Public bug reported:

Currently there's the blueprint for 64 bit pie by default.  I think this is a
good goal because there are almost no performance penalties but it will be a lot
of work.
https://blueprints.launchpad.net/ubuntu/+spec/64bit-pie-by-default/

Also a bug relating to PIE binaries: #139435.

My proposal is in the meantime the more risky binaries should be PIE at
least on 64bit.  Using the ssh package as a guide it's a pretty easy
combination of -fpie in the cflags and -pie in the ldflags.  Then with
all modern versions of the linux kernel the executable's address will be
randomized.

Example of PIE 1:
r...@siti-desktop:~# cat /proc/$(pidof sshd)/maps | grep /usr/sbin/sshd
7f1f290a1000-7f1f2910b000 r-xp 00000000 08:15 5450407                    /usr/sbin/sshd
7f1f2930a000-7f1f2930c000 r--p 00069000 08:15 5450407                    /usr/sbin/sshd
7f1f2930c000-7f1f2930e000 rw-p 0006b000 08:15 5450407                    /usr/sbin/sshd

Example 2:
r...@siti-desktop:~# cat /proc/$(pidof sshd)/maps | grep /usr/sbin/sshd
7f5437c9c000-7f5437d06000 r-xp 00000000 08:15 5450407                    /usr/sbin/sshd
7f5437f05000-7f5437f07000 r--p 00069000 08:15 5450407                    /usr/sbin/sshd
7f5437f07000-7f5437f09000 rw-p 0006b000 08:15 5450407                    /usr/sbin/sshd

The combination of NX, randomized DLLs, stack, heap, and other maps,
SSP, -D_FORTIFY_SOURCE makes exploitation of memory corruption
vulnerabilities extremely difficult.

The only attack vectors left as far as I am aware are:
* Information leakage (Reasonably well fixed via protecting maps in /proc)
* JITs (Java, mono etc, firefox 3.1, Not much we can do here)
* Using code in the executable out of order (Solvable by compiling with PIE).

The last is the easiest to fix and something Ubuntu should do on the
riskier binaries.

A suggested list of packages that should have pie support added:
* Firefox (A very large piece of software that has had a large number of
  vulnerabilities in the past and will probably continue to have more).
* Openoffice (Possibly the largest single piece of software in Ubuntu)
* Evince (Has had POC exploits in the past)
* Totem (Supports a large number of media formats using various libraries that
  have had vulnerabilities)
* Mysql (A number of exploits in the past, from reading the changelogs PIE
  caused regressions)
* Postgresql (I presume it's got similar issues to Mysql)
* Xorg-server (Running as root, this might be a challenge, I don't know...)
* Snort
* Apache (Already done)
* Samba (Already done)
* openssh (Already done)

Many of these suggestions are client side but this is where a lot of the
attacks have been occurring on Windows.  Ubuntu should be preemptive :-).

Over the next few days I hope to attach patches for at least the less
complex pieces of software to enable PIE.  Hopefully they can be enabled
in Karmic Koala :-).

** Affects: ubuntu
     Importance: Undecided
         Status: New

-- 
PIE Randomization on more risky binaries
https://bugs.launchpad.net/bugs/356291
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
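Two checks a packager would want when acting on the report above: is a given binary actually built as PIE (-fpie/-pie), and does its text segment really land somewhere different on each run? The script below is an added example, not code from the bug report or from Ubuntu. It parses the ELF header and program headers directly (no readelf needed) and classifies an ET_DYN object that carries a PT_INTERP header as a PIE executable; an ET_DYN object without one is treated as a shared library. That split is an assumption that matches how the normal toolchain lays binaries out, not an ELF-spec guarantee (a static-pie binary, for instance, has no interpreter). The two /proc/PID/maps excerpts are the ones quoted in the report; the `make_elf64` images are constructed test input, not real binaries.

```python
"""Classify an ELF file as EXEC / PIE / DYN and check whether a binary's
text segment moved between two /proc/PID/maps dumps.

Added example, not part of the original bug report.  Pure Python, so it runs
without readelf or gcc.  Assumption: ET_DYN + PT_INTERP means PIE executable,
ET_DYN without PT_INTERP means shared library (static-pie is misreported).
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3
ELFCLASS32, ELFCLASS64 = 1, 2


def _hdr_layout(data):
    """Return (endianness prefix, Ehdr struct format, Phdr struct format)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == ELFCLASS64:
        return endian, "16sHHIQQQIHHHHHH", "IIQQQQQQ"   # Elf64_Ehdr, Elf64_Phdr
    if data[4] == ELFCLASS32:
        return endian, "16sHHIIIIIHHHHHH", "IIIIIIII"   # Elf32_Ehdr, Elf32_Phdr
    raise ValueError("unknown ELF class %d" % data[4])


def classify_elf(data):
    """Return 'EXEC' (fixed address), 'PIE' (randomizable executable) or 'DYN'."""
    endian, ehdr_fmt, phdr_fmt = _hdr_layout(data)
    ehdr = struct.unpack_from(endian + ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    if e_type == ET_EXEC:
        return "EXEC"           # linked without -pie: text always at the same address
    if e_type != ET_DYN:
        raise ValueError("e_type %d is neither executable nor shared object" % e_type)
    # p_type is the first field of both Elf32_Phdr and Elf64_Phdr.
    for i in range(e_phnum):
        p_type = struct.unpack_from(endian + phdr_fmt, data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "PIE"        # ET_DYN with a dynamic loader: the executable itself
    return "DYN"                # ET_DYN with no interpreter: a shared library


def make_elf64(e_type, phdr_types):
    """Constructed test input: a minimal little-endian ELF64 image with one
    program header per entry of phdr_types.  Not a loadable binary."""
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0x1000,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


def text_base(maps_text, path):
    """Start address of the executable (r-x) mapping of `path` in a
    /proc/PID/maps dump, or None if the file is not mapped executable."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == path and "x" in fields[1]:
            return int(fields[0].split("-")[0], 16)
    return None


def randomized(maps_a, maps_b, path):
    """True when the same binary's text was mapped at different bases in two runs.
    One run alone cannot show randomization; you need at least two."""
    a, b = text_base(maps_a, path), text_base(maps_b, path)
    return a is not None and b is not None and a != b


# The two /proc/$(pidof sshd)/maps excerpts quoted in the report above.
MAPS_RUN1 = """\
7f1f290a1000-7f1f2910b000 r-xp 00000000 08:15 5450407 /usr/sbin/sshd
7f1f2930a000-7f1f2930c000 r--p 00069000 08:15 5450407 /usr/sbin/sshd
7f1f2930c000-7f1f2930e000 rw-p 0006b000 08:15 5450407 /usr/sbin/sshd
"""
MAPS_RUN2 = """\
7f5437c9c000-7f5437d06000 r-xp 00000000 08:15 5450407 /usr/sbin/sshd
7f5437f05000-7f5437f07000 r--p 00069000 08:15 5450407 /usr/sbin/sshd
7f5437f07000-7f5437f09000 rw-p 0006b000 08:15 5450407 /usr/sbin/sshd
"""

if __name__ == "__main__":
    # Usage: python pie_check.py /usr/sbin/sshd /usr/bin/evince ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            try:
                print(path, classify_elf(f.read()))
            except ValueError as exc:
                print(path, "skipped:", exc)
    print("/usr/sbin/sshd text base differs between the two quoted runs:",
          randomized(MAPS_RUN1, MAPS_RUN2, "/usr/sbin/sshd"))
```

Run it over the binaries of a package before and after adding -fpie/-pie to the build: anything still reported as EXEC did not get the flags (a common cause is a sub-Makefile that ignores CFLAGS/LDFLAGS). For the runtime check, capture /proc/PID/maps from two separate launches of the same binary and feed both dumps to `randomized`; an EXEC binary will report False because its text stays at its link-time address.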