| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Jason Wever wrote: |
| 7 |
| On Sat, 25 Sep 2004 19:26:26 +0200 |
| 8 |
| Bart Lauwers <blauwers@g.o> wrote: |
| 9 |
| |
| 10 |
| |
| 11 |
|
| 12 |
[...] |
| 13 |
|
| 14 |
|>2) The risk is real and errors against this seem common. |
| 15 |
| |
| 16 |
| |
| 17 |
| Sure, there is risk in almost everything too. However just because |
| 18 |
| driving an automobile can be dangerous doesn't mean I'll buy a tank or |
| 19 |
| stay inside just to feel safe. |
| 20 |
|
| 21 |
No, but you'll get one with strong bars in the doors so taht side |
| 22 |
impacts don't crush you to death, but rather push your car (crack open a |
| 23 |
fiberglass car door once, you'll see 'em). Also, rollbars on cars with |
| 24 |
no hard-top, etc. |
| 25 |
|
| 26 |
[...] |
| 27 |
|
| 28 |
|
| 29 |
| |
| 30 |
| |
| 31 |
| Doesn't this exist already? if people didn't trust Gentoo then why are |
| 32 |
| they using it? We can't be held ultimately responsible for software we |
| 33 |
| didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
| 34 |
| are you can knock it over on another Linux or possibly any other platform |
| 35 |
| it runs on either. |
| 36 |
|
| 37 |
I trust Gentoo in the security sense as much as I trust Mandrake, or |
| 38 |
Debian, or SuSE. The difference is that after taking notice of the |
| 39 |
hardened project, I learned about all kinds of neat stuff like |
| 40 |
- -fstack-protector and PaX, and now don't really trust anything else. |
| 41 |
|
| 42 |
You can't be held responsible for others' security holes, but you can |
| 43 |
take simple steps to mitigate the damages. |
| 44 |
|
| 45 |
| |
| 46 |
| |
| 47 |
|
| 48 |
[...] |
| 49 |
|
| 50 |
| |
| 51 |
| |
| 52 |
|>What I propose to do (pick the low hanging fruit): |
| 53 |
|>1) Add stack protector and and any similar 'features' stable in hardened |
| 54 |
|>to the default CLFAGS of the gentoo install/profiles. By stable I mean |
| 55 |
|>things which do not break the majority of functionality. |
| 56 |
| |
| 57 |
| |
| 58 |
| Feel free to take on the ownership of making this work on every arch's |
| 59 |
| toolchain then. Also feel free to deal with all upstream authors who |
| 60 |
| start instantly dismissing any bugs from Gentoo due to the fact that the |
| 61 |
| toolchain is quite modified to accomplish this task. Take the current |
| 62 |
| stance the GAIM team has with us as an example of what would be to come. |
| 63 |
|
| 64 |
SSP works on all architectures. |
| 65 |
|
| 66 |
As for upstream authors, guess what? |
| 67 |
|
| 68 |
|
| 69 |
usr/lib/python2.3/site-packages/mx/TextTools/Examples/pytag.py:47: |
| 70 |
SyntaxWarning: name 'debugging' is used prior to global declaration |
| 71 |
|
| 72 |
python: stack smashing attack in function symtable_node() |
| 73 |
|
| 74 |
error: command '/usr/bin/python' terminated by signal 6 |
| 75 |
|
| 76 |
|
| 77 |
Well SHIT! Looks like I've got some MEANINGFUL information about a bug! |
| 78 |
~ I mean damn, I can tell you right in what function the CHARACTER ARRAY |
| 79 |
that got overflowed was created, and that it was created on the stack |
| 80 |
(char a[n]); this leads you of course to the fact that it had to be |
| 81 |
overflowed by some function that got called from this function AND |
| 82 |
passed a character array, or somewhere along the line where that |
| 83 |
character array was passed. |
| 84 |
|
| 85 |
This is much more useful than "OMFG PYTHON R CRASH N STUFF WHEN I DO |
| 86 |
STFUF!!!1@!2151!" |
| 87 |
|
| 88 |
| |
| 89 |
| |
| 90 |
|>2) broken ebuilds can filter-flags until fixed (better approach since |
| 91 |
|>you are only fixing up ebuilds for broken stuff and may also prompt the |
| 92 |
|>devs to try and make the protection work). |
| 93 |
| |
| 94 |
| |
| 95 |
| The protection itself is a work-around to the original problem. You want |
| 96 |
| to continue to work around the problem even more? |
| 97 |
| |
| 98 |
|
| 99 |
SSP is a work-around for buffer overflows that may or may not lead to |
| 100 |
security exploits. |
| 101 |
|
| 102 |
Filtering in ebuilds is a work-around for bad software which gets killed |
| 103 |
because it's self-overflowing; or for software that triggers potential |
| 104 |
bugs in SSP (yes, SSP is software, written by humans, geniouses yes but |
| 105 |
humans, and can have bugs). In the first case, of course, SSP tells you |
| 106 |
almost exactly where to start looking. |
| 107 |
|
| 108 |
| |
| 109 |
|>3) People who prefer not to be protected can remove the settings from |
| 110 |
|>their CFLAGS |
| 111 |
| |
| 112 |
| |
| 113 |
| Personally, I don't think opting out is the way to do this. Having CFLAGS |
| 114 |
| that are in by default that may or may not work across all architectures |
| 115 |
| is not a good thing. |
| 116 |
|
| 117 |
Opting out of a feature which in usage you're normally not going to |
| 118 |
really notice is there is no the way to do things? Dude, that's like |
| 119 |
saying you should make locks on windows optional. They can be unlocked. |
| 120 |
|
| 121 |
And ssp is supposed to be portable. Etoh and Yoda's paper[1] says that |
| 122 |
The IBM stack smash protection method (ProPolice) is CPU and OS |
| 123 |
independent[2]. I think that you'd be within reason to complain to them |
| 124 |
if it didn't work accross all archs. |
| 125 |
|
| 126 |
[1] http://www.trl.ibm.com/projects/security/ssp/main.html |
| 127 |
[2] |
| 128 |
http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00045000000000000000 |
| 129 |
|
| 130 |
| |
| 131 |
| |
| 132 |
|>4) get stuff virus, spam, etc protection functional and leveraged into |
| 133 |
|>the defaults in other words turn on those USE flags in the standard |
| 134 |
|>profiles |
| 135 |
| |
| 136 |
| |
| 137 |
| No thanks. I don't want to have to spend the first 24 hours or so of |
| 138 |
| using my new"trusted" operating system opting out of all of the overly |
| 139 |
| paranoid defaults. If I'm looking for a high level of security out of the |
| 140 |
| box, I'll use hardened or OpenBSD. |
| 141 |
| |
| 142 |
| |
| 143 |
|>A personal opinion: |
| 144 |
|>Anyone who thinks that a speed tradeoff is too much for better |
| 145 |
|>protection is crazy. Do us all a favor and play a go night of russian |
| 146 |
|>roulette by yourself to get your thrills. |
| 147 |
| |
| 148 |
|
| 149 |
1. Within reason |
| 150 |
2. It has to actually affect speed. Overhead != speed |
| 151 |
|
| 152 |
| |
| 153 |
| OK seriously, this kind of comment isn't needed. I'm not sure what you |
| 154 |
| hoped to have accomplished by it, but I'm fairly sure it didn't work. |
| 155 |
| |
| 156 |
| As anyone who has spent 5 minutes in the security world knows, there's a |
| 157 |
| fine line between good security and paranoia. You can lock your system |
| 158 |
| down to high heaven and be sure that people won't get into it, but then |
| 159 |
| you won't be able to do a damn thing either. What good is that? |
| 160 |
| |
| 161 |
|
| 162 |
Yes, exactly. -fstack-protector is one of those things you put there |
| 163 |
and never notice, but it does its job. |
| 164 |
|
| 165 |
| Right now I have a choice to use these features if I want to. I don't |
| 166 |
| have to "opt-out" and I would rather keep it that way. The support |
| 167 |
| nightmare this will create is not worth the potential advantages. |
| 168 |
|
| 169 |
Yes and about 99.9999999% of your user base is probably going to say |
| 170 |
"wha? SSP? Wassat?" if you ask them if they use SSP. |
| 171 |
|
| 172 |
| |
| 173 |
| |
| 174 |
|>There's more to be said on security but I feel too lazy right now to |
| 175 |
|>type it so if this isn't convinving you let us know. |
| 176 |
| |
| 177 |
| |
| 178 |
| And as this list has shown historically, we can all argue security to high |
| 179 |
| heaven with each party feeling they have the right answer and never |
| 180 |
| accomplish anything. |
| 181 |
| |
| 182 |
| Now please don't get me wrong. As someone who's day job is in the |
| 183 |
| security field, I very much like and appreciate the efforts that have gone |
| 184 |
| into making secure toolchains and hardened systems a reality in Gentoo. |
| 185 |
| In some cases I do use them as well. |
| 186 |
| |
| 187 |
|
| 188 |
As someone who is passively absorbing this information, I find your |
| 189 |
ignorance combined with your claim of being a security expert to |
| 190 |
indicate that you're full of shit. |
| 191 |
|
| 192 |
You've repetedly referred to the issue of cross-platform portability |
| 193 |
with SSP in here, for example; and I've pointed out once a link that |
| 194 |
shows that SSP is OS and CPU independent. Do your research, read what's |
| 195 |
out there. |
| 196 |
|
| 197 |
I also pointed out how SSP helps you find AND fix the problems, where |
| 198 |
you just said it's a work-around and that upstream maintainers will use |
| 199 |
it as an excuse to fix bugs. Instead of whining to them that shit |
| 200 |
breaks and that they need to now find some way to reproduce the problem |
| 201 |
OR just go audit their entire codebase over and over until they find it, |
| 202 |
we can tell them EXACTLY where to start looking. We can ALMOST tell |
| 203 |
them where the bug is. Doesn't this make life easier for all of us? |
| 204 |
|
| 205 |
This tells me you haven't done your research, haven't tested the system |
| 206 |
and triggered it intentionally to see what happens, have only a rough |
| 207 |
idea if any what you're dealing with, and thus have no place commenting. |
| 208 |
|
| 209 |
I'm no security expert, I don't claim to be; but I at least know the |
| 210 |
subjet matter here better than you, for some strange and unknown reason. |
| 211 |
|
| 212 |
| However, I do not believe it is our place nor our job to make that choice |
| 213 |
| for our users. You cannot protect people from themselves, regardless of |
| 214 |
| the perceived benefits. |
| 215 |
| |
| 216 |
|
| 217 |
I can say that faster. "General security is a lost cause; only security |
| 218 |
experts have any business having security, even if it's transparent to |
| 219 |
them." |
| 220 |
|
| 221 |
| Regards, |
| 222 |
|
| 223 |
- -- |
| 224 |
All content of all messages exchanged herein are left in the |
| 225 |
Public Domain, unless otherwise explicitly stated. |
| 226 |
|
| 227 |
-----BEGIN PGP SIGNATURE----- |
| 228 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 229 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 230 |
|
| 231 |
iD8DBQFBVl5KhDd4aOud5P8RArPxAKCPd1Y8uX9MH6UyVTSIsWGrwEedvwCeOecc |
| 232 |
ewEb0aO0NZngjEfn5aOJ6eA= |
| 233 |
=1ZJd |
| 234 |
-----END PGP SIGNATURE----- |
| 235 |
|
| 236 |
-- |
| 237 |
gentoo-dev@g.o mailing list |
Archives