cvs commit: hints propolice.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Sat Jan 17 12:28:51 PST 2004


tushar      04/01/17 13:28:51

  Modified:    .        propolice.txt
  Log:
  Updated propolice.txt
  
  Revision  Changes    Path
  1.12      +80 -132   hints/propolice.txt
  
  Index: propolice.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/propolice.txt,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -u -r1.11 -r1.12
  --- propolice.txt	17 Jan 2004 03:30:02 -0000	1.11
  +++ propolice.txt	17 Jan 2004 20:28:51 -0000	1.12
  @@ -1,12 +1,12 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2003-12-30
  +DATE:   2004-01-17
   
   LICENSE:        Public Domain
   
   SYNOPSIS:       ProPolice and Libsafe
   
  -PRIMARY URL:	ftp://twocents.mooo.com/pub/
  +PRIMARY URL:	ftp://twocents.mooo.com/pub/hcc/
   
   DESCRIPTION:
   ProPolice is a C and C++ security extension for GCC.
  @@ -22,8 +22,7 @@
   
   	Introduction
   		ProPolice in Glibc vs GCC
  -		CFLAGS and ProPolice
  -		ProPolice bugs
  +		CFLAGS and Bugs
   		Hardened GCC
   		Libsafe
   	Downloads
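Review bot: the table of contents still lists "Hardened GCC" under Introduction, but this revision deletes the Hardened GCC subsection from the Introduction (the remaining Hardened GCC heading is under Downloads). Either keep a short Hardened GCC paragraph in the Introduction describing what hgcc.sh does to the specs file, or drop the entry here so the contents match the body.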
  @@ -35,7 +34,6 @@
   ============
   Introduction
   ============
  -This whole hint is experimental.
   
   ProPolice Smashing Stack Protector
   -The good news:
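Review bot: dropping "This whole hint is experimental." removes the only caveat about maturity, while the same revision still reports unresolved binutils test-suite failures and states that Grub cannot be built with ProPolice at all. Consider keeping a one-line status note (for example that the binutils and Grub issues are known and worked around) so readers of a stack-protector hint know what is and is not proven.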
  @@ -45,7 +43,7 @@
   many hope ProPolice will find its way into the mainstream GCC and become the
   default smash guard. This protection uses the urandom device to determine the
   guard value, and uses minimal time and space overhead. In practice users do not
  -complain about loss in system performance even when the entire system is build
  +complain about loss in system performance even when the entire system is built
   with this guard.
   
   The patch will add -fstack-protector-all, -fstack-protector, and
  @@ -59,21 +57,23 @@
   
   -The bad news:
   
  -ProPolice does not protect the heap. It was designed to trade security for
  -portability and performance.
  -Optimizing more then -O2 may optimize away things ProPolice needs.
  +ProPolice does not protect against everything, infact it has been a long time
  +since a stack smashing exploit has been a threat, and with modern software it's
  +somewhat unlikely to happen again, but never say never. It was designed to trade
  +security for portability and performance.
   
   ------------------------
   ProPolice in Libc vs GCC
   ------------------------
  -The official ProPolice maintainer has added support for a Gentoo Glibc stack
  +The official ProPolice maintainer has added support for Gentoo Glibc stack
   protector implementation. Gentoo states this patch for Glibc is to correct
   static linking problems with some software, and was aided by OpenBSD developers.
  -The Gentoo Glibc method might be the more secure stable choice, feedback and
  -research is needed.
  +Some of the reasons this is better are that stack symbols are kept in a shared
  +library instead of in the binary, where they can be stripped or optimizted away.
  +Aside from being cleaner, it should minutely improve preformance.
   
   --------------------
  -CFLAGS and ProPolice
  +CFLAGS and Bugs
   --------------------
   The ProPolice maintainer distributes two patches. The main patch is the guts of
   the code, the second patch enables -fstack-protector by default. This isn't as
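Review bot: the rewritten "bad news" paragraph drops the concrete limitation in the old text, that ProPolice does not protect the heap, and replaces it with "it has been a long time since a stack smashing exploit has been a threat", which understates the problem this hint exists to mitigate and is supported by nothing else on the page; keep the heap sentence (and the warning that optimizing above -O2 can optimize away what ProPolice needs, which was also removed) and drop the speculation. In the Libc vs GCC paragraph, "stack symbols" should name what is meant, presumably the guard value and the smash handler that the glibc-*-propolice-guard-functions patch supplies, so that binaries reference them from libc instead of carrying their own copies; "optimizted" and "preformance" are misspelled, as is "infact" above.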
  @@ -81,46 +81,10 @@
   -fstack-protector-all protects all functions regardless of array size, while
   -fstack-protector does not protect arrays of length seven or less. ProPolice
   often triggers bugs in software, -fstack-protector-all causes even more. The
  -only serious bugs I have noticed so far have been with XFree86 and tool chain test
  -suites. The patch for X makes use of OpenBSD code in XFree86 so it builds with
  -ProPolice. Adding -fstack-protector-all to your cflags is encouraged, but right
  -now I know it will cause yet more errors.
  -
  -------------
  -Hardened GCC
  -------------
  -Gentoo developers have created a shell script which edits the GCC spec file for
  -us. This makes ProPolice easier to use, and adds et_dyn. Their source include
  -crt1S.S which is distributed by PaX to make use of et_dyn in Glibc-2.3.2.
  -Glibc-2.3.3 has intergrated this feature. I have taken the Gentoo source for
  -sys-devel/hardened-gcc and adapted it for LFS. I basicly only changed "ewarn" to
  -"echo" and /usr to /tools, where it was needed. However this doesn't end.
  -Gentoo's newest hardened-gcc depends on gcc-config (another Gentoo script), and
  -Python. So hopefully one of us will be able to rewrite this script in the future
  -to drop the Python dependency. This script won't disable the protector_only patch,
  -so don't use it. You will need sed-4.x on your host. And binutils that understands
  --pie to use et_dyn.
  -
  ---------------
  -ProPolice bugs
  ---------------
  -I have ways of making most of these go away.
  -
  -Binutils
  -FAIL: bootstrap with --static
  -FAIL: S-records
  -FAIL: S-records with constructors
  -
  -GCC
  -You only get the first two with -ftsack-protector and the GCC method.
  -Otherwise you get all of them. I'm looking for fixes.
  -
  -FAIL: gcc.dg/asm-names.c (test for excess errors)
  -FAIL: gcc.dg/duff-2.c (test for excess errors)
  -FAIL: gcc.dg/uninit-C.c (test for excess errors)
  -FAIL: gcc.dg/special/gcsec-1.c (test for excess errors)
  -FAIL: g++.dg/tls/init-2.C
  -FAIL: g++.law/weak.C (test for excess errors)
  +only unresolved bug I have noticed so far have been with binutils test suite.
  +However its only with the test suite, not anything that will be installed. By
  +removing -fstack-protector just for make check, the tests should all pass. Also
  +because of the nature of Grub, it can not be built with ProPolice.
   
   --------
   Libsafe
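Review bot: the replacement text loses the list of specific test-suite failures (the three binutils FAILs and the six GCC test names) without saying they were fixed; if the GCC testsuite now passes with protector-4, say so explicitly, otherwise keep the list so readers can tell an expected FAIL from a real regression. "The only unresolved bug ... have been" should be "has been". The Grub statement should say why it cannot be built: Grub's boot stages are freestanding code that do not link against the libc that supplies the guard symbols, which is also why the Chapter 6 steps wrap it in hgcc -r and hgcc -fa. And "removing -fstack-protector just for make check" should say that this means turning it off in the specs (hgcc -r), since with hgcc the flag is no longer passed on the command line.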
  @@ -147,46 +111,58 @@
   FAIL: S-records
   FAIL: S-records with constructors
   
  -To avoid these errors we install Libsafe after gcc in chapter 6.
  -Other bad news is unknown.
  +To avoid these errors install Libsafe after gcc in chapter 6. Libsafe is
  +somewhat obsolete. Most modern software either doesn't use these strings, or
  +uses them properly. All of the example exploits in exploits/ will fail because
  +of propolice.
   
   =========
   Downloads
   =========
  +Primary site. This will have the latest docs and patches.
  +ftp://twocents.mooo.com/pub/hcc/propolice.tar.bz2
  +
   ----------
   ProPolice
   ----------
  -This is all available from:
  -ftp://twocents.mooo.com/pub/
  -
  -Patches are available for GCC 2.95.3, 3.3.1, and 3.3.2.
  -The protector_only patches will make GCC use -fstack-protector all the time.
  -http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -        gcc-{$ver}-protector-3.patch
  -http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -        gcc-{$ver}-protector_only-3.patch
  +The protector_only patches will no longer be supported because hgcc is better
  +(see below).
   
  -Patches are for glibc-2.3.2 and 2.3.3.
   http://www.linuxfromscratch.org/patches/downloads/glibc/ \
   	glibc-2.3.2-propolice-guard-functions-1.patch
   http://www.linuxfromscratch.org/patches/downloads/glibc/ \
   	glibc-2.3.3-propolice-guard-functions-1.patch
   
  +http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  +        gcc-{$ver}-protector-4.patch
  +	gcc-2.95.3-protector-5.patch
  +
   This patch enables the kernel to be built with -fstack-protector.
  +Patches cleanly on 2.4.24 aswell.
  +
   http://www.linuxfromscratch.org/patches/downloads/linux/ \
   	linux-2.4.23-protector-1.patch
   or
  -	linux-2.6.0-protector-1.patch
  +	linux-2.6.1-protector-1.patch
   
   Use this patch when building xfree86. It will use -fno-stack-protector when
  -building modules.
  +building video modules.
   http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
           XFree86-4.3.0-protector-1.patch
   
   ------------
   Hardened GCC
   ------------
  -ftp://twocents.mooo.com/pub/hcc/hlfs-hcc-0.1.tar.bz2
  +This is a bash script that will edit the gcc specs file.
  +ftp://twocents.mooo.com/pub/hcc/hgcc.sh
  +
  +# hgcc
  +Hardened Gnu C Compiler version zero dot three dot one
  +Currently Supporting - ProPolice
  +                 -fa Set -fstack-protector-all (Recommended default)
  +                 -V Show current setting
  +                 -r Restore Spec file to original condition
  +                 -v Show script version
   
   --------
   Libsafe
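Review bot: the GCC patch list now reads "gcc-{$ver}-protector-4.patch" followed by "gcc-2.95.3-protector-5.patch" under one URL, but the sentence that said which versions exist (2.95.3, 3.3.1, 3.3.2) was deleted, so {$ver} is undefined; list the supported versions and their patch levels, since the Chapter 5 and 6 steps apply gcc-3.3.2-protector-4.patch and gcc-2.95.3-protector-5.patch. The "Patches are for glibc-2.3.2 and 2.3.3." line was removed while both glibc links remain; keep a lead-in for them. In the Libsafe paragraph, "these strings" should be "these string functions", and the conclusion that Libsafe is obsolete because the example exploits fail under ProPolice overlooks binaries that are not rebuilt with the protector, which is the case Libsafe still covers. Also "aswell" in the kernel patch note.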
  @@ -200,9 +176,12 @@
   Full Bounds Checking
   --------------------
   This is an auditing tool to give verbose debugging. Applications built with this
  -will run like a pig. This is not intended for real world use, only for
  +will run very slowly. This is not intended for real world use, only for
   debugging. -fbounds-checking is added to GCC extensions, and is not used by
  -default.
  +default. You can also add this to the specs, but I don't reccomend it with
  +-fstack-protector with debugging if you want to get consistent results (read up
  +about /dev/urandom). Applications compiled with this will crash if any part of
  +the program goes out of bounds.
   Official site:
   http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ \
   	bounds-checking-gcc-3.3.2-1.00.patch.bz2
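Review bot: the sentence "I don't reccomend it with -fstack-protector with debugging if you want to get consistent results (read up about /dev/urandom)" is hard to parse; state the cause directly: the guard value is read from /dev/urandom at process start, so a run that corrupts the canary can fail at different points or with different values between runs, which makes bounds-checking output less reproducible. "reccomend" is misspelled, and consider "aborts" rather than "crash", since a bounds-check failure is the tool stopping the program deliberately.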
  @@ -217,83 +196,52 @@
   ---------
   Chapter 5
   ---------
  - - GCC pass 1
  -If you are using the GCC method, ProPolice can be added to GCC pass one. If you
  -are switching methods, or using the Glibc method from a generic host, wait
  -until GCC pass two. If the host system is using the Glibc method, it can be
  -repeated in GCC pass one. If in doubt, wait until pass two.
  +Before all binutils make check, do hgcc -r, after make check, do hgcc -fa
   
  + - GCC pass 1
  +If the host system has ProPolice in Glibc already, then you can patch gcc
  +here. Otherwise do not. If in doubt, wait until pass two.
    - Glibc
  -If you're using the Glibc method (recommenced) add this patch, otherwise do not.
   patch -Np1 -i ../glibc-2.3.2-propolice-guard-functions-1.patch
   
    - GCC pass 2
  -You could get some errors from the tests. More for for the using Glibc method.
  -Don't worry too much about errors here, you'll get fewer after hcc is installed.
  -patch -Np1 -i ../gcc-3.3.1-protector-3.patch
  +patch -Np1 -i ../gcc-3.3.2-protector-4.patch
  +
  + - HGCC
  +Now you can turn on -fstack-protector-all in the specs file with the hgcc script.
  +cp hgcc.sh /tools/bin/hgcc
  +chmod +x /tools/bin/hgcc
  +hgcc -fa
   
  - - HLFS GCC
  -Note: crt1S.S can be edited for a specific kernel version. I used 2.4.1 as the
  -min version number.
  -cp /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.1/specs ~/gcc.tools.specs
  -cp chapter5/hardened-gcc-* /tools/bin
  -cp chapter5/hcc.conf /tools/etc
  -ln -s hardened-gcc-arch-specific.sh /tools/bin/hcc
  -cd glibc-2.3.2 && make
  -cp crt1S.o /tools/lib
  -hcc -a
  -
  - - Binutils pass 2
  -The only way to make this stable is by using `hcc -r` before make. The best I
  -could do still produced "FAIL: bootstrap with --static". Untill this is fixed I
  -do not reccomend building binutils with propolice.
  -
  -hcc -a should work fine for the rest of the chapter.
  -Don't forget to install m4, bison, and flex to /tools if you're using HJL binutils
  -for et_dyn.
   ---------
   Chapter 6
   ---------
    - Glibc
  -No errors from make check. hcc -a just to be sure.
  +No errors from make check.
  +hgcc -fp
   patch -Np1 -i ../glibc-2.3.2-propolice-guard-functions-1.patch
   
  - - Binutils
  -hcc -r
  -
    - GCC
  -hcc -a
  -patch -Np1 -i ../gcc-3.3.2-protector-3.patch
  +hgcc -fa
  +patch -Np1 -i ../gcc-3.3.2-protector-4.patch
   
  -I get:
  -FAIL: gcc.dg/duff-2.c (test for excess errors)
  -FAIL: gcc.dg/uninit-C.c (test for excess errors)
  -FAIL: g++.dg/tls/init-2.C (test for excess errors)
  -
  - - HCC GCC
  -cp /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.1/specs ~/gcc.specs
  -Never overwrite this file. This file is the only file hcc changes. Copy it back
  -if you ever have serious problems.
  -
  -cp chapter6/hardened-gcc-* /usr/bin &&
  -cp chapter6/hcc.conf /etc &&
  -ln -s hardened-gcc-arch-specific.sh /usr/bin/hcc &&
  -cd glibc-2.3.2 && make &&
  -cp crt1S.o /usr/lib &&
  -hcc -a
  + - HLFS GCC
  +cp hgcc.sh /usr/bin/hgcc
  +hgcc -fa
   
    - Libsafe
  -All of the exploits in exploits/ will fail because of hcc. Libsafe is obsolete.
  -You can install it if you want to, it has worked fine for me with kde, etc.
   make &&
   make install
   
    - Grub
  -make CFLAGS=-fno-stack-protector
  +hgcc -r
  +...
  +make install
  +hgcc -fa
  +...
   
    - GCC 2.95.3
  -The protector_only patch does not seem to work with the Glibc method.
  -patch -Np1 -i ../gcc-2.95.3-protector-3.patch
  +patch -Np1 -i ../gcc-2.95.3-protector-5.patch
   
   ---------
   Chapter 8
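Review bot: Chapter 6 Glibc uses "hgcc -fp", but the hgcc usage text added in this same revision lists only -fa, -V, -r and -v; either -fp is a typo for -fa or it is an undocumented option, so fix one or the other. The Chapter 5 lead-in "Before all binutils make check, do hgcc -r" cannot apply to binutils pass 1, because hgcc is only copied into /tools/bin after GCC pass 2 in these steps; say it applies from binutils pass 2 onward, and in Chapter 6 as well, given the binutils test failures described earlier, yet the Chapter 6 "Binutils: hcc -r" step was removed without a replacement. The advice to back up the GCC specs file before the first change was dropped; since hgcc -r is now the only restore path, keep a note to copy the specs first. The Grub step's "..." hides which commands run between hgcc -r and make install; spell out the configure, make and make install sequence so a reader knows the protector is off for the whole build, not just the install.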
  @@ -312,10 +260,6 @@
   ========
   Testing
   ========
  -The purpose of these examples is not to create havoc, but instead to help anyone
  -abuse their own software so they can make reports, and get them fixed, before
  -they are exploited. I hope to add more general ways of testing software. 
  -
   These exploits are obsolete.
   
   ## This program overflows the stack.
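Review bot: removing the purpose paragraph leaves the Testing section opening with the bare "These exploits are obsolete.", which sits oddly beside the section's continued use of them to demonstrate ProPolice, Libsafe and PaX; keep one sentence saying the examples exist to check that the protections work on your own build, and say what "obsolete" means here (textbook overflows that current protections catch, not something expected to work against current software).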
  @@ -473,7 +417,7 @@
   
   This only demonstrates that bad code can freak out and exit to a shell.
   If this code were part of a daemon running as root, or suid, it would give
  -root shell. The exploits in the libsafe source, and paxtest is basicly the
  +root shell. The exploits in the libsafe source, and paxtest are basically the
   same as this. The paxtest ones are the most modern.
   
   Now lets try this code with propolice.
  @@ -491,7 +435,7 @@
   0x40047b81 in kill () from /lib/libc.so.6
   (gdb)
   
  -Here we can see propolice aborted the program, and now ./x.pl also aborts.
  +Here we can see ProPolice aborted the program, and now ./x.pl also aborts.
   Next we test libsafe.
   
   rm foo && gcc -fno-stack-protector -o foo foo.c
  @@ -510,7 +454,7 @@
   Killed
   
   And now if you want to build the PaX patch into your kernel, reboot,
  -and start again you will notice the first test doesn't work because
  +and start again. You will notice the first test doesn't work because
   the return address keeps changing.
   
   ========
  @@ -594,3 +538,7 @@
   [2003-12-30]
   * Renamed hint back to propolice.txt.
   * Added back Gentoo property as optional.
  +[2004-01-01]
  +* Added HCC
  +[2004-01-17]
  +* Cleanup
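Review bot: the changelog entry "Cleanup" for 2004-01-17 understates the change: hcc (the hardened-gcc scripts, crt1S.o and hcc.conf) is replaced by hgcc.sh, the protector_only patches are dropped, the GCC patches move from protector-3 to protector-4 (and protector-5 for 2.95.3), the kernel patch moves to 2.6.1, and the ProPolice bugs section is removed. List those so a reader upgrading from 1.11 knows which files and steps changed; also the 2004-01-01 entry says "Added HCC" although this revision removes it, so note the replacement there or here.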
  
  
  


