update

ashes cendres at videotron.ca
Sun Oct 26 03:32:41 PST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

update

- -- 
cendres at videotron dot ca
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xD4E26E10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/m7DmX4k9bNTibhARAk6qAJ99DVOnoSvcXn4s5Z3dz0BJZQY1HQCbBGlR
MrEzEjy4UEI1NEEF26PJ9qg=
=+6Zj
-----END PGP SIGNATURE-----
-------------- next part --------------
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)

DATE:   2003-10-24

LICENSE:        Public Domain

SYNOPSIS:       ProPolice - Bullet proofing the penguin.

DESCRIPTION:
Integrate the ProPolice patch into GCC at the bootstrap stage so that the new
system is built with protection against stack buffer overflows.

PREREQUISITES:
This hint requires that you have sufficient knowledge of Linux From Scratch.
Developer use only; see the caveats below.
Only tested on x86.
The patches in this hint are for GCC version 3.3.1.
Note: gcc-2.95.3 and gcc-3.2.3 patches are coming soon.
Note: only the gcc-core package is required; the other GCC language packages
are optional.

HINT:

Introduction
=============
ProPolice is a GCC extension that protects applications from stack smashing
attacks. Its stack guard has been tested against xlockmore-3.10, Perl-5.003,
elm-2.003 and SuperProbe-2.11, all of which have known root exploits: when
these programs were exploited, the stack guard terminated them with a message
that a stack smashing attack had been detected. Because the guard checks the
integrity of the stack frame on function return rather than matching specific
bugs, it also catches bugs and attacks not yet conceived. It has proven to be
robust, practical to use, and to perform well. Note that the guard only catches
overwrites that run through the guard word on the way to the saved return
address; it does not cover heap buffers, or a write that lands past the guard
without passing through it. ProPolice has been integrated into OpenBSD, and
should be added to Gentoo Linux in the near future, among others. The official
website for ProPolice is listed in the acknowledgments at the end of this
document.
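To make concrete what the guard described above does, here is an added example
(written for this edit; it is not code from the hint or from ProPolice) that
models a ProPolice-protected stack frame as a C struct and feeds it the same
overflow that would hijack an unprotected frame. The frame layout, the fixed
guard value, the saved-register stand-ins and the attacker payload are all
constructed for illustration; the real guard is ProPolice's global __guard,
filled with random bytes at start-up, and the real check aborts through
__stack_smash_handler rather than returning a result. The last scenario goes
beyond the hint's text to show the guard's limit: a write that reproduces the
guard value passes the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  16
#define FAKE_FP  0xBFFFF000u   /* constructed stand-ins for the victim's saved */
#define FAKE_RET 0x08048400u   /* frame pointer and return address             */
#define EVIL_RET 0xDEADBEEFu   /* where the attacker wants the return to go    */

/* ProPolice fills the real __guard with random bytes at program start; a fixed
 * value is used here only so that the runs are reproducible. */
static const uint32_t global_guard = 0xC0DE5AFEu;
/* Frame of a protected function, modelled as a struct: the local char array
 * sits lowest, the guard directly above it, then the saved frame pointer and
 * return address. An overflow of buf must pass through guard to reach them. */
struct guarded_frame { char buf[BUF_LEN]; uint32_t guard; uint32_t saved_fp; uint32_t return_addr; };
struct plain_frame { char buf[BUF_LEN]; uint32_t saved_fp; uint32_t return_addr; };  /* unprotected build */
enum copy_result { COPY_OK = 0, COPY_SMASHED = 1 };
struct outcome { enum copy_result result; uint32_t ret; };

/* Unprotected build: unchecked copy into buf. Returns the return address a
 * `ret` would use. The copy is clamped to sizeof f only so this emulation
 * stays well-defined C; the bug being modelled has no bound at all. */
uint32_t unprotected_copy(const unsigned char *input, size_t len)
{
    struct plain_frame f;
    f.saved_fp = FAKE_FP;
    f.return_addr = FAKE_RET;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);            /* the vulnerable strcpy-style copy */
    return f.return_addr;
}

/* ProPolice build: the prologue plants the guard, the epilogue compares it
 * before returning. A real mismatch calls __stack_smash_handler, which prints
 * the message and aborts; here the outcome is returned so it can be inspected. */
struct outcome protected_copy(const unsigned char *input, size_t len)
{
    struct guarded_frame f;
    struct outcome o;
    f.guard = global_guard;            /* prologue */
    f.saved_fp = FAKE_FP;
    f.return_addr = FAKE_RET;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);            /* same vulnerable copy */
    o.ret = f.return_addr;
    o.result = (f.guard == global_guard) ? COPY_OK : COPY_SMASHED;  /* epilogue */
    if (o.result == COPY_SMASHED)
        fprintf(stderr, "stack smashing attack in function protected_copy()\n");
    return o;
}

/* Constructed attacker payload: BUF_LEN filler bytes, then three 32-bit words
 * that land on whatever sits above buf in the target frame. */
static size_t make_payload(unsigned char *out, uint32_t w0, uint32_t w1, uint32_t w2)
{
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &w0, 4);
    memcpy(out + BUF_LEN + 4, &w1, 4);
    memcpy(out + BUF_LEN + 8, &w2, 4);
    return BUF_LEN + 12;
}

/* Classic overflow of the unprotected frame: saved_fp, then return_addr. */
uint32_t scenario_unprotected(void)
{
    unsigned char p[BUF_LEN + 12];
    size_t n = make_payload(p, 0x41414141u, EVIL_RET, 0);
    return unprotected_copy(p, n);     /* EVIL_RET: silently hijacked */
}

/* Same overflow against the guarded frame: the guard is clobbered on the way
 * to return_addr, so the epilogue catches it. */
struct outcome scenario_protected(void)
{
    unsigned char p[BUF_LEN + 12];
    size_t n = make_payload(p, 0x41414141u, 0x41414141u, EVIL_RET);
    return protected_copy(p, n);       /* COPY_SMASHED */
}

/* Limitation: an attacker who knows the guard writes it back in place and
 * passes the check, which is why ProPolice randomises __guard at start-up. */
struct outcome scenario_known_guard(void)
{
    unsigned char p[BUF_LEN + 12];
    size_t n = make_payload(p, global_guard, 0x41414141u, EVIL_RET);
    return protected_copy(p, n);       /* COPY_OK, yet ret == EVIL_RET */
}

int main(void)
{
    struct outcome s = scenario_protected(), k = scenario_known_guard();
    printf("unprotected ret=0x%08lx\n", (unsigned long)scenario_unprotected());
    printf("protected   result=%d ret=0x%08lx\n", (int)s.result, (unsigned long)s.ret);
    printf("known guard result=%d ret=0x%08lx\n", (int)k.result, (unsigned long)k.ret);
    return 0;
}
```

Compile with a plain gcc and run: the unprotected frame returns 0xdeadbeef
silently, the guarded frame reports the smash, and the known-guard case shows
why __guard must be unpredictable. A short string that fits in buf leaves the
guard untouched and returns COPY_OK with the original return address.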

Caveats
=======
The base LFS system builds with the ProPolice _Only_ patch. Binutils' make
check reports 2-6 new failures; apart from that there should be no errors.
Grub, cracklib, tetex and ocaml are reported not to build with the
-fstack-protector flag. I've built cracklib fine with the ProPolice _Only_ GCC,
but there are problems with PAM and Grub. PAM does build, but its examples
don't, for an unknown reason (ignore the failure and run make install).

Choose your patch(es)
======================
There are 2 types of patches.

1. With the ProPolice _Only_ patch, -fstack-protector is enabled by default,
including during GCC's own bootstrap, so GCC itself is built with the guard.
All the software you then build with this GCC is protected automatically. If
you experience any abnormal errors, -fno-stack-protector can be set to check
whether the guard is the cause. Please report any problems.

2. With the generic patch, GCC itself is not built with the guard and defaults
to -fno-stack-protector. -fstack-protector can be set in CFLAGS and CXXFLAGS to
enable the guard for the packages you choose. This is good for testers.

Download
========
md5sum
f7169c00be8383f1387beac0e93414b3  gcc-3.3.1-propolice_only.patch
69b6f17d03e6fd95a47246e2180f9f45  gcc-3.3.1-propolice.patch

http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice_only.patch
http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice.patch

Examples
=========

tar jxf gcc-core-3.3.1.tar.bz2 &&
cd gcc-3.3.1 && 
patch -Np1 -i ../gcc-3.3.1-propolice_only.patch

Conclusion
===========
Once the patched GCC is installed you can confirm that the binaries it produces
are protected by looking for the call to ProPolice's __stack_smash_handler. Use
a test program that declares a local char array (for example one that copies
its argument into a char buffer with strcpy); a function with no character
array on its stack is not instrumented by -fstack-protector, so a hello world
that only calls printf may show nothing. With the generic patch, add
-fstack-protector to the gcc command line, since it is not on by default.

gcc -S hello.c &&
grep stack_smash hello.s &&
rm hello.s

or

gcc hello.c &&
objdump -d a.out | grep stack_smash &&
rm a.out

If grep prints nothing, the guard was not emitted; the && chain then leaves the
file behind so you can inspect it.

TODO
=====
More testing.

Feedback
========
<cendres at videotron dot ca>

ACKNOWLEDGMENTS:

* Thanks to GNU for providing GCC at http://www.gnu.org/
* Thanks to Hiroaki Etoh for providing the patch to IBM - etoh at jp.ibm.com
* Thanks to IBM for providing the patch at
	http://www.research.ibm.com/trl/projects/security/ssp/
* IBM is a registered trademark of the IBM Corporation found at
	http://www.ibm.com
* Thanks to Gentoo for providing documents (not code) http://www.gentoo.org/

CHANGELOG:
[2003-10-18]
* Debut
* Reformat hint
[2003-10-22]
* Reformated the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
[2003-10-24]
* Added caveat.
* Fixed URLS.
* Lite edit
[2003-10-25]
* New bugs found.


