TL; DR. Kweli nqaku, siphonononga izikimu ezilukhuni ezisebenza ngaphandle kwebhokisi kwizinikezelo ezintlanu ezidumileyo zeLinux. Kunye, sithathe uqwalaselo lwe kernel olungagqibekanga, silayishe zonke iipakethe, kwaye sihlalutye amacebo okhuseleko kwi-binaries eqhotyoshelweyo. Unikezelo oluqwalaselwayo yi-OpenSUSE 12.4, Debian 9, CentOS, RHEL 6.10 kunye ne-7, kunye no-Ubuntu 14.04, 12.04 kunye ne-18.04 LTS.
Iziphumo ziqinisekisa ukuba neenkqubo ezisisiseko ezifana neecanaries ezipakishwayo kunye nekhowudi ezimeleyo yendawo azikasetyenziswa ngokubanzi. Imeko imbi ngakumbi kubaqulunqi xa kuziwa ekukhuseleni ubuthathaka obufana nokungqubana kwestack, okuthe kwabonakala ngoJanuwari emva kokupapashwa. . Kodwa asiyiyo yonke into engenathemba kangako. Inani elibalulekileyo leebhinari liphumeza iindlela zokukhusela ezisisiseko, kwaye inani labo likhula ukusuka kwinguqulo ukuya kwinguqulo.
Uphicotho lubonise ukuba i-Ubuntu 18.04 inokhuseleko oluninzi oluphunyeziweyo kwi-OS kunye nenqanaba lesicelo, lilandelwa yi-Debian 9. Ngakolunye uhlangothi, i-OpenSUSE 12.4, i-CentOS 7 kunye ne-RHEL 7 nayo iphumeze izikimu zokukhusela ezisisiseko, kwaye ukhuseleko lokungqubana kwe-stack lusetyenziswa ngakumbi. ngokubanzi kunye neseti eshinyeneyo kakhulu yeepakethe ezingagqibekanga.
Intshayelelo
Kunzima ukubonelela ngesoftware ekumgangatho ophezulu. Ngaphandle kwenani elikhulu lezixhobo eziphambili zokuhlalutya ikhowudi ye-static kunye nohlalutyo oluguqukayo ngexesha lokuqhuba, kunye nenkqubela phambili ebalulekileyo ekuphuhliseni abaqulunqi kunye neelwimi zeprogram, isofthiwe yanamhlanje isenobuthathaka obuhlala buxhatshazwa ngabahlaseli. Imeko imbi ngakumbi kwi-ikhosistim equka ikhowudi yelifa. Kwiimeko ezinjalo, asijonganga kuphela nengxaki engapheliyo yokufumana iibhugi ezinokuthi zixhaphake, kodwa sinyanzelwa zizikhokelo ezihambelanayo ezibuyela umva ezihlala zifuna ukuba sigcine umda, kwaye okubi nakakhulu, ubuthathaka okanye ikhowudi ye-buggy.
Kulapho ubuchule bokuqina busebenza khona. Asinakuthintela ezinye iintlobo zeempazamo, kodwa sinokwenza ubomi bomhlaseli bube nzima ngakumbi kwaye sisombulule ingxaki ngokuyithintela okanye ukuyithintela. ukuxhaphaza ezi mpazamo. Ukhuseleko olunjalo lusetyenziswa kuzo zonke iinkqubo zokusebenza zanamhlanje, kodwa iindlela zihluke kakhulu kubunzima, ukusebenza kakuhle kunye nokusebenza: ukusuka kwii-canaries kunye ne-stack canaries. kukhuseleko olupheleleyo ΠΈ . Kweli nqaku, siza kujonga ukuba zeziphi iindlela zokhuseleko ezisetyenziswa kwezona zisasazo zeLinux ezidumileyo kuqwalaselo olungagqibekanga, kunye nokuphonononga iipropathi zeebhinari ezisasazwa kwiinkqubo zolawulo lwephakheji yonikezelo ngalunye.
I-CVE kunye nokhuseleko
Sonke siwabonile amanqaku anezihloko ezinje ngo "Ezona Nkqubo ziSesichengeni zoNyaka" okanye "Ezona nkqubo zisesichengeni sokuSebenza." Ngokwesiqhelo kukho izibalo kwitotali yenani leerekhodi malunga nobuthathaka obunje efunyenwe kwi ukusuka kunye neminye imithombo. Emva koko, ezi zicelo okanye i-OS zibekwe ngenani leeCVEs. Ngelishwa, ngelixa ii-CVEs ziluncedo kakhulu ekulandeleni imiba kunye nokwazisa abathengisi kunye nabasebenzisi, bathetha kancinci malunga nokhuseleko lwesoftware.
Njengomzekelo, qwalasela inani elipheleleyo lee-CVEs kule minyaka mine idlulileyo kwi-Linux kernel kunye nezona zisasazo ezintlanu zeseva ezaziwa kakhulu, ezizezi, Ubuntu, Debian, Red Hat Enterprise Linux, kunye ne-OpenSUSE.
Ikhiwane. 1
Isixelela ntoni le grafu? Ngaba inani eliphezulu lee-CVEs lithetha ukuba ukuhanjiswa okunye kusengozini ngakumbi kunomnye? Akukho mpendulo. Umzekelo, kweli nqaku uya kubona ukuba iDebian ineendlela zokhuseleko ezomeleleyo xa kuthelekiswa, yithi, OpenSUSE okanye iRedHat Linux, ukanti iDebian ineeCVE ezininzi. Nangona kunjalo, azithethi ukuba ukhuseleko olubuthathaka: nokuba ubukho be-CVE abubonisi ukuba sesichengeni. xhatshazwa. Amanqaku obunzima anika isalathiso sokuba njani mhlawumbi ukusetyenziswa kobuthathaka, kodwa ekugqibeleni ukuxhaphazwa kuxhomekeke kakhulu kukhuseleko olukhoyo kwiinkqubo ezichaphazelekayo, kunye nezibonelelo kunye nobuchule babahlaseli. Ngaphezu koko, ukungabikho kweengxelo ze-CVE akuthethi nto ngezinye engabhaliswanga okanye ayaziwa ubuthathaka. Umahluko kwi-CVE unokuba ngenxa yezinto ezingaphandle komgangatho wesoftware, kubandakanywa izixhobo ezabelwe uvavanyo okanye ubungakanani besiseko somsebenzisi. Kumzekelo wethu, inani eliphezulu le-Debian lee-CVEs linokubonisa nje ukuba i-Debian ithumela iipakethe ezininzi zesoftware.
Ewe kunjalo, inkqubo yeCVE ibonelela ngolwazi oluluncedo olukuvumela ukuba wenze ukhuseleko olufanelekileyo. Okukhona siqonda ngcono ukuba kutheni inkqubo isilela, kokukhona kuya kuba lula ukuchonga izinto ezinokwenzeka kunye nokuphuhlisa iindlela ezifanelekileyo. ukufunyanwa kunye nempendulo. Kwikhiwane. 2 ibonisa iindidi zobuthathaka kulo lonke unikezelo kule minyaka mine idlulileyo (). Unokubona ngoko nangoko ukuba uninzi lwee-CVEs ziwela kwezi ndidi zilandelayo: ukwaliwa kwenkonzo (DoS), ukwenziwa kwekhowudi, ukuphuphuma, ukonakala kwememori, ukuvuza kolwazi (ukukhutshwa), kunye nokunyuka kwamalungelo. Nangona ii-CVE ezininzi zibalwa izihlandlo ezininzi kwiindidi ezahlukeneyo, ngokubanzi imiba efanayo iyaqhubeka unyaka nonyaka. Kwinxalenye elandelayo yenqaku, siya kuvavanya ukusetyenziswa kweendlela ezahlukeneyo zokukhusela ukukhusela ukuxhaphazwa kobu bubuthathaka.
Ikhiwane. 2
Iinjongo
Kweli nqaku, sijonge ukuphendula le mibuzo ilandelayo:
- Yintoni ukhuseleko losasazo lweLinux olwahlukileyo? Zeziphi iindlela zokhuseleko ezikhoyo kwi-kernel nakwi-user-space application?
- Ukwamkelwa kweendlela zokukhusela ukuhanjiswa okwahlukeneyo kutshintshe njani ekuhambeni kwexesha?
- Ngowuphi umndilili wokuxhomekeka kwiipakethe kunye namathala eencwadi kunikezelo ngalunye?
- Loluphi ukhuseleko oluphunyeziweyo kubini ngamnye?
Ukukhetha ukuhanjiswa
Kufumaniseka ukuba kunzima ukufumana izibalo ezichanekileyo zofakelo losasazo, kuba kumaxesha amaninzi inani lokukhutshelwa alibonisi inani loqobo lofakelo. Nangona kunjalo, ukwahluka kwe-Unix zenza uninzi lweenkqubo zeseva (69,2% kwiiseva zewebhu, ngokutsho W3techs kunye neminye imithombo), kwaye isabelo sabo sikhula rhoqo. Ngaloo ndlela, kufundisiso lwethu sagxininisa kulwabiwo olufumanekayo ngaphandle kwebhokisi eqongeni . Ngokukodwa, sikhethe le OS ilandelayo:
Ukusasazwa/uguqulelo
Eyona nto iphambili
Yakha
Vula iSUSE 12.4
4.12.14-95.3-ehlala ikho
#1 SMP Wed Dec 5 06:00:48 UTC 2018 (63a8d29)
I-Debian 9 (yolula)
4.9.0-8-amd64
#1 SMP Debian 4.9.130-2 (2018-10-27)
CentOS 6.10
2.6.32-754.10.1.el6.x86_64
#1 SMP Tue Jan 15 17:07:28 UTC 2019
CentOS 7
3.10.0-957.5.1.el7.x86_64
#1 SMP NgoLwesihlanu ngoFebhruwari 1 14:54:57 UTC 2019
I-Red Hat Enterprise Linux Server 6.10 (Santiago)
2.6.32-754.9.1.el6.x86_64
#1 SMP Wed Nov 21 15:08:21 EST 2018
I-Red Hat Enterprise Linux Server 7.6 (Maipo)
3.10.0-957.1.3.el7.x86_64
#1 SMP Lwesine Nov 15 17:36:42 UTC 2018
Ubuntu 14.04 (Trusty Tahr)
4.4.0β140-generic
#166~14.04.1-Ubuntu SMP Sat Nov 17 01:52:43 UTC 20β¦
Ubuntu 16.04 (Xenial Xerus)
4.15.0-1026-gcp
#27~16.04.1-Ubuntu SMP Fri 7 Dec 09:59:47 UTC 2018
Ubuntu 18.04 (Bionic Beaver)
4.15.0-1026-gcp
#27-Ubuntu SMP Lwesine Dec 6 18:27:01 UTC 2018
Ithebula 1
Uhlalutyo
Masifunde uqwalaselo lwe-kernel olungagqibekanga, kunye neempawu zeepakethe ezifumanekayo ngomphathi wephakheji yonikezelo ngalunye ngaphandle kwebhokisi. Ke, sijonga kuphela iipakethe ezivela kwizibuko ezingagqibekanga zonikezelo ngalunye, ukungahoyi iipakethe ezivela kwiindawo zokugcina ezingazinzanga (ezifana nezibuko zeDebian 'zokuvavanya') kunye neepakethe zomntu wesithathu (ezifana neepakethe zeNvidia ezivela kwizipili eziqhelekileyo). Ukongeza, asikuthatheli ngqalelo ukudityaniswa kwekernel yesiko okanye ulungelelwaniso oluqinisiweyo lokhuseleko.
Uhlalutyo lwe-Kernel Configuration
Sisebenzise iskripthi sokuhlalutya ngokusekelwe . Makhe sijonge kwiiparamitha zokukhusela ezingaphandle kwebhokisi zonikezelo olubiziweyo kwaye sizithelekise noluhlu oluvela (KSPP). Kukhetho ngalunye loqwalaselo, iTheyibhile 2 ichaza isicwangciso esinqwenelekayo: ibhokisi yokukhangela yeyonikezelo oluthobela izikhokelo ze-KSSP (bona ngezantsi ingcaciso yamagama). ; Kumanqaku azayo siza kuchaza ukuba zingaphi ezi ndlela zokhuseleko eziye zabakho kunye nendlela yokukhwabanisa inkqubo xa zingekho).
Ngokubanzi, iinkozo ezintsha zinemimiselo engqongqo ngaphandle kwebhokisi. Umzekelo, i-CentOS 6.10 kunye ne-RHEL 6.10 kwi-kernel 2.6.32 ayinazo uninzi lwezinto ezibaluleke kakhulu eziphunyezwe kwiinkozo ezintsha, ezifana , iimvume ezingqongqo ze-RWX, idilesi ye-randomization, okanye ukhuseleko lwe-copy2usr. Kufuneka kuqatshelwe ukuba ezininzi iinketho zokumisela ukusuka kwitheyibhile azifumaneki kwiinguqulelo ezindala ze-kernel kwaye azisebenzi ngokwenyani - kwitheyibhile oku kusaboniswa njengokungabikho kokhuseleko olufanelekileyo. Ngokufanayo, ukuba isicwangciso soqwalaselo asikho kuguqulelo olunikiweyo, kwaye ngenxa yezizathu zokhuseleko ucwangciso kufuneka lungasebenzi, oku kuthathwa njengobumbeko olufanelekileyo.
Enye ingongoma ekufuneka iqwalaselwe xa utolika iziphumo: ezinye izilungiso zekernel ezandisa indawo yokuhlaselwa nazo zingasetyenziselwa ukhuseleko. Imizekelo enjalo ibandakanya ii-uprobes kunye ne-kprobes, iimodyuli zekernel, kunye ne-BPF/eBPF. Isindululo sethu kukusebenzisa iindlela ezingentla ukubonelela ngokhuseleko lwangempela, njengoko kungenamsebenzi omncinci wokusetyenziswa kwaye ukuxhaphazwa kwabo kuthatha ukuba abadlali abakhohlakeleyo sele befumene isiseko kwinkqubo. Kodwa ukuba ezi zikhetho zenziwe zasebenza, umlawuli wenkqubo kufuneka ebeke iliso ngokusebenzayo kuxhatshazo.
Xa sijonge phambili kumangeno akwiTheyibhile 2, siyabona ukuba iinkozo zangoku zibonelela ngeendlela ezininzi zokukhusela ngokuchasene nokuxhatshazwa okubuthathaka okufana nokuvuza kolwazi kunye nokuphuphuma kwemfumba/imfumba. Nangona kunjalo, siqaphela ukuba nokusasazwa okudumileyo akukaphumezi ukhuseleko oluntsonkothileyo (umzekelo, ngeepetshi ) okanye ukhuseleko lwangoku kuhlaselo lokuphinda usebenzise ikhowudi (umzekelo, ). Ukwenza izinto zibe mbi ngakumbi, kwanolu khuseleko luhambele phambili ngakumbi alukhuseli kuluhlu olupheleleyo lohlaselo. Ke ngoko, kubalulekile ukuba abalawuli benkqubo bancedise ulungelelwaniso olukrelekrele kunye nezisombululo ezibonelela ngexesha lokukhangela ukuxhaphazwa kunye nokuthintela.
Uhlalutyo lwesicelo
Akumangalisi ukuba, unikezelo olwahlukeneyo luneempawu zephakheji ezahlukeneyo, ukhetho lokuqokelela, ukuxhomekeka kwithala leencwadi, njalo njalo. unikezelo kunye neepakethe ezinenani elincinci lokuxhomekeka (umzekelo, ii-coreutils ku-Ubuntu okanye i-Debian). Ukuvavanya iyantlukwano, sikhuphele zonke iipakethe ezikhoyo, sikhuphe imixholo yazo, kwaye sihlalutye iibhinari kunye nokuxhomekeka. Kwiphakheji nganye, sigcine umkhondo wezinye iipakethe ezixhomekeke kuzo, kwaye kwibinary nganye, silandelele ukuxhomekeka kwayo. Kweli candelo sishwankathela izigqibo ngokufutshane.
unikezelo
Lilonke, sikhuphe iipakethe ze-361 kuzo zonke izabelo, sikhupha kuphela iipakethi kwizibuko ezingagqibekanga. Asizange sizihoye iipakethe ngaphandle kwe-ELF executables, njengemithombo, iifonti, njl. Emva kokucoca, iipakethe ze-556 zahlala, ziqulethe i-129 ye-binaries iyonke. Ukuhanjiswa kweepakethe kunye neefayile kuzo zonke izinikezelo kuboniswe kwiFig. 569.
Ikhiwane. 3
Unokuqaphela ukuba unikezelo lwangoku ngakumbi, kokukhona iipakethe ezininzi kunye nokubini iqulethe, okusengqiqweni. Nangona kunjalo, iipakethe ze-Ubuntu kunye ne-Debian ziquka iibhinari ezininzi (zombini eziphunyeziweyo kunye neemodyuli ezinamandla kunye namathala eencwadi) kune-CentOS, SUSE kunye ne-RHEL, enokuthi ichaphazele umphezulu wohlaselo we-Ubuntu kunye ne-Debian (kufuneka kuqatshelwe ukuba amanani abonisa zonke iibhinari zazo zonke iinguqulelo. iphakheji, oko kukuthi, ezinye iifayile zicazululwa amaxesha amaninzi). Oku kubaluleke ngakumbi xa ucinga ngokuxhomekeka phakathi kweepakethe. Ngoko ke, ukuba sesichengeni kwipakethe enye yokubini kunokuchaphazela iindawo ezininzi ze-ecosystem, njengokuba ithala leencwadi elisemngciphekweni linokuchaphazela zonke iibhinari eziyingenisayo ngaphandle. Njengesiqalo, makhe sijonge ukuhanjiswa kwenani lokuxhomekeka phakathi kweepakethe kwiinkqubo ezahlukeneyo zokusebenza:
Ikhiwane. 4
Phantse kuzo zonke izabelo, i-60% yeepakethe zinee-deelines ezili-10. Ukongeza, ezinye iipakethi zinenani elikhulu kakhulu lokuxhomekeka (ngaphezu kwe-100). Kukwasebenza okufanayo ukubuyisela umva ukuxhomekeka kwepakethe: njengoko kulindelekile, iipakethe ezimbalwa zisetyenziswa ngamanye amaphakheji amaninzi kunikezelo, ngoko ke ubuthathaka kwezo zimbalwa zikhethiweyo zinomngcipheko omkhulu. Njengomzekelo, le theyibhile ilandelayo idwelisa iipakethe ezingama-20 ngenani eliphezulu lokuxhomekeka umva kwi-SLES, i-Centos 7, i-Debian 9 kunye ne-Ubuntu 18.04 (iseli nganye ibonisa iphakheji kunye nenani lokuxhomekeka umva).
Ithebula 3
Inyaniso enomdla. Nangona zonke ii-OS ezihlalutyiweyo zakhelwe ulwakhiwo lwe-x86_64, kwaye uninzi lweepakethe zinezakhiwo ezichazwe njenge-x86_64 kunye ne-x86, iipakethe zihlala ziqulathe iibhinari zolunye ulwakhiwo, njengoko kubonisiwe kwiFig. 5.
Ikhiwane. 5
Kwicandelo elilandelayo, siya kungena kwiimpawu zeebhinari ezihlalutyiweyo.
Iinkcukacha-manani zokhuseleko lwefayile kanambambili
Njengobuncinci obupheleleyo, kufuneka ufunde iseti esisiseko yokhetho lokhuseleko lweebhinari ezikhoyo. Unikezelo oluninzi lweLinux luza nezikripthi ezenza uhlolo olunjalo. Umzekelo, iDebian/Ubuntu ineskripthi esinjalo. Nanku umzekelo womsebenzi wakhe:
$ hardening-check $(which docker)
/usr/bin/docker:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yesIscript sijonga ezintlanu :
- Isikhundla esiSebenzisiweyo esiZimeleyo (PIE): Ibonisa ukuba icandelo lombhalo weprogram linokufuduswa kwimemori ukuze kuphunyezwe i-randomization ukuba i-ASLR ivuliwe kwi-kernel.
- Isitaki sikhuselwe: Nokuba iicanaries ezipakishiweyo zenziwe ukuba zikhuseleke kuhlaselo lokungqubana kwezipaki.
- Yomeleza Umthombo: ingaba imisebenzi engakhuselekanga (umzekelo, strcpy) ithathelwa indawo ngoogxa bayo abakhuseleke ngakumbi, kwaye iminxeba ejongwe ngexesha lokuqhuba ithathelwa indawo ngoogxa bayo abangajongwanga (umzekelo, i-memcpy endaweni ye-__memcpy_chk).
- Ukufuduswa kokufunda kuphela (i-RELRO): Nokuba amangenelo etafile yokufuduswa aphawulwe ukuba afundeka kuphela ukuba aqhutywa phambi kokuba kuqaliswe ukubulawa.
- Ukubophelela kwangoku: Nokuba isinxibelelanisi sexesha lokusebenza sivumela zonke iintshukumo phambi kokuba kuqaliswe ukuphunyezwa kwenkqubo (oku kulingana ne-RELRO epheleleyo).
Ngaba ezi ndlela zingentla zanele? Ngelishwa akukho. Zikhona iindlela ezaziwayo zokugqitha kuzo zonke ezi zikhuselo zingentla, kodwa xa ukhuselo luqina, kokukhona iphezulu ibha kumhlaseli. Umzekelo, kunzima kakhulu ukufaka isicelo ukuba i-PIE kunye nokubophelela kwangoku kuyasebenza. Ngokukwanjalo, i-ASLR epheleleyo ifuna umsebenzi owongezelelekileyo ukwenza umsebenzi wokuxhaphaza. Nangona kunjalo, abahlaseli abanobuchule sele bekulungele ukuhlangabezana nokhuseleko olunjalo: ukungabikho kwabo kuya kukhawulezisa i-hack. Kuyimfuneko ke ngoko ukuba la manyathelo athathwe njengemfuneko ubuncinci.
Besifuna ukufunda ukuba zingaphi iibhinari kunikezelo ekuthethwa ngalo ezikhuselweyo zezi ndlela, kunye nezinye iindlela ezintathu:
- Isuntswana elingafezekiyo () inqanda ukuphunyezwa kuwo nawuphi na ummandla ekungafuneki ukuba uphunyezwe, njengemfumba yemfumba, njl.
- Ibonisa indlela yophumezo esetyenziswa ngumlayishi oguqukayo ukufumana amathala athelekisekayo. Eyokuqala ithi esisinyanzelo kuyo nayiphi na inkqubo yangoku: ukungabikho kwayo kuvumela abahlaseli ukuba babhale ngokungenasizathu umthwalo wokuhlawula kwinkumbulo kwaye bawuphumeze njengoko injalo. Okwesibini, ulungelelwaniso lwendlela yokubaleka engachanekanga lunceda ukwazisa ikhowudi engathenjwa enokukhokelela kwinani leengxaki (umzekelo, , kwakunye ).
- Ukhuseleko lokungqubana kwezitaki lubonelela ngokhuseleko kuhlaselo olubangela ukuba istaki sidibane nezinye iindawo zenkumbulo (ezifana nemfumba). Xa kujongwa izenzo ezigwenxa zamva nje , siye sabona kufanelekile ukubandakanya le ndlela kwi-dataset yethu.
Ke, ngaphandle kokuqhubeka, masiye kumanani. Iitheyibhile 4 kunye ne-5 ziqulethe isishwankathelo sokuhlalutya kweefayile ezinokusetyenziswa kunye neelayibrari zokuhanjiswa okuhlukeneyo, ngokulandelanayo.
- Njengoko ubona, ukhuseleko lwe-NX luphunyezwa kuyo yonke indawo, ngaphandle kokungaqhelekanga. Ngokukodwa, umntu unokuqaphela ukusetyenziswa kwayo okuphantsi kancinci kwi-Ubuntu kunye ne-Debian yosasazo xa kuthelekiswa ne-CentOS, i-RHEL kunye ne-OpenSUSE.
- Iicanaries ezipakishweyo azikho kwiindawo ezininzi, ngakumbi kunikezelo ngeenkozo ezindala. Kubekho inkqubela-phambili kulwabiwo lwamva nje lwe-Centos, i-RHEL, i-Debian kunye ne-Ubuntu.
- Ngaphandle kweDebian kunye ne-Ubuntu 18.04, uninzi losasazo lunenkxaso ye-PIE embi.
- Ukhuseleko lokungqubana kwezitaki aluphunyezwanga kakuhle kwi-OpenSUSE, i-Centos 7, kunye ne-RHEL 7, kwaye akukho nto ikhoyo kwezinye.
- Lonke unikezelo oluneenkozo zangoku lunenkxaso ye-RELRO, kunye no-Ubuntu 18.04 ekhokela indlela kunye ne-Debian iza okwesibini.
Njengoko sele kukhankanyiwe, iimetrics kule theyibhile zingumndilili wazo zonke iinguqulelo zefayile yokubini. Ukuba ujonga kuphela kwiinguqulelo zamva nje zeefayile, amanani aya kwahluka (umzekelo, bona ). Ngaphezu koko, uninzi lonikezelo luvavanya kuphela ukhuseleko lwemisebenzi embalwa kubini xa ubala izibalo, kodwa uhlalutyo lwethu lubonisa ipesenti yokwenyani yemisebenzi eyenziwe lukhuni. Ngoko ke, ukuba i-5 kwi-50 imisebenzi ikhuselwe kwi-binary, siya kuyinika amanqaku e-0,1, ehambelana ne-10% yemisebenzi eqiniswayo.
Itheyibhile 4. Iimpawu zokhuseleko kwiifayile eziphunyeziweyo eziboniswe kwiFig. 3 (ukuphunyezwa kwemisebenzi efanelekileyo njengepesenti yenani lilonke leefayile ezinokusetyenziswa)
Uluhlu 5. Iimpawu zokhuseleko zamathala eencwadi aboniswe kwifig. 3 (ukuphunyezwa kwemisebenzi efanelekileyo njengepesenti yenani lilonke lamathala eencwadi)
Ngaba ikho inkqubela? Ngokuqinisekileyo kukho: oku kunokubonwa kwizibalo zonikezelo lomntu ngamnye (umzekelo, ), ngokunjalo nakuluhlu olungasentla. Ngokomzekelo, kwikhiwane. Umzobo we-6 ubonisa ukuphunyezwa kweendlela zokukhusela kwi-Ubuntu LTS 5 ezintathu ezilandelelanayo (asishiyi izibalo zokukhusela ukungqubana kwe-stack). Siqaphela ukuba ukusuka kuguqulelo ukuya kuguqulelo lweefayile ezininzi zixhasa i-canaries, kwaye ngokuqhubekayo ngakumbi iibhinari ziza nokhuseleko olupheleleyo lwe-RELRO.
Ikhiwane. 6
Ngelishwa, inani leefayile eziphunyezwayo kunikezelo olwahlukeneyo alukabi nalo naluphi na ukhuselo olungentla. Umzekelo, ujonge ku-Ubuntu 18.04, ungabona i-ngetty binary (indawo ye-getty), kunye ne-mksh kunye namaqokobhe e-lksh, itoliki ye-picolisp, iipakethe ze-nvidia-cuda-toolkit (iphakheji edumileyo yezicelo ezikhawulezayo ze-GPU. ezifana nezikhokelo zokufunda koomatshini), kunye ne-klibc -utils. Ngokunjalo, i-binary ye-mandos-client (isixhobo solawulo esikuvumela ukuba uqalise ngokuzenzekelayo oomatshini abaneendlela zefayile ezifihliweyo) kunye ne-rsh-redone-client (ukuphunyezwa kwakhona kwe-rsh kunye ne-rlogin) iza ngaphandle kokhuseleko lwe-NX, nangona banamalungelo e-SUID: (. Kwakhona, Iibhinari ezininzi ze-suid ziswele ukhuseleko olusisiseko olufana neecanaries ezipakishweyo (umzekelo, iXorg.wrap yokubini ukusuka kwiphakheji ye-Xorg).
Isishwankathelo kunye namagqabantshintshi
Kweli nqaku, siye sagxininisa iimpawu ezininzi zokhuseleko losasazo lweLinux lwangoku. Uhlalutyo lubonise ukuba ukuhanjiswa kwe-Ubuntu LTS yamva nje (18.04) kusetyenziswa, ngokomndilili, olona qilima lwe-OS kunye nokhuseleko lwenqanaba lesicelo phakathi konikezelo kunye neenkozo ezintsha, ezinje ngo-Ubuntu 14.04, 12.04 kunye ne-Debian 9. Nangona kunjalo, unikezelo oluhloliweyo CentOS, RHEL kunye I-OpenSUSE kwiseti yethu ngokungagqibekanga bavelisa iseti exineneyo yeepakethe, kwaye kwiinguqulelo zamva nje (i-CentOS kunye ne-RHEL) banepesenti ephezulu yokhuseleko lokungqubana kwezitaki xa kuthelekiswa nabakhuphisana baseDebian (Debian kunye no-Ubuntu). Ukuthelekisa i-CentOS kunye neenguqulelo ze-RedHat, siqaphela ukuphuculwa okukhulu ekuphunyezweni kwee-canaries ze-stack kunye ne-RELRO ukusuka kwiinguqulelo ze-6 ukuya kwi-7, kodwa ngokomndilili we-CentOS uneempawu ezininzi eziphunyeziweyo kune-RHEL. Ngokubanzi, zonke izinikezelo kufuneka zihlawule ngokukodwa ukhuseleko lwe-PIE, ngaphandle kwe-Debian 9 kunye ne-Ubuntu 18.04, iphunyezwe ngaphantsi kwe-10% yeebhinari kwidatha yethu.
Ekugqibeleni, kufuneka kuqatshelwe ukuba nangona siqhube uphando ngesandla, kukho izixhobo ezininzi zokhuseleko ezikhoyo (umz. , , ) eyenza uhlalutyo kwaye incede ukuphepha ulungelelwaniso olungakhuselekanga. Ngelishwa, kwanokhuseleko oluluqilima kuqwalaselo olufanelekileyo aluqinisekisi ukungabikho kokuxhaphaza. Yiyo loo nto sikholelwa ngokuqinileyo ukuba kubalulekile ukuqinisekisa ngokujolisa kwiipateni zokuxhaphaza kunye nokuthintela.
umthombo: www.habr.com