cvs commit: hints propolice.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Tue Oct 28 21:25:12 PST 2003


tushar      03/10/28 22:25:12

  Modified:    .        propolice.txt
  Log:
  Updated Hint: propolice
  
  Revision  Changes    Path
  1.4       +54 -21    hints/propolice.txt
  
  Index: propolice.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/propolice.txt,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -u -r1.3 -r1.4
  --- propolice.txt	25 Oct 2003 00:36:51 -0000	1.3
  +++ propolice.txt	29 Oct 2003 05:25:12 -0000	1.4
  @@ -1,6 +1,6 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2003-10-24
  +DATE:   2003-10-27
   
   LICENSE:        Public Domain
   
  @@ -11,9 +11,9 @@
   buffer overflows.
   
   PREREQUISITES:
  -This hint requires that you have sufficient knowledge of LinuxFromScratch.
  -This hint is available for GCC version 3.3.1.
  -Note: Gcc-2.95.3 and gcc-3.2.3 patches are coming soon.
  +This hint requires that you have sufficient knowledge of Linux.
  +See ceveats below.
  +This hint is available for GCC version 3.3.1 and 2.95.3.
   Note: gcc-core package is the only required component. Others are optional.
   
   HINT:
  @@ -24,44 +24,65 @@
   attacks. ProPolice stack guard has been used against xlockmore-3.10,
   Perl-5.003, elm-2.003, and SuperProbe-2.11 which all have known root exploits.
   Testing showed that when these programs were exploited the stack guard
  -terminated them with a message that a stack smashing attack had been detected.
  -This guard protects against bugs and attacks not yet conceived. It has shown
  -to be robust, practical to use, and preform well. ProPolice has been
  -intergrated into OpenBSD, and should be added to Gentoo Linux in the near
  +terminated them with a message stating a stack smashing attack had been
  +detected. This guard protects against bugs and attacks not yet conceived.
  +It has shown to be robust, practical to use, and preform well. ProPolice has
  +been intergrated into OpenBSD, and should be added to Gentoo Linux in the near
   future, among others. The official website for ProPolice can be found in the
  -acknowledgments at the end of this document.
  +acknowledgments at the end of this document. ProPolice is still young and has
  +not been widely tested. It is my opinion ProPolice, or a varient, will become
  +a normal part of all GNU systems after enough real world testing has been done.
  +This patch adds two compile options to GCC; -fstack-protector enables the
  +protection, and -fno-stack-protector disables the protection.
   
   Caveats
   =======
  -Binutils make check dies from errors when using gcc-propolice.
  -FAIL: S-records
  -FAIL: S-records with constructors
  -This was tested on several machines.
  -Aside from that it looks good.
  -This hint is _alpha_ atm.
  +You can expect a handfull of errors from regression tests in the toolchain.
  +Binutils being the worse. I tested the ProPolice _Only_ patch on several systems
  +with similiar results. Grub will only build with -fno-stack-protector, or you
  +can use lilo. Xfree needs a patch to enable OpenBSD ProPolice code. The X server
  +will be protected, but not the modules. You can also expect problems with
  +libPAM, and likely some unknown problems exist. I have made the authors of these
  +software bundles aware of the problems, and hope they're resolved in future
  +releases.
   
   Choose your patche(s)
   ======================
  -There are 2 types of patches.
  +There are 2 types of patches for GCC.
   
   1. With the ProPolice _Only_ patch the -fstack-protector is used by default
   including during GCC's boostrap phase. With this patch all the software you
   build with GCC will be automaticly protected. If you experience any abnormal
   errors, the -fno-stack-protector can be set to debug the error. Please report
  -any problems. 
  +any problems. ProPolice build errors are easy to spot, look for "smash". 
   
   2. With generic protection GCC does not utilize the patch, and is set
   -fno-stack-protector by default. -fstack-protector can be set in CFLAGS and
  -CXXFLAGS to enable the guard.
  +CXXFLAGS to enable the guard. This is good for testers.
   
   Download
   ========
   md5sum
   f7169c00be8383f1387beac0e93414b3  gcc-3.3.1-propolice_only.patch
   69b6f17d03e6fd95a47246e2180f9f45  gcc-3.3.1-propolice.patch
  +31aa81589fefff88aaaaf9255f6b367b  gcc-2.95.3-propolice_only.patch
  +20e22a1453fba4425042ec13a14f84f9  gcc-2.95.3-propolice.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  +	gcc-3.3.1-propolice_only.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  +	gcc-3.3.1-propolice.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  +	gcc-2.95.3-propolice_only.patch
  +http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  +	gcc-2.95.3-propolice.patch
   
  -http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice_only.patch
  -http://www.linuxfromscratch.org/patches/downloads/gcc/gcc-3.3.1-propolice.patch
  +Xfree86
  +=======
  +If you read this patch you will see how simple it is.
  +md5sum
  +d6d4537e30f0d477666fa429a938b74c  XFree86-4.3.0-propolice.patch
  +http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
  +	XFree86-4.3.0-propolice.patch
   
   Examples
   =========
  @@ -70,6 +91,9 @@
   cd gcc-3.3.1 && 
   patch -Np1 -i ../gcc-3.3.1-propolice_only.patch
   
  +cd xc/
  +patch -Np1 -i ../XFree86-4.3.0-propolice.patch
  +
   Conclusion
   ===========
   When it is installed you can confirm the binaries are protected.
  @@ -86,7 +110,7 @@
   
   TODO
   =====
  -* More testing.
  +More testing.
   
   Feedback
   ========
  @@ -100,6 +124,8 @@
   	http://www.research.ibm.com/trl/projects/security/ssp/
   * IBM is a registered trademark of the IBM Corporation found at
   	http://www.ibm.com
  +* Thanks to Gentoo for providing documents and patch http://www.gentoo.org/
  +* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
   
   CHANGELOG:
   [2003-10-18]
  @@ -112,4 +138,11 @@
   * Added caveat.
   * Fixed URLS.
   * Lite edit
  +[2003-10-25]
  +* New bugs found.
  +[2003-10-26]
  +* GCC 2.95.3 patches made.
  +[2003-10-27]
  +* XFree86-4.3.0 patch made.
  +* Hint is now Beta - Need more feedback.
   
  
  
  



More information about the hints mailing list