| 1 |
Hi All, |
| 2 |
On нд, 2004-09-26 at 03:58, Jason Wever wrote: |
| 3 |
> On Sat, 25 Sep 2004 19:26:26 +0200 |
| 4 |
> Bart Lauwers <blauwers@g.o> wrote: |
| 5 |
> |
| 6 |
> > Having read the whole thread here are some I feel important points to be |
| 7 |
> > made: 1) Safety is important, it should be our aim to have our default |
| 8 |
> > system as secure as it possibly could be. Just look at the reviews some |
| 9 |
> > OS providers get over security. A good computer system should be |
| 10 |
> > protected against bad code as much as possible. |
| 11 |
> |
| 12 |
> Then shut it off, unplug it from the wall, permanently erase all data and |
| 13 |
> then eject the physical components into the sun. Otherwise you will |
| 14 |
> always be at some form of security risk, know or unknown. |
| 15 |
> |
| 16 |
> Also make sure you don't get the Operating System confused with the extra |
| 17 |
> software provided. 99% of all software on your installation is not part |
| 18 |
> of the Operating System. If you plan on making Gentoo accountable for |
| 19 |
> that, I hope you have an army of developers waiting in the wings. |
| 20 |
> |
| 21 |
I think both are right but no common point still. |
| 22 |
> > 2) The risk is real and errors against this seem common. |
| 23 |
> |
| 24 |
> Sure, there is risk in almost everything too. However just because |
| 25 |
> driving an automobile can be dangerous doesn't mean I'll buy a tank or |
| 26 |
> stay inside just to feel safe. |
| 27 |
> |
| 28 |
According to some statistics presented here before 1/3 of vuln. are due |
| 29 |
to stack overflow attacks. Fact. Confirm? |
| 30 |
> > 3) A good housefather does not leave the front door of any home open at |
| 31 |
> > |
| 32 |
> > night. |
| 33 |
> |
| 34 |
> See reply to 1. |
| 35 |
> |
| 36 |
Again a matter of balance, security vs stability/usability |
| 37 |
> > 4) Protection is possible/available (to a degree) at system level. |
| 38 |
This is a point that i'm more interested in. |
| 39 |
Just some facts (mine of course). Since august 2003 build a Gentoo 1.4 |
| 40 |
system (stage3) using hardened (as of then). Added -fstack-protector and |
| 41 |
-DPIC if i remember correctly. Also hardened-gcc. There was an easy way |
| 42 |
to disable GCC-hardened if needed :). Not so easy now, but now it's |
| 43 |
integrated in the toolchain. Evolution is good. |
| 44 |
This on my home desktop system with some servers (apache2, subversion, |
| 45 |
qmail, djbdns-caching, MySQL and PostgreSQL, postfix /before qmail/, |
| 46 |
spamd, music soft, Xine and mplayer /from 1_pre5 wont compile/, nvidia |
| 47 |
with 3-D for half of the time other things also). Used it from a 2.4.20 |
| 48 |
till now 2.6.7 kernels. |
| 49 |
Leave alone SSP i also have PaX(kernel) & PIC/PIE(binaries) and |
| 50 |
grsec/grsec2 installed. IMHO most bugs are due to using PaX&PIC/PIE and |
| 51 |
SSP not grsec2. |
| 52 |
The strange thing is that in overall most of (my) bugs are with the |
| 53 |
src-packages ebuilds etc. not of using hardened, some are due to this of |
| 54 |
course, but maybe some 10-15 % not more. |
| 55 |
Think that most important in this discussion is if SSP alone could break |
| 56 |
too many things so it's shouldn't be in the default CLAGS. |
| 57 |
Checked in b.g.o with 'ALL stack-protector' (a rough search & all archs) |
| 58 |
and found nearly ~50 bugs due to SSP: NEW - 6 (1-blocker, 1-major); |
| 59 |
40-RESO (1-LATE,4-INVA,1-UPST,1-CANT,1-WORK,1-WONT and 14-DUPL). This is |
| 60 |
for all archs. |
| 61 |
Don't think there are too many bugs due to SSP (IMHO). |
| 62 |
Think that to have a 'light' protection in hardened using only SSP is |
| 63 |
silly as things work (almost) even with all hardened now. So question is |
| 64 |
'Is it ready for inclusion in default CLAGS?'. |
| 65 |
There was a good (IMO) suggestion from JStubbs to include SSP only in |
| 66 |
stage3 tarball and GRP. |
| 67 |
Maybe it's very useful to have some opinions (with facts) from other |
| 68 |
devs and users, so it's not just plain pro/cons in theory only :) |
| 69 |
My subjective opinion is that there isn't a big performance hit in using |
| 70 |
SSP, but i just don't have alternative experience. |
| 71 |
> > 5) most people prefer to know they can have a reasonable trust in their |
| 72 |
> > computer system to operate reliably and consistently by default |
| 73 |
> |
| 74 |
> Doesn't this exist already? if people didn't trust Gentoo then why are |
| 75 |
> they using it? We can't be held ultimately responsible for software we |
| 76 |
> didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
| 77 |
> are you can knock it over on another Linux or possibly any other platform |
| 78 |
> it runs on either. |
| 79 |
No comment. |
| 80 |
> |
| 81 |
> > Here are some of the things not to like about what is proposed so far: |
| 82 |
> > 1) Adjusting all ebuilds (not very productive, only adds clutter to |
| 83 |
> > ebuilds) 2) Making new features, use flags whatever (same idea) |
| 84 |
> > 3) Not doing anything would not be very responsible |
| 85 |
> |
| 86 |
> Are we in the insurance business or are we in the Linux distribution |
| 87 |
> business? Maybe I'm way out in left field here but I'm not holding Gentoo |
| 88 |
> responsible for software they didn't write. |
| 89 |
> |
| 90 |
> > What I propose to do (pick the low hanging fruit): |
| 91 |
> > 1) Add stack protector and and any similar 'features' stable in hardened |
| 92 |
> > to the default CLFAGS of the gentoo install/profiles. By stable I mean |
| 93 |
> > things which do not break the majority of functionality. |
| 94 |
> |
| 95 |
Again the main issue is does SSP breaks too many things? If YES then put |
| 96 |
'-fstack-protector' only as an extra option (as of now). But if NOT put |
| 97 |
it by default and add a comment how to disable it. |
| 98 |
Another point the initial discussion was mostly on adding SSP ONLY to |
| 99 |
daemons and critical services inet-connecting programs etc. |
| 100 |
Now question has shifted to: make it default CFLAG or not. What about |
| 101 |
the first proposal (it's more work tough). |
| 102 |
PS: now remember we have 'hardened-stages' also, but again with ALL |
| 103 |
(SSP&PIE) features added (not sure what really is included). |
| 104 |
> Feel free to take on the ownership of making this work on every arch's |
| 105 |
> toolchain then. Also feel free to deal with all upstream authors who |
| 106 |
> start instantly dismissing any bugs from Gentoo due to the fact that the |
| 107 |
> toolchain is quite modified to accomplish this task. Take the current |
| 108 |
> stance the GAIM team has with us as an example of what would be to come. |
| 109 |
> |
| 110 |
This IMO is an important issue (don't have experience here). Other |
| 111 |
opinions? |
| 112 |
> > 2) broken ebuilds can filter-flags until fixed (better approach since |
| 113 |
> > you are only fixing up ebuilds for broken stuff and may also prompt the |
| 114 |
> > devs to try and make the protection work). |
| 115 |
> |
| 116 |
> The protection itself is a work-around to the original problem. You want |
| 117 |
> to continue to work around the problem even more? |
| 118 |
> |
| 119 |
Think it's better to have some 'stop-vuln.' till fixed than nothing |
| 120 |
(again the option to add SSP /on choice/ only for some packages). |
| 121 |
See the discussion on the layers of protection. Each one have its place |
| 122 |
and role. |
| 123 |
> > 3) People who prefer not to be protected can remove the settings from |
| 124 |
> > their CFLAGS |
| 125 |
> |
| 126 |
> Personally, I don't think opting out is the way to do this. Having CFLAGS |
| 127 |
> that are in by default that may or may not work across all architectures |
| 128 |
> is not a good thing. |
| 129 |
> |
| 130 |
> > 4) get stuff virus, spam, etc protection functional and leveraged into |
| 131 |
> > the defaults in other words turn on those USE flags in the standard |
| 132 |
> > profiles |
| 133 |
> |
| 134 |
As linux is evolving very rapidly you could expect more bugs and vuln. |
| 135 |
as a constant tendency so think it's time to get ready for this (make |
| 136 |
some steps even small ones, or at least prepare for them). |
| 137 |
PS:there are enough such projects and progs in other distros: SELinux, |
| 138 |
RSBAC-kernel patch, exec-shield in RH not to mention Adamantix (much |
| 139 |
common things with Gentoo-hardened), OpenBSD etc. In this projects many |
| 140 |
things are overly working even with much more security features added. |
| 141 |
> No thanks. I don't want to have to spend the first 24 hours or so of |
| 142 |
> using my new"trusted" operating system opting out of all of the overly |
| 143 |
> paranoid defaults. If I'm looking for a high level of security out of the |
| 144 |
> box, I'll use hardened or OpenBSD. |
| 145 |
> |
| 146 |
see the comment above. |
| 147 |
> > A personal opinion: |
| 148 |
> > Anyone who thinks that a speed tradeoff is too much for better |
| 149 |
> > protection is crazy. Do us all a favor and play a go night of russian |
| 150 |
> > roulette by yourself to get your thrills. |
| 151 |
> |
| 152 |
> OK seriously, this kind of comment isn't needed. I'm not sure what you |
| 153 |
> hoped to have accomplished by it, but I'm fairly sure it didn't work. |
| 154 |
> |
| 155 |
> As anyone who has spent 5 minutes in the security world knows, there's a |
| 156 |
> fine line between good security and paranoia. You can lock your system |
| 157 |
> down to high heaven and be sure that people won't get into it, but then |
| 158 |
> you won't be able to do a damn thing either. What good is that? |
| 159 |
> |
| 160 |
True but there is a middle area (95% security vs 5% usability loss or |
| 161 |
90%-10% and not 50-50). |
| 162 |
> Right now I have a choice to use these features if I want to. I don't |
| 163 |
> have to "opt-out" and I would rather keep it that way. The support |
| 164 |
> nightmare this will create is not worth the potential advantages. |
| 165 |
> |
| 166 |
> > There's more to be said on security but I feel too lazy right now to |
| 167 |
> > type it so if this isn't convinving you let us know. |
| 168 |
> |
| 169 |
> And as this list has shown historically, we can all argue security to high |
| 170 |
> heaven with each party feeling they have the right answer and never |
| 171 |
> accomplish anything. |
| 172 |
> |
| 173 |
> Now please don't get me wrong. As someone who's day job is in the |
| 174 |
> security field, I very much like and appreciate the efforts that have gone |
| 175 |
> into making secure toolchains and hardened systems a reality in Gentoo. |
| 176 |
> In some cases I do use them as well. |
| 177 |
> |
| 178 |
> However, I do not believe it is our place nor our job to make that choice |
| 179 |
> for our users. You cannot protect people from themselves, regardless of |
| 180 |
> the perceived benefits. |
| 181 |
> |
| 182 |
> Regards, |
| 183 |
You all see that hardened project is really working (there are people |
| 184 |
using it for months/years - interested to know just how many). Do you |
| 185 |
think they quite all the time search for solutions and file bugs or |
| 186 |
google for using it? |
| 187 |
PS:There are some other things to consider. There will be more work for |
| 188 |
hardened herd if this is accepted and there are problems u know. |
| 189 |
Also the issue with upstream - again. |
| 190 |
Just my opinion. Thanks |
| 191 |
Rumen |
Archives