ProPolice Hint Submission

ashes cendres at videotron.ca
Fri Oct 17 18:27:28 PDT 2003



Please consider adding the following to the list of hints.
###########################################

TITLE - LFS with ProPolice
LFS_VERSION - 0.1 Test Release - Please give feedback to author
AUTHOR - Robert Connolly <cendres at videotron dot ca> (aka ashes)

SYNOPSIS -
	Simple guide to using the LFS book to build with ProPolice enabled.
	More info at - http://www.research.ibm.com/trl/projects/security/ssp/
	and of course at - http://www.linuxfromscratch.org/

HINT -
	ProPolice is a GCC extension for protecting applications from
	stack-smashing attacks. Basically this is protection against buffer
	overflows.

To elaborate -
	This has been used against xlockmore-3.10, Perl-5.003, elm-2.003, and
	SuperProbe-2.11, which have known root exploits, and with this
	protection the application terminates with a message that a stack-smashing
	attack has been detected, instead of opening a shell. This guard protects
	against bugs and attacks not yet conceived.

1 - Prerequisites
-----------------------

	Complete at least one LFS system install as per the book.
	This hint is intended to fit somewhere in chapter 5

2 - Installing the patches
---------------------------------
/* This presumes you are starting from a fresh installation of LFS. The
patches should work on gcc-2.95.3 and 3.3. I have not tested this on gcc-3.2.
You may have to improvise the pathnames.
Use this hint with any future gcc upgrade.
*/
# For updates check http://www.research.ibm.com/trl/projects/security/ssp/

mkdir -p $LFS/tools/usr/src/patches/propolice/3.3
cd $LFS/tools/usr/src/patches/propolice/3.3
wget http://www.research.ibm.com/trl/projects/security/ssp/gcc3_3/protector-3.3-4.tar.gz
wget http://www.research.ibm.com/trl/projects/security/ssp/gcc3_3/protector-3.3-4.tar.gz.md5
md5sum -c protector-3.3-4.tar.gz.md5

# You should get "protector-3.3-4.tar.gz: OK"

tar zxf protector-3.3-4.tar.gz

# This isn't complex stuff. So I'm recommending we patch the source and repack.

cd $LFS/tools/usr/src
cp .../gcc-core-3.3.1.tar.bz2 .
# Unpacking all the packages in $LFS/tools/usr/src isn't a bad idea either
md5sum gcc-core-3.3.1.tar.bz2

# Should give us "8c113f495402c5ab8bf35133268de561  gcc-core-3.3.1.tar.bz2"

rm -rf gcc-{3.3.1,build}
tar jxf gcc-core-3.3.1.tar.bz2
cd gcc-3.3.1/gcc
patch -p 1 < $LFS/tools/usr/src/patches/propolice/3.3/protector.dif
cp $LFS/tools/usr/src/patches/propolice/3.3/protector.c .
cp $LFS/tools/usr/src/patches/propolice/3.3/protector.h .

/* This next step enables propolice by default with anything this gcc will
build. The flag '-fstack-protector' explicitly enables propolice if you do
not use this next patch, and it can be added to CFLAGS and CXXFLAGS.
'-fno-stack-protector' explicitly disables the stack protection if for any
reason you want to.
Note: It is recommended all your software be built with this protection. It
should work on a wide variety of software, including xfree86. OpenBSD has
adopted it in their system, and Gentoo Linux is planning to in the near
future.
*/

patch -p 1 < $LFS/tools/usr/src/patches/propolice/3.3/protectonly.dif

# Hint: edit $LFS/tools/usr/src/gcc-3.3.1/gcc/version.c to reflect that you
# have patched it with propolice.
/* Repack it. This will allow automated LFS to use it without much trouble,
after correcting the md5sum in the nALFS profile.
*/

cd $LFS/tools/usr/src/
mv gcc-core-3.3.1.tar.bz2 gcc-core-3.3.1.tar.bz2.orig
tar jcf gcc-core-propolice-3.3.1.tar.bz2 gcc-3.3.1/
ln -s gcc-core-propolice-3.3.1.tar.bz2 gcc-core-3.3.1.tar.bz2

# The same steps apply for gcc-2.95.3
# For updates check http://www.research.ibm.com/trl/projects/security/ssp/

mkdir -p $LFS/tools/usr/src/patches/propolice/2.95.3
cd $LFS/tools/usr/src/patches/propolice/2.95.3
wget http://www.research.ibm.com/trl/projects/security/ssp/gcc2_95_3/protector-2.95.3-23.tar.gz
wget http://www.research.ibm.com/trl/projects/security/ssp/gcc2_95_3/protector-2.95.3-23.tar.gz.md5
md5sum -c protector-2.95.3-23.tar.gz.md5

# You should get "protector-2.95.3-23.tar.gz: OK"

tar zxf protector-2.95.3-23.tar.gz
cd $LFS/tools/usr/src
cp .../gcc-2.95.3.tar.bz2 .
# Unpacking all the packages in $LFS/tools/usr/src isn't a bad idea either
md5sum gcc-2.95.3.tar.bz2

# Should give you "87ee083a830683e2aaa57463940a0c3c  gcc-2.95.3.tar.bz2"

rm -rf gcc-{2.95.3,build}
tar jxf gcc-2.95.3.tar.bz2
cd gcc-2.95.3/gcc
patch -p 1 < $LFS/tools/usr/src/patches/propolice/2.95.3/protector.dif
cp $LFS/tools/usr/src/patches/propolice/2.95.3/protector.c .
cp $LFS/tools/usr/src/patches/propolice/2.95.3/protector.h .

/* This next step enables propolice by default with anything this gcc will
build. The flag -fstack-protector explicitly enables propolice if you do not
use this next patch, and it can be added to CFLAGS and CXXFLAGS.
-fno-stack-protector explicitly disables the stack protection if for any
reason you want to.
Note: It is recommended all your software be built with this protection. It
should work on a wide variety of software, including xfree86. OpenBSD has
adopted it in their system, and Gentoo Linux is planning to in the near
future.
*/

patch -p 1 < $LFS/tools/usr/src/patches/propolice/2.95.3/protectonly.dif

# Hint: edit $LFS/tools/usr/src/gcc-2.95.3/gcc/version.c to reflect that you
# have patched it with propolice.
/* Repack it. This will allow automated LFS to use it without much trouble,
after correcting the md5sum in the nALFS profile.
*/

cd $LFS/tools/usr/src/
mv gcc-core-2.95.3.tar.bz2 gcc-core-2.95.3.tar.bz2.orig
tar jcf gcc-core-propolice-2.95.3.tar.bz2 gcc-2.95.3/
ln -s gcc-core-propolice-2.95.3.tar.bz2 gcc-2.95.3.tar.bz2

/* With that all done, we have applied the patches and it should work
transparently from here on. `make bootstrap`, `make bootstrap-lean`, and `make`
will utilize the patches. As well, the patches included in the LFS book can be
used on top. It will have to be bootstrapped if this is the first time it was
built.
When it is installed you can confirm the binaries are protected. `objdump -d
/path/to/binary | grep stack_smash` is one way, or `gcc -S hello.c && grep
stack_smash hello.s` is another.
*/
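To make concrete what the guard that `grep stack_smash` finds actually does, here is an added C model of a ProPolice-style frame (example code written for this page, not part of the hint or of the IBM patches). The guard value, the frame offsets, the stand-in return address and the 'A'-byte inputs are all constructed; a real build draws a random guard at startup.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame layout ProPolice produces (added here, not
 * code from the hint): the local char array sits directly below a guard word,
 * and the guard sits directly below the saved return address, so an overflow
 * must cross the guard before it can reach the return address. */
#define BUF_LEN   16
#define GUARD_OFF BUF_LEN
#define RET_OFF   (GUARD_OFF + 4)
#define FRAME_LEN (RET_OFF + 4)

static const uint32_t GUARD     = 0x5a3c9e71u; /* constructed; real builds use a random guard */
static const uint32_t SAVED_RET = 0x08048000u; /* constructed stand-in for the return address */

/* Prologue stores the guard; the body does a length-unchecked copy into the
 * buffer; the epilogue re-checks the guard, which is where ProPolice would call
 * its stack-smash handler on mismatch. Returns 1 if the guard is intact, else 0.
 * *ret_out receives whatever now sits in the return-address slot. */
int guarded_copy(const unsigned char *src, size_t n, uint32_t *ret_out)
{
    unsigned char frame[FRAME_LEN];
    uint32_t guard;

    if (n > FRAME_LEN)                 /* keep the model itself in bounds */
        n = FRAME_LEN;
    memcpy(frame + GUARD_OFF, &GUARD, sizeof GUARD);
    memcpy(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET);
    memcpy(frame, src, n);             /* the bug: no check against BUF_LEN */
    memcpy(&guard, frame + GUARD_OFF, sizeof guard);
    memcpy(ret_out, frame + RET_OFF, sizeof *ret_out);
    return guard == GUARD;
}

/* Run the model on an n-byte input of 'A' bytes (constructed input);
 * returns the guard verdict and leaves the post-copy return slot in *ret. */
int run_model(size_t n, uint32_t *ret)
{
    unsigned char in[FRAME_LEN];
    memset(in, 'A', sizeof in);
    return guarded_copy(in, n, ret);
}
int guard_intact_after(size_t n) { uint32_t r; return run_model(n, &r); }
uint32_t saved_ret_after(size_t n) { uint32_t r; run_model(n, &r); return r; }
```

An 8-byte copy leaves the guard and the return slot untouched; a 20-byte copy corrupts the guard while the return slot is still intact, which is exactly the case the epilogue check catches before the function could return through a bad address; a 24-byte copy has overwritten both, and is likewise caught.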


Best Regards :)

