cvs commit: hints winter.txt propolice.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Sat Dec 20 16:06:12 PST 2003


tushar      03/12/20 17:06:12

  Added:       .        winter.txt
  Removed:     .        propolice.txt
  Log:
  Renamed propolice to winter
  
  Revision  Changes    Path
  1.1                  hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
  
  DATE:   2003-12-20
  
  LICENSE:        Public Domain
  
  SYNOPSIS:       ProPolice + Libsafe + Pax + PIE
  
  PRIMARY URI:	http://www.topside.org/~ashes/
  
  DESCRIPTION:
  ProPolice is a C and C++ security extension for GCC.
  Libsafe is a preloaded library that prevents dangerous functions from being
  executed by applications.
  Pax is a kernel patch which adds obscurity and lessens the vulnerability of
  attacks.
  PIE is a gcc-3.4 backport to enable Position Independent Executables, which
  takes advantage of Pax.
  The combination of these provide powerfull security features in the toolchain.
  All of the above can work independently of eachother.
  
  PREREQUISITES: LFS-5.0
  
  HINT:
  
  =======
  Context
  =======
  
  	Introduction
  		ProPolice
  		Libsafe
  		Pax
  		Pie
  	Downloads
  	Installation
  	Testing ProPolice
  	Feedback
  	Acknowledgments
  
  ============
  Introduction
  ============
  On my desktop, 800mhz duron 512mb ram, I get one gcc error total from following
  this hint.
  The cvs LFS book is reccomended at this time.
  
  ----------------------------------
  Propolice Smashing Stack Protector
  ----------------------------------
  -The good news:
  
  Based on StackGaurd, Propolice was developed by IBM for protecting applications
  from stack smashing attcks. This is the single largest class of attacks and many
  hope Propolice will find its way into the mainstream GCC and become the default
  smash gaurd. This protection uses the urandom device to determine the gaurd
  value, and uses minimal time and space overhead. In practice users do not
  complain about loss in system preformance even when the entire system is build
  with this gaurd.
  
  The patch will add -fstack-protector-all, -fstack-protector, and
  -fno-stack-protector to GCC's extensions for C and C++; and
  __guard_setup and __stack_smash_handler are defined in libgcc2.c. It is
  reccomended the entire system be built with -fstack-protector, with the
  exception of Grub. Programs compiled with this which are run in chroot will
  need access to /dev/urandom and for logging /dev/log. Syslog puts it in
  /var/log/sys.log where intrusion detection can use it.
  I have tested propolice on kernel 2.4 and 2.6, and libc linuxthreads and nptl.
  It should work with any custom configuration you may have.
  
  -The bad news:
  
  Propolice assumes only character arrays are dangerous, and does not protect
  arrays of length 7 or less. Propolice does nothing to protect the heap.
  Optimizing more then -O2 may optimize away things propolice needs.
  
  You can expect one error from gcc3's testsuite.
  FAIL: gcc.dg/asm-names.c (test for excess errors)
  
  --------
  Libsafe
  --------
  -The good news:
  
  Libsafe was developed by Avaya Labs to protect against format string
  vulnerabilities. Though not widely used it has been widely tested. This
  protection can be installed on an already running system, using ld.so.preload
  to watch applications at runtime for functions which are known to be vulnerable.
  This of course only protects dynamicly linked applications. There should not be
  a noticable preformance decrease, and it also logs to syslog.
  
  -The bad news:
  
  We get some errors if we install libsafe early in the build.
  From gcc3
  FAIL: g++.dg/expr/anew1.C execution test
  FAIL: g++.dg/expr/anew2.C execution test
  FAIL: g++.dg/expr/anew3.C execution test
  FAIL: g++.dg/expr/anew4.C execution test
  
  From binutils
  FAIL: S-records
  FAIL: S-records with constructors
  
  To avoid these errors we install libsafe after gcc in chapter 6.
  Other bad news is unknown.
  
  ----
  Pax
  ----
  -The good news:
  TODO
  -The bad news:
  Unknown
  
  ----
  PIE
  ----
  -The good news:
  TODO
  -The bad news:
  This currently only works using a gcc-3.4 backport. It also needs Glibc-2.3.3
  (cvs) to work.
  This also requires a binutils which understands -pie.
  X, kde, and others, do not like building with gcc -pie. They can still be
  installed without -pie, for now.
  
  =========
  Downloads
  =========
  ----------
  Propolice
  ----------
  This site isn't very reliable, use it if you can.
  http://www.topside.org/~ashes/files/
  or
  ftp://twocents.mooo.com/pub/
  
  Patches are available for GCC 2.95.3, 3.3.1, and 3.3.2.
  The protector_only patches will make GCC use -fstack-protector all the time.
  http://www.linuxfromscratch.org/patches/downloads/gcc/ \
          gcc-{$ver}-protector-2.patch
  http://www.linuxfromscratch.org/patches/downloads/gcc/ \
          gcc-{$ver}-protector_only-2.patch
  
  This patch enables the kernel to be built with -fstack-protector.
  http://www.linuxfromscratch.org/patches/downloads/linux/ \
  	linux-2.4.23-protector-1.patch
  or
  	linux-2.6.0-protector-1.patch
  
  Use this patch when building xfree86. It will use -fno-stack-protector when
  building modules.
  http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
          XFree86-4.3.0-protector-1.patch
  
  --------
  Libsafe
  --------
  Official site:
  http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
  My mirror:
  http://www.topside.org/~ashes/files/libsafe/libsafe-2.0-16.tgz
  
  ----
  Pax
  ----
  http://www.linuxfromscratch.org/patches/downloads/linux/ \
  	linux-2.4.23-pax-1.patch
  Official site:
  http://pageexec.virtualave.net/ \
  	pax-linux-2.4.23-200312021730.patch
  http://cr0.org/aslr26/aslr26-linux-2.6.0-test9-200310272244.patch
  My mirror:
  http://www.topside.org/~ashes/files/pax/ \
  	linux-2.4.23-pax-1.patch
  http://www.topside.org/~ashes/files/pax/mirror/ \
  	aslr26-linux-2.6.0-test9-200310272244.patch
  
  This is an information leak patch. Its not available for 2.4.23 or 2.6.0 yet :(
  http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz
  
  ----
  PIE
  ----
  http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  	gcc-3.3.2-pie-1.patch
  For Gcc 3.3 and 3.3.1
  	gcc-3.3-pie-1.patch
  My mirror:
  http://www.topside.org/~ashes/files/pax/gcc-3.3.2-pie-1.patch
  http://www.topside.org/~ashes/files/pax/gcc-3.3-pie-1.patch
  
  --------------------
  Full Bounds Checking
  --------------------
  This is an auditing tool to give verbose debugging. Applications built with thiswill run like a pig. This is not intended for real world use, only for
  debugging. -fbounds-checking is added to gcc's extentions, and is not used by
  default.
  Official site:
  http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ \
  	bounds-checking-gcc-3.3.2-1.00.patch.bz2
  My mirror:
  http://www.topside.org/~ashes/files/fbounds/gcc-3.3.2-bounds-checking-1.patch
  or
  http://www.topside.org/~ashes/files/fbounds/gcc-3.3.2-bounds-plus-pie-1.patch
  
  ---------------------
  Binutils-2.14.90.0.7
  ---------------------
  You only need this for PIE.
  ftp://ftp.kernel.org/pub/linux/devel/binutils/
  
  ----------
  Glibc-cvs
  ----------
  # You only need this for PIE.
  # Like the nptl hint shows. Get glibc-cvs like this.
  cvs -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc -z3 co libc &&
  mv libc glibc-2.3-`date +%Y%m%d` &&
  tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d` &&
  rm -rf glibc-2.3-`date +%Y%m%d`
  
  =====================
  Installation
  =====================
  Propolice and libsafe can be used effectively on LFS-5.0. If you want to use PIE
  you need to get a copy of glibc-2.3.3-cvs, and binutils-2.14.90.0.7 or later.
  
  ---------
  Chapter 5
  ---------
   - Binutils
  Install binutils-2.14.90.0.7 just like the book says.
  Bison, m4, and flex need to be installed in chapter 5 to satisfy this version of
  binutils.
  
   - GCC pass 1
  If this is your second round with propolice, and the host system is running
  protector_only, you can use the protector_only patch in GCC pass 1. If it's your
  second round with PIE, you can use the PIE patch in gcc pass 1 also.
  The old version of this hint used a move to glibc patch which I have removed. I
  don't think its nessesary. In order to escape it do not patch at this stage,
  prepend CFLAGS="-fno-stack-protector -O2" to configure, and append it to make.
  This will work out after glibc is installed.
  
   - Glibc-cvs
  No need for the scanf patch with glibc-cvs. Add --enable-add-ons=linuxthreads to
  configure. This also works with nptl. Make check should pass with no errors. If
  you have libsafe on the host system you might want to remove "/lib/libsafe.so.2"
  from /etc/ld.so.preload just for glibc, and add it back after glibc is
  installed. This is not because of a libsafe violation, but libsafe will cause
  the glibc build to fail.
  
   - GCC pass 2
  Auditors might want to install gcc-3.3.2-bounds-plus-pie-1.patch, or
  gcc-3.3.2-bounds-checking-1.patch. The the patch contains instructions about its
  use. Use the gcc-3.3.2.tar.bz2 tarball to keep the patch from complaining.
  The Bounds Checking patch and PIE are merged, if applied seperatly they conflict
  on one file. If you're using PIE you should see "checking linker position
  independent executable support... yes" durring configure.
  
  patch -Np1 -i ../gcc-3.3.2-protector_only-2.patch
  patch -Np1 -i ../gcc-3.3.2-pie-1.patch
  
   - Binutils pass 2
  env CFLAGS="-pie -O2" ../binutils-2.14.90.0.7/configure \
  	 --prefix=/tools --enable-shared --with-lib-path=/tools/lib &&
  env CFLAGS="-pie -O2" make
  # There is a propolice, and PIE bug in the testsuite. Do this to pass the tests.
  make CFLAGS="-fno-stack-protector -O2" check
  
  # And now we have "shared object" because of -pie.
  $ file /tools/bin/ld
  /tools/bin/ld: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not 
  stripped
  
  The easiest thing do to now is this. Or pass env like we did above.
  This assumes you installed the propolice_only patch.
  export CFLAGS="-pie -O2"
  export CXXFLAGS="-pie -O2"
  
   - Bzip2
  cp Makefile Makefile.backup &&
  sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' Makefile.backup > Makefile &&
  make OPT="$CFLAGS" PREFIX=/tools install
  
  Install the rest of chapter 5, and don't forget to install m4, bison, and flex
  in /tools.
  
  ---------
  Chapter 6
  ---------
  # Glibc
  With this all your libraries will be shared objects.
  export CFLAGS="-pie -O2"
  export CXXFLAGS="-pie -O2"
  
  # Binutils
  make CFLAGS="-fno-stack-protector -O2" check
  
  # GCC
  patch -Np1 -i ../gcc-3.3.2-protector_only-2.patch
  patch -Np1 -i ../gcc-3.3.2-pie-1.patch
  
  # Libsafe
  # There are tests in the libsafe source you should look at.
  make &&
  make install
  
  # Net-tools
  make COPTS="-D_GNU_SOURCE -Wall $CFLAGS"
  
  # Bzip2
  cp Makefile Makefile.backup
  sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' \
  Makefile.backup > Makefile
  cp Makefile-libbz2_so Makefile-libbz2_so.backup
  sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' \
  Makefile-libbz2_so.backup > Makefile-libbz2_so
  
  make -f Makefile-libbz2_so OPT="$CFLAGS"
  make clean
  make OPT="$CFLAGS"
  
  # Kbd
  make CFLAGS="$CFLAGS"
  
  # Grub
  env CFLAGS="" ./configure --prefix=/usr
  make CFLAGS=-fno-stack-protector
  
  # Man
  cp man2html/Makefile.in man2html/Makefile.in.backup
  sed -e "s/CFLAGS = /CFLAGS = $CFLAGS /" \
  man2html/Makefile.in.backup > man2html/Makefile.in
  
  # Procinfo
  make LDLIBS=-lncurses CFLAGS="$CFLAGS"
  
  # Procps
  make CC="gcc -fpie"
  
  # Sysklogd
  make RPM_OPT_FLAGS="$CFLAGS"
  
  # Sysvinit
  make -C src CFLAGS="-Wall -D_GNU_SOURCE $CFLAGS"
  
  # GCC 2.95.3
  unset CFLAGS CXXFLAGS
  patch -Np1 -i ../gcc-2.95.3-protector.patch
  
  ---------
  Chapter 8
  ---------
  Linux kernel
  Choose all the Pax kernel options.
  
  make mrproper &&
  patch -Np1 -i ../linux-2.4.23-propolice-1.patch &&
  patch -Np1 -i ../linux-2.4.23-pax-1.patch
  
  make menuconfig
  
  make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
  make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage
  make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" modules
  make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" modules_install
  
  Try to remember to add -pie to CFLAGS/CXXFLAGS when to install other packages.
  
  =================
  Testing ProPolice
  =================
  
  ## This program overflows the stack.
  
  cat > test-propolice.c << "EOF"
  /* test-propolice.c */
  
  #define OVERFLOW "This is longer than 10 bytes"
  
  int main (int argc, char *argv[]) {
      char buffer[10];
      strcpy(buffer, OVERFLOW);
      return 0;
  }
  EOF
  
  # Then compile and run as follows
  
  gcc -fstack-protector -o test-propolice test-propolice.c &&
  ./test-propolice
  
  # That should return this to show the gaurd is working.
  # "stack smashing attack in function main"
  
  # You should also see a syslog message similar to this:
  
  # test-propolice[19961]: [ID 702911 auth.crit] stack smashing attack in function
  # main
  
  # This program segfaults and the gaurd ignores it.
  
  cat > fail.c << "EOF"
  #include <stdio.h>
  #include <unistd.h>
  
  int foo(char *blah) {
    char buffer[7];
    sprintf(buffer, "12345678901234567890123456789012345678901234567890");
    return(1234);
  }
  
  int main(int argc, char **argv) {
    printf("before foo()\n");
    foo("blah");
    printf("after foo()\n");
  }
  EOF
  
  gcc -fstack-protector -o fail fail.c &&
  ./fail
  
  # Which should return this.
  # before foo()
  # Segmentation fault
  
  ========
  Feedback
  ========
  
  <cendres at videotron dot ca>
  
  ACKNOWLEDGMENTS:
  
  * Thanks to Hiroaki Etoh for providing the protector patch to IBM
  * Thanks to IBM for providing the protector patch at
  	http://www.research.ibm.com/trl/projects/security/ssp/
  * Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
  * Thanks to netsys.com for this
  	http://www.netsys.com/cgi-bin/display_article.cgi?1266
  * Thanks to securityfocus.com and immunix.com for this
  	http://www.securityfocus.com/archive/1/333986/2003-08-17/2003-08-23/2
  * Thanks to adamantix.org for kernel patches. http://www.adamantix.org/
  * Thanks to Avaya Labs for Libsafe
  	http://www.research.avayalabs.com/project/libsafe/
  * Thanks to the Pax Team at http://pageexec.virtualave.net/
  * Thanks to Teemu Tervo for nptl hint
  	http://www.linuxfromscratch.org/hints/downloads/files/nptl.txt
  * Thanks to crosscompiling hint
  	http://www.linuxfromscratch.org/hints/downloads/files/ \
  		crosscompiling-x86.txt
  
  
  CHANGELOG:
  [2003-10-18]
  * Debut
  * Reformat hint
  [2003-10-22]
  * Reformatted the patches so they're much easier to apply.
  * Edit/rewrite hint & synopsis.
  [2003-10-24]
  * Added caveat.
  * Fixed URLS.
  * Lite edit
  [2003-10-25]
  * New bugs found.
  [2003-10-26]
  * GCC 2.95.3 patches made.
  [2003-10-27]
  * XFree86-4.3.0 patch made.
  * Hint is now Beta - Need more feedback.
  [2003-11-03]
  * Edit
  * Reformatted patches.
  [2003-11-12]
  * Reformat patches.
  * Update/edit hint.
  * Add new example tests.
  [2003-11-21]
  * Reformat patches.
  * Add homepage/mirror url.
  * Small edit.
  [2003-12-01]
  * Added Glibc and kernel patches.
  * Rewrote install procedure.
  [2003-12-20]
  * Try to be more informative.
  * Removed Gentoo property.
  * Added Libsafe.
  * Added Pax.
  * Added new versions of binutils and glibc.
  * Added GCC PIE.
  * Rename filename to winter.txt.
  
  
  



More information about the hints mailing list