ssp hint

Robert Connolly robert at linuxfromscratch.org
Sat Oct 30 08:14:33 PDT 2004


I added one line. Please update this hint.
-------------- next part --------------
AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)

DATE:		2004-10-30

LICENSE:	Public Domain

SYNOPSIS:	Smashing Stack Protector and Libsafe

PRIMARY URL:	http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt

DESCRIPTION:
Smashing Stack Protector is a C and C++ security extension for GCC.
Libsafe prevents format string attacks.

Based on StackGuard, SSP was developed by IBM for protecting applications
from stack smashing attacks. This is the single largest class of attacks and
many security-oriented vendors have added it to their default compiler. The
overhead of this type of guard is minimal. In practice, if the entire
system is built with SSP, users shouldn't notice any difference in performance.

The official homepage for ProPolice Smashing Stack Protector is at:
http://www.trl.ibm.com/projects/security/ssp/

http://www.usenix.org/events/sec01/full_papers/frantzen/frantzen_html/\
        node30.html
"Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a
random canary between any stack allocated character buffers and the return
pointer [5]. It then validates that the canary has not been dirtied by an
overflowed buffer before the function returns. ProPolice can also reorder local
variables to protect local pointers from being overwritten in a buffer overflow.
"
Also see:
http://www.linuxfromscratch.org/hlfs/
http://www.linuxfromscratch.org/~robert/FreeBSD/freebsd-ssp.txt
http://www.linuxfromscratch.org/~robert/NetBSD/netbsd-ssp.txt

PREREQUISITES: None
The frandom kernel patch is now required for SSP. This provides the erandom
device and sysctl interface. Using erandom stops a serious entropy depletion
problem while still providing urandom quality random bytes. Ideally you should
reboot into an frandom kernel before installing SSP, but SSP will build without it.
If the erandom sysctl interface is missing from the system (vanilla kernel)
then /dev/urandom will be used; if /dev/urandom is missing (chroot) then
gettimeofday() will be used. Read this to install frandom:
http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt
You will need the header from the frandom patch installed to build glibc.

HINT:

=======
Context
=======

	Introduction
	Extras
		Extra security patches
		Libsafe
	Installation
	Testing
	Feedback
	Acknowledgments

============
Introduction
============

Smashing Stack Protector

The GCC patch will add -fstack-protector-all, -fstack-protector, and
-fno-stack-protector to GCC extensions for C and C++; and
__guard_setup and __stack_smash_handler are defined in libgcc2.c. This code is
supplied by IBM, I have changed one definition to enable libc functions, and
added "ssp" to the version string. The gcc2 patch is only needed if you plan to
use gcc2 to build the kernel, and want stack protection in the kernel.
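
How the guard and the smash handler named above fit into a protected function,
as an added illustration (not code from the GCC patch or from IBM). It is a
hand-written model of the check; demo_guard, demo_smash_handler, struct
demo_frame and demo_protected_copy are hypothetical names, and the guard value
and handler message are constructed.

```c
/* Added illustration: a hand-written model of the guard check that
 * -fstack-protector inserts. All demo_* names are hypothetical. */
#include <stdio.h>
#include <string.h>

static unsigned long demo_guard = 0x5a17c0deUL; /* constructed value */
static int demo_smashed; /* set instead of killing the process */

static void demo_smash_handler(const char *func)
{
    demo_smashed = 1;
    fprintf(stderr, "stack smashing detected in %s\n", func);
}

/* One protected frame: the guard copy sits above the character buffer. */
struct demo_frame {
    char buffer[8];
    unsigned long guard;
};

/* Copy len bytes with no bounds check against buffer, as sprintf or
 * strcpy would, then run the epilogue check. Returns 0 or -1. */
static int demo_protected_copy(const char *input, size_t len)
{
    struct demo_frame f;

    f.guard = demo_guard;            /* prologue: place the guard */
    if (len > sizeof f)              /* keep the model itself in bounds */
        len = sizeof f;
    memcpy(&f, input, len);          /* may run past buffer into guard */

    if (f.guard != demo_guard) {     /* epilogue: validate before return */
        demo_smash_handler(__func__);
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *big = "12345678901234567890123456789012345678901234567890";

    printf("short copy: %d\n", demo_protected_copy("1234567", 8));
    printf("long copy:  %d\n", demo_protected_copy(big, strlen(big)));
    return 0;
}
```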

If any of these links are broken look for a newer version.

*** All of these patches are in:
http://www.linuxfromscratch.org/~robert/hlfs/downloads/cvs/\
	hlfs-patches-{date}.tar.bz2
For example: hlfs-patches-20041028.tar.bz2

Note: gcc-3.3 patches apply to gcc-3.3.* too. Likewise with gcc-3.4 patches.

http://www.linuxfromscratch.org/patches/downloads/gcc/\
        gcc-3.3-ssp-4.patch
	gcc-3.4-ssp-2.patch
        gcc-2.95.3-ssp-4.patch

The Glibc patch will define __guard_setup and __stack_smash_handler in libc.so
so the kill function can be kept in a shared object. In the Glibc patch the
erandom device is used to gather a small amount of random bits for the guard
value. /dev/log will also need to be present in chroot for syslog to log stack
overflows. It is recommended that intrusion detection systems monitor the system
logs for these alerts.

http://www.linuxfromscratch.org/patches/downloads/glibc/\
        glibc-2.3.2-ssp-frandom-5.patch
	glibc-2.3.4-ssp_frandom-4.patch # This works for glibc-2.3.3 too.

This GCC Specs patch adds -fstack-protector-all to GCC's default compiler flags.
Filters prevent libraries and the kernel from being built with unnecessary
smash symbols. This patch will build all main executables with stack protection.
This patch makes using stack protector almost transparent. This gcc2 patch is
not necessary for anyone using gcc3 as their main compiler; it is provided for
legacy.

http://www.linuxfromscratch.org/patches/downloads/gcc/\
	gcc-3.3-sspspecs-3.patch
	gcc-3.4-sspspecs-2.patch
	gcc-2.95.3-sspspecs-2.patch

The Linux kernel patch adds support to the Linux kernel for smash symbols. It
can only build with -fstack-protector, not -fstack-protector-all, and is
therefore excluded from the default specs in the sspspecs patch.

http://www.linuxfromscratch.org/patches/downloads/linux/\
        linux-2.4.27-ssp-1.patch # or
        linux-2.6.5-ssp-1.patch # This still works on newer 2.6 kernels.

http://www.linuxfromscratch.org/patches/downloads/linux/\
        linux-2.4.27-frandom-1.patch # or
	linux-2.6.8.1-frandom-1.patch # This works on 2.6.9 too.

There is also an mktemp patch for frandom:

http://www.linuxfromscratch.org/patches/downloads/mktemp/\
	mktemp-1.5-frandom-1.patch

The XFree86 patch disables stack protection for some modules.

http://www.linuxfromscratch.org/patches/downloads/XFree86/\
        XFree86-4.3.0-ssp-1.patch

And for LFS-6

http://www.linuxfromscratch.org/patches/downloads/\
        linux-libc-headers/linux-libc-headers-2.6-frandom-1.patch
ftp://twocents.mooo.com/pub/hlfs-patches/linux-libc-headers-2.6-frandom-1.patch

======
Extras
======
----------------------
Extra security patches
----------------------
This patch fixes a bug in both glibc-2.3.2 and glibc-2.3.3. This bug can be
reproduced by bind9's testsuite.
http://www.linuxfromscratch.org/patches/downloads/glibc/\
	glibc-2.3.3-got-fix-1.diff

This patch adds a sanity check to malloc. Backported from the Owl project.
(http://www.openwall.com/Owl/)

Note: This patch was integrated in the latest glibc-2.3.4 (cvs) package.

http://www.linuxfromscratch.org/patches/downloads/glibc/\
	glibc-2.3.3-owl-malloc-unlink-sanity-check-1.patch

--------
Libsafe
--------
Official site:
http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz

Note: Libsafe is obsolete; you can still use it if you wish.

Libsafe was developed by Avaya Labs to protect against format string
vulnerabilities. Though not widely used it has been widely tested. This
protection can be installed on an already running system, using ld.so.preload
to watch applications at runtime for functions which are known to be vulnerable.
This of course only protects dynamically linked applications. There should not
be a noticeable performance decrease, and it also logs to syslog.

We get some errors if we install Libsafe early in the build.
GCC
FAIL: g++.dg/expr/anew1.C execution test
FAIL: g++.dg/expr/anew2.C execution test
FAIL: g++.dg/expr/anew3.C execution test
FAIL: g++.dg/expr/anew4.C execution test

Binutils
FAIL: S-records
FAIL: S-records with constructors

To avoid these errors install Libsafe after GCC in chapter 6. Libsafe is
somewhat obsolete. Most modern software either doesn't use these strings, or
uses them properly. All of the example exploits in exploits/ will fail because
of SSP.

=====================
Installation
=====================

Do not use -O3 (or -O4) optimizations with stack protector or things will
not work.

---------
Chapter 5
---------
Kernel headers
(See under PREREQUISITES above)
patch -Np1 -i ../linux-2.4.27-frandom-1.patch

 - GCC pass 1
If the host system has SSP in Glibc already, then you can patch gcc
here. Otherwise do not. If in doubt, wait until pass two.
 - Glibc
patch -Np1 -i ../glibc-2.3.4-ssp-frandom-4.patch # or 2.3.2's patch

 - GCC pass 2
If you use sspspecs patch then a `make bootstrap` is a good idea too.
patch -Np1 -i ../gcc-3.3-ssp-3.patch
patch -Np1 -i ../gcc-3.3-sspspecs-3.patch

 - Binutils pass 2
Just for the testsuite.
make CFLAGS="-fno-stack-protector" check

---------
Chapter 6
---------
Make sure the frandom header gets installed again.

 - Glibc
patch -Np1 -i ../glibc-2.3.4-ssp-frandom-4.patch

 - Binutils
make CFLAGS="-fno-stack-protector" check

 - GCC
hgcc -fa
patch -Np1 -i ../gcc-3.3-ssp-3.patch
patch -Np1 -i ../gcc-3.3-sspspecs-3.patch

 - Grub
CFLAGS="-fno-stack-protector" ./configure...

 - GCC 2.95.3
patch -Np1 -i ../gcc-2.95.3-ssp-4.patch

---------
Chapter 8
---------
Linux kernel

make mrproper &&
patch -Np1 -i ../linux-2.4.27-ssp-1.patch
patch -Np1 -i ../linux-2.4.27-frandom-1.patch

make menuconfig

make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage
...

========
Testing
========
There are a couple of tests in this package which may also be useful here.
http://pax.grsecurity.net/paxtest-0.9.5.tar.gz
There are also tests in the libsafe source.

This will test -fstack-protector-all

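cat > fail.c << "EOF"
#include <stdio.h>
#include <unistd.h>

int foo(char *blah) {
  char buffer[7];
  /* Deliberate overflow: 50 characters written into a 7-byte stack buffer. */
  sprintf(buffer, "12345678901234567890123456789012345678901234567890");
  return(1234);
}

int main(int argc, char **argv) {
  printf("before foo()\n");
  foo("blah");
  /* Not reached when the guard check in foo() aborts the program. */
  printf("after foo()\n");
  return 0;
}
EOF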

gcc -fstack-protector-all -o fail fail.c &&
./fail

This will display the __guard value. It should change on each run. This tests
that erandom/urandom/gettimeofday is working. Test urandom by booting a
vanilla kernel, test gettimeofday by removing /dev/urandom with a vanilla
kernel, or compile this statically linked and `chroot . ./guard-test`.

cat > guard-test.c << "EOF"
#include <stdio.h>

/* __guard is the guard value defined by the SSP runtime. */
extern unsigned long __guard[];
int main () {
        printf("__guard\t=\t0x%08lx;\n", __guard[0]);
        return 0;
}
EOF
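
The fallback order this test exercises, as an added sketch (not the Glibc
patch's code). demo_guard_setup and its path list are hypothetical; the erandom
sysctl lookup is stood in for by opening /dev/erandom, an assumed device path,
since the sysctl name is not given here.

```c
/* Added illustration of the guard-source fallback order described in
 * this hint. Not the Glibc patch's code; names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill *guard from the first path that yields a full word. Returns that
 * path, or NULL when the gettimeofday() fallback had to be used. */
static const char *demo_guard_setup(unsigned long *guard,
                                    const char *const *paths, size_t n)
{
    struct timeval tv;
    size_t i;

    for (i = 0; i < n; i++) {
        ssize_t got;
        int fd = open(paths[i], O_RDONLY);

        if (fd < 0)
            continue;                /* device missing, e.g. in a chroot */
        got = read(fd, guard, sizeof *guard);
        close(fd);
        if (got == (ssize_t)sizeof *guard)
            return paths[i];
    }
    /* Last resort: time-derived, so far easier to guess than the devices. */
    gettimeofday(&tv, NULL);
    *guard = (unsigned long)tv.tv_sec ^ ((unsigned long)tv.tv_usec << 12);
    return NULL;
}

int main(void)
{
    /* /dev/erandom is an assumed path for the frandom erandom device. */
    const char *const paths[] = { "/dev/erandom", "/dev/urandom" };
    unsigned long guard = 0;
    const char *src = demo_guard_setup(&guard, paths, 2);

    printf("source = %s\n", src ? src : "gettimeofday()");
    printf("guard  = 0x%08lx\n", guard);
    return 0;
}
```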

ACKNOWLEDGMENTS:

* Thanks to Hiroaki Etoh for providing the SSP patch to IBM
* Thanks to IBM for providing the SSP patch at
	http://www.research.ibm.com/trl/projects/security/ssp/
* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
* Thanks to netsys.com for this
	http://www.netsys.com/cgi-bin/display_article.cgi?1266
* Thanks to securityfocus.com and immunix.com for this
	http://www.securityfocus.com/archive/1/333986/2003-08-17/2003-08-23/2
* Thanks to adamantix.org for kernel patches. http://www.adamantix.org/
* Thanks to Avaya Labs for Libsafe
	http://www.research.avayalabs.com/project/libsafe/
* Thanks to Teemu Tervo for nptl hint
	http://www.linuxfromscratch.org/hints/downloads/files/nptl.txt
* Thanks to cross compiling hint
	http://www.linuxfromscratch.org/hints/downloads/files/\
		crosscompiling-x86.txt
* Thanks to http://www.isecurelabs.com/news/64 for proof of concept tests.
* Thanks to Eli Billauer for the Frandom suite
        http://frandom.sourceforge.net/
	http://www.billauer.co.il/

CHANGELOG:
[2003-10-18]
* Debut
* Reformat hint
[2003-10-22]
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
[2003-10-24]
* Added caveat.
* Fixed URLS.
* Lite edit
[2003-10-25]
* New bugs found.
[2003-10-26]
* GCC 2.95.3 patches made.
[2003-10-27]
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.
[2003-11-03]
* Edit
* Reformatted patches.
[2003-11-12]
* Reformat patches.
* Update/edit hint.
* Add new example tests.
[2003-11-21]
* Reformat patches.
* Add homepage/mirror url.
* Small edit.
[2003-12-01]
* Added Glibc and kernel patches.
* Rewrote install procedure.
[2003-12-20]
* Try to be more informative.
* Removed Gentoo property.
* Added Libsafe.
* Added Pax.
* Added new versions of binutils and glibc.
* Added GCC PIE.
* Rename filename to winter.txt.
[2003-12-21]
* Do not use "Enforce non-executable pages"
* Spell check.
* Fixed URL.
[2003-12-22]
* Added LOPTS to Net-tools.
* Added LDFLAGS to Perl.
[2003-12-25]
* More cflags.
* New tests.
[2003-12-30]
* Renamed hint back to propolice.txt.
* Added back Gentoo property as optional.
[2004-01-01]
* Added HCC
[2004-01-17]
* Cleanup
[2004-02-08]
* Update urls
* Convert propolice to ssp
[2004-02-15]
* Update gcc-3.3.3 and linux-2.6.2 ssp patches
[2004-02-19]
* Update linux-2.6.3 patch and hgcc url
[2004-03-27]
* Add sspspecs patch. Update.
[2004-04-18]
* Added entropy.txt link for erandom.
[2004-04-25]
* Fix more/again for erandom.
* Update some patches.
[2004-10-01]
* New patches.
* Added guard-test.c
[2004-10-28]
* New patches
[2004-10-30]
* Do not use -O3 or -O4

