| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
I'm probably repeting myself here . . .heh. |
| 5 |
|
| 6 |
Thierry Carrez wrote: |
| 7 |
| Thierry Carrez wrote: |
| 8 |
| |
| 9 |
| |
| 10 |
|>Restricting ssp to daemons and +s programs is not very |
| 11 |
|>useful. |
| 12 |
| |
| 13 |
| |
| 14 |
| Clarifying this : |
| 15 |
| |
| 16 |
| SSP is very useful, and it should be used on all executables on a given |
| 17 |
| machine. I don't think we should only use it to protect daemons and SUID |
| 18 |
| programs, since a lot of buffer overflows are discovered in client |
| 19 |
| software and they are also a way of remotely compromising a machine. If |
| 20 |
| you protect only exposed services, attackers will turn to passive |
| 21 |
| attacks, like virus images, to always exploit the weakest link. |
| 22 |
| |
| 23 |
|
| 24 |
How about, make.conf default and make.conf.example: |
| 25 |
|
| 26 |
# |
| 27 |
# The "auto-nossp" USE flag will disable -fstack-protector on ebuilds |
| 28 |
# that take a significant hit from SSP and aren't a major security |
| 29 |
# threat. Ebuilds that break with SSP will have SSP disabled in all |
| 30 |
# cases anyway. |
| 31 |
#USE="X" |
| 32 |
... |
| 33 |
# |
| 34 |
# For added security, the -fstack-protector flag can be added to prevent |
| 35 |
# buffer overflow based attacks. -fno-stack-protector will disable this |
| 36 |
# universally; nothing forces it on. |
| 37 |
# |
| 38 |
# Decent examples: |
| 39 |
#CFLAGS="-march=i686 -O2 -pipe -fstack-protector" |
| 40 |
#CFLAGS="-mcpu=pentium4 -O3 -pipe -fstack-protector" |
| 41 |
|
| 42 |
|
| 43 |
This solution may have extra perks. As you said, more than just daemon |
| 44 |
software is affected. Rather than tracking it all down, perhaps simply |
| 45 |
looking for not-always-great-for-SSP things such as gcc (can you attack |
| 46 |
gcc anyway? No really, I want to know) and have a USE flag disable SSP |
| 47 |
for them. |
| 48 |
|
| 49 |
Another reason for this route would be that using -fno-stack-protector |
| 50 |
in CFLAGS would be overriden by builds explicitely enabling |
| 51 |
- -fstack-protector. Using -fstack-protector in CFLAGS would be overriden |
| 52 |
by ebuilds explicitely setting -fno-stack-protector. The logical |
| 53 |
consequences of each (i.e. when -fstack would and wouldn't be applied |
| 54 |
based on combinations of the user and portage enabling/disabling it) in |
| 55 |
my eyes seem better with this approach. |
| 56 |
|
| 57 |
It all depends on if you want fine control of programs which have SSP, |
| 58 |
or fine control of programs which don't have SSP. This solution would |
| 59 |
be the latter, and I think it makes more sense than the original |
| 60 |
proposal; a wider spread usage of SSP is probably the only way to ensure |
| 61 |
the best protection. |
| 62 |
|
| 63 |
Comments? |
| 64 |
|
| 65 |
| -K |
| 66 |
| |
| 67 |
| -- |
| 68 |
| gentoo-dev@g.o mailing list |
| 69 |
| |
| 70 |
| |
| 71 |
|
| 72 |
- -- |
| 73 |
All content of all messages exchanged herein are left in the |
| 74 |
Public Domain, unless otherwise explicitly stated. |
| 75 |
|
| 76 |
-----BEGIN PGP SIGNATURE----- |
| 77 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 78 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 79 |
|
| 80 |
iD8DBQFBU5K8hDd4aOud5P8RAo08AJ4xNx6IkHDjDhQX43sfKNiNJmz10wCfbrM7 |
| 81 |
eI5ZweX0wl8uG7l0vH3Z+YI= |
| 82 |
=C/8F |
| 83 |
-----END PGP SIGNATURE----- |
| 84 |
|
| 85 |
-- |
| 86 |
gentoo-dev@g.o mailing list |
Archives