List Archive: gentoo-security
Headers:
To: trelane@...
From: Ned Ludd <solar@g.o>
Subject: Re: propolice on amd64
Date: 20 Jan 2004 07:35:29 -0500
On Mon, 2004-01-19 at 10:21, Joseph Pingenot wrote:
> From John Chronister on Monday, 19 January, 2004:
> >how do i get stack smashing protection on amd64?  i am using the latest 
> >experimental amd64 live cd.
> >-chron

> You don't.  IIRC, linux sets the stack noexec on amd64, and amd64 processors
>   honor it.  Remember the hullaballoo about Microsoft doing the same thing?

Simply trying to take advantage of the NX bit on the 64 bit arch won't
do the job alone of preventing arbitrary code execution which I assume
is the goal here.
He in fact will want to enable ssp on the amd64 as well as have a kernel
that can take advantage of it. As far as I'm aware, PaX
http://pax.grsecurity.net/ is the only kernel patch that will let you
take advantage of the NX bit on any of the 64 bit arches.

solar@amd64 solar $ cat vuln.c 
#include <string.h>
int main(int argc, char **argv) {
	char buf[10];
	strcpy(buf, argv[1]);
	return 0;
}
solar@amd64 solar $ make vuln
gcc     vuln.c   -o vuln
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
Segmentation fault
solar@amd64 solar $ gcc     vuln.c   -o vuln -fstack-protector
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
vuln: stack smashing attack in function main 
Aborted

Here is my suggestion for a secure set of CFLAGS for the amd64 after
getting and applying the PaX patch for amd64 and enabling Address Space
Layout Randomizations.

CFLAGS="${CFLAGS} -fomit-frame-pointer -fstack-protector -fPIC -pie
-fforce-addr"

This will build you a position independent executable without debugging
frames as well as force memory address constants to be copied into
registers before any arithmetic is performed on them.

The hardened project at gentoo is planning on releasing stages which
have this same set of flags enabled after gcc-3.3.x goes stable.

[snip]

> Many thanks to the amd64 kernel hackers!
> 
> -Joseph
-- 
Ned Ludd <solar@g.o>
Gentoo Linux Developer
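
Added example (not part of the original message and not Gentoo or PaX code): a Python check for the three properties the message relies on, namely a position-independent executable (-pie), a reference to a stack-protector handler (-fstack-protector) and a non-executable stack marking. The names audit_elf64 and build_sample, the constructed sample images and the byte-search heuristic for the handler symbol are assumptions made for this example.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PF_X = 0x6474E551, 0x1
# Heuristic markers: __stack_chk_fail is the handler modern GCC emits,
# __stack_smash_handler is the ProPolice-era name. A byte search can give
# false positives, so treat "ssp" as a hint, not proof.
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_smash_handler")

def audit_elf64(data):
    """Report PIE, SSP and NX-stack markers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        # ET_DYN is also used by shared libraries, so this only means
        # "position independent", which is what -fPIC -pie produces.
        "pie": e_type == ET_DYN,
        "ssp": any(sym in data for sym in SSP_SYMBOLS),
        # A missing PT_GNU_STACK header is reported as not marked.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }

def build_sample(e_type, stack_flags, extra=b""):
    """Constructed input: ELF64 header plus a single PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + extra

# Constructed samples: one with all three markers, one with none (RWX stack).
HARDENED = build_sample(ET_DYN, 0x6, b"\x00__stack_chk_fail\x00")
PLAIN = build_sample(ET_EXEC, 0x7)

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, audit_elf64(image))
```

To audit a real binary, pass the file's bytes, for example audit_elf64(open("vuln", "rb").read()).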


Updated Jun 17, 2009
