Last one for a while - ProPolice Update :)
cendres at videotron.ca
Mon Oct 27 04:22:45 PST 2003
-----BEGIN PGP SIGNED MESSAGE-----
I again apologize for the up-to-the-minute updates. This will be the last one
until GCC has a new stable release. I have added one new trivial patch for
XFree86-4.3.0. I believe the md5sums and URLs in the hint should work after
the patch is uploaded; if not I will have to correct it. Aside from that the
hint is frozen awaiting future releases of the toolchain or XFree86.
Patches are being sent to patches at linuxfromscratch.org
P.S. I will continue testing and running these patches on my desktop to verify
they're stable. And I will start working on the security hint :)
cendres at videotron dot ca
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xD4E26E10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
-----END PGP SIGNATURE-----
-------------- next part --------------
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
LICENSE: Public Domain
SYNOPSIS: ProPolice - Bullet proofing the penguin.
Integrate a patch into the bootstrap stage to protect the new system from
This hint requires that you have sufficient knowledge of Linux.
See caveats below.
This hint is available for GCC versions 3.3.1 and 2.95.3.
Note: gcc-core package is the only required component. Others are optional.
ProPolice is a GCC extension for protecting applications from stack smashing
attacks. The ProPolice stack guard has been tested against xlockmore-3.10,
Perl-5.003, elm-2.003, and SuperProbe-2.11, which all have known root exploits.
Testing showed that when these programs were exploited the stack guard
terminated them with a message stating that a stack smashing attack had been
detected. Because the guard catches the overwrite itself rather than any
particular exploit, it also protects against bugs and attacks not yet conceived.
It has been shown to be robust, practical to use, and to perform well. ProPolice
has been integrated into OpenBSD, and should be added to Gentoo Linux in the
near future, among others. The official website for ProPolice can be found in
the acknowledgments at the end of this document. ProPolice is still young and
has not been widely tested. It is my opinion that ProPolice, or a variant, will
become a normal part of all GNU systems after enough real world testing has
been done.
This patch adds two compile options to GCC: -fstack-protector enables the
protection, and -fno-stack-protector disables it. With -fstack-protector, a
function that has a local character array gets a guard value placed between
that array and the saved frame pointer and return address, and the guard is
checked just before the function returns; a mismatch means the array was
overrun and the program is terminated instead of returning into attacker
controlled data. Functions without such an array are left uninstrumented.
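To make the mechanism concrete, here is an added illustration in C; it is not code from the hint or from ProPolice itself. It rebuilds by hand what the patch emits around a function: the frame is modelled as a struct (local buffer, then the guard, then a stand-in for the saved return address), the guard is a fixed constant here where real ProPolice reads __guard from /dev/urandom at program start, and the overflow is clamped to the struct so the demonstration stays well-defined. The names (struct frame, vulnerable_copy, bounded_copy, build_payload) and the 24-byte payload are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated frame, lowest address first, in the order ProPolice lays out a
 * real one: local char array, guard word, then the saved frame pointer and
 * return address that an overflow is really after. (Constructed model.) */
struct frame {
    char     buf[16];
    uint32_t guard;      /* the canary, checked in the epilogue */
    uint32_t saved_ret;  /* stands in for the saved return address */
};

/* Fixed value for the illustration only; real ProPolice initialises __guard
 * from /dev/urandom at startup so an attacker cannot know it. */
static const uint32_t GUARD = 0x5a3c9e71u;
#define RET_SENTINEL 0xdeadbeefu

enum { FRAME_OK = 0, SMASH_DETECTED = 1, GUARD_BYPASSED = 2 };

/* The vulnerable pattern: 'len' attacker bytes copied into a 16-byte local
 * buffer with no bounds check, followed by the check ProPolice inserts before
 * 'ret'.  Returns SMASH_DETECTED where ProPolice would call
 * __stack_smash_handler and abort, GUARD_BYPASSED when the return address
 * changed but the guard still matches (the attacker knew the guard), and
 * FRAME_OK otherwise.  The copy is clamped to sizeof(frame) so this demo
 * never writes outside the struct. */
int vulnerable_copy(const char *in, size_t len) {
    struct frame f;
    f.guard = GUARD;
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, in, len);                 /* the overflow: runs past buf */
    if (f.guard != GUARD) return SMASH_DETECTED;
    if (f.saved_ret != RET_SENTINEL) return GUARD_BYPASSED;
    return FRAME_OK;
}

/* The fix the guard does not replace: a bounded copy never reaches the guard. */
int bounded_copy(const char *in, size_t len) {
    struct frame f;
    f.guard = GUARD;
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof f.buf - 1) len = sizeof f.buf - 1;
    memcpy(f.buf, in, len);
    f.buf[len] = '\0';
    if (f.guard != GUARD) return SMASH_DETECTED;
    if (f.saved_ret != RET_SENTINEL) return GUARD_BYPASSED;
    return FRAME_OK;
}

/* Constructed attacker input: 24 bytes, i.e. 8 past the end of buf, enough to
 * clobber both the guard and saved_ret.  With forge=1 the attacker writes the
 * correct guard value at offset 16, which is only possible if the guard leaked;
 * the overflow then reaches saved_ret without being detected. */
size_t build_payload(char *out, int forge) {
    const size_t len = 24;
    memset(out, 'A', len);
    if (forge) memcpy(out + 16, &GUARD, sizeof GUARD);
    return len;
}

int main(void) {
    char payload[32];
    size_t n = build_payload(payload, 0);
    printf("plain overflow: %d (1 = smash detected)\n", vulnerable_copy(payload, n));
    n = build_payload(payload, 1);
    printf("forged guard:   %d (2 = guard bypassed)\n", vulnerable_copy(payload, n));
    printf("bounded copy:   %d (0 = frame intact)\n", bounded_copy(payload, n));
    return 0;
}
```

The three results show the overflow being caught, the same overflow slipping through when the attacker already knows the guard (which is why ProPolice draws it randomly at startup rather than using a constant as this model does), and the bounded copy that never touches the guard at all. ProPolice additionally reorders locals so that pointer variables sit below the character arrays; the struct fixes that ordering by hand.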
You can expect a handful of errors from regression tests in the toolchain,
Binutils being the worst. I tested the ProPolice _Only_ patch on several systems
with similar results. Grub will only build with -fno-stack-protector, or you
can use lilo. XFree86 needs a patch to enable the OpenBSD ProPolice code. The X
server will be protected, but not the modules. You can also expect problems with
libPAM, and likely some unknown problems exist. I have made the authors of these
software bundles aware of the problems, and hope they're resolved in future
Choose your patch(es)
There are 2 types of patches for GCC.
1. With the ProPolice _Only_ patch, -fstack-protector is used by default,
including during GCC's bootstrap phase. With this patch all the software you
build with GCC will be automatically protected. If you experience any abnormal
errors, -fno-stack-protector can be set to debug the error. Please report
any problems. ProPolice build errors are easy to spot: look for "smash" in the
output, since both the guard's failure message and its runtime symbols contain it.
2. With the generic patch, GCC itself is built without the guard and defaults
to -fno-stack-protector. -fstack-protector can be set in CFLAGS and
CXXFLAGS to enable the guard for individual packages. This is good for testers.
If you read this patch you will see how simple it is.
tar jxf gcc-core-3.3.1.tar.bz2 &&
cd gcc-3.3.1 &&
patch -Np1 -i ../gcc-3.3.1-propolice_only.patch
The XFree86-4.3.0 patch is applied to the XFree86 source tree, not to GCC:
patch -Np1 -i ../XFree86-4.3.0-propolice.patch
When it is installed you can confirm the binaries are protected. The test
program must contain a local character array, otherwise ProPolice has nothing
to guard and the grep below finds nothing:
cat > hello.c << "EOF"
#include <stdio.h>
int main(void) { char buf[16]; if (scanf("%15s", buf) == 1) puts(buf); return 0; }
EOF
gcc -S hello.c &&
grep stack_smash hello.s &&
gcc hello.c &&
objdump -d a.out | grep stack_smash
<cendres at videotron dot ca>
* Thanks to GNU for providing GCC at http://www.gnu.org/
* Thanks to Hiroaki Etoh for providing the patch to IBM - etoh at jp.ibm.com
* Thanks to IBM for providing the patch at
* IBM is a registered trademark of the IBM Corporation found at
* Thanks to Gentoo for providing documents and patch http://www.gentoo.org/
* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
* Reformat hint
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
* Added caveat.
* Fixed URLs.
* Light edit
* New bugs found.
* GCC 2.95.3 patches made.
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.