Good afternoon gentlemen. Thanks for your feedback on the other thread.

Now, due to the overwhelming positive feedback from the thread, I'm faced with trying to find enough tasks for everybody to do.

I will list a few things that I see as needing to be done.

------------------------------------------------------------------------
1) Re-review the existing packages which filter-flags -fPIC and find more creative solutions to them.
------------------------------------------------------------------------
2) Re-review the existing packages which filter-flags -fstack-protector and find more creative solutions to them.
------------------------------------------------------------------------
3) Better documentation.
Adam Mondl has started in on this task. So far he has developed a quick intro of what's up with xorg and a hardened toolchain.
http://hardened.gentoo.org/hardenedxorg.xml

He is also working on a Hardened FAQ which has not been published yet.
http://tocharian.ath.cx/hardened/hardenedfaq.html
------------------------------------------------------------------------
4) A comparative analysis of security approaches taken by distributions.

This should be written by somebody who has a fair amount of time on his/her hands and should include such things as benchmarks. Testing successful/unsuccessful exploitation rates.

(People like graphs and things they can visualize)
This would/should include why Gentoo has opted for PaX over RH's in-house Exec-Shield.

Google has a fair bit of info on this subject if you search long and hard, which clearly proves why, for security, PaX is clearly a superior solution. (But do try to be objective in this.)

You will need more than one machine for this test.
Suggested installs would be a hardened stage3 and Fedora Core 3.

The focus should be strictly on memory protections and not access control.

Target audience should be medium advanced.
This may/should be written from an educational security perspective (hint hint dmonnier @ IU EDU).
-----------------------------------------------------------------------
5) Look for flaws in the design of the hardened toolchain.
Are there any cases when using it may actually lower security? If so, when?
-----------------------------------------------------------------------
6) Review the existing method that the hardened toolchain uses.
Consider code cleanups which could make getting it to go mainstream easier.
Currently it's a patch for gcc with some rules which control object code creation and linking scenarios.
-----------------------------------------------------------------------
7) Learn to understand the gcc.specs and what they are all about.
http://dev.gentoo.org/~solar/toolchain/gcc/The_Specs_Language.txt
-----------------------------------------------------------------------
8) Supporting new arches.

Currently only x86/amd64/sparc64 are supported by the hardened toolchain.

ppc/ppc64/s390 could be added easily enough. (Need people with supporting hardware.)

mips/arm are having linking problems with crt files. (undefined references to __csu_init/fini...)

As a rule of thumb here we want to support every arch that Gentoo does.
-----------------------------------------------------------------------
9) Embedded (SBC style) things.
Currently only x86-uclibc and ppc-uclibc support PIE, with x86 being the only semi-complete one. Need to support other arches here.
-----------------------------------------------------------------------
10) Take a proactive effort and think of something yourself that could use improvements.

The ones of you that take a proactive effort on your own will more likely make the team vs. the ones of you that need hand-holding.

But all help is desired. Be that simple suggestions or the occasional XML document.

http://bugs.gentoo.org/show_bug.cgi?id=51853, where Kevin Quinn is already getting to work, is an example of one of you that's taking a proactive effort on his own to help solve a long-standing bug. In addition to what Adam Mondl is doing with docs.

Those of you that feel intimidated, don't be. You can always send suggestions for the FAQ, proofread something, start a survey.

-----------------------------------------------------------------------
11) Hawk Bugzilla!
Become active on the mailing lists. (-hardened/-security/others)
Not just 'hey XYZ does not compile', but try to help other users.
Do public relations. Do cover art. Do regression testing. Write something with the aim of getting it published in a book/magazine/other. Join the IRC channel and offer help to users.

And most importantly, try to work with each other.

Thanks for your time and I look forward to working with you guys (gals?).
--
Ned Ludd <solar@g.o>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer