richinseattle

Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean

It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet.

We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening".

Note: The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.2.x (test) patch. The URLs and filenames in this document may become outdated, so fetch the latest from grsecurity.net and kernel.org.

Install dependencies:

richinseattle

./run_demo.sh 
Build demo binary..
gcc -m32 demo.c -o demo


Tracing taint propagation in demo vuln binary with pintool..
Logging initially enabled: 0
Code cache limit is 0
Starting program
This is modload()

richinseattle

Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
Richard Johnson

Biography

Richard Johnson is a computer security specialist with a focus on software
vulnerability analysis. Currently the Research Technical Lead of Talos Group
for Cisco, Richard offers 15 years of expertise and leadership in the software
security industry. Current responsibilities include research and development of
advanced fuzzing and crash analysis technologies facilitating the automation of

richinseattle

Vulnerability Discovery and Triage Automation Training

Richard Johnson

Jan 11, 2017

Overview

richinseattle

#include <Windows.h>
#include <time.h>

#include <string>
using namespace std;

#define BTF_FLAG   0x300 
#define TRAP_FLAG  0x100 

LONG CALLBACK TraceCallback(LPEXCEPTION_POINTERS ex)

richinseattle

#![feature(const_fn)]

// rust self-tracing benchmark using DebugCtl.BTF

extern crate winapi;
extern crate kernel32;
extern crate libc;

use std::time::Instant;

richinseattle

Static analysis

• panopticon - amd64 -> RREIL, slicing, SSA, VSA
  https://github.com/das-labor/panopticon

Graphs

• petgraph - adjacency list graph
  https://github.com/bluss/petgraph
  https://docs.rs/petgraph/0.4.4/petgraph/
• rust-graph-algos - Boost Graph Lib ported to rust
  https://github.com/flanfly/rust-graph-algos

richinseattle

#include <stdio.h>
#include <ctype.h>
 
#ifndef HEXDUMP_COLS
#define HEXDUMP_COLS 16
#endif
 
void hexdump(void *mem, unsigned int len)
{
        unsigned int i, j;

richinseattle

C:\code\radamsa>bin\libtest.exe

============= TEST: MEM TO MEM =============

virtualized radamsa_read(fd=3, buf=000000000118D180, count=2824)
requested: 2824  input_size: 64  input_index: 0  returned: 64

virtualized radamsa_read(fd=3, buf=000000000118D310, count=2760)
requested: 2760  input_size: 64  input_index: 64  returned: 0

richinseattle

// rust main skeleton 
//
// references: 
// error_chain: https://brson.github.io/2016/11/30/starting-with-error-chain

#![recursion_limit = "1024"]
#[macro_use]
extern crate error_chain;
// Create the Error, ErrorKind, ResultExt, and Result types
// note: other modules `use errors::*;` to get access to everything