Millions of binaries later. How Linux got stronger

TL;DR. In this article we explore the hardening mechanisms that work out of the box on five popular Linux distributions. For each one we take the default kernel configuration, download all of its packages, and analyze the security mechanisms in the binaries they ship. The distributions considered are OpenSUSE 12.4, Debian 9, CentOS, RHEL 6.10 and 7, and Ubuntu 14.04, 12.04 and 18.04 LTS.

The results confirmed that basic mechanisms such as stack canaries and position-independent code have not yet been adopted by everyone. The situation is better for the distributions when it comes to protection against vulnerabilities such as stack clash, which came into the spotlight in January after information about the systemd vulnerabilities was published. But not all is lost: a significant number of binaries implement the basic protections, and their number grows from version to version.

The analysis showed that the largest number of security features is implemented in Ubuntu 18.04, at both the OS and the application level, followed by Debian 9. On the other hand, OpenSUSE 12.4, CentOS 7 and RHEL 7 also implement the basic security mechanisms, and stack clash protection is used more widely in their default package set.

Introduction

Guaranteeing the quality of software is hard. Despite the large number of advanced tools for static code analysis and runtime analysis, and the significant progress in compilers and programming languages, modern software still suffers from vulnerabilities that are constantly exploited by attackers. The situation is even worse in ecosystems that include legacy code. In such cases we not only face the eternal problem of finding potentially exploitable bugs, but are also constrained by backward-compatibility requirements, which often force us to keep limited or, worse, vulnerable code.

This is where exploit mitigation, or hardening, techniques come into play. We cannot prevent certain classes of bugs, but we can make the attacker's life harder and partially solve the problem by preventing or hindering the exploitation of those bugs. Such protection is used in all modern operating systems, but the techniques differ greatly in complexity, effectiveness and performance: from stack canaries and ASLR to full CFI and ROP protection. In this article we look at the protection mechanisms used in the most popular Linux distributions in their default configuration, and also examine the properties of the binaries distributed through each distribution's package management system.

CVEs and security

We have all seen articles with headlines like "The Most Vulnerable Applications of the Year" or "The Most Vulnerable Operating Systems". They usually give statistics on the total number of vulnerability records such as CVEs (Common Vulnerabilities and Exposures), taken from the National Vulnerability Database (NVD) run by NIST and from other sources. The applications or operating systems are then ranked by their number of CVEs. Unfortunately, while CVEs are very useful for tracking problems and informing vendors and users, they say little about the actual security of the software.

As an example, consider the total number of CVEs over the last four years for the Linux kernel and five popular server distributions, namely Ubuntu, Debian, Red Hat Enterprise Linux and OpenSUSE.

Fig. 1

What does this chart tell us? Does a larger number of CVEs mean that one distribution is more vulnerable than another? The answer is no. For example, in this article you will see that Debian has stronger security mechanisms than, say, OpenSUSE or RedHat Linux, yet Debian has more CVEs. However, CVEs do not necessarily mean weakened security: the mere existence of a CVE does not say whether the vulnerability is exploited. Severity scores give an idea of how likely exploitation of a vulnerability is, but in practice exploitability depends heavily on the protections present on the affected systems and on the resources and capabilities of the attackers. Moreover, the absence of CVE reports says nothing about other unregistered or unknown vulnerabilities. Differences in CVE counts are due to factors other than software quality, including the resources allocated to testing or the size of the user base. In our example, Debian's higher CVE count may simply indicate that Debian ships more software packages.

Of course, the CVE system provides useful information that allows you to build appropriate defenses. The better we understand the causes of program failures, the easier it is to identify possible exploitation methods and develop appropriate detection and response mechanisms. Fig. 2 shows the categories of vulnerabilities for all distributions over the last four years (source). It is immediately clear that most CVEs fall into the following categories: denial of service (DoS), code execution, overflow, memory corruption, information leakage (exfiltration) and privilege escalation. Although many CVEs are counted several times in different categories, overall the same problems persist from year to year. In the next part of the article we evaluate the use of various protections that prevent the exploitation of these vulnerabilities.

Fig. 2

Objectives

In this article we aim to answer the following questions:

  • How secure are the different Linux distributions? What protection mechanisms exist in the kernel and in user-space applications?
  • How does the adoption of security mechanisms change over time across distributions?
  • What are the average package and library dependencies for each distribution?
  • What protections are implemented for each binary?

Choosing the distributions

Accurate statistics on distribution installations are hard to obtain, since in most cases the number of downloads does not reflect the number of actual installations. However, Unix-like variants make up the majority of server systems (69.2% of web servers, according to W3techs statistics and other sources), and their share is growing steadily. Therefore, for our research we focused on the distributions available out of the box on the Google Cloud platform. Specifically, we chose the following operating systems:

Distribution/version | Kernel | Build
OpenSUSE 12.4 | 4.12.14-95.3-default | #1 SMP Wed Dec 5 06:00:48 UTC 2018 (63a8d29)
Debian 9 | 4.9.0-8-amd64 | #1 SMP Debian 4.9.130-2 (2018-10-27)
CentOS 6.10 | 2.6.32-754.10.1.el6.x86_64 | #1 SMP Tue Jan 15 17:07:28 UTC 2019
CentOS 7 | 3.10.0-957.5.1.el7.x86_64 | #1 SMP Fri Feb 1 14:54:57 UTC 2019
Red Hat Enterprise Linux Server 6.10 (Santiago) | 2.6.32-754.9.1.el6.x86_64 | #1 SMP Wed Nov 21 15:08:21 EST 2018
Red Hat Enterprise Linux Server 7.6 (Maipo) | 3.10.0-957.1.3.el7.x86_64 | #1 SMP Thu Nov 15 17:36:42 UTC 2018
Ubuntu 14.04 (Trusty Tahr) | 4.4.0-140-generic | #166~14.04.1-Ubuntu SMP Sat Nov 17 01:52:43 UTC 20…
Ubuntu 16.04 (Xenial Xerus) | 4.15.0-1026-gcp | #27~16.04.1-Ubuntu SMP Fri Dec 7 09:59:47 UTC 2018
Ubuntu 18.04 (Bionic Beaver) | 4.15.0-1026-gcp | #27-Ubuntu SMP Thu Dec 6 18:27:01 UTC 2018

Table 1

Data

We study the default kernel configuration, as well as the properties of the packages available out of the box through each distribution's package manager. We therefore consider only packages from each distribution's default mirrors, ignoring packages from unstable repositories (such as the Debian 'testing' mirrors) and third-party packages (such as the Nvidia packages on the standard mirrors). We also do not consider custom kernel builds or security-hardened configurations.

Kernel configuration analysis

We applied an analysis script based on the free kconfig checker. We look at the out-of-the-box protection settings of the named distributions and compare them with the list from the Kernel Self Protection Project (KSPP). For each configuration option, Table 2 describes the desired setting: the checkbox marks distributions that follow the KSPP recommendations (see here for an explanation of the terms; in future articles we will explain how many of these protection mechanisms came about and how a system can be compromised in their absence).

Table 2. Kernel configuration options compared with the KSPP recommendations (image)

In general, newer kernels are more hardened out of the box. For example, CentOS 6.10 and RHEL 6.10 on the 2.6.32 kernel lack most of the important features implemented in newer kernels, such as SMAP, strict RWX permissions, address randomization and copy2usr protection. It should be noted that many of the configuration options in the table do not exist in older kernel versions and are not actually applicable; this still appears in the table as the absence of the corresponding protection. Similarly, if a configuration option does not exist in a given version and security requires the option to be disabled, this is counted as a sound configuration.

Another point to keep in mind when interpreting the results: some kernel configuration options that increase the attack surface can also be used for security. Examples are uprobes and kprobes, kernel modules, and BPF/eBPF. Our recommendation is to use these mechanisms to provide real protection, since they are not trivial to abuse and abusing them presupposes that the attacker has already gained a foothold on the system. But if these options are enabled, the system administrator must actively monitor them for misuse.

Looking further at the entries in Table 2, we see that modern kernels provide several options for protecting against the exploitation of vulnerabilities such as information leaks and stack/heap overflows. However, we note that even the most popular distributions have not yet adopted more advanced protection (for example, hardening patch sets) or modern protection against code-reuse attacks (for example, combining randomization with schemes such as R^X for code). Worse, even these more advanced protections do not stop the full range of attacks. It is therefore critical for system administrators to complement sensible configurations with solutions that provide runtime exploit detection and prevention.
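The kernel configuration comparison described in this section, written here as an added example that is not the authors' kconfig-checker script: it parses a kernel .config, compares it with a KSPP-style wish list, applies the two rules stated above (an option the kernel does not know at all counts as unprotected when it should be =y, but as satisfied when it should be off) and flags the attack-surface options the article says to monitor. The option list and the sample config are illustrative and constructed, not the article's Table 2.

```python
# Added example: kernel .config versus a KSPP-style wish list, following the
# article's handling of options that do not exist in older kernels.
import re

# Illustrative subset of KSPP recommendations (real option names, short list).
DESIRED = {
    "CONFIG_X86_SMAP": "y",               # supervisor mode access prevention
    "CONFIG_STRICT_KERNEL_RWX": "y",      # strict RWX permissions for kernel memory
    "CONFIG_RANDOMIZE_BASE": "y",         # kernel address randomization (KASLR)
    "CONFIG_HARDENED_USERCOPY": "y",      # bounds checks on copy_to/from_user
    "CONFIG_STACKPROTECTOR_STRONG": "y",  # kernel stack canaries
    "CONFIG_DEVKMEM": "n",                # /dev/kmem should stay disabled
    "CONFIG_COMPAT_BRK": "n",             # keep brk randomization enabled
}
# Options that widen the attack surface but help defenders; the article says to
# keep them and watch for misuse rather than disable them outright.
MONITOR = {"CONFIG_MODULES", "CONFIG_KPROBES", "CONFIG_UPROBES", "CONFIG_BPF_SYSCALL"}

def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' lines map to 'n'."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg

def check_config(text):
    """Classify each desired option as 'ok', 'bad' or 'absent' and list the
    enabled attack-surface options under 'monitor'."""
    cfg = parse_config(text)
    result = {}
    for opt, want in DESIRED.items():
        have = cfg.get(opt)
        if have is None:
            # Article rule: a missing option only counts as fine if the
            # recommendation is to have it off anyway.
            result[opt] = "ok" if want == "n" else "absent"
        else:
            result[opt] = "ok" if have == want else "bad"
    result["monitor"] = sorted(o for o in MONITOR if cfg.get(o) in ("y", "m"))
    return result

def score(result):
    """Fraction of desired options satisfied, a per-kernel tally like Table 2."""
    verdicts = [v for k, v in result.items() if k != "monitor"]
    return sum(v == "ok" for v in verdicts) / len(verdicts)

# Constructed sample resembling a 2.6.32-era config: no SMAP/KASLR/usercopy
# entries exist at all, /dev/kmem is enabled, modules and kprobes are on.
SAMPLE_OLD = """\
CONFIG_MODULES=y
CONFIG_KPROBES=y
CONFIG_DEVKMEM=y
# CONFIG_COMPAT_BRK is not set
CONFIG_CC_STACKPROTECTOR=y
"""
```

On a live system the same check runs over /boot/config-$(uname -r) or a gunzipped /proc/config.gz.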

Application analysis

Not surprisingly, different distributions have different package properties, compilation options, library dependencies and so on. The differences exist even between related distributions and for packages with few dependencies (for example, coreutils on Ubuntu versus Debian). To evaluate the differences, we downloaded all available packages, extracted their contents, and analyzed the binaries and their dependencies. For each package we recorded the other packages it depends on, and for each binary we recorded its dependencies. In this section we briefly summarize the results.

Distributions

In total we downloaded 361,556 packages across all distributions, taking only packages from the default mirrors. We discarded packages without ELF executables, such as sources, fonts and so on. After filtering, 129,569 packages remained, containing a total of … binaries. The distribution of packages and files across the distributions is shown in Fig. 3.

Fig. 3

You can see that the newer the distribution, the more packages and binaries it contains, which is to be expected. However, Ubuntu and Debian packages contain far more binaries (executables as well as dynamic modules and libraries) than CentOS, SUSE and RHEL, which potentially increases the attack surface of Ubuntu and Debian (note that the numbers reflect all binaries of all versions of a package, i.e. some files are counted several times). This matters especially when you consider the dependencies between packages. A vulnerability in a single package can thus affect many parts of the ecosystem, just as a vulnerable library can affect every binary that imports it. As a starting point, let's look at how the number of dependencies per package is distributed in the different operating systems:

Fig. 4

In almost all distributions, 60% of packages have at least 10 dependencies. In addition, some packages have a very large number of dependencies (more than 100). The same holds for reverse package dependencies: as expected, some packages are used by many other packages in a distribution, so vulnerabilities in those few packages carry a high risk. As an example, the table below lists the 20 packages with the largest number of reverse dependencies in SLES, CentOS 7, Debian 9 and Ubuntu 18.04 (each cell shows the package and its number of reverse dependencies).

Table 3. The 20 packages with the most reverse dependencies (image)

An interesting fact: although all the operating systems we analyzed are built for the x86_64 architecture, and most packages declare their architecture as x86_64 or x86, packages frequently contain binaries for other architectures, as shown in Fig. 5.

Fig. 5

In the next section we look at the characteristics of the compiled binaries.

Binary hardening statistics

At a minimum, you should check a basic set of security properties of your binaries. Some Linux distributions ship scripts that perform such checks. For example, Debian/Ubuntu has the hardening-check script. Here is an example of its output.

$ hardening-check $(which docker)
/usr/bin/docker:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

The script checks five protection features:

  • Position Independent Executable (PIE): whether the program's text section can be relocated in memory to achieve randomization when ASLR is enabled in the kernel.
  • Stack protected: whether stack canaries are enabled to protect against stack smashing attacks.
  • Fortify Source: whether unsafe functions (e.g. strcpy) have been replaced by their safer counterparts, and whether unchecked calls have been replaced by their runtime-checked variants (e.g. __memcpy_chk instead of memcpy).
  • Read-only relocations (RELRO): whether the relocation table is marked read-only after loading, before execution begins.
  • Immediate binding: whether the runtime linker resolves all relocations before the program starts (this is equivalent to full RELRO).

Are the mechanisms above sufficient? Unfortunately, no. There are known ways to bypass every one of the protections listed, but the stronger the protection, the higher the bar for the attacker. For example, RELRO bypass techniques are harder to apply when PIE and immediate binding are in effect. Similarly, full ASLR requires additional work to build a working exploit. However, sophisticated attackers are already prepared for such protections: their absence simply speeds up the attack. These mechanisms should therefore be regarded as a necessary minimum.

We wanted to find out how many binaries in the distributions under study are protected by these mechanisms and by three more:

  • Non-executable (NX) memory prevents execution in any region that should not be executable, such as the heap, the stack and so on.
  • RPATH/RUNPATH specify the search path used by the dynamic loader to find the required libraries. The first property is mandatory for any modern system: its absence lets attackers write a payload into memory and execute it as is. As for the second, an incorrect search path configuration helps inject untrusted code, which can lead to a range of problems (e.g. privilege escalation, among others).
  • Stack clash protection guards against attacks in which the stack is made to overlap other memory areas (such as the heap). Given the recent exploits of the systemd heap collision vulnerabilities, we considered it appropriate to include this mechanism in our dataset.

So, without further ado, let's get to the numbers. Tables 4 and 5 summarize the analysis of the executables and libraries of the different distributions.

  • As you can see, NX protection is implemented almost everywhere, with few exceptions. In particular, its use is slightly lower in the Ubuntu and Debian distributions than in CentOS, RHEL and OpenSUSE.
  • Stack canaries are missing in many places, especially in distributions with old kernels. Some progress is visible in the latest releases of CentOS, RHEL, Debian and Ubuntu.
  • With the exception of Debian and Ubuntu 18.04, most distributions have poor PIE support.
  • Stack clash protection is weak in OpenSUSE, CentOS 7 and RHEL 7, and almost absent in the others.
  • All distributions with modern kernels have some RELRO support, with Ubuntu 18.04 leading and Debian in second place.

As mentioned earlier, the metrics in these tables are averages over all versions of a binary. If you look only at the latest versions of the files, the numbers differ (for example, see Debian's progress with PIE adoption). Moreover, most distributions test the protection of only a few functions in a binary when computing their statistics, whereas our analysis reports the actual percentage of hardened functions. So if 5 of the 50 functions in a binary are protected, we assign it a score of 0.1, corresponding to 10% of functions hardened.
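The binary properties listed above (PIE, Fortify, RELRO, immediate binding, NX, RPATH/RUNPATH) and the Fortify coverage ratio defined in this paragraph, as an added example that is not the authors' tooling or the hardening-check script: a stdlib-only Python checker that reads the ELF64 program headers and .dynamic entries, plus the ratio computed over a binary's imported symbol names. Stack canary and stack clash detection are not covered; the sample ELF image and symbol lists are constructed here, and the fortifiable-function set is an illustrative subset of glibc.

```python
# Added example: minimal ELF64 hardening checker (NX, PIE, RELRO, BIND_NOW,
# RPATH/RUNPATH) plus the article's Fortify coverage ratio; stdlib only.
import struct

ET_EXEC, ET_DYN, PF_X = 2, 3, 1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_RPATH, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 15, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# Illustrative subset of glibc functions that get a __*_chk variant under _FORTIFY_SOURCE.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strncpy", "strcat", "sprintf",
               "snprintf", "read", "fgets", "recv", "realpath", "getcwd"}

def parse_elf64(data: bytes) -> dict:
    """Read hardening flags from the program headers and .dynamic of an ELF64 image."""
    if data[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    info = {"pie": e_type == ET_DYN, "nx": False,   # no PT_GNU_STACK => executable stack
            "relro": "none", "bind_now": False, "rpath": False, "runpath": False}
    dyn_off = dyn_size = 0
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        p_filesz, = struct.unpack_from("<Q", data, base + 32)
        if p_type == PT_GNU_STACK:
            info["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            info["relro"] = "partial"   # becomes "full" only together with BIND_NOW
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == 0:                  # DT_NULL terminates the table
            break
        info["rpath"] |= d_tag == DT_RPATH
        info["runpath"] |= d_tag == DT_RUNPATH
        info["bind_now"] |= bool(d_tag == DT_FLAGS and d_val & DF_BIND_NOW
                                 or d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)
    if info["relro"] == "partial" and info["bind_now"]:
        info["relro"] = "full"
    return info

def fortify_score(imports):
    """Hardened / (hardened + unprotected fortifiable) imports, e.g. 5 of 50 -> 0.1; None if none."""
    names = [s.split("@")[0] for s in imports]     # strip symbol version suffixes
    hardened = sum(n.startswith("__") and n.endswith("_chk") for n in names)
    unprotected = sum(n in FORTIFIABLE for n in names)
    return hardened / (hardened + unprotected) if hardened + unprotected else None

def build_elf64(pie, exec_stack, relro, dyn_entries) -> bytes:
    """Constructed sample input: a minimal, non-loadable ELF64 image with only the headers parse_elf64 reads."""
    phdrs = [(PT_GNU_STACK, PF_X if exec_stack else 0, 0, 0)]
    phdrs += [(PT_GNU_RELRO, 0, 0, 0)] if relro else []
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(0, 0)])
    phdrs.append((PT_DYNAMIC, 0, 64 + 56 * (len(phdrs) + 1), len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
        64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, n, n, 0)
                    for t, f, o, n in phdrs)
    return ehdr + body + dyn
```

For a real file, pass the bytes of the binary to parse_elf64 and the names from its dynamic symbol table to fortify_score; the RPATH/RUNPATH flags only report presence, not the path value.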

Table 4. Security features of the executables shown in Fig. 3 (implementation of each feature as a percentage of the total number of executables)

Table 5. Security features of the libraries shown in Fig. 3 (implementation of each feature as a percentage of the total number of libraries)

So is there progress? There is: it can be seen both in the data for individual distributions (e.g. Debian) and in the tables above. As an example, Fig. 6 shows the adoption of protection mechanisms in three Ubuntu LTS releases (we left out the stack clash protection statistics). We see that from version to version more files support stack canaries, and more binaries ship with full RELRO protection.

Fig. 6

Unfortunately, a number of executables in various distributions still lack any protection. For example, looking at Ubuntu 18.04, you will notice the ngetty binary (a getty replacement), the mksh and lksh shells, the picolisp interpreter, the nvidia-cuda-toolkit packages (a popular package for GPU-accelerated applications such as machine learning frameworks), and klibc-utils. Likewise, the mandos-client binary (an administration tool that lets you reboot machines with encrypted file systems) and rsh-redone-client (a reimplementation of rsh and rlogin) ship without NX protection, even though they have SUID rights :(. In addition, some suid binaries lack basic protection such as stack canaries (for example, the Xorg.wrap binary from the Xorg package).

Summary and conclusions

In this article we have highlighted several security properties of modern Linux distributions. The analysis showed that the latest Ubuntu LTS release (18.04) implements, on average, the strongest OS- and application-level protection among the distributions with relatively new kernels, such as Ubuntu 14.04, 12.04 and Debian 9. OpenSUSE, CentOS and RHEL in our set ship a much smaller set of packages by default, and in their latest versions (CentOS and RHEL) have a higher percentage of stack clash protection than their Debian-based competitors (Debian and Ubuntu). Comparing the CentOS and RedHat versions, we see significant improvements in the adoption of stack canaries and RELRO from version 6 to 7, but on average CentOS has more features implemented than RHEL. In general, all distributions should pay special attention to PIE protection, which, with the exception of Debian 9 and Ubuntu 18.04, is implemented in less than 10% of the binaries in our dataset.

Finally, it should be noted that although we carried out this research by hand, there are many security tools (e.g. Lynis, Tiger, Hubble) that perform such analysis and help avoid insecure configurations. Unfortunately, even strong protection in a sensible configuration does not guarantee the absence of exploits. We therefore believe it is critical to provide reliable real-time attack monitoring and prevention, focusing on exploitation patterns and blocking them.

Source: www.habr.com
