On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote: > On Fri, 5 Dec 2003 10:39, Steve Kemp <[EMAIL PROTECTED]> wrote: > > ? I've been experimenting with producing a hardened Debian derivitive > > ?as a small piece of paid work. ?This mostly means compiling things with > > ?a stackguard compiler, using format guard, and enforcing policies, etc. > > Are you using any extra patches to GCC? Or just a GCC built with the > propolice option?
Yes I am using slightly modified patches from http://www.immunix.org/. The propolice is something that I shall be evaluating next. > How difficult is it to bootstrap this? Can you compile glibc with these > options without affecting anything else? So far I have built glibc with this modified GCC, (only so that I could apply the "FormatGuard" patches which are designed to combat format string attacks. Recompiling glibc wasn't something that I really wanted to try on the PII 233Mhz machine I have as my test box! Bootstrapping was very simple just a matter of applying the patche to GCC and rebuilding it, then having installed it I rebuilt several test packages which were exploitable previously and failed to be exploitable afterwards. (With the caveats that this patch doesnt protect against all attacks). I confess that I haven't rebuilt _all_ the interesting packages yet the kernel and X11 being the most likely to fail - but the packages that I did build, bash, perl, etc did compile with no observed side effects thus far. Steve -- # Debian Security Audit Project http://www.steve.org.uk/Debian/
