cvs commit: hints propolice.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Fri Oct 24 17:36:51 PDT 2003


tushar      03/10/24 18:36:51

  Modified:    .        propolice.txt
  Log:
  Updated Hint: propolice
  
  Revision  Changes    Path
  1.3       +35 -39    hints/propolice.txt
  
  Index: propolice.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/propolice.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -u -r1.2 -r1.3
  --- propolice.txt	23 Oct 2003 03:04:45 -0000	1.2
  +++ propolice.txt	25 Oct 2003 00:36:51 -0000	1.3
  @@ -1,6 +1,6 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2003-10-22
  +DATE:   2003-10-24
   
   LICENSE:        Public Domain
   
  @@ -12,15 +12,14 @@
   
   PREREQUISITES:
   This hint requires that you have sufficient knowledge of LinuxFromScratch.
  -This hint is available for GCC versions 2.95.3 and 3.3.1.
  -Note: 2.95.3 patch not available yet -- Comming soon
  +This hint is available for GCC version 3.3.1.
  +Note: Gcc-2.95.3 and gcc-3.2.3 patches are coming soon.
   Note: gcc-core package is the only required component. Others are optional.
   
   HINT:
   
   Introduction
   =============
  -
   ProPolice is a GCC extension for protecting applications from stack smashing
   attacks. ProPolice stack guard has been used against xlockmore-3.10,
   Perl-5.003, elm-2.003, and SuperProbe-2.11 which all have known root exploits.
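Review bot: The added note in PREREQUISITES writes the two pending versions inconsistently ("Gcc-2.95.3" and "gcc-3.2.3"); use lowercase "gcc-" for both so they match the patch filenames used later in the hint. The 2.95.3 patch was already announced as coming soon in revision 1.2, so consider dropping the promise until the patches exist, or say where readers can track them.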
  @@ -32,64 +31,62 @@
   future, among others. The official website for ProPolice can be found in the
   acknowledgments at the end of this document.
   
  +Caveats
  +=======
  +Binutils make check dies from errors when using gcc-propolice.
  +FAIL: S-records
  +FAIL: S-records with constructors
  +This was tested on several machines.
  +Aside from that it looks good.
  +This hint is _alpha_ atm.
  +
   Choose your patche(s)
   ======================
  -
   There are 2 types of patches.
   
   1. With the ProPolice _Only_ patch the -fstack-protector is used by default
  -including durring GCC's boostrap phase. With this patch all the software you
  -build with GCC will be automaticly protected. If you expirence any abnormal
  +including during GCC's boostrap phase. With this patch all the software you
  +build with GCC will be automaticly protected. If you experience any abnormal
   errors, the -fno-stack-protector can be set to debug the error. Please report
   any problems. 
   
   2. With generic protection GCC does not utilize the patch, and is set
   -fno-stack-protector by default. -fstack-protector can be set in CFLAGS and
  -CXXFLAGS to enable the gaurd.
  -Note: I discourage using the generic patch. Setting your own CFLAGS means you
  -will override the optimizations set by the people who wrote what you are
  -compiling. Overiding CFALGS should only be done for cross compiling.
  +CXXFLAGS to enable the guard.
   
   Download
   ========
  -md5sum 
  -6b6d13feb5bd1ec80d6707976ef68950  gcc-3.3.1-propolice_only.patch
  -f0ef92b32b0104505500d7380232ed96  gcc-3.3.1-propolice.patch
  -
  +md5sum
  +f7169c00be8383f1387beac0e93414b3  gcc-3.3.1-propolice_only.patch
  +69b6f17d03e6fd95a47246e2180f9f45  gcc-3.3.1-propolice.patch
   
  -http://www.linuxfromscratch.org/patches/lfs/5.0/gcc-3.3.1-propolice_only.patch
  -http://www.linuxfromscratch.org/patches/lfs/5.0/gcc-3.3.1-propolice.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice_only.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice.patch
   
   Examples
   =========
   
   tar jxf gcc-core-3.3.1.tar.bz2 &&
   cd gcc-3.3.1 && 
  -patch -p1 < ../gcc-3.3.1-propolice_only.patch
  -
  -tar zxf gcc-2.95.3.tar.gz &&
  -cd gcc-2.95.3 &&
  -patch -p1 < ../gcc-2.95.3-propolice_only.patch
  +patch -Np1 -i ../gcc-3.3.1-propolice_only.patch
   
   Conclusion
   ===========
   When it is installed you can confirm the binaries are protected.
   
   gcc -S hello.c &&
  -cat hello.s | grep stack_smash
  +cat hello.s | grep stack_smash &&
   rm hello.s
   
   or
   
  -gcc hello.c
  -objdump -d a.out | grep stack_smash
  +gcc hello.c &&
  +objdump -d a.out | grep stack_smash &&
   rm a.out
   
   TODO
   =====
  -* Real world testing.
  -* Test on non-x86 systems.
  -* Audit.
  +* More testing.
   
   Feedback
   ========
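Review bot: In the Download section both md5sums change while the filenames gcc-3.3.1-propolice_only.patch and gcc-3.3.1-propolice.patch stay the same, so a reader holding a copy fetched under revision 1.2 cannot tell a stale file from a corrupted or altered one. Give the regenerated patches a revision suffix, or state in the hint that they were replaced on 2003-10-24. In the Conclusion, chaining the commands with "&&" means that when grep finds no stack_smash symbol it returns non-zero and the "rm hello.s" or "rm a.out" cleanup is skipped. The hint also never says that empty output means the binary is unprotected, so state the expected output explicitly. The spelling pass on the first patch type fixes "durring" and "expirence" but leaves "boostrap" and "automaticly" on the same two lines. The note discouraging the generic patch is also dropped without a changelog entry explaining why.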
  @@ -97,23 +94,22 @@
   
   ACKNOWLEDGMENTS:
   
  -Thanks to GNU for providing GCC at http://www.gnu.org/
  -
  -Thanks to Hiroaki Etoh for providing the patch to IBM - etoh at jp.ibm.com
  -
  -Thanks to IBM for providing the patch at
  -http://www.research.ibm.com/trl/projects/security/ssp/
  -
  -IBM is a registered trademark of the IBM Corporation found at
  -http://www.ibm.com
  +* Thanks to GNU for providing GCC at http://www.gnu.org/
  +* Thanks to Hiroaki Etoh for providing the patch to IBM - etoh at jp.ibm.com
  +* Thanks to IBM for providing the patch at
  +	http://www.research.ibm.com/trl/projects/security/ssp/
  +* IBM is a registered trademark of the IBM Corporation found at
  +	http://www.ibm.com
   
   CHANGELOG:
   [2003-10-18]
   * Debut
   * Reformat hint
   [2003-10-22]
  -* Binutils problem fixed - Thanks to Hiroaki Etoh.
   * Reformated the patches so they're much easier to apply.
   * Edit/rewrite hint & synopsis.
  -* Fixed URLS
  +[2003-10-24]
  +* Added caveat.
  +* Fixed URLS.
  +* Lite edit
   
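Review bot: The [2003-10-22] changelog entry loses "Binutils problem fixed - Thanks to Hiroaki Etoh." and "Fixed URLS", which rewrites what the earlier revision recorded. Keep the 10-22 entries as they were and add a line under [2003-10-24] saying that binutils make check fails again, which is what the new Caveats section reports. "Lite edit" is the only new entry without a trailing period.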
  
  
  


