1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
|
5 |
|
6 |
Jason Wever wrote: |
7 |
| On Sat, 25 Sep 2004 19:26:26 +0200 |
8 |
| Bart Lauwers <blauwers@g.o> wrote: |
9 |
| |
10 |
| |
11 |
|
12 |
[...] |
13 |
|
14 |
|>2) The risk is real and errors against this seem common. |
15 |
| |
16 |
| |
17 |
| Sure, there is risk in almost everything too. However just because |
18 |
| driving an automobile can be dangerous doesn't mean I'll buy a tank or |
19 |
| stay inside just to feel safe. |
20 |
|
21 |
No, but you'll get one with strong bars in the doors so taht side |
22 |
impacts don't crush you to death, but rather push your car (crack open a |
23 |
fiberglass car door once, you'll see 'em). Also, rollbars on cars with |
24 |
no hard-top, etc. |
25 |
|
26 |
[...] |
27 |
|
28 |
|
29 |
| |
30 |
| |
31 |
| Doesn't this exist already? if people didn't trust Gentoo then why are |
32 |
| they using it? We can't be held ultimately responsible for software we |
33 |
| didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
34 |
| are you can knock it over on another Linux or possibly any other platform |
35 |
| it runs on either. |
36 |
|
37 |
I trust Gentoo in the security sense as much as I trust Mandrake, or |
38 |
Debian, or SuSE. The difference is that after taking notice of the |
39 |
hardened project, I learned about all kinds of neat stuff like |
40 |
- -fstack-protector and PaX, and now don't really trust anything else. |
41 |
|
42 |
You can't be held responsible for others' security holes, but you can |
43 |
take simple steps to mitigate the damages. |
44 |
|
45 |
| |
46 |
| |
47 |
|
48 |
[...] |
49 |
|
50 |
| |
51 |
| |
52 |
|>What I propose to do (pick the low hanging fruit): |
53 |
|>1) Add stack protector and and any similar 'features' stable in hardened |
54 |
|>to the default CLFAGS of the gentoo install/profiles. By stable I mean |
55 |
|>things which do not break the majority of functionality. |
56 |
| |
57 |
| |
58 |
| Feel free to take on the ownership of making this work on every arch's |
59 |
| toolchain then. Also feel free to deal with all upstream authors who |
60 |
| start instantly dismissing any bugs from Gentoo due to the fact that the |
61 |
| toolchain is quite modified to accomplish this task. Take the current |
62 |
| stance the GAIM team has with us as an example of what would be to come. |
63 |
|
64 |
SSP works on all architectures. |
65 |
|
66 |
As for upstream authors, guess what? |
67 |
|
68 |
|
69 |
usr/lib/python2.3/site-packages/mx/TextTools/Examples/pytag.py:47: |
70 |
SyntaxWarning: name 'debugging' is used prior to global declaration |
71 |
|
72 |
python: stack smashing attack in function symtable_node() |
73 |
|
74 |
error: command '/usr/bin/python' terminated by signal 6 |
75 |
|
76 |
|
77 |
Well SHIT! Looks like I've got some MEANINGFUL information about a bug! |
78 |
~ I mean damn, I can tell you right in what function the CHARACTER ARRAY |
79 |
that got overflowed was created, and that it was created on the stack |
80 |
(char a[n]); this leads you of course to the fact that it had to be |
81 |
overflowed by some function that got called from this function AND |
82 |
passed a character array, or somewhere along the line where that |
83 |
character array was passed. |
84 |
|
85 |
This is much more useful than "OMFG PYTHON R CRASH N STUFF WHEN I DO |
86 |
STFUF!!!1@!2151!" |
87 |
|
88 |
| |
89 |
| |
90 |
|>2) broken ebuilds can filter-flags until fixed (better approach since |
91 |
|>you are only fixing up ebuilds for broken stuff and may also prompt the |
92 |
|>devs to try and make the protection work). |
93 |
| |
94 |
| |
95 |
| The protection itself is a work-around to the original problem. You want |
96 |
| to continue to work around the problem even more? |
97 |
| |
98 |
|
99 |
SSP is a work-around for buffer overflows that may or may not lead to |
100 |
security exploits. |
101 |
|
102 |
Filtering in ebuilds is a work-around for bad software which gets killed |
103 |
because it's self-overflowing; or for software that triggers potential |
104 |
bugs in SSP (yes, SSP is software, written by humans, geniouses yes but |
105 |
humans, and can have bugs). In the first case, of course, SSP tells you |
106 |
almost exactly where to start looking. |
107 |
|
108 |
| |
109 |
|>3) People who prefer not to be protected can remove the settings from |
110 |
|>their CFLAGS |
111 |
| |
112 |
| |
113 |
| Personally, I don't think opting out is the way to do this. Having CFLAGS |
114 |
| that are in by default that may or may not work across all architectures |
115 |
| is not a good thing. |
116 |
|
117 |
Opting out of a feature which in usage you're normally not going to |
118 |
really notice is there is no the way to do things? Dude, that's like |
119 |
saying you should make locks on windows optional. They can be unlocked. |
120 |
|
121 |
And ssp is supposed to be portable. Etoh and Yoda's paper[1] says that |
122 |
The IBM stack smash protection method (ProPolice) is CPU and OS |
123 |
independent[2]. I think that you'd be within reason to complain to them |
124 |
if it didn't work accross all archs. |
125 |
|
126 |
[1] http://www.trl.ibm.com/projects/security/ssp/main.html |
127 |
[2] |
128 |
http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00045000000000000000 |
129 |
|
130 |
| |
131 |
| |
132 |
|>4) get stuff virus, spam, etc protection functional and leveraged into |
133 |
|>the defaults in other words turn on those USE flags in the standard |
134 |
|>profiles |
135 |
| |
136 |
| |
137 |
| No thanks. I don't want to have to spend the first 24 hours or so of |
138 |
| using my new"trusted" operating system opting out of all of the overly |
139 |
| paranoid defaults. If I'm looking for a high level of security out of the |
140 |
| box, I'll use hardened or OpenBSD. |
141 |
| |
142 |
| |
143 |
|>A personal opinion: |
144 |
|>Anyone who thinks that a speed tradeoff is too much for better |
145 |
|>protection is crazy. Do us all a favor and play a go night of russian |
146 |
|>roulette by yourself to get your thrills. |
147 |
| |
148 |
|
149 |
1. Within reason |
150 |
2. It has to actually affect speed. Overhead != speed |
151 |
|
152 |
| |
153 |
| OK seriously, this kind of comment isn't needed. I'm not sure what you |
154 |
| hoped to have accomplished by it, but I'm fairly sure it didn't work. |
155 |
| |
156 |
| As anyone who has spent 5 minutes in the security world knows, there's a |
157 |
| fine line between good security and paranoia. You can lock your system |
158 |
| down to high heaven and be sure that people won't get into it, but then |
159 |
| you won't be able to do a damn thing either. What good is that? |
160 |
| |
161 |
|
162 |
Yes, exactly. -fstack-protector is one of those things you put there |
163 |
and never notice, but it does its job. |
164 |
|
165 |
| Right now I have a choice to use these features if I want to. I don't |
166 |
| have to "opt-out" and I would rather keep it that way. The support |
167 |
| nightmare this will create is not worth the potential advantages. |
168 |
|
169 |
Yes and about 99.9999999% of your user base is probably going to say |
170 |
"wha? SSP? Wassat?" if you ask them if they use SSP. |
171 |
|
172 |
| |
173 |
| |
174 |
|>There's more to be said on security but I feel too lazy right now to |
175 |
|>type it so if this isn't convinving you let us know. |
176 |
| |
177 |
| |
178 |
| And as this list has shown historically, we can all argue security to high |
179 |
| heaven with each party feeling they have the right answer and never |
180 |
| accomplish anything. |
181 |
| |
182 |
| Now please don't get me wrong. As someone who's day job is in the |
183 |
| security field, I very much like and appreciate the efforts that have gone |
184 |
| into making secure toolchains and hardened systems a reality in Gentoo. |
185 |
| In some cases I do use them as well. |
186 |
| |
187 |
|
188 |
As someone who is passively absorbing this information, I find your |
189 |
ignorance combined with your claim of being a security expert to |
190 |
indicate that you're full of shit. |
191 |
|
192 |
You've repetedly referred to the issue of cross-platform portability |
193 |
with SSP in here, for example; and I've pointed out once a link that |
194 |
shows that SSP is OS and CPU independent. Do your research, read what's |
195 |
out there. |
196 |
|
197 |
I also pointed out how SSP helps you find AND fix the problems, where |
198 |
you just said it's a work-around and that upstream maintainers will use |
199 |
it as an excuse to fix bugs. Instead of whining to them that shit |
200 |
breaks and that they need to now find some way to reproduce the problem |
201 |
OR just go audit their entire codebase over and over until they find it, |
202 |
we can tell them EXACTLY where to start looking. We can ALMOST tell |
203 |
them where the bug is. Doesn't this make life easier for all of us? |
204 |
|
205 |
This tells me you haven't done your research, haven't tested the system |
206 |
and triggered it intentionally to see what happens, have only a rough |
207 |
idea if any what you're dealing with, and thus have no place commenting. |
208 |
|
209 |
I'm no security expert, I don't claim to be; but I at least know the |
210 |
subjet matter here better than you, for some strange and unknown reason. |
211 |
|
212 |
| However, I do not believe it is our place nor our job to make that choice |
213 |
| for our users. You cannot protect people from themselves, regardless of |
214 |
| the perceived benefits. |
215 |
| |
216 |
|
217 |
I can say that faster. "General security is a lost cause; only security |
218 |
experts have any business having security, even if it's transparent to |
219 |
them." |
220 |
|
221 |
| Regards, |
222 |
|
223 |
- -- |
224 |
All content of all messages exchanged herein are left in the |
225 |
Public Domain, unless otherwise explicitly stated. |
226 |
|
227 |
-----BEGIN PGP SIGNATURE----- |
228 |
Version: GnuPG v1.2.6 (GNU/Linux) |
229 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
230 |
|
231 |
iD8DBQFBVl5KhDd4aOud5P8RArPxAKCPd1Y8uX9MH6UyVTSIsWGrwEedvwCeOecc |
232 |
ewEb0aO0NZngjEfn5aOJ6eA= |
233 |
=1ZJd |
234 |
-----END PGP SIGNATURE----- |
235 |
|
236 |
-- |
237 |
gentoo-dev@g.o mailing list |