/PaX patch detects this kind of behaviour and takes measures to make the attack fail. For instance, when a child of a forking daemon (a web or SSH server) crashes suspiciously, every further fork of that daemon is delayed by 30 seconds until the administrator has investigated; when a user crashes a setuid/setgid binary, all their processes are killed and they cannot run anything else for 15 minutes; and when a kernel exploit attempt by an unprivileged user is detected, their processes are killed and the account is locked out of logging in, while the previous actions are logged and the administrator is notified. When the culprit is not an ordinary user but a privileged process or user, the patch can be configured to deliberately crash the system after recording as much information as possible: death before submission.
- TPE (Trusted Path Execution): it restricts which files may be executed. Untrusted users can only run binaries located in trusted directories, that is, directories owned by root and writable by nobody else; anything an attacker drops into /tmp or a home directory will simply refuse to run.
- RBAC (Role Based Access Control): a security system developed by spender during his thesis, acting as a protective overlay on top of the classic permissions. Thanks to its learning mode, it records how the programs of the system behave and, once the generated policy is enforced, strictly forbids any behaviour outside the observed norm. For instance, a web server has no business reading the files of the machine's other users; even if the operating system permits it (which it should not), RBAC is watching and will deny it.
This extremely effective patch is, as mentioned above, free and open source. NBS System is therefore particularly proud to support the project by being one of its 12 public sponsors. As we are not in a position to contribute to its source code, we report the bugs we find and support the project financially. The fact that the patch is freely available does not mean there are no costs (hardware or human) behind it, and we therefore deem it important, and only fair, for users of this kind of technology to support it within their means, so that the project does not collapse.