Gentoo Archives: gentoo-dev

From: Ned Ludd <solar@g.o>
To: gentoo-hardened@l.g.o
Cc: gentoo-dev@l.g.o, anthony@××××××××××.com, dmonnier@××.edu, markusle@×××××.com, mtindal@××××××××××××.com, webkiller71@××××.be, ps.m@×××.net, bgb@×××××.com, co@××××××××.com, tocharian@××××××.org
Subject: [gentoo-dev] Not considering dropping the hardened toolchain
Date: Tue, 21 Sep 2004 18:02:51
Message-Id: 1095789660.8317.1590.camel@simple
1 Good afternoon gentlemen. Thanks for your feedback to the other thread.
3 Now due to the overwhelming positive feedback from the thread I'm faced
4 with trying to find enough tasks for everybody to do.
6 I will list a few things that I see as needing to be done.
8 ------------------------------------------------------------------------
9 1) Re review the existing packages which filter-flags -fPIC and find
10 more creative solutions to them.
11 ------------------------------------------------------------------------
12 2) Re review the existing packages which filter-flags -fstack-protector
13 and find more creative solutions to them.
14 ------------------------------------------------------------------------
15 3) Better documentation.
16 Adam Mondl has started in on this task. So far he has developed a quick
17 intro of what's up with xorg and a hardened toolchain.
20 He is also working on a Hardened FAQ which has not been published yet.
22 ------------------------------------------------------------------------
23 4) A Comparative analysis of security approaches taken by distributions.
25 This should be written by somebody who has a fair amount of time on
26 his/her hands and should include such things as benchmarks.
27 Testing successful/unsuccessful exploitation rates.
29 (People like graphs and things they can visualize)
30 This would/should include why Gentoo has opted for PaX over RH's inhouse
31 Exec-Shield.
33 Google has a fair bit of info on this subject if you search long and
34 hard which clearly proves why for security PaX is clearly a superior
35 solution. (But do try to be objective in this)
37 You will need more than one machine for this test.
38 Suggested installs would be a hardened stage3 and fedora core 3.
40 The focus should be strictly on memory protections and not access
41 control.
43 Target audience should be medium advanced.
44 This may/should be written from an educational security perspective
45 (hint hint dmonnier @ IU EDU)
46 -----------------------------------------------------------------------
47 5) Look for flaws in the design of the hardened toolchain.
48 Are there any cases when using it may actually lower security? If so
49 when?
50 -----------------------------------------------------------------------
51 6) Review the existing method that the hardened toolchain uses.
52 Consider code cleanups which could make getting it to go mainstream
53 easier.
54 Currently it's a patch for gcc with some rules which control object code
55 creation and linking scenario's.
56 -----------------------------------------------------------------------
57 7) Learn to understand the gcc.specs and what they are all about.
59 -----------------------------------------------------------------------
60 8) Supporting new arches.
62 Currently only x86/amd64/sparc64 are supported by the hardened
63 toolchain.
65 ppc/ppc64/s390 could be added easy enough. (need people with supporting
66 hardware)
68 mips/arm are having linking problems with crt files. (undefined
69 references to __csu_init/fini...)
71 As a rule of thumb here we want to support every arch that Gentoo does.
72 -----------------------------------------------------------------------
73 9) Embedded (SBC style) things.
74 Currently only x86-uclibc and ppc-uclibc support PIE with x86 being the
75 only semi complete one. Need to support other arches here.
76 -----------------------------------------------------------------------
77 10) Take a proactive effort and think of something yourself that could
78 use improvements.
80 The ones of you that that take a proactive effort on your own will more
81 likely make the team vs the ones of you that need hand holding.
83 But all help is desired. Be that simple suggestions or the occasional
84 xml document.
86 where Kevin Quinn is
87 already getting to work is an example of one of you thats taking a
88 proactive effort on his own to help solve a long standing bug.
89 In addition to what Adam Mondl is doing with docs.
91 Those of you that feel intimidated don't be. You can always send
92 suggestions for the FAQ, proof read something, start a survey.
94 -----------------------------------------------------------------------
95 11) Hawk bugzilla!
96 Become active on the mailing lists. (-hardened/-security/others)
97 Not just 'hey XYZ does not compile', but try to help other users.
98 Do public relations. Do cover art. Do regression testing. Write
99 something with the aims of getting it published in a
100 book/magazine/other. Join the irc channel and offer help to users.
102 And mostly importantly try work with each other.
104 Thanks for your time and I look fwd to working with you guys (gals?).
105 --
106 Ned Ludd <solar@g.o>
107 Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer


File name MIME type
signature.asc application/pgp-signature