On Fri, 5 Dec 2003 13:18, Steve Kemp <[EMAIL PROTECTED]> wrote:
> On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> > On Fri, 5 Dec 2003 10:39, Steve Kemp <[EMAIL PROTECTED]> wrote:
> > > I've been experimenting with producing a hardened Debian derivative
> > > as a small piece of paid work. This mostly means compiling things
> > > with a stackguard compiler, using format guard, and enforcing
> > > policies, etc.
> >
> > Are you using any extra patches to GCC? Or just a GCC built with the
> > propolice option?
>
> Yes, I am using slightly modified patches from http://www.immunix.org/.
>
> The propolice is something that I shall be evaluating next.

I believe that our GCC packages already have propolice patched in but not enabled. Therefore it should be a much easier change to make for it to be included. As propolice is not invoked unless a special command-line parameter is passed to GCC it seems like a harmless thing to include. Why aren't GCC packages being built with it?

> > How difficult is it to bootstrap this? Can you compile glibc with these
> > options without affecting anything else?
>
> So far I have built glibc with this modified GCC, (only so that I
> could apply the "FormatGuard" patches which are designed to combat
> format string attacks. Recompiling glibc wasn't something that I
> really wanted to try on the PII 233MHz machine I have as my test box!
>
> Bootstrapping was very simple, just a matter of applying the patch to
> GCC and rebuilding it, then having installed it I rebuilt several test
> packages which were exploitable previously and failed to be exploitable
> afterwards. (With the caveats that this patch doesn't protect against
> all attacks).
>
> I confess that I haven't rebuilt _all_ the interesting packages yet,
> the kernel and X11 being the most likely to fail - but the packages
> that I did build, bash, perl, etc. did compile with no observed side
> effects thus far.

I think that the packages that need this most are glibc, X11, and Apache. At the moment even when running SE Linux X11 virtually owns the machine. For Fedora the X server needs to run modprobe and create arbitrary device nodes; presumably when XFree86 4.3.x packages arrive in Debian we will have the same situation (at least for people who want to use 3D graphics). Currently the X server gets read/write access to all memory, things are being changed to give it only access to address space <1M, but bitblt functions in the newer graphics cards should still allow it arbitrary memory access.

Basically if you can exploit an X server you can own the machine and there's nothing we can do about it until/unless Linus adds more graphics support to the kernel. Because of this XFree86 needs such protection more than most programs. Apache also needs it a lot as it's very complex and exposed to the network. But this may lead to some painful issues with modules...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page