cvs commit: hints propolice.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Wed Oct 22 20:04:45 PDT 2003


tushar      03/10/22 21:04:45

  Modified:    .        propolice.txt
  Log:
  Updated Hint: propolice
  
  Revision  Changes    Path
  1.2       +70 -112   hints/propolice.txt
  
  Index: propolice.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/propolice.txt,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -u -r1.1 -r1.2
  --- propolice.txt	18 Oct 2003 16:00:30 -0000	1.1
  +++ propolice.txt	23 Oct 2003 03:04:45 -0000	1.2
  @@ -1,10 +1,10 @@
  -AUTHOR:	Robert Connolly <cendres at videotron dot ca> (ashes)
  +AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:	2003-10-18
  +DATE:   2003-10-22
   
  -LICENSE:	Public Domain
  +LICENSE:        Public Domain
   
  -SYNOPSIS:	Building an LFS with ProPolice enabled.
  +SYNOPSIS:       ProPolice - Bullet proofing the penguin.
   
   DESCRIPTION:
   Intergrate a patch into the bootstrap stage to protect the new system from
  @@ -12,7 +12,9 @@
   
   PREREQUISITES:
   This hint requires that you have sufficient knowledge of LinuxFromScratch.
  -This hint is available for GCC versions 2.95.3 and 3.3.
  +This hint is available for GCC versions 2.95.3 and 3.3.1.
  +Note: 2.95.3 patch not available yet -- Comming soon
  +Note: gcc-core package is the only required component. Others are optional.
   
   HINT:
   
  @@ -30,118 +32,68 @@
   future, among others. The official website for ProPolice can be found in the
   acknowledgments at the end of this document.
   
  -Installation
  -=============
  +Choose your patche(s)
  +======================
   
  -It is recommended this hint is used as part of an LFS installation between
  -chapsters four and five. You will need all the packages and the LFS partition
  -and /tools setup in advance. In this example source packages are put in
  -$LFS/tools/usr/src. This is not strictly important, but it is important you
  -are able to keep track of your ProPolice patched GCC tar ball during the
  -normal installation of LFS, and use the patch on any future installations of
  -GCC.
  +There are 2 types of patches.
   
  -Procedure
  -=========
  +1. With the ProPolice _Only_ patch the -fstack-protector is used by default
  +including durring GCC's boostrap phase. With this patch all the software you
  +build with GCC will be automaticly protected. If you expirence any abnormal
  +errors, the -fno-stack-protector can be set to debug the error. Please report
  +any problems. 
  +
  +2. With generic protection GCC does not utilize the patch, and is set
  +-fno-stack-protector by default. -fstack-protector can be set in CFLAGS and
  +CXXFLAGS to enable the gaurd.
  +Note: I discourage using the generic patch. Setting your own CFLAGS means you
  +will override the optimizations set by the people who wrote what you are
  +compiling. Overiding CFALGS should only be done for cross compiling.
  +
  +Download
  +========
  +md5sum 
  +6b6d13feb5bd1ec80d6707976ef68950  gcc-3.3.1-propolice_only.patch
  +f0ef92b32b0104505500d7380232ed96  gcc-3.3.1-propolice.patch
   
  -# For GCC-3.3
   
  -mkdir -p $LFS/tools/usr/src/patches/propolice/3.3
  -cd $LFS/tools/usr/src/patches/propolice/3.3
  -wget
  -http://www.research.ibm.com/trl/projects/security/ssp/gcc3_3/protector-3.3-4.tar.gz
  -wget
  -http://www.research.ibm.com/trl/projects/security/ssp/gcc3_3/protector-3.3-4.tar.gz.md5
  -md5sum -c protector-3.3-4.tar.gz
  -
  -# You should get "protector-3.3-4.tar.gz: OK"
  -
  -tar zxf protector-3.3-4.tar.gz
  -
  -cd $LFS/tools/usr/src
  -md5sum gcc-core-3.3.1.tar.bz2
  -
  -# Should give us "8c113f495402c5ab8bf35133268de561  gcc-core-3.3.1.tar.bz2"
  -
  -rm -rf gcc-{3.3.1,build}
  -tar jxf gcc-core-3.3.1.tar.bz2
  -cd gcc-3.3.1/gcc
  -patch -p 1 < $LFS/tools/usr/src/patches/propolice/3.3/protector.dif
  -cp $LFS/tools/usr/src/patches//propolice/3.3/protector.c .
  -cp $LFS/tools/usr/src/patches/propolice/3.3/protector.h .
  -
  -# This next step enables propolice by default with anything this gcc will
  -# build. The flag '-fstack-protector' explicitly enables propolice if you do
  -# not use this next patch, and it can be added to CFLAGS and CXXFLAGS.'
  -# -fno-stack-protector' explicitly disables the stack protection if for any
  -# reason you want to.
  -# Note: It is reccomended all your software be built with this protection. It
  -# should work on a wide variety of software, including xfree86.
  -
  -patch -p 1 < $LFS/tools/usr/src/patches/propolice/3.3/protectonly.dif
  -
  -# Hint: edit  $LFS/tools/usr/src/gcc-3.3.1/gcc/version.c to reflect that you
  -# have patched it with propolice.
  -
  -cd $LFS/tools/usr/src/
  -mv gcc-core-3.3.1.tar.bz2 gcc-core-3.3.1.tar.bz2.orig
  -tar jcf gcc-core-propolice-3.3.1.tar.bz2 gcc-3.3.1/
  -ln -s gcc-core-propolice-3.3.1.tar.bz2 gcc-core-3.3.1.tar.bz2
  -
  -# For GCC 2.95.3
  -
  -mkdir $LFS/tools/usr/src/patches/propolice/2.95.2
  -cd $LFS/tools/usr/src/patches/propolice/2.95.3
  -wget
  -http://www.research.ibm.com/trl/projects/security/ssp/gcc2_95_3/protector-2.95.3-23.tar.gz
  -wget
  -http://www.research.ibm.com/trl/projects/security/ssp/gcc2_95_3/protector-2.95.3-23.tar.gz.md5
  -md5sum -c protector-2.95.3-23.tar.gz.md5
  -
  -# You should get "protector-2.95.3-23.tar.gz: OK"
  -
  -tar zxf protector-2.95.3-23.tar.gz
  -cd $LFS/tools/usr/src
  -md5sum gcc-2.95.3.tar.bz2
  -
  -# Should give you "87ee083a830683e2aaa57463940a0c3c  gcc-2.95.3.tar.bz2"
  -
  -rm -rf gcc-{2.95.3,build}
  -tar jxf gcc-2.95.3.tar.bz2
  -cd gcc-2.95.3/gcc
  -patch -p 1 < $LFS/tools/usr/src/patches/propolice/2.95.3/protector.dif
  -cp $LFS/tools/usr/src/patches//propolice/2.95.3/protector.c .
  -cp $LFS/tools/usr/src/patches/propolice/2.95.3/protector.h .
  -
  -# This next step enables propolice by default with anything this gcc will
  -# build. The flag -fstack-protector explicitly enables propolice if you do
  -# not use this next patch, and it can be added to CFLAGS and CXXFLAGS.
  -# -fno-stack-protector explicitly disables the stack protection if for any
  -# reason you want to.
  -# Note: It is reccomended all your software be built with this protection.
  -# It should work on a wide variety of software, including xfree86.
  -
  -patch -p 1 < $LFS/tools/usr/src/patches/propolice/2.95.3/protectonly.dif
  -
  -# Hint: edit  $LFS/tools/usr/src/gcc-2.95.3/gcc/version.c to reflect that
  -# you have patched it with propolice.
  -
  -cd $LFS/tools/usr/src/
  -mv gcc-core-2.95.3.tar.bz2 gcc-core-2.95.3.tar.bz2.orig
  -tar jcf gcc-core-propolice-2.95.3.tar.bz2 gcc-2.95.3/
  -ln -s gcc-core-propolice-2.95.3.tar.bz2 gcc-2.95.3.tar.bz2
  -
  -# With that all done, we have applied the patches and it should work
  -# transparently from here on. `make boostrap`, and `make` will utilize
  -# the patches. Aswell the patches included in the LFS book can be used on
  -# top.
  -# When it is installed you can confirm the binaries are protected. `objdump
  -# -d /path/to/binary | grep stack_smash` is one way or `gcc -S hello.c &&
  -# cat hello.s | grep stack_smash` is another.
  +http://www.linuxfromscratch.org/patches/lfs/5.0/gcc-3.3.1-propolice_only.patch
  +http://www.linuxfromscratch.org/patches/lfs/5.0/gcc-3.3.1-propolice.patch
  +
  +Examples
  +=========
  +
  +tar jxf gcc-core-3.3.1.tar.bz2 &&
  +cd gcc-3.3.1 && 
  +patch -p1 < ../gcc-3.3.1-propolice_only.patch
  +
  +tar zxf gcc-2.95.3.tar.gz &&
  +cd gcc-2.95.3 &&
  +patch -p1 < ../gcc-2.95.3-propolice_only.patch
  +
  +Conclusion
  +===========
  +When it is installed you can confirm the binaries are protected.
  +
  +gcc -S hello.c &&
  +cat hello.s | grep stack_smash
  +rm hello.s
  +
  +or
  +
  +gcc hello.c
  +objdump -d a.out | grep stack_smash
  +rm a.out
  +
  +TODO
  +=====
  +* Real world testing.
  +* Test on non-x86 systems.
  +* Audit.
   
   Feedback
   ========
  -cendres at videotron dot ca
  +<cendres at videotron dot ca>
   
   ACKNOWLEDGMENTS:
   
  @@ -157,5 +109,11 @@
   
   CHANGELOG:
   [2003-10-18]
  -* Debut release
  -* Reformat
  +* Debut
  +* Reformat hint
  +[2003-10-22]
  +* Binutils problem fixed - Thanks to Hiroaki Etoh.
  +* Reformated the patches so they're much easier to apply.
  +* Edit/rewrite hint & synopsis.
  +* Fixed URLS
  +
  
  
  



More information about the hints mailing list