entropy and ssp.txt

Robert Connolly robert at linuxfromscratch.org
Sun Apr 18 21:41:03 PDT 2004

Please update these attachments.
-------------- next part --------------
AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)

DATE:		2004-04-18

LICENSE:	Public Domain

SYNOPSIS:	Software controlled random number generation

PRIMARY URL:	http://www.linuxfromscratch.org/~robert/hlfs/hints/files/

Fast and Economical Random number suite:
Frandom uses an arcfour stream cipher of seed data from the kernel's internal
pool. The advantage to frandom is that 4 bytes of kernel entropy can be
expanded into gigabytes of random output. Ideal for wiping discs, and maybe
even for online gaming. A new addition to the frandom package is erandom.
Economical random uses the state of frandom as a seed, and its use does not
drain any kernel entropy. This is done very efficiently, completely in the
kernel. Erandom is ideal for Smashing Stack Protector. Frandom now also
supports sysctl so SSP can use it regardless if /dev/erandom exists or not.
This is slightly faster and works threw chroot.

audio/video entropy daemon:
Many system components including smashing stack protector, mkstemp,
cryptography, aslr in Pax/Grsec depend on a supply of random bits to insure
data integrity. In the Linux kernel a combination of input devices are used
to gather randomness from. This includes the keyboard, mouse, and hard disc.
On an idle system none of these devices are receiving input, and the entropy
(randomness) of the system is easy to deplete, especially with cryptography.
This hint describes two daemons which use either the static noise from the
system audio, or the video frames from a video4linux device. These devices
have a never ending supply of randomness created by thermal fluctuation and
electric fields on the devices. These entropy gathering daemons depend on the
kernel driver for your hardware to work properly, be it your sound or video
card. These programs will re-seed the kernel entropy pool. The programs can
be used together in combination with the kernel's internal values to create
a very random pool from several different sources.



Audio entropy daemon:

make &&
install -g 0 -o 0 -m 755 audio-entropyd /usr/sbin/audio-entropyd

Edit your /etc/rc.d/init.d/random and start audio-entropyd just after seeding
urandom, and stop it just after saving random-seed. The pid file will be in
/var/run. You don't need to reboot to use it, but you do need your sound card
driver loaded, and be root.

Video entropy daemon:

make &&
install -g 0 -o 0 -m 755 video_entropyd /usr/sbin/video_entropyd

Add this to root's crontab every minute or so. It can not run as a daemon
because it will lock the video device. Depends on video4linux. Using one or
both of these daemons should be adequate for sustained moderate-to-heavy use.

Nothing else needs to be done, applications can continue to use /dev/random
and /dev/urandom normally. You should notice crypto keys get made faster.


You don't need the frandom-0.8 source, its presented so you can read more
about it if you want. The Linux kernel patch is all we need.
Frandom is built in by default with this patch. It can be found in the
character devices menu. Build and install the new kernel.

cd linux-2.4.26
patch -Np1 -i ../linux-2.4.26-frandom-1.patch

mknod /dev/frandom c 235 11
mknod /dev/erandom c 235 12

To use it for SSP use the glibc-ssp-frandom patch.

 - Testing entropy
You should try to test this on an idle machine. Nothing compiling in
background, no updatedb running, etc. Moving/clicking the mouse, keyboard, and
even network traffic will create entropy in the pool, and affect results.
Todo: Have tests for entropy quality, not just quantity.

Fetch this:

Open two windows with non-root login. This is easiest to do in X, else split
a console window in two. In one window do this:

gcc -o entropy_watch entropy_watch.c

In the next window do something like this:

dd if=/dev/{u,f,e}random of=/dev/null bs=1 count=1024

If one or both of the entropyd programs are running you should see the pool
being refilled. Kill the entropyd program(s) and you should see it does not
refill so quickly. Move the mouse and play with it if you like. If you use a
small count like count=512 the entropyd program(s) may not refill immedietly
because the pool is still large enough. This is to improve preformance.

* Thanks to Solar for entropy_watch.c. - http://dev.gentoo.org/~solar/
* Thanks to Eli Billauer for the Frandom suite. -

* Initial post
* Added test. Thanks to Solar.
* Added frandom/erandom.
-------------- next part --------------
AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)

DATE:		2004-04-18

LICENSE:	Public Domain

SYNOPSIS:	Smashing Stack Protector and Libsafe

PRIMARY URL:	http://www.linuxfromscratch.org/~robert/winter/Linux/

Smashing Stack Protector is a C and C++ security extension for GCC.
Libsafe prevents format string attacks.

Based on StackGaurd, SSP was developed by IBM for protecting applications
from stack smashing attacks. This is the single largest class of attacks and
many security oriented vendors have added it to their default compiler. The
overhead lost to this type of guard is minimal. In practice if the entire
system is built with SSP users shouldn't notice any difference in preformance.

The official homepage for ProPolice Smashing Stack Srotector is at:

"Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a
random canary between any stack allocated character buffers and the return
pointer [5]. It then validates that the canary has not been dirtied by an
overflowed buffer before the function returns. ProPolice can also reorder local
variables to protect local pointers from being overwritten in a buffer overflow.
Also see:

It is strongly reccomendend that you read about and install frandom/erandom,
before installing from this hint.



		Extra security patches
		Full Bounds Checking


Smashing Stack Protector
All the patches and this hint are in here:

The GCC patch will add -fstack-protector-all, -fstack-protector, and
-fno-stack-protector to GCC extensions for C and C++; and
__guard_setup and __stack_smash_handler are defined in libgcc2.c. This code is
supplied by IBM, I have changed one definition to enable libc functions, and
added "ssp" to the version string. The gcc2 patch is only needed if you plan to
use gcc2 to build the kernel, and want stack protection in the kernel.

        gcc-3.3.{1|2|3}-ssp-1.patch # and/or

The libc patch will define __guard_setup and __stack_smash_handler in libc.so
so the kill function can be kept in a shared object. In the Glibc patch the
urandom device is used to gather a small amount of random bits for the gaurd
value. This steals entropy from the rest of the system every time a program runs
and isn't as ideal as using arc4() from libc/sysctl and the kernel, however this
is not yet available in Linux (ask your local Guru). If you wish, you can
use Entropy Gathering Daemon (http://egd.sourceforge.net/) as a replacement
for /dev/urandom. Remember the random device must be present in chroot
enviroments or the function will fallback to using the terminator canary for a
random value. The fallback is neither efficient nor very random. /dev/log will
also need to be present in chroot for syslog to log stack overflows. It is
reccomended intrusion detection systems monitor the system logs for these

        glibc-2.3.{2,3}-ssp-frandom-1.patch # <- Recommended
	glibc-2.3.{2,3}-ssp-functions-1.patch # <- Depreciated

The GCC Specs patch adds -fstack-protector-all to GCC's default compiler flags.
Filters prevent libraries and the kernel from being built with unnessesary
smash symbols. This patch will build all main executables with stack protection.
This patch makes using stack protector almost transparent. This gcc2 patch is
not nessesary for anyone using gcc3 as their main compiler, it is provided for

	gcc-3.3-sspspecs-3.patch # and/or

The Linux kernel patch adds support to the Linux kernel for smash symbols. It
can only build with -fstack-protector, not -fstack-protector-all, and is
therefore excluded from the default specs in the sspspecs patch.

        linux-2.4.26-ssp-1.patch # or

The XFree86 patch disables stack protection for some modules. XFree86 4.4 is
not yet patched/supported.

http://www.linuxfromscratch.org/patches/downloads/XFree86/ \

Extra security patches
This patch fixes a bug in both glibc-2.3.2 and glibc-2.3.3. This bug can be
reproduced by bind9's testsuite.

This patch adds a sanity check to malloc. Backported from the Owl project.

Official site:
-The good news:

Libsafe was developed by Avaya Labs to protect against format string
vulnerabilities. Though not widely used it has been widely tested. This
protection can be installed on an already running system, using ld.so.preload
to watch applications at runtime for functions which are known to be vulnerable.
This of course only protects dynamically linked applications. There should not
be a noticeable performance decrease, and it also logs to syslog.

-The bad news:

Libsafe is obsolete, you can still use it if you wish.
We get some errors if we install Libsafe early in the build.
FAIL: g++.dg/expr/anew1.C execution test
FAIL: g++.dg/expr/anew2.C execution test
FAIL: g++.dg/expr/anew3.C execution test
FAIL: g++.dg/expr/anew4.C execution test

FAIL: S-records
FAIL: S-records with constructors

To avoid these errors install Libsafe after gcc in chapter 6. Libsafe is
somewhat obsolete. Most modern software either doesn't use these strings, or
uses them properly. All of the example exploits in exploits/ will fail because
of SSP.

Hardened GCC
This is now sspspecs.patch.

Full Bounds Checking
This is an auditing tool to give verbose debugging. Applications built with this
will run very slowly. This is not intended for real world use, only for
debugging. -fbounds-checking is added to GCC extensions, and is not used by
default. You can also add this to the specs, but I don't reccomend it with
-fstack-protector with debugging if you want to get consistent results (read up
about /dev/urandom). Applications compiled with this will crash if any part of
the program goes out of bounds.

Official site (more versions are available):


Chapter 5
Don't forget to install the frandom kernel patch from entropy.txt.
(See under PREREQUISITES above)

 - GCC pass 1
If the host system has SSP in Glibc already, then you can patch gcc
here. Otherwise do not. If in doubt, wait until pass two.
 - Glibc
patch -Np1 -i ../glibc-2.3.2-ssp-frandom-1.patch

 - GCC pass 2
patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
patch -Np1 -i ../gcc-3.3-sspspecs-3.patch

 - Binutils pass 2
Just for the testsuite.
make CFLAGS="-fno-stack-protector" check

Chapter 6
 - Glibc
patch -Np1 -i ../glibc-2.3.2-ssp-frandom-1.patch

 - Binutils
make CFLAGS="-fno-stack-protector" check

 - GCC
hgcc -fa
patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
patch -Np1 -i ../gcc-3.3-sspspecs-3.patch

 - Grub
CFLAGS="-fno-stack-protector" ./configure...

 - GCC 2.95.3
patch -Np1 -i ../gcc-2.95.3-ssp-1.patch

Chapter 8
Linux kernel

make mrproper &&
patch -Np1 -i ../linux-2.4.26-ssp-1.patch

make menuconfig

make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage

There are a couple tests in this package which may also be usefull here.
There are also tests in the libsafe source.

This will test -fstack-protector-all

cat > fail.c << "EOF"
#include <stdio.h>
#include <unistd.h>

int foo(char *blah) {
  char buffer[7];
  sprintf(buffer, "12345678901234567890123456789012345678901234567890");

int main(int argc, char **argv) {
  printf("before foo()\n");
  printf("after foo()\n");

gcc -fstack-protector-all -o fail fail.c &&


<cendres at videotron dot ca>


* Thanks to Hiroaki Etoh for providing the SSP patch to IBM
* Thanks to IBM for providing the SSP patch at
* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
* Thanks to netsys.com for this
* Thanks to securityfocus.com and immunix.com for this
* Thanks to adamantix.org for kernel patches. http://www.adamantix.org/
* Thanks to Avaya Labs for Libsafe
* Thanks to the Pax Team at http://pageexec.virtualave.net/
* Thanks to Teemu Tervo for nptl hint
* Thanks to cross compiling hint
	http://www.linuxfromscratch.org/hints/downloads/files/ \
* Thanks to http://www.isecurelabs.com/news/64 for proof of concept tests.
* Thanks to Gentoo http://www.gentoo.org/proj/en/hardened/etdyn-ssp.xml
* Thanks to Eli Billauer for the Frandom suite. -

* Debut
* Reformat hint
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
* Added caveat.
* Fixed URLS.
* Lite edit
* New bugs found.
* GCC 2.95.3 patches made.
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.
* Edit
* Reformatted patches.
* Reformat patches.
* Update/edit hint.
* Add new example tests.
* Reformat patches.
* Add homepage/mirror url.
* Small edit.
* Added Glibc and kernel patches.
* Rewrote install procedure.
* Try to be more informative.
* Removed Gentoo property.
* Added Libsafe.
* Added Pax.
* Added new versions of binutils and glibc.
* Added GCC PIE.
* Rename filename to winter.txt.
* Do not use "Enforce non-executable pages"
* Spell check.
* Fixed URL.
* Added LOPTS to Net-tools.
* Added LDFLAGS to Perl.
* More cflags.
* New tests.
* Renamed hint back to propolice.txt.
* Added back Gentoo property as optional.
* Added HCC
* Cleanup
* Update urls
* Convert propolice to ssp
* Update gcc-3.3.3 and linux-2.6.2 ssp patches
* Update linux-2.6.3 patch and hgcc url
* Add sspspecs patch. Update.
* Added entropy.txt link for erandom.

More information about the hints mailing list