r1081 - trunk

robert at linuxfromscratch.org robert at linuxfromscratch.org
Thu Aug 9 02:41:23 PDT 2007

Author: robert
Date: 2007-08-09 03:41:23 -0600 (Thu, 09 Aug 2007)
New Revision: 1081

Updated ssp hint

Modified: trunk/ssp.txt
--- trunk/ssp.txt	2007-08-09 09:40:36 UTC (rev 1080)
+++ trunk/ssp.txt	2007-08-09 09:41:23 UTC (rev 1081)
@@ -1,290 +1,178 @@
 AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)
-DATE:		2005-02-18
+DATE:		2007-08-08
 LICENSE:	Public Domain
-SYNOPSIS:	Stack Smashing Protector and Libsafe
+SYNOPSIS:	Stack Smashing Protector, and _FORTIFY_SOURCE
 PRIMARY URL:	http://www.linuxfromscratch.org/hints/
-Smashing Stack Protector is a C and C++ security extension for GCC.
-Libsafe prevents format string attacks.
-Based on StackGaurd, SSP was developed by IBM for protecting applications
-from stack smashing attacks. This is the single largest class of attacks and
-many security oriented vendors have added it to their default compiler. The
-overhead lost to this type of guard is minimal. In practice if the entire
-system is built with SSP users shouldn't notice any difference in performance.
-The official homepage for ProPolice Smashing Stack Srotector is at:
-        node30.html
+Stack Smashing Protector (SSP) is a C, C++, Obj, and Obj++ debugging/security
+extension for GCC. SSP was originally developed by IBM for protecting
+applications from the single largest class of program attacks, and it has
+since been adopted by many security oriented operating systems. More recently
+SSP was officially added to GCC, Glibc, and uClibc. This recent addition
+modified the original SSP implementation to add SSP to Tread Local Storage,
+so that each thread can be guarded separately. The IBM homepage for SSP is
+here: http://www.trl.ibm.com/projects/security/ssp/
+Another nice description is here:
+	node30.html
 "Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a
 random canary between any stack allocated character buffers and the return
 pointer [5]. It then validates that the canary has not been dirtied by an
 overflowed buffer before the function returns. ProPolice can also reorder local
 variables to protect local pointers from being overwritten in a buffer overflow.
-Also see:
+_FORTIFY_SOURCE is a Glibc feature which adds memory and string function
+protection. There is no home site for this feature, but it is described well
+on this page: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
-The basic version of SSP uses /dev/urandom directly. When a whole system is
-built with SSP this tends to consume all the kernel entropy. This hint uses
-arc4random() from the entropy.txt hint, which uses /dev/erandom. This stops
-the entropy starvation caused by the vanilla SSP. This hint will walk through
-everything you need, but you can read more about entropy and arc4random here:
+GCC-4.1 (or newer) for SSP and _FORTIFY_SOURCE.
+Glibc-2.4 (or newer) for SSP and _FORTIFY_SOURCE.
+The standard version of SSP uses /dev/urandom directly. When a whole system is
+built with SSP this tends to consume all the kernel entropy. /dev/erandom is
+reccomended for SSP to conserve kernel entropy. See the entropy.txt hint for
+this at: http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt
+	Context
+		Stack Smashing Protector
-	Introduction
-	Libsafe
-	Installation
-	Testing
-	Feedback
-	Acknowledgments
+- Stack Smashing Protector
+The GCC options for SSP are -fstack-protector, -fstack-protector-all, and
+-Wstack-protector. The -fstack-protector option only protects functions with
+character arrays, and is generally not recomended. The -fstack-protector-all
+option protects all functions. The -Wstack-protector option will produce a
+warning about any functions which are not protected. This warning can occure
+in functions with buffers smaller than 8 bytes.
-Smashing Stack Protector
+The '--param=ssp-buffer-size=' GCC option controls the minimum buffer size
+protected by SSP.
-The GCC patch will add -fstack-protector-all, -fstack-protector, and
--fno-stack-protector to GCC extensions for C and C++; and
-__guard_setup and __stack_smash_handler are defined in libgcc2.c. This code is
-supplied by IBM, I have changed one definition to enable libc functions, and
-added "ssp" to the version string.
 There have been reports of problems with SSP and 'gcc -O3' with Python. It
 may or may not cause problems in other packages with -O3.
-If any of these links are broken look for a newer version.
+The GCC manual page says to avoid using '-Wp' whenever possible, so use
-*** All of these patches are in:
-Note: The gcc-3.4 patch works on 3.4.0, 3.4.1, 3.4.2, and 3.4.3.
-	gcc-3.4-ssp-3.patch
-The Glibc patch will define __guard_setup and __stack_smash_handler in libc.so
-so the kill function can be kept in a shared library. /dev/log will also need
-to be present in chroot for syslog to log stack overflows. It is recommended
-intrusion detection systems monitor the system logs for these alerts.
-	glibc-2.3.4-ssp_arc4random-1.patch
-This patch is for chapter 6.
-	glibc-2.3.4-fstack_protector-1.patch
-The sspspecs patch is depreciated. Use the Perl commands.
-	linux-libc-headers-
-The Linux kernel patch for SSP is depreciated. The kernel has its own overflow
-	linux-2.6.10-pseudo_random-1.patch
-The XFree86 patch disables stack protection for some modules. This patch
-works for Xorg and XFree86-4.4 too. (Also see note below).
-http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
-        XFree86-4.3.0-ssp-1.patch
-Official site:
-Note: Libsafe is obsolete, you can still use it if you wish.
-Libsafe was developed by Avaya Labs to protect against format string
-vulnerabilities. Though not widely used it has been widely tested. This
-protection can be installed on an already running system, using ld.so.preload
-to watch applications at runtime for functions which are known to be vulnerable.
-This of course only protects dynamically linked applications. There should not
-be a noticeable performance decrease, and it also logs to syslog.
-We get some errors if we install Libsafe early in the build.
-FAIL: g++.dg/expr/anew1.C execution test
-FAIL: g++.dg/expr/anew2.C execution test
-FAIL: g++.dg/expr/anew3.C execution test
-FAIL: g++.dg/expr/anew4.C execution test
-FAIL: S-records
-FAIL: S-records with constructors
-To avoid these errors install Libsafe after GCC in chapter 6. Libsafe is
-somewhat obsolete. Most modern software either doesn't use these strings, or
-uses them properly. All of the example exploits in exploits/ will fail because
-of SSP.
+# In chapter 5 of the LFS book, you don't need to do anything different.
-Chapter 5
+Chapter 6
- - GCC pass 1
-No patches.
-- Libc-linux-headers headers
-patch --no-backup-if-mismatch \
-	-Np1 -i ../linux-libc-headers-
+# - Glibc
+# Make SSP use /dev/erandom:
- - Glibc
-patch -Np1 -i ../glibc-2.3.4-arc4random-1.patch &&
-patch -Np1 -i ../glibc-2.3.4-ssp_arc4random-1.patch
+sed -i 's@/dev/urandom@/dev/erandom@' sysdeps/unix/sysv/linux/dl-osinfo.h
- - GCC pass 2
-patch -Np1 -i ../gcc-3.4-ssp-3.patch &&
-sed -e 's at gcc.gnu.org/bugs.html at bugs.linuxfromscratch.org/@' \
-        -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c
+# The following does not work with Glibc-2.6.1... the build will go into an
+# infinite loop. This does work with Glibc-2.5.
-After make install do this. This will add -fstack-protector-all for C and C++:
+# Glibc's libraries can not be built with SSP or _FORTIFY_SOURCE, but the
+# applications can. This is optional.
+# The 'nscd' program is built with -fstack-protector by default. The following
+# command will make -fstack-protector-all be used instead, for better
+# protection:
-cat > hardened-specs.sh << "EOF"
-perl -pi -e 's@\*cc1:\n@$_%(cc1_ssp) @;' \
-        $(gcc --print-file specs) &&
-perl -pi -e 's@\*cc1plus:\n@$_%(cc1_ssp) @;' \
-        $(gcc --print-file specs) &&
-echo '*cc1_ssp:
-%{!fno-stack-protector*: -fstack-protector-all}
-' >> $(gcc --print-file specs)
-install hardened-specs.sh /tools/bin &&
+sed -i 's/fstack-protector/&-all/' nscd/Makefile
- - Binutils pass 2
-Just for the testsuite.
-make CFLAGS="-fno-stack-protector" check
+# After running ./configure, the follwing command will tell Glibc to build
+# the libraries but not the application programs:
-Chapter 6
-- Libc-linux-headers headers
-patch --no-backup-if-mismatch \
-	-Np1 -i ../linux-libc-headers-
+echo 'build-programs=no' > configparms
- - Glibc
-patch -Np1 -i ../glibc-2.3.4-arc4random-1.patch &&
-patch -Np1 -i ../glibc-2.3.4-ssp_arc4random-1.patch &&
-patch -Np1 -i ../glibc-2.3.4-fstack_protector-1.patch
+# Then run 'make' normally. Now the programs can be built with SSP and
+# _FORTIFY_SOURCE. You can build the applications with SSP and/or
+# _FORTIFY_SOURCE... both are optional and independent of eachother. To build
+# Glibc's applications with both SSP and _FORTIFY_SOURCE use the following
+# command after building the libraries:
-Then modify CC. This will let some parts get skipped, but the fstack_protector
-patch above will add -fstack-protector-all on most of the utils and libs.
+echo 'CC = gcc -fstack-protector-all -D_FORTIFY_SOURCE=2
+CXX = g++ -fstack-protector-all -D_FORTIFY_SOURCE=2
+' > configparms
-env CC="gcc -fno-stack-protector" ../glibc-2.3.4/configure...
+# Then run 'make' again.
- - Binutils
-make CFLAGS="-fno-stack-protector" check
+# The CC and CXX variables are used instead of CFLAGS and CXXFLAGS because
+# CFLAGS and CXXFLAGS are sometimes ignored by the Glibc build system.
- - GCC
-patch -Np1 -i ../gcc-3.4-ssp-3.patch &&
-sed -e 's at gcc.gnu.org/bugs.html at bugs.linuxfromscratch.org/@' \
-        -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c
+# The Glibc test suite should pass as if -fstack-protector-all and
+# -D_FORTIFY_SOURCE=2 were not used. Continue to test and install Glibc
+# normally.
-make CFLAGS="-fstack-protector-all -O2" CXXFLAGS="-fstack-protector-all -O2"
+# - GCC
+# To make GCC use SSP by default get:
+# http://www.linuxfromscratch.org/patches/downloads/gcc/
+#	gcc-4.1.2-fstack_protector-1.patch
+# or
+# http://www.linuxfromscratch.org/~robert/new/patches/
+#	gcc-4.2.1-fstack_protector.patch
-After make install run the script again to put -fstack-protector-all back in
-the specs file:
+patch -Np1 -i gcc-4.1.2-fstack_protector-1.patch
+# This SSP patch adds -fstack-protector-all as the default for C, C++, OBJC,
+# and OBJC++.
- - Grub
-env CC="gcc -fno-stack-protector" ./configure...
+# To make GCC use -D_FORTIFY_SOURCE=2 by default get (this patch works for
+# gcc-4.2.1 too):
+# http://www.linuxfromscratch.org/patches/downloads/gcc/
+#	gcc-4.1.2-fortify_source-1.patch
-Chapter 8
-Linux kernel
-There are two options added by this patch. Sysctl urandom and frandom. They
-are enabled by default. Be sure not to build frandom as a module or else
-sysctl will not be able to work with it.
+# If you want to build GCC itself with SSP and _FORTIFY_SOURCE, then use
+# 'make bootstrap'. If you want to build Binutils with SSP and _FORTIFY_SOURCE
+# then rebuild and reinstall it. Add --disable-werror to work around warnings
+# caused by _FORTIFY_SOURCE.
-make mrproper &&
-patch -Np1 -i ../linux-2.6.10-pseudo_random-1.patch
+# - Grub
+env CC="gcc -fno-stack-protector -U_FORTIFY_SOURCE" ./configure...
-make menuconfig
-make CC="gcc -fstack-protector"
+# ---------
+# Chapter 8
+# ---------
-As of 6.8.0 Xorg added an option in the host.def file for propolice. When you
-compile Xorg simply do this instead of using the patch (the patch still works
+# - Kernel
+# The recent 2.6 kernels will detect SSP and disable it. _FORTIFY_SOURCE can
+# be built into the kernel, or you can disable it with:
+# make CC="gcc -U_FORTIFY_SOURCE"
-echo "#define ProPoliceSupport YES" >> config/cf/host.def
+# -----
+# -----
-mcopidl from Arts has issues with SSP. Use the following command to disable
-propolice just for the mcopidl program.
+# - Arts
+# mcopidl from Arts has issues with SSP. Use the following command to disable
+# propolice just for the mcopidl program.
 sed -e 's/^KDE_CXXFLAGS .*$/& -fno-stack-protector/' \
 	-i mcopidl/Makefile.in
-There are a couple tests in this package which may also be usefull here.
-There are also tests in the libsafe source.
+# ========
+# Testing
+# ========
+# The Glibc test suite includes tests for SSP and _FORTIFY_SOURCE.
+# Additional regression tests can be found in NetBSD's regress/lib/libc/ssp/.
+# There are a couple tests in the 'paxtest' package which may also be usefull.
+# http://pax.grsecurity.net/paxtest-0.9.5.tar.gz
-This will test -fstack-protector-all and will display the __guard value.
-cat > test.c << "EOF"
-#include <stdio.h>
-#include <unistd.h>
-extern long __guard[];
-int overflow(char *test) {
-        char buffer[7];
-        sprintf(buffer, "12345678901234567890123456789012345678901234567890");
-        return(1234);
-int main(int argc, char **argv) {
-        printf("__guard\t=\t0x%08x;\n", __guard[0]);
-        overflow("test");
-        printf("This line should never get printed.\n");
-gcc -o fail fail.c &&
-./fail &&
-g++ -o fail++ fail.c &&
-This should display abort signals for each. The __guard value should change
-for each runtime. The system syslog daemon should also log each of these.
-Should a program on your system ever have a stack overflow you should get
-similar messages in your logs and perhaps in the console controling the
 * Thanks to Hiroaki Etoh for providing the SSP patch to IBM
@@ -420,3 +308,8 @@
 * Added note for "ProPoliceSupport YES" in Xorg.
 * Added sed for Arts.
+* Finally updated for Glibc-2.4+ and GCC-4.1.
+* Removed Libsafe. It's own docs explain how to install it well.

More information about the hints mailing list