| 1 |
On Sun, 2005-09-25 at 07:44 -0400, Albert Lash wrote: |
| 2 |
> I'm getting the feeling that even if you run SElinux, you do not have to |
| 3 |
> use the hardened gcc compiler. Can someone explain what this compiler is |
| 4 |
> used for and when to use it? |
| 5 |
|
| 6 |
The hardened compiler strengthens the integrity of a program, which |
| 7 |
means its harder to break the program and make it do unintended things, |
| 8 |
for example by exploiting a buffer overflow. The compiler uses stack |
| 9 |
smashing protection and address space layout randomization (ASLR) to |
| 10 |
accomplish this. To get the maximum effect, you also want to use PaX to |
| 11 |
make ASLR work, and also get non-executable pages enforcement. |
| 12 |
|
| 13 |
SELinux provides assurance, preventing programs from doing things |
| 14 |
unintended; anything that isn't explicitly allowed is denied. This is |
| 15 |
limited to accesses (not correctness of data), so if someone compromises |
| 16 |
a service, but doesn't do anything disallowed, SELinux (or any other |
| 17 |
access control system for that matter) won't stop it. For example, if |
| 18 |
someone were to compromise a mail server daemon with the intent of |
| 19 |
reading secret emails in the mail spool, SELinux won't stop it, since |
| 20 |
the daemon has to read and write the mail spool as part of its regular |
| 21 |
function. |
| 22 |
|
| 23 |
SELinux can also provide process integrity protections thanks to some |
| 24 |
enhancements merged in recent kernel releases, such as preventing |
| 25 |
execution of memory, stack, heap, etc. There is a technical argument on |
| 26 |
whether this is sufficient, (implementation-wise, in comparison to PaX), |
| 27 |
but I'm not going to get into it. |
| 28 |
|
| 29 |
When to use the hardened compiler? In general, it would be best to at |
| 30 |
least use it on whatever you're running which would seem prone to being |
| 31 |
attacked. For completeness, you should use it on all of your system, |
| 32 |
since that will cover libraries and anything else you wouldn't |
| 33 |
anticipate as an attack vector. |
| 34 |
|
| 35 |
The strongest solution would use both a hardened compiler, a mandatory |
| 36 |
access control system, and PaX. This is layered security, to try to get |
| 37 |
as complete protection as possible. |
| 38 |
|
| 39 |
-- |
| 40 |
Chris PeBenito |
| 41 |
<pebenito@g.o> |
| 42 |
Developer, |
| 43 |
Hardened Gentoo Linux |
| 44 |
Embedded Gentoo Linux |
| 45 |
|
| 46 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 47 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives