# Gatekeeper

A collection of programs for controlling subprocesses on Linux and related operating systems.

Each module is available as a stand-alone binary, which will either `fork` and `execve` the next program in the chain, or apply its mitigation and then `execve` the next program in the chain directly. The second style works because the mitigations (resource limits, process-group and session changes, seccomp filters, environment variables) are inherited across `execve`, which is what makes the modules composable.

Each module is also available as a library, which can be compiled into a larger, monolithic binary.
## Requirements

```sh
apt-get -y install make gcc libpcre3-dev libcap-dev libpcap-dev libseccomp-dev
```
## Building

You can use `clang` or `gcc`.

```sh
make
make CC=clang-3.5
```

You can also build a specific project:

```sh
cd src/chroot
make
```
## Cross-Compiling

Just specify the target triplet, which is used as the prefix of the cross toolchain's tools. You must have an appropriate compiler toolchain installed.

```sh
make CROSS_COMPILE=aarch64-linux-gnu
make CROSS_COMPILE=arm-linux-gnueabihf
```
## Testing

Requires `bats`.

```sh
make test
```
## Chaining Modules

The modules are designed to be included in a larger project, or chained directly. Each module consumes its own arguments and treats the remainder of the command line as the next program to run, so the mitigations accumulate before the final program (here `/bin/sh`) is started. For example:

```sh
$ ./blacklist/blacklist \
    ./pcap/pcap foo.pcap \
    ./alarm/alarm 10 \
    ./got_nobind/got_nobind \
    ./malloc/malloc \
    ./no_network/no_network \
    ./randenv/randenv \
    ./rlimit_cpu/rlimit_cpu 5 \
    ./rlimit_fsize/rlimit_fsize 0 \
    ./rlimit_nproc/rlimit_nproc 0 \
    ./segv/segv MYSEGV \
    ./setpgid/setpgid \
    ./setsid/setsid \
    /usr/bin/env LD_PRELOAD="$PWD/ldfuck/ldfuck.so $PWD/no_execve/no_execve.so" \
    /bin/sh
```
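The following is an added example, not part of Gatekeeper, of the pattern every link in such a chain follows: consume your own arguments, apply one mitigation, then `execve` the rest of the command line. It generalises the `rlimit_cpu`, `rlimit_fsize` and `rlimit_nproc` modules into a single binary that takes the resource name as an argument; the program name `rlimit_chain` and the resource keywords are inventions of this example, not the project's.

```c
/* rlimit_chain.c: one link in a Gatekeeper-style chain. It consumes its own two
 * arguments, lowers one resource limit, then execs the rest of the command line.
 * Added example, not project code; the name and resource keywords are invented here.
 *
 * Build:  gcc -O2 -Wall -o rlimit_chain rlimit_chain.c
 * Usage:  ./rlimit_chain RESOURCE VALUE PROGRAM [ARGS...]
 *         RESOURCE is one of cpu, fsize, nproc, as, nofile, core; VALUE is decimal.
 */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Map a short resource name to its RLIMIT_* constant, or -1 if unknown. */
int parse_resource(const char *name)
{
    static const struct { const char *name; int res; } table[] = {
        { "cpu",    RLIMIT_CPU    },  /* CPU seconds; SIGXCPU when exceeded (cf. rlimit_cpu)     */
        { "fsize",  RLIMIT_FSIZE  },  /* largest file the child may create (cf. rlimit_fsize)   */
        { "nproc",  RLIMIT_NPROC  },  /* processes per real uid; 0 makes fork fail (rlimit_nproc) */
        { "as",     RLIMIT_AS     },  /* total address space in bytes */
        { "nofile", RLIMIT_NOFILE },  /* open file descriptors */
        { "core",   RLIMIT_CORE   },  /* core dump size */
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0)
            return table[i].res;
    return -1;
}

/* Strict non-negative decimal parser: rejects signs, whitespace, trailing junk and
 * overflow, so "-1" or "5s" cannot silently turn into a huge or tiny limit. */
int parse_limit(const char *s, rlim_t *out)
{
    if (*s == '\0')
        return -1;
    unsigned long long v = 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        unsigned digit = (unsigned)(*s - '0');
        if (v > (ULLONG_MAX - digit) / 10)
            return -1;
        v = v * 10 + digit;
    }
    if (v > (unsigned long long)RLIM_INFINITY)   /* does not fit in rlim_t */
        return -1;
    *out = (rlim_t)v;
    return 0;
}

/* Set soft and hard limit together. The hard limit matters: an unprivileged child
 * may raise its soft limit back up to the hard limit but can only lower the hard one.
 * Returns 0, or -1 with errno set by setrlimit(2). */
int apply_limit(int resource, rlim_t value)
{
    struct rlimit rl = { .rlim_cur = value, .rlim_max = value };
    return setrlimit(resource, &rl);
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s RESOURCE VALUE PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    int res = parse_resource(argv[1]);
    rlim_t val;
    if (res < 0 || parse_limit(argv[2], &val) != 0) {
        fprintf(stderr, "%s: bad resource '%s' or value '%s'\n", argv[0], argv[1], argv[2]);
        return 2;
    }
    if (apply_limit(res, val) != 0) {
        perror("setrlimit");
        return 1;
    }
    /* Resource limits survive execve, so hand over to the next link directly
     * rather than forking and supervising it. */
    execv(argv[3], argv + 3);
    perror(argv[3]);   /* only reached if execv itself failed */
    return 127;
}
```

`./rlimit_chain nproc 0 ./rlimit_chain cpu 5 /bin/sh` chains two limits the same way the real modules are chained above. Two caveats a practitioner should keep in mind: `RLIMIT_NPROC` counts processes per real UID and is not enforced on processes holding `CAP_SYS_ADMIN` or `CAP_SYS_RESOURCE`, so it only bites an unprivileged child; and lowering the hard limit is deliberately one-way, so put any link that itself needs more of a resource earlier in the chain.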
## Modules

Here's a short description of each module. To build a module, just run `make` in its directory.

* `alarm` - Kills the process and all of its children with `SIGALRM` after a period of time.
* `blacklist` - Blocks connections from blacklisted IP/IPv6 address ranges, by inspecting `getpeername` on stdin, stdout, stderr.
* `chroot` - Does what it says on the tin. On its own, `chroot` is not a security boundary: a process that retains `CAP_SYS_CHROOT` (for instance one still running as root) can escape it.
* `delay` - Adds in a time delay after every proxied `read` or `write`.
* `devctf` - Hooks calls to `open` to catch `open("/dev/ctf", ...)` and returns a pre-determined file descriptor. This allows access to `/dev/ctf` from within a chroot.
* `got_bind` - Forces the GOT to bind immediately.
* `got_nobind` - Prevents resolved addresses from being written back into the GOT, so leaking the GOT no longer defeats ASLR: a read of the GOT yields the unresolved PLT stub addresses inside the binary rather than libc addresses.
* `inotify_child` - Watches only its own child process, and inspects its file table (via `SIGSTOP` and `/proc/.../fd`) to see if any handles are open.
* `inotify` - Watches for events on a specific file, and kills all children (in a new process group) on an event.
* `ldfuck` - Scribbles over the internal dynamic-linker structures that are commonly read to leak function addresses over the wire.
* `malloc` - Sets environment variables understood by glibc and eglibc, which cause `malloc`ed memory to be initialized to a pattern, and `free`d memory to be overwritten with a pattern. Useful for heap leaks/UAFs.
* `no_execve` - Hooks all `exec*` and related (`system`, `popen`) function calls via the PLT. Also disables `execve` via seccomp-bpf, so a direct syscall that bypasses the PLT hook is still blocked.
* `no_network` - Uses `seccomp` to prevent most socket-related syscalls.
* `noparent` - Performs a double-fork before `execve`ing so that, in the child process, `getppid()` will return `1` (pid of `init`, or the nearest subreaper if one is registered with `prctl(PR_SET_CHILD_SUBREAPER)`), making `kill(getppid(), SIGTERM)` shellcode useless.
* `onepath` - Allows `execve` calls, but checks `/proc/self/exe` in the new process to see if it is a specific, permitted path.
* `openfile` - Opens a specific file on a specific file descriptor.
* `pcap` - Captures all stdin/stdout/stderr to a pcap file, with accurate address information gathered from `getpeername`.
* `proxy` - Communications-forwarding template and hook library. Ideally suited to performing a single copy of stdin/stdout/stderr instead of multiple copies between various consumers.
* `randenv` - Adds a random-length environment variable to the environment, which shifts every stack address by a random amount from run to run and so breaks hard-coded stack offsets.
* `regex` - I/O filtering based on regular expressions.
* `rlimit_cpu` - Adds CPU time limits to all subprocesses.
* `rlimit_fsize` - Adds limits on the size of file which may be created.
* `rlimit_nproc` - Effectively prevents child processes from `fork`ing. `RLIMIT_NPROC` is counted per real UID and is not enforced on processes holding `CAP_SYS_ADMIN` or `CAP_SYS_RESOURCE`, so it only restricts an unprivileged child.
* `segv` - Installs a `SIGSEGV` handler library, which will dump stack traces to a file. Requires `libSegFault.so` from `libsegfault`.
* `setpgid` - Spawns the child in a new process group. All of its descendants that remain in that group can be easily killed with `kill(-pid, SIGTERM)`.
* `setsid` - Spawns the child in a new session.
* `signal` - Masks off all signals. May interfere with the `segv` and `alarm` modules.
* `unbuffer` - Effectively disables libc buffering of stdout in the child by creating a pseudo-terminal (PTY) as its stdout (instead of a pipe): stdio line-buffers a terminal but fully buffers a pipe.
* `unsocket` - Turns all `send` and `recv` calls, which only work on sockets, into `write` and `read` calls, which work just fine on sockets, files, or pipes.
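As an added example of the `LD_PRELOAD` interposition technique that `unsocket` and the PLT half of `no_execve` rely on (this is not Gatekeeper's own code), here is a small library that replaces `send`/`recv` with `write`/`read`. The file name and the `unsocket_selftest` helper are inventions of this example.

```c
/* unsocket_hook.c: an LD_PRELOAD library that turns send()/recv() into
 * write()/read(), in the spirit of Gatekeeper's unsocket module.
 * Added example, not the project's code.
 *
 * Build:  gcc -O2 -Wall -shared -fPIC -o unsocket_hook.so unsocket_hook.c
 * Use:    LD_PRELOAD=$PWD/unsocket_hook.so ./target   (stdin/stdout may now be pipes)
 *
 * The dynamic linker binds the target's PLT entries for send/recv to the first
 * definition it finds, and a preloaded library is searched before libc, so these
 * definitions win. Only calls that go through the PLT are caught: a statically
 * linked target, or one issuing the syscall directly, is unaffected, which is
 * why no_execve backs its PLT hooks with a seccomp filter.
 */
#undef _FORTIFY_SOURCE   /* glibc's fortified inline recv() would clash with ours */
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Socket-only flags (MSG_NOSIGNAL, MSG_DONTWAIT, ...) have no pipe equivalent and
 * are dropped; a caller depending on MSG_PEEK or MSG_OOB will behave differently. */
ssize_t send(int fd, const void *buf, size_t len, int flags)
{
    (void)flags;
    return write(fd, buf, len);
}

ssize_t recv(int fd, void *buf, size_t len, int flags)
{
    (void)flags;
    return read(fd, buf, len);
}

/* Self-test (a helper invented for this example): a pipe is not a socket, so an
 * unhooked send()/recv() on it fails with ENOTSOCK; with the hooks in place the
 * constructed message round-trips. Returns the byte count read back, or -1. */
ssize_t unsocket_selftest(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;

    const char msg[] = "hello through a pipe";   /* constructed sample input */
    char out[sizeof msg];
    memset(out, 0, sizeof out);

    ssize_t n = -1;
    if (send(p[1], msg, sizeof msg, MSG_NOSIGNAL) == (ssize_t)sizeof msg)
        n = recv(p[0], out, sizeof out, 0);

    close(p[0]);
    close(p[1]);

    if (n != (ssize_t)sizeof msg || memcmp(msg, out, sizeof msg) != 0)
        return -1;
    return n;
}
```

The `#undef _FORTIFY_SOURCE` is not cosmetic: distributions that enable fortification by default ship `recv` as an inline wrapper in the headers, and a second definition of the same name fails to compile. When hooking for denial rather than translation, as `no_execve` does, the interposed function simply sets `errno` and returns -1 instead of forwarding.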