| 1 |
On Friday 05 September 2003 18:02, Alexander Gabert wrote: |
| 2 |
> yeah, |
| 3 |
> |
| 4 |
> we should think about source-parsing function pointer bounds checkers |
| 5 |
> and formatstring checkers to round up our efforts in respect to the |
| 6 |
> linear overflow protection provided by the propolice support (SSP) and |
| 7 |
> the process randomization of dynamic PIC binaries by PaX. |
| 8 |
> |
| 9 |
> if you want we can discuss it in the channel #gentoo-hardened on |
| 10 |
I prefer discussion here, because it is searchable/grepable afterwards. |
| 11 |
|
| 12 |
> freenode what solutions are available currently and how hard it would be |
| 13 |
> to update portage (similar approach like the antivirus scanning prep'd |
| 14 |
> by solar some time ago) |
| 15 |
|
| 16 |
So far i came to the conclusion that this should be a portage FEATURE, |
| 17 |
with configuration option in make.conf, like which scans do i want, how deep |
| 18 |
or so, break ebuild or not, scanner options. |
| 19 |
Like that: |
| 20 |
|
| 21 |
after src_unpack(), if feature is set, portage scans the source code, informs |
| 22 |
the user and at the users will, depending on the scan-results, breaks the |
| 23 |
ebuild or continues. |
| 24 |
|
| 25 |
than src_compile |
| 26 |
|
| 27 |
after src_install the files in the image which is to transfer to the real |
| 28 |
filesystem, is, before the transfer scanned for other things, (viri, trojans, |
| 29 |
suids, whatever), reports the results and at the users will, depending on the |
| 30 |
scan-results, breaks the ebuild or continues. |
| 31 |
|
| 32 |
I know about the following source code scanners, almost restricted to c and |
| 33 |
c++: |
| 34 |
flawfinder, http://www.dwheeler.com/flawfinder/ |
| 35 |
splint, http://www.splint.org/ |
| 36 |
its4, http://www.cigital.com/its4/ |
| 37 |
rats, http://www.securesw.com/download_form_rats.htm |
| 38 |
|
| 39 |
Anyway, is there a policy like http://www.openbsd.org/porting.html#Security? |
| 40 |
|
| 41 |
Jan |
| 42 |
|
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-hardened@g.o mailing list |
Archives