/gatekeeper

GATEKEEPER: Inline and on-target defense

Primary LanguageC

Gatekeeper

A collection of programs for controlling subprocesses on Linux and related operating systems.

Each module is available as a stand-alone binary, which will either fork and execve, or apply its mitigation and execve directly to the next in the chain.

Each module is also available as a library, which can be compiled into a larger, monolithic binary.

Requirements

apt-get -y install make gcc libpcre3-dev libcap-dev libpcap-dev libseccomp-dev

Building

You can use clang or gcc.

make
make CC=clang-3.5

You can also build a specific project.

cd src/chroot
make

Cross-Compiling

Just specify the name of the target. You must have an appropriate compiler toolchain installed.

make CROSS_COMPILE=aarch64-linux-gnu
make CROSS_COMPILE=arm-linux-gnueabihf

Testing

Requires bats.

make test

Chaining Modules

The modules are designed to be included in a larger project, or chained directly. For example:

$ ./blacklist/blacklist \
  ./pcap/pcap foo.pcap \
  ./alarm/alarm 10 \
  ./got_nobind/got_nobind \
  ./malloc/malloc \
  ./no_network/no_network \
  ./randenv/randenv \
  ./rlimit_cpu/rlimit_cpu 5 \
  ./rlimit_fsize/rlimit_fsize 0 \
  ./rlimit_nproc/rlimit_nproc 0 \
  ./segv/segv MYSEGV \
  ./setpgid/setpgid \
  ./setsid/setsid \
  /usr/bin/env LD_PRELOAD="$PWD/ldfuck/ldfuck.so $PWD/no_execve/no_execve.so" \
  /bin/sh

Modules

Here's a short descrption of each module. To build a module, just run make in its directory.

  • alarm - Kills the process and all of its children with SIGALRM after a period of time
  • blacklist - Blocks connections from blacklisted IP/IPv6 address ranges, by inspecting getpeername on stdin, stdout, stderr.
  • chroot - Does what it says on the tin.
  • delay - Adds in a time delay after every proxied read or write
  • devctf - Hooks calls to open to catch open("/dev/ctf",...) and returns a pre-determined file descriptor. This allows access to /dev/ctf from within a chroot.
  • got_bind - Forces the GOT to bind immediately
  • got_nobind - Prevents the GOT from binding, which prevents ASLR defeats by leaking the GOT
  • inotify_child - Watches only its own child process, and inspects its file table (via SIGSTOP and /proc/.../fd) to see if any handles are open.
  • inotify - Watches for events on a specific file, and kills all children (in a new process group) on an event.
  • ldfuck - Fucks with internal linker structures which are used to leak function addresses over-the-wire.
  • malloc - Sets environment variables understood by glibc and eglibc, which cause malloced memory to be initialized to a pattern, and freeed memory to be overwritten with a pattern. Useful for heap leaks/UAFs.
  • no_execve - Hooks all exec* and related (system, popen) function calls via the PLT. Also disables execve via seccomp-bpf.
  • no_network - Uses seccomp to prevent most socket-related syscalls.
  • noparent - Performs a double-fork before execveing so that, in the child process, getppid() will return 1 (pid of init) so that kill(SIGTERM, getppid()) shellcode is useless.
  • onepath - Allows execve calls, but checks /proc/self/exe in the new process to see if it is a specific, permitted path.
  • openfile - Opens a specific file on a specific file descriptor.
  • pcap - Captures all stdin/stdout/stderr to a pcap file, with accurate address information gathered from getpeername.
  • proxy - Communications forwarding template and hook library. Ideally suited to only performing a single copy of stdin/stdout/stderr instead of multiple copies between various consumers.
  • randenv - Adds a random-length environment variable to the environment, which should modify offsets on the stack.
  • regex - I/O filtering based on regular expressions
  • rlimit_cpu - Adds CPU time limits to all subprocesses
  • rlimit_fsize - Adds limits on the size of file which may be created
  • rlimit_nproc - Effectively prevents child processes from forking.
  • segv - Installs a SIGSEGV handler library, which will dump stack traces to a file. Requires libSegFault.so from libsegfault.
  • setpgid - Spawns the child in a new process group. All of its descendants can be easily killed with kill(SIGTERM, -pid).
  • setsid - Spawns the child in a new session.
  • signal - Masks off all signals. May interfere with segv and alarm modules.
  • unbuffer - Effectively disables libc buffering of stdout in the child by creating a pseudo-terminal (PTY) as its stdout (instead of a pipe).
  • unsocket - Turns all send and recv calls, which only work on sockets, into write and read calls, which work just fine on sockets, files, or pipes.