Mailing List Archive: Gentoo: Hardened

Hardened meeting summary 2010-05-16

 

 



zorry at gentoo

May 16, 2010, 1:20 PM

Post #1 of 10
Hardened meeting summary 2010-05-16

Hi

Here is the summary of the meeting 2010-05-16

1.0 Toolchain
We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
http://bugs.gentoo.org/show_bug.cgi?id=318171
We are waiting for toolchain to approve the changes to toolchain.eclass and glibc that we need.
Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support in the tree.
Grub needs to be bumped to the new patchset.
We have no timeline on it, as we are waiting on toolchain.

2.0 Hardened-sources
We have a new team for hardened-sources; three of the members were at the meeting.
Most of the discussion was about what needs to be done and changed.
They have started the work to make the needed changes to move it into the tree.
We hope to get something in the tree in about 3-4 weeks, but we don't have any timeline.

3.0 Hardened Profile
We are trying to move away from the hardened/linux/arch/10.0/* profiles
to hardened/linux/arch/* profiles. We need more testing on that, and not everything is done.
No timeline.

4.0 Hardened docs
The first thing is to get the main and roadmap pages up to date.
But we have a lot of work on the old and the new docs.
It would be good to have some help from users.
No timeline.

On the meeting
Zorry Chainsaw quantumsummers bluenees xake

Hardened at gentoo.org
Magnus Granberg (Zorry)


tazok.id0 at gmail

May 17, 2010, 1:34 AM

Post #2 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

I realized this the hard way, after seeing that the
binaries didn't have the canary inside. After that I compiled the system
with SSP in the unclean way: -fstack-protector-all in CFLAGS and CXXFLAGS in
make.conf, with the exception of glibc, which works only with
-fstack-protector. If someone needs SSP with these versions, it could be the
way to have it working until it gets solved.

Do you recommend this "workaround" until there is a solution?

> 1.0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass
> and glibc that we need.
> Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support
> in the tree.
> Grub need to be bumped to the new patchset.
> We have no time line on it for we are waiting on toolchain.
>
>


zorry at gentoo

May 17, 2010, 4:05 AM

Post #3 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

On Monday 17 May 2010 10:34:05, Javier Juan Martínez Cabezón wrote:
> I get realized of this question at the bad way, after seeing that the
> binaries didn't have the canary inside. After that I compiled the system
> with ssp in the unclean way, -fstack-protector-all in CFLAGS and CXXFLAGS
> in make.conf with the exception of glibc that works only with
> -fstack-protector. If someone need ssp with this versions it could be the
> way to have it working until it gets solved.
>
> ¿Do you recommend this "workaround" until solution?
>
I do not recommend it, but it is up to you.
Some packages may break, like glibc does.

Hardened at gentoo.org
Magnus Granberg (zorry)


lists at wildgooses

May 17, 2010, 1:28 PM

Post #4 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

On 16/05/2010 21:20, Magnus Granberg wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>
> 1,0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC>=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass and glibc that we need.
> Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support in the tree.
> Grub need to be bumped to the new patchset.
> We have no time line on it for we are waiting on toolchain.
>

I see a comment in there: "Cleaned some code and removed SSP support for
gcc 4.3.X" - I think this might need some watching and perhaps a
warning here? Sounds like if you now update, say, a "stable" hardened
amd64 machine, pulling in stable gcc 4.3.X, then you might suddenly be
losing your hardened compiler?

I understand this is avoided if using your overlay, but it seems like a
potential pitfall for anyone using the "stable" hardened tree?

Can anyone comment if this is the case or I'm worrying over nothing?

Ta

Ed W


xake at rymdraket

May 17, 2010, 3:11 PM

Post #5 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

On Mon 2010-05-17 at 21:28 +0100, Ed W wrote:
> Can anyone comment if this is the case or I'm worrying over nothing?
>
> Ta
>
> Ed W
>

I would say you're worrying too much.

The important part in the toolchain equation is really PIE (and of
course -z,now, relro and that other stuff people forget about) to give
you ASLR, and it is there in hardened gcc-4.3 in the tree. SSP is also there
to some extent because it is implemented in FORTIFY_SOURCE, which is
enabled in all of Gentoo by default.
So I would say that the extra SSP part from GCC is nice but not
necessary.

Regards
Peter
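A checksec-style script for the properties Javier (the missing canary) and Peter (PIE, -z now, relro, FORTIFY_SOURCE) mention above, added here as an example; it is not code from the thread or from Gentoo. It assumes GNU readelf from binutils is installed, and the patterns matched against readelf output are my own assumption about its text format.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): a checksec-style report
# of the hardening properties discussed in the thread. Each check takes
# readelf text as its argument so it can be exercised offline on constructed
# input; hardening_report runs GNU readelf (binutils) on a real binary.

# PIE: ELF type DYN, so the kernel can randomise the main image (ASLR).
is_pie() { printf '%s\n' "$1" | grep -q 'Type:[[:space:]]*DYN'; }

# SSP: a canary-protected binary references __stack_chk_fail.
has_canary() { printf '%s\n' "$1" | grep -q '__stack_chk_fail'; }

# FORTIFY_SOURCE: checked libc variants such as __memcpy_chk are imported
# (pattern assumed; only covers dynamically linked glibc binaries).
has_fortify() { printf '%s\n' "$1" | grep -Eq '__[a-z]+_chk@'; }

# RELRO level from program headers ($1) and dynamic section ($2):
#   none    - no GNU_RELRO segment
#   partial - GNU_RELRO present, but lazy binding leaves the GOT writable
#   full    - GNU_RELRO plus BIND_NOW (-z now): GOT read-only after load
relro_level() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none
    elif printf '%s\n' "$2" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# Gather readelf output for one binary and print a one-line summary.
hardening_report() {
    bin="$1"
    hdr=$(readelf -h "$bin" 2>/dev/null)
    sym=$(readelf -sW "$bin" 2>/dev/null)   # .dynsym and .symtab
    phdr=$(readelf -lW "$bin" 2>/dev/null)
    dyn=$(readelf -dW "$bin" 2>/dev/null)
    pie=no;     is_pie "$hdr"      && pie=yes
    canary=no;  has_canary "$sym"  && canary=yes
    fortify=no; has_fortify "$sym" && fortify=yes
    printf '%s: PIE=%s SSP=%s FORTIFY=%s RELRO=%s\n' "$bin" "$pie" \
        "$canary" "$fortify" "$(relro_level "$phdr" "$dyn")"
}

# Usage: hardening_report /usr/bin/ssh
```

A binary built with -fstack-protector but containing no function with a stack array will report SSP=no, since the compiler never emits the canary check there.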


zorry at gentoo

May 17, 2010, 3:37 PM

Post #6 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

On Monday 17 May 2010 22:28:05, Ed W wrote:
> On 16/05/2010 21:20, Magnus Granberg wrote:
> > Hi
> >
> > Here is the summary of the meeting 2010-05-16
> >
> > 1,0 Toolchain
> > We have an open bug #318171 for the merge of SSP and GCC>=4.4.3
> > support. http://bugs.gentoo.org/show_bug.cgi?id=318171
> > We are waiting for toolchain to approve the changes to toolchain.eclass
> > and glibc that we need. Then we will have GCC 4.4.3 and 4.5.0 with full
> > hardened (PIE/SSP) support in the tree. Grub need to be bumped to the new
> > patchset.
> > We have no time line on it for we are waiting on toolchain.
>
> I see a comment in there: "Cleaned some code and removed SSP support for
> gcc 4.3.X " - I think this might need some watching and perhaps a
> warning here? Sounds like if you now update say a "stable" hardened
> amd64 machine pulling in stable gcc 4.3.X then you might be suddenly
> loosing your hardened compiler?
>
> I understand this is avoided if using your overlay, but it seems like a
> potential pitfall for anyone using the "stable" hardened tree?
>
> Can anyone comment if this is the case or I'm worrying over nothing?
>
> Ta
>
> Ed W
>
I only removed the code for the default-enable option for SSP. GCC 4.3.X still
supports SSP if you add -fstack-protector. GCC 4.4.3 is on the way to going
stable in 1-4 weeks, I hope. It is up to the arch teams now to mark it stable.

Hardened at gentoo.org
Magnus Granberg (Zorry)


tazok.id0 at gmail

May 17, 2010, 8:19 PM

Post #7 of 10
Re: Re: Hardened meeting summary 2010-05-16 [In reply to]

AFAIK FORTIFY_SOURCE only works on fixed-size buffers. To me SSP is a more
complete (and slightly different) approach: while FORTIFY_SOURCE checks for the
existence of a buffer overflow directly, SSP does it by checking for
modification of the canary (an indirect approach), but it can be applied to
any kind of code since it's not limited to fixed-size buffers. SSP to me is
really necessary.

http://www.trl.ibm.com/projects/security/ssp/
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

2010/5/18 Peter Hjalmarsson <xake [at] rymdraket>

>
>
> I would say you're worrying too much.
>
> The important part in the toolchain equation is really PIE (and of
> course -z,now, relro and those other stuff people forgets about) to give
> you ASLR, and it is there in hardened gcc-4.3 in tree. SSP is also there
> to some extent because it is implemented in FORTIFY_SOURCE which is
> enabled in all of gentoo by default.
> So I would say that the extra part SSP from GCC is nice but not
> necessary.
>
> Regards
> Peter
>
>
>
>


radegand at o2

May 20, 2010, 2:05 AM

Post #8 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

Hi Zorry (and rest of the Hardened Team :))

Thanks for the information&update. I think it's a great way to keep users &
community aware of what's happening in the gentoo hardened world. It also
shows to all non-believers that the project is alive and is making progress!
:)

I'll be happy to help within realms of my capabilities with docs and testing
and maybe more as I learn along...

Keep up with the good work Guys! :)
radegand

On Sunday 16 May 2010 21:20:17 you wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>
> 1.0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass
> and glibc that we need. Then we will have GCC 4.4.3 and 4.5.0 with full
> hardened (PIE/SSP) support in the tree. Grub needs to be bumped to the new
> patchset.
> We have no timeline on it, as we are waiting on toolchain.
>
> 2.0 Hardened-sources
> We have a new team for hardened-sources; three of the members were at the
> meeting. Most of the discussion was about what needs to be done and
> changed. They have started the work to make the needed changes to move it
> into the tree. We hope to get something in the tree in about 3-4 weeks, but we
> don't have any timeline.
>
> 3.0 Hardened Profile
> We are trying to move away from the hardened/linux/arch/10.0/* profiles
> to hardened/linux/arch/* profiles. We need more testing on that, and not
> everything is done. No timeline.
>
> 4.0 Hardened docs
> The first thing is to get the main and roadmap pages up to date.
> But we have a lot of work on the old and the new docs.
> It would be good to have some help from users.
> No timeline.
>
> On the meeting
> Zorry Chainsaw quantumsummers bluenees xake
>
> Hardened at gentoo.org
> Magnus Granberg (Zorry)


lists at wildgooses

May 20, 2010, 11:06 AM

Post #9 of 10
Re: Hardened meeting summary 2010-05-16 [In reply to]

On 16/05/2010 21:20, Magnus Granberg wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>

Hi, is this the kind of meeting that you would like more "competent
users" to get involved with?

I have too limited availability to volunteer for too much, but hardened
gentoo is important to me and I run a few servers here and would be
happy to donate some of my limited capacity to helping on any available
smaller projects?

I guess there are a few other folks here that are time limited but might
have some limited capacity to help out? How should we best volunteer
these poor services...?

Ed W


johansson_fredric at hotmail

May 27, 2010, 2:54 AM

Post #10 of 10
RE: Hardened meeting summary 2010-05-16 [In reply to]

> From: zorry [at] gentoo
> snip...
> 4.0 Hardened docs
> The first thing is to get the main and roadmap pages up to date.
> But we have a lot of work on the old and the new docs.
> It would be good to have some help from users.
> No timeline.

Do you have a list of things that should be done on this part?
I might be able to help in the coming few weeks, and I would prefer
to have a list of what needs to be added, updated, rewritten...

//fredricj



