cendres at videotron.ca
Sun Oct 26 03:32:41 PST 2003
cendres at videotron dot ca
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xD4E26E10
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
LICENSE: Public Domain
SYNOPSIS: ProPolice - Bullet proofing the penguin.
Integrate a patch into the bootstrap stage to protect the new system from
This hint requires that you have sufficient knowledge of LinuxFromScratch.
*Developer use only. See caveats below.
Only tested on x86.
This hint is available for GCC version 3.3.1.
Note: Gcc-2.95.3 and gcc-3.2.3 patches are coming soon.
Note: gcc-core package is the only required component. Others are optional.
ProPolice is a GCC extension for protecting applications from stack smashing
attacks. ProPolice stack guard has been used against xlockmore-3.10,
Perl-5.003, elm-2.003, and SuperProbe-2.11 which all have known root exploits.
Testing showed that when these programs were exploited the stack guard
terminated them with a message that a stack smashing attack had been detected.
This guard protects against bugs and attacks not yet conceived. It has been
shown to be robust, practical to use, and to perform well. ProPolice has been
integrated into OpenBSD, and should be added to Gentoo Linux in the near
future, among others. The official website for ProPolice can be found in the
acknowledgments at the end of this document.
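The following C program is an added illustration, not part of this hint or of ProPolice itself, of the guard mechanism described above: a guard word is placed between a local buffer and the saved return address, stored in the function prologue and re-checked in the epilogue, so an overrun that reaches the guard is reported instead of silently returning into corrupted state. The guard value, buffer size, sample inputs and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE   16
#define GUARD_SIZE sizeof(uint64_t)

/* Constructed guard value. ProPolice chooses one at program start; a fixed
 * value keeps this model deterministic. */
static const uint64_t guard_value = 0xA5C3E1F70B9D2468ULL;

/* Model of a ProPolice-instrumented frame: the character buffer is placed
 * below the guard, and the guard sits between the locals and the saved
 * return address, so any overrun of the buffer passes through the guard.
 * Returns 0 when the guard is intact (normal return) and 1 when it has been
 * clobbered, the point at which the real guard calls its smash handler. */
int copy_into_guarded_frame(const char *src, size_t len)
{
    unsigned char frame[BUF_SIZE + GUARD_SIZE];
    uint64_t seen;

    /* Keep the model inside its own array: a real overrun would continue
     * past the guard into the saved frame pointer and return address. */
    if (len > sizeof frame)
        len = sizeof frame;

    memcpy(frame + BUF_SIZE, &guard_value, GUARD_SIZE); /* prologue: store guard */
    memcpy(frame, src, len);                            /* the unchecked copy   */
    memcpy(&seen, frame + BUF_SIZE, GUARD_SIZE);        /* epilogue: reload     */

    return seen == guard_value ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: one that fits the buffer, one that overruns it. */
    const char ok[]  = "hello";
    const char bad[] = "0123456789abcdefXYZ";

    printf("fits: %s\n", copy_into_guarded_frame(ok, sizeof ok) ? "guard clobbered" : "guard intact");
    if (copy_into_guarded_frame(bad, sizeof bad)) {
        /* This is where ProPolice terminates the program with its message. */
        fprintf(stderr, "stack smashing attack detected in copy_into_guarded_frame\n");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```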
The base LFS system does build well with the ProPolice _Only_ patch. The binutils
make check gets 2-6 new errors; aside from that there should be no errors.
Grub, cracklib, tetex, and ocaml are reported not to build with the
-fstack-protector flag. I've built cracklib with the ProPolice _Only_ GCC
fine, but there are problems with PAM and Grub. PAM does build but the
examples don't for an unknown reason (ignore and make install).
Choose your patch(es)
There are 2 types of patches.
1. With the ProPolice _Only_ patch, -fstack-protector is used by default,
including during GCC's bootstrap phase. With this patch all the software you
build with GCC will be automatically protected. If you experience any abnormal
errors, the -fno-stack-protector can be set to debug the error. Please report
2. With generic protection GCC does not utilize the patch, and is set
-fno-stack-protector by default. -fstack-protector can be set in CFLAGS and
CXXFLAGS to enable the guard. This is good for testers.
tar jxf gcc-core-3.3.1.tar.bz2 &&
cd gcc-3.3.1 &&
patch -Np1 -i ../gcc-3.3.1-propolice_only.patch
When it is installed you can confirm the binaries are protected.
gcc -S hello.c &&
grep stack_smash hello.s &&
gcc hello.c &&
objdump -d a.out | grep stack_smash
* Thanks to GNU for providing GCC at http://www.gnu.org/
* Thanks to Hiroaki Etoh for providing the patch to IBM - etoh at jp.ibm.com
* Thanks to IBM for providing the patch at
* IBM is a registered trademark of the IBM Corporation found at
* Thanks to Gentoo for providing documents (not code) http://www.gentoo.org/
* Reformat hint
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
* Added caveat.
* Fixed URLs.
* Light edit
New bugs found.