Millions of Binaries Later: How Linux Got Hardened

TL;DR. In this article we examine the hardening mechanisms that work out of the box in five popular Linux distribution families. For each one we took the kernel configuration, downloaded every package, and analysed the protection mechanisms in the shipped binaries. The distributions considered are OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 and 7, and Ubuntu 14.04, 16.04 and 18.04 LTS (see Table 1 for the exact releases).

The results confirm that even basic mechanisms such as stack canaries and position-independent code have not yet been adopted universally. Adoption is even worse when it comes to compiler protections against vulnerabilities such as stack clash, which came into the spotlight in January after details of the systemd vulnerabilities were published. But not everything is hopeless. A significant share of binaries do use the basic protections, and that share grows from release to release.

The review showed that the largest number of protection mechanisms, at both the OS and the application level, is applied in Ubuntu 18.04, followed by Debian 9. On the other hand, OpenSUSE 12.4, CentOS 7 and RHEL 7 also apply a basic set of protection mechanisms, and stack clash protection is far more widespread there, albeit across a much smaller default package set.

Introduction

Producing high-quality software is hard. Despite the large number of advanced tools for static code analysis and dynamic runtime analysis, and despite significant progress in compilers and programming languages, modern software still contains vulnerabilities that attackers exploit regularly. The situation is even worse in ecosystems that include legacy code. In such cases we not only face the perennial problem of finding the bugs, but are also constrained by strict backward-compatibility requirements, which often force us to keep limited, or worse, vulnerable or buggy code.

This is where protection, or software hardening, techniques come in. We cannot prevent certain classes of bugs, but we can make the attacker's life considerably harder and partially solve the problem by preventing or hindering the exploitation of those bugs. Such protections are used in all modern operating systems, but the techniques vary greatly in complexity, effectiveness and performance cost: from stack canaries and ASLR to full CFI and ROP protection. In this article we look at the protection mechanisms used in the most popular Linux distributions in their default configuration, and examine the properties of the binaries distributed through each distribution's package manager.

CVEs and security

We have all seen articles with titles like "The Most Vulnerable Applications of the Year" or "The Most Insecure Operating Systems". They usually present statistics on the number of vulnerability records such as CVEs (Common Vulnerabilities and Exposures), taken from NIST's National Vulnerability Database (NVD) and other sources. The applications or operating systems are then ranked by CVE count. Unfortunately, while CVEs are very useful for tracking issues and informing vendors and users, they say little about the actual security of the software.

As an example, consider the number of CVEs over the past four years for the Linux kernel and the five most popular server distributions, namely Ubuntu, Debian, Red Hat Enterprise Linux and OpenSUSE.

Fig. 1

What does this graph tell us? Does a higher CVE count mean that one distribution is more vulnerable than another? There is no simple answer. For example, in this article you will see that Debian has stronger protection mechanisms than, say, OpenSUSE or Red Hat Enterprise Linux, yet Debian has more CVEs. That does not necessarily mean weaker security: the mere existence of a CVE does not tell you whether the vulnerability is actually exploitable. Severity scores give an indication of how likely exploitation is, but in the end exploitability depends heavily on the protections present on the affected systems and on the attackers' resources and capabilities. Moreover, the absence of CVE reports says nothing about unregistered or unknown vulnerabilities. Differences in CVE counts may be due to factors other than software quality, including the resources devoted to testing or the size of the user base. In our example, Debian's higher CVE count may simply reflect the fact that Debian ships more software packages.

Of course, the CVE system does provide useful information on which adequate defences can be built. The better we understand why programs fail, the easier it is to identify likely exploitation methods and to develop appropriate detection and response mechanisms. Fig. 2 shows the vulnerability categories for all distributions over the past four years (source). It is immediately apparent that most CVEs fall into the following categories: denial of service (DoS), code execution, overflow, memory corruption, information disclosure (leaks) and privilege escalation. Although many CVEs are counted in several categories at once, the same kinds of problems broadly persist year after year. In the next part of the article we evaluate how the various protection mechanisms are used to prevent exploitation of these vulnerabilities.

Fig. 2

Objectives

In this article we want to answer the following questions:

  • What is the security posture of the different Linux distributions? What protection mechanisms exist in the kernel and in user-space applications?
  • How has the adoption of protection mechanisms changed over time across distributions?
  • What are the dependency characteristics of the packages and libraries in each distribution?
  • Which protections are applied to each individual binary?

Choice of distributions

Accurate installation statistics for distributions are hard to come by, since download counts rarely reflect the real number of installations. Nevertheless, Unix-like systems account for the majority of servers (69.2% of web servers according to W3Techs statistics and other sources), and their share keeps growing. For our research we therefore focused on the distributions available out of the box on the Google Cloud platform. Specifically, we selected the following operating systems:

Distribution / version | Kernel | Build
OpenSUSE 12.4 | 4.12.14-95.3-default | #1 SMP Wed Dec 5 06:00:48 UTC 2018 (63a8d29)
Debian 9 (stretch) | 4.9.0-8-amd64 | #1 SMP Debian 4.9.130-2 (2018-10-27)
CentOS 6.10 | 2.6.32-754.10.1.el6.x86_64 | #1 SMP Tue Jan 15 17:07:28 UTC 2019
CentOS 7 | 3.10.0-957.5.1.el7.x86_64 | #1 SMP Fri Feb 1 14:54:57 UTC 2019
Red Hat Enterprise Linux Server 6.10 (Santiago) | 2.6.32-754.9.1.el6.x86_64 | #1 SMP Wed Nov 21 15:08:21 EST 2018
Red Hat Enterprise Linux Server 7.6 (Maipo) | 3.10.0-957.1.3.el7.x86_64 | #1 SMP Thu Nov 15 17:36:42 UTC 2018
Ubuntu 14.04 (Trusty Tahr) | 4.4.0-140-generic | #166~14.04.1-Ubuntu SMP Sat Nov 17 01:52:43 UTC 20…
Ubuntu 16.04 (Xenial Xerus) | 4.15.0-1026-gcp | #27~16.04.1-Ubuntu SMP Fri Dec 7 09:59:47 UTC 2018
Ubuntu 18.04 (Bionic Beaver) | 4.15.0-1026-gcp | #27-Ubuntu SMP Thu Dec 6 18:27:01 UTC 2018

Table 1

Analysis

We study the kernel configuration and the properties of the packages available out of the box through each distribution's package manager. We therefore consider only packages from each distribution's default mirror, ignoring packages from unstable repositories (such as Debian's 'testing' mirrors) and third-party packages (such as the Nvidia packages on the standard mirror). We also do not consider custom kernel builds or security-hardened configurations.

Kernel configuration analysis

We used an analysis script built on a freely available kconfig checker. Let us look at the out-of-the-box security options of the listed distributions and compare them against the list from the Kernel Self Protection Project (KSPP). For each configuration option, Table 2 gives the desired setting: a tick marks the distributions that follow the KSPP recommendation (see the following sections for an explanation of the terms; in future articles we will explain how these protection mechanisms came about and how a system can be exploited when they are absent).

Table 2

In general, newer kernels have stricter settings out of the box. For example, CentOS 6.10 and RHEL 6.10 on the 2.6.32 kernel lack most of the important features present in newer kernels, such as SMAP, strict RWX permissions, address randomisation (KASLR) and hardened usercopy (copy_to/from_user bounds checks). Note that many of the configuration options in the table do not exist at all in older kernel versions and so cannot be applied; the table nevertheless shows this as the absence of the corresponding protection. Conversely, if a configuration option does not exist in a given version and the recommendation is for that option to be disabled, this is counted as a compliant configuration.

Another point to keep in mind when interpreting the results: some kernel configurations that enlarge the attack surface can also be used for defence. Examples include uprobes and kprobes, loadable kernel modules, and BPF/eBPF. Our recommendation is to use these mechanisms for real protection, since abusing them is not trivial and presupposes that the attacker has already established a foothold on the system. But when these options are enabled, the system administrator must actively monitor them for abuse.

Looking further at the entries in Table 2, we see that modern kernels offer several options that defend against the exploitation of vulnerabilities such as information leaks and stack/heap overflows. However, even the most recent popular distributions have not yet implemented more complex protections (e.g. out-of-tree security patch sets) or modern protections against code-reuse attacks (e.g. a combination of randomisation with schemes such as R^X for code). To make matters worse, even these more advanced defences do not cover the full range of attacks. It is therefore critical that system administrators complement a sensible configuration with solutions that provide exploit detection and prevention.
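The scoring rules described above (a desired value per option; a missing option counts as a missing protection unless the recommendation is for it to be off, in which case missing is compliant) are simple to reproduce. The following is an added example, not the script used for the article or the kconfig checker it was based on. The RECOMMENDED table is a small illustrative excerpt of the KSPP settings for x86_64 (an assumption, not the full list), and the two configs are constructed samples standing in for a 2.6.32-era kernel and a current one.

```python
"""Score a kernel .config against KSPP recommendations, the way Table 2 does.

Added example, not the article's analysis script or the kconfig checker it used.
RECOMMENDED is a hand-picked excerpt of the KSPP recommended settings for x86_64
(assumption: a subset for illustration, not the full list); OLD_CONFIG and
NEW_CONFIG are constructed samples, not real distribution configs.
"""
import gzip
import re

# Desired value per option. "n" means the option must be off, and an option that
# does not exist in that kernel version then counts as compliant; for any other
# desired value a missing option counts as the protection being absent.
RECOMMENDED = {
    "CONFIG_STRICT_KERNEL_RWX": "y",        # strict RWX permissions on kernel text/rodata
    "CONFIG_STRICT_MODULE_RWX": "y",
    "CONFIG_RANDOMIZE_BASE": "y",           # KASLR
    "CONFIG_RANDOMIZE_MEMORY": "y",
    "CONFIG_HARDENED_USERCOPY": "y",        # bounds checks on copy_to/from_user
    "CONFIG_X86_SMAP": "y",
    "CONFIG_PAGE_TABLE_ISOLATION": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_LEGACY_VSYSCALL_NONE": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_COMPAT_BRK": "n",
    "CONFIG_ACPI_CUSTOM_METHOD": "n",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Return {option: value}. A '# CONFIG_X is not set' line is recorded as 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def evaluate(cfg, recommended=RECOMMENDED):
    """Return {option: (desired, actual, ok)}; actual is None when the option is absent."""
    result = {}
    for opt, desired in recommended.items():
        actual = cfg.get(opt)
        ok = actual in (None, "n") if desired == "n" else actual == desired
        result[opt] = (desired, actual, ok)
    return result


def score(cfg, recommended=RECOMMENDED):
    """Return (met, total) over the recommendations."""
    res = evaluate(cfg, recommended)
    return sum(1 for _, _, ok in res.values() if ok), len(res)


def load_config(path="/proc/config.gz"):
    """Parse a kernel config file; /proc/config.gz needs CONFIG_IKCONFIG_PROC, /boot/config-* also works."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_kconfig(fh.read())


# Constructed sample: a 2.6.32-era style config; most hardening options did not exist yet.
OLD_CONFIG = """\
CONFIG_DEVKMEM=y
CONFIG_COMPAT_BRK=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_ACPI_CUSTOM_METHOD=y
"""

# Constructed sample: a modern config that follows every recommendation in the excerpt.
NEW_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_X86_SMAP=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_DEVKMEM is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
"""

if __name__ == "__main__":
    for name, text in (("old-style", OLD_CONFIG), ("modern", NEW_CONFIG)):
        cfg = parse_kconfig(text)
        for opt, (want, have, ok) in evaluate(cfg).items():
            if not ok:
                print(f"[{name}] {opt}: want {want}, have {'missing' if have is None else have}")
        print("[%s] %d/%d recommendations met" % ((name,) + score(cfg)))
```

Against a live machine, `score(load_config())` gives the running kernel's result; a low score on an old kernel is mostly "missing" rather than "wrong", which is exactly the distinction the table glosses over.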

Application analysis

Unsurprisingly, different distributions have different package properties, compilation options, library dependencies and so on. Differences exist even between closely related distributions and for packages with few dependencies (e.g. coreutils on Ubuntu versus Debian). To assess the differences, we downloaded all available packages, extracted their contents, and analysed the binaries and their dependencies. For each package we recorded the other packages it depends on, and for each binary we recorded its library dependencies. This section briefly summarises the findings.

Distributions

In total we downloaded 361,556 packages across all distributions, taking packages only from the default mirrors. We ignored packages without ELF executables, such as source packages, fonts, etc. After filtering, 129,569 packages remained. The distribution of packages and binaries across the distributions is shown in Fig. 3.

Fig. 3

You will notice that the more recent distributions contain more packages and binaries, which is to be expected. However, Ubuntu and Debian packages also contain considerably more binaries (both executables and modules/libraries) than CentOS, SUSE and RHEL, which potentially increases the attack surface of Ubuntu and Debian (note that these figures count the binaries of all versions of every package, so some files are analysed more than once). This matters especially when dependencies between packages are taken into account: a vulnerability in a single binary package can affect many parts of the ecosystem, just as a vulnerable library affects every binary that imports it. As a starting point, let us look at the distribution of the number of dependencies between packages in the various systems:

Fig. 4

In almost all distributions, 60% of packages have at least 10 dependencies. In addition, some packages have a far larger number of dependencies (more than 100). The same holds for reverse dependencies: as expected, a handful of packages are used by a great many other packages in the distribution, so a vulnerability in one of those few is high-risk. For example, the following table lists the 20 packages with the largest number of reverse dependencies in SLES, CentOS 7, Debian 9 and Ubuntu 18.04 (each cell shows the package and its number of distinct reverse dependencies).

Table 3
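Reverse-dependency counts of the kind behind Table 3 can be reproduced from a distribution's package index. The example below is added here and is not the article's own tooling; it parses Debian-style Packages stanzas (the stanzas shown are constructed for the demo, with real package names but made-up, abridged dependency lists), counts each package's direct dependencies and each package's reverse dependencies, and lists the most depended-upon packages.

```python
"""Forward and reverse dependency counts from a Debian-style package index.

Added example, not the article's own tooling. SAMPLE_PACKAGES is constructed for
the demo: real package names, but the Depends lines are made up and abridged.
For a real run, pass the text of a mirror's Packages file (or a file under
/var/lib/apt/lists/ whose name ends in _Packages).
"""
import re
from collections import defaultdict

SAMPLE_PACKAGES = """\
Package: libc6
Version: 2.24-11+deb9u4
Depends: libgcc1

Package: libgcc1
Version: 1:6.3.0-18+deb9u1
Depends: gcc-6-base (= 6.3.0-18+deb9u1), libc6 (>= 2.14)

Package: gcc-6-base

Package: coreutils
Depends: libacl1 (>= 2.2.51-8), libattr1 (>= 1:2.4.46-8), libc6 (>= 2.17), libselinux1 (>= 2.1.13)
Pre-Depends: libc6 (>= 2.17)

Package: bash
Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
Pre-Depends: libc6 (>= 2.15), libtinfo5 (>= 6)

Package: openssh-server
Depends: libc6 (>= 2.17), libssl1.0.2 (>= 1.0.2d), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4), openssh-client (= 1:7.4p1-10+deb9u7), libpam-modules | libpam-runtime
"""

# A dependency clause is "name[:arch] [(op version)]"; alternatives are separated by "|".
_DEP_NAME = re.compile(r"^([a-z0-9][a-z0-9+.-]*)")


def parse_stanzas(text):
    """Return {package: set(direct dependencies)} from the Depends and Pre-Depends fields.
    Every alternative of an "a | b" clause is counted, since either one may end up installed."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):
                key, value = line.split(":", 1)  # versions like 1:6.3.0 keep their epoch colon
                fields[key.strip()] = value.strip()
        deps = set()
        for field in ("Depends", "Pre-Depends"):
            for clause in fields.get(field, "").split(","):
                for alt in clause.split("|"):
                    m = _DEP_NAME.match(alt.strip())
                    if m:
                        deps.add(m.group(1))
        pkgs[fields["Package"]] = deps
    return pkgs


def reverse_dependencies(pkgs):
    """Return {package: set(packages that directly depend on it)}."""
    rdeps = defaultdict(set)
    for name, deps in pkgs.items():
        for dep in deps:
            rdeps[dep].add(name)
    return rdeps


def top_reverse(pkgs, n=20):
    """The n most depended-upon packages as (name, reverse-dependency count), as in Table 3."""
    rdeps = reverse_dependencies(pkgs)
    ranked = sorted(rdeps.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, len(dependents)) for name, dependents in ranked[:n]]


def share_with_min_deps(pkgs, k):
    """Fraction of packages with at least k direct dependencies (Fig. 4 reports ~60% at k=10)."""
    return sum(1 for deps in pkgs.values() if len(deps) >= k) / len(pkgs)


if __name__ == "__main__":
    pkgs = parse_stanzas(SAMPLE_PACKAGES)
    for name, count in top_reverse(pkgs, 5):
        print(f"{name}: {count} reverse dependencies")
    print(f"{share_with_min_deps(pkgs, 4):.0%} of packages have >= 4 dependencies")
```

Only direct dependencies are counted here, as in the article's tables; a vulnerable library's true blast radius is the transitive closure of reverse_dependencies(), which is a short breadth-first walk over the same dictionary.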

An interesting detail: although all the analysed systems are built for the x86_64 architecture, and most packages declare their architecture as x86_64 or x86, packages often contain binaries for other architectures too, as shown in Fig. 5.

Fig. 5

In the next section we look more closely at the properties of the analysed binaries.

Binary security statistics

At a minimum, you should check the basic security properties of the binaries you already have. Several Linux distributions ship scripts that perform such checks; Debian/Ubuntu, for example, provide hardening-check. Here is an example of its use:

$ hardening-check $(which docker)
/usr/bin/docker:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

The script checks five protection features:

  • Position Independent Executable (PIE): whether the program's code can be loaded at a random base address, so that it is actually randomised when ASLR is enabled in the kernel.
  • Stack protected: whether stack canaries are enabled to protect against stack smashing.
  • Fortify Source: whether unsafe functions (e.g. strcpy) have been replaced by safer counterparts and whether calls with known buffer sizes use the runtime-checked variants (e.g. __memcpy_chk instead of memcpy). The "only unprotected functions found" verdict above means the binary imports fortifiable functions but none of their _chk forms.
  • Read-only relocations (RELRO): whether the relocation table entries that are resolved before execution starts are made read-only afterwards.
  • Immediate binding: whether the dynamic linker resolves all relocations before the program starts; together with RELRO this gives full RELRO, i.e. a read-only GOT.

Are the above mechanisms sufficient? Unfortunately, no. There are known ways around every protection listed above, but the stronger the protections, the higher the bar for the attacker. For example, RELRO bypasses are harder to apply when PIE and immediate binding are in effect. Likewise, full ASLR forces extra work to build a working exploit. Sophisticated attackers, however, are already prepared to deal with such protections; their absence merely speeds up the attack. These measures should therefore be regarded as the bare minimum.

We wanted to find out how many of the binaries shipped by the distributions are protected by these mechanisms and by three more:

  • Non-executable bit (NX): prevents execution in any memory region that should not be executable, such as the stack or the heap.
  • RPATH/RUNPATH: the search path the dynamic loader uses to find the libraries a binary links against. NX is mandatory on any modern system: without it an attacker can write a payload into memory and execute it as is. A misconfigured run path (for example a directory the attacker can write to) lets untrusted code be loaded into the process, which can lead to a range of problems, including privilege escalation.
  • Stack clash protection: guards against attacks that make the stack grow into, and overlap with, other memory regions (such as the heap). Given the recent systemd stack clash vulnerabilities, we felt it appropriate to include this mechanism in our dataset.
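A checker for seven of the properties above (the five hardening-check ones plus NX and RPATH/RUNPATH) can be written against the ELF format directly, which also shows where each flag lives: PIE in e_type, NX in the PT_GNU_STACK flags, RELRO in the PT_GNU_RELRO segment, immediate binding in DT_BIND_NOW/DT_FLAGS/DT_FLAGS_1, canaries and fortified calls as names in the dynamic string table, and RPATH/RUNPATH as DT_RPATH/DT_RUNPATH. The following Python is an added example, not the article's analysis tooling or hardening-check itself; stack clash protection is left out because it has to be judged from the generated code (stack probes) rather than from headers. build_sample_elf() produces header-only ELF images (constructed sample input, not runnable programs) so the checker can be exercised offline; on a real system point it at /usr/bin/docker or at the files listed by `find / -perm -4000 -type f` to audit setuid binaries.

```python
"""Minimal ELF64 hardening checker in the spirit of hardening-check and checksec.

Added example, not the article's tooling or hardening-check itself. It reads the
program headers, the dynamic section and the dynamic string table directly (no
pyelftools). build_sample_elf() produces header-only ELF images (constructed
sample input, not runnable programs) so the checker can be exercised offline;
real use is `python3 elfcheck.py /usr/bin/docker` (the script name is assumed).
"""
import struct
import sys

# Constants from <elf.h>
ET_DYN, PT_LOAD, PT_DYNAMIC, PF_X = 3, 1, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 5, 10, 15, 24, 29, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
# libc functions that get a __*_chk variant under _FORTIFY_SOURCE (subset)
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "sprintf", "snprintf", "read", "gets"}
PHDR = struct.Struct("<IIQQQQQQ")  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def _segments(data):
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]


def _vaddr_to_off(segs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _, off, va, _, filesz, _, _ in segs:
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return off + (vaddr - va)
    raise ValueError("vaddr 0x%x is not file-backed" % vaddr)


def _dynamic(data, segs):
    """Return {d_tag: [d_val, ...]} from PT_DYNAMIC (empty for static binaries)."""
    dyn = {}
    for p_type, _, off, _, _, filesz, _, _ in segs:
        if p_type == PT_DYNAMIC:
            for pos in range(off, off + filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                dyn.setdefault(tag, []).append(val)
    return dyn


def check_hardening(data):
    """Return a dict of hardening properties for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    segs = _segments(data)
    dyn = _dynamic(data, segs)
    names, strtab_off = set(), None
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        strtab_off = _vaddr_to_off(segs, dyn[DT_STRTAB][0])
        # Every imported symbol name lives in .dynstr, so scanning it is enough to
        # see whether __stack_chk_fail or any __*_chk function is referenced.
        raw = data[strtab_off:strtab_off + dyn[DT_STRSZ][0]]
        names = {s.decode(errors="replace") for s in raw.split(b"\0") if s}
    cstr = lambda idx: data[strtab_off + idx:data.index(b"\0", strtab_off + idx)].decode()
    flags, flags1 = dyn.get(DT_FLAGS, [0])[0], dyn.get(DT_FLAGS_1, [0])[0]
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    stack = [f for t, f, *_ in segs if t == PT_GNU_STACK]  # no PT_GNU_STACK => executable stack
    relro = any(t == PT_GNU_RELRO for t, *_ in segs)
    fortified = {n for n in names if n.startswith("__") and n.endswith("_chk")}
    return {
        "pie": e_type == ET_DYN,  # hardening-check's rule; shared libraries are ET_DYN too
        "nx": bool(stack) and not (stack[0] & PF_X),
        "canary": "__stack_chk_fail" in names,  # absent also when no frame needed a canary
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "bind_now": bind_now,
        "fortify": "yes" if fortified else ("no, only unprotected functions found" if names & FORTIFIABLE else "n/a"),
        "rpath": [cstr(i) for i in dyn.get(DT_RPATH, [])],
        "runpath": [cstr(i) for i in dyn.get(DT_RUNPATH, [])],
    }


def build_sample_elf(nx=True, canary=True, bind_now=True, relro=True, runpath=None, pie=True):
    """Constructed sample input: ELF header + 4 program headers + .dynstr + .dynamic, nothing else."""
    strs = [b"", b"__memcpy_chk", b"strcpy"] + ([b"__stack_chk_fail"] if canary else [])
    if runpath:
        strs.append(runpath.encode())
    dynstr = b"\0".join(strs) + b"\0"
    dynstr_off = 64 + 4 * PHDR.size
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7          # 8-byte align the dynamic array
    entries = [(DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr))]
    entries += [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    entries += [(DT_RUNPATH, dynstr.index(runpath.encode()))] if runpath else []
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries + [(DT_NULL, 0)])
    total = dyn_off + len(dynamic)
    phdrs = PHDR.pack(PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)  # one R segment at vaddr 0
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8)
    phdrs += PHDR.pack(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)  # RW vs RWX stack
    phdrs += PHDR.pack(PT_GNU_RELRO if relro else 0, 4, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1)
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, PHDR.size, 4, 0, 0, 0)
    return ehdr + phdrs + dynstr.ljust(dyn_off - dynstr_off, b"\0") + dynamic


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    targets = targets or [("constructed sample", build_sample_elf(nx=False, runpath="/opt/app/lib"))]
    for path, blob in targets:
        print(path + ":")
        for key, val in check_hardening(blob).items():
            print(f"  {key}: {val}")
```

The blind spots are the same as hardening-check's: a binary built with -fstack-protector that has no frame worth protecting never references __stack_chk_fail, and shared libraries are ET_DYN just like PIE executables (newer linkers set DF_1_PIE in DT_FLAGS_1 to tell them apart). A non-empty "rpath" or "runpath" on a setuid binary is the case the RPATH/RUNPATH bullet above warns about and deserves a look at the directory's permissions.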

So, without further ado, let us get to the numbers. Tables 4 and 5 summarise the analysis of the executables and the libraries, respectively, for the various distributions.

  • As you can see, NX protection is applied almost everywhere, with rare exceptions. In particular, it is slightly less prevalent in Ubuntu and Debian than in CentOS, RHEL and OpenSUSE.
  • Stack canaries are missing in many places, especially in distributions with old kernels. Some progress is visible in the recent CentOS, RHEL, Debian and Ubuntu releases.
  • Except for Debian and Ubuntu 18.04, most distributions have poor PIE coverage.
  • Stack clash protection is weak in OpenSUSE, CentOS 7 and RHEL 7, and practically absent in the others.
  • All distributions with modern kernels have some RELRO coverage, with Ubuntu 18.04 in the lead and Debian second.

As noted earlier, the metrics in these tables are averaged over all versions of the binaries. If you look only at the latest versions of the files, the figures differ (see, for example, Debian's progress in adopting PIE). Moreover, most distributions only test a few functions per binary when computing such statistics, whereas our analysis reports the actual share of functions that are hardened. So if 5 of the 50 functions in a binary are protected, we assign it a score of 0.1, corresponding to 10% of functions hardened.

Table 4. Security characteristics of the executables shown in Fig. 3 (adoption of each feature as a percentage of the total number of executables)

Table 5. Security characteristics of the libraries shown in Fig. 3 (adoption of each feature as a share of the total number of libraries)

So is there progress? There certainly is: it can be seen both in the statistics of individual distributions (e.g. Debian) and in the tables above. As an example, Fig. 6 shows the adoption of protection mechanisms across three consecutive Ubuntu LTS releases (stack clash protection statistics are omitted). We see that from release to release more and more binaries use stack canaries, and more and more ship with full RELRO.

Fig. 6

Unfortunately, a number of executables in the various distributions still have none of the protections above. Looking at Ubuntu 18.04, for example, you will find the ngetty binary (a getty replacement), the mksh and lksh shells, the picolisp interpreter, the nvidia-cuda-toolkit package (a popular package for GPU-accelerated software such as machine-learning frameworks) and klibc-utils. Similarly, the mandos-client binary (an administration tool that allows rebooting machines with encrypted file systems) and rsh-redone-client (a reimplementation of rsh and rlogin) ship without NX protection even though they are setuid :(. Several other setuid binaries lack basic protections such as stack canaries (e.g. the Xorg.wrap binary from the Xorg package).

Summary and closing remarks

In this article we examined several security features of modern Linux distributions. The analysis showed that the latest Ubuntu LTS release (18.04) applies, on average, the strongest OS- and application-level protection among the distributions with relatively new kernels, ahead of Ubuntu 14.04, 16.04 and Debian 9. The CentOS, RHEL and OpenSUSE distributions we tested ship a denser package set in the default configuration, and their latest versions (CentOS 7 and RHEL 7) have a higher share of stack clash protection than their Debian-based competitors (Debian and Ubuntu). Comparing CentOS and Red Hat releases, we see large improvements in stack canary and RELRO adoption from version 6 to version 7, and on average CentOS has more features enabled than RHEL. In general, all distributions should pay particular attention to PIE, which, apart from Debian 9 and Ubuntu 18.04, is applied to less than 10% of the binaries in our dataset.

Finally, it should be noted that although we carried out this research by hand, there are many security tools available (e.g. Lynis, Tiger, Hubble) that analyse systems and help avoid insecure configurations. Unfortunately, even strong protection in a sensible configuration does not guarantee the absence of exploits. That is why we firmly believe it is essential to have reliable monitoring and real-time attack prevention that focuses on exploitation patterns and blocks them.

Source: www.habr.com
