Testing Openwall in Font

Creating Data Matrix 2d barcode in Font Testing Openwall

So you installed your Openwall patch and now you want to know if it does anything Well, the patch does come with some code you can use to test some functions. Inside the directory you unpacked you will find the Openwall, which is a C program called stacktest.c. You will compile this program and run some tests. Listing 1-63 shows how to compile the program. Listing 1-63. Compiling the stacktest.c Program puppy$ cd /usr/src/linux-.2.4.26-ow2/optional puppy$ gcc -o stacktest stacktest.c

This compile uses gcc to produce a binary called stacktest in the /usr/src/linux-2.4.26-ow2 directory. You can run stacktest to simulate a buffer overflow by running the following command: puppy# ./stacktest -e Attempting to simulate a buffer overflow exploit... Segmentation fault If the command execution ends in a Segmentation fault, then the buffer overflow attempt has failed and the patch is functioning as intended. If you have enabled the /tmp restrictions, you should also be able to test these by trying to create hard links in /tmp to files that you do not own or trying to write to named pipes you do not own. Do these tests as a normal user, not as the root user. Doing the tests as the root user proves nothing.

Other hardened kernels and kernel-hardening patches are available, and I will briefly cover some other available options. Many of the patches offer similar functionality, and I recommend you carefully read the documentation that accompanies them to find the one that suits you best.

The grsecurity package available at http://www.grsecurity.net/ provides a collection of detection, prevention, and containment modifications to the kernel. These include a rolebased access control system that allows you to add a finer granularity of access controls to users, applications, and processes based on defining roles. Amongst other features it also adds security to the chroot application, increases protection against buffer overflows, and provides a security infrastructure to the kernel. This package takes a considerable effort to configure and implement, and you need to design the role-based controls to suit your environment.

The Linux Intrusion Defense System (LIDS) is another patch that offers access controls such as SELinux and grsecurity. It also comes with a port scanner detector built into the kernel and provides some further file system hardening and network-hardening modifications that are related to security. LIDS is available from http://www.lids.org/, currently supports version 2.6 kernels, and is regularly updated.

The Rule Set Based Access Controls (RSBAC) project is one of the more fully featured kernel security packages. It offers a number of different access control models that you can use separately or together. It also offers process jails (a kernel-based version of the chroot command), resource controls, and support for the PaX project11 (designed to reduce the risk of buffer overflow and similar style of attacks). It is available at http://www.rsbac.org/, and it supports version 2.4 and 2.6 kernels.

11. http://pax.grsecurity.net/

The SELinux package is an initiative of the NSA and is available at http://www.nsa.gov/selinux/. Similar in style to the grsecurity package, it provides role-based access control lists (ACLs) that control what resources applications and processes are able to use. These ACLs are governed by a central security policy. The package comes with a kernel patch, some patches to system tools, and some administration tools. Like grsecurity this package also takes a considerable effort to configure and implement. You also need to design the role-based controls to suit your environment though the SELinux package does come with a sample security policy that you can modify for your purposes. SELinux also supports 2.6 kernels, and in the case of Red Hat Enterprise Linux it is integrated into version 3 of this distribution.