| 1 |
Good afternoon gentlemen. Thanks for your feedback to the other thread. |
| 2 |
|
| 3 |
Now due to the overwhelming positive feedback from the thread I'm faced |
| 4 |
with trying to find enough tasks for everybody to do. |
| 5 |
|
| 6 |
I will list a few things that I see as needing to be done. |
| 7 |
|
| 8 |
------------------------------------------------------------------------ |
| 9 |
1) Re review the existing packages which filter-flags -fPIC and find |
| 10 |
more creative solutions to them. |
| 11 |
------------------------------------------------------------------------ |
| 12 |
2) Re review the existing packages which filter-flags -fstack-protector |
| 13 |
and find more creative solutions to them. |
| 14 |
------------------------------------------------------------------------ |
| 15 |
3) Better documentation. |
| 16 |
Adam Mondl has started in on this task. So far he has developed a quick |
| 17 |
intro of what's up with xorg and a hardened toolchain. |
| 18 |
http://hardened.gentoo.org/hardenedxorg.xml |
| 19 |
|
| 20 |
He is also working on a Hardened FAQ which has not been published yet. |
| 21 |
http://tocharian.ath.cx/hardened/hardenedfaq.html |
| 22 |
------------------------------------------------------------------------ |
| 23 |
4) A Comparative analysis of security approaches taken by distributions. |
| 24 |
|
| 25 |
This should be written by somebody who has a fair amount of time on |
| 26 |
his/her hands and should include such things as benchmarks. |
| 27 |
Testing successful/unsuccessful exploitation rates. |
| 28 |
|
| 29 |
(People like graphs and things they can visualize) |
| 30 |
This would/should include why Gentoo has opted for PaX over RH's inhouse |
| 31 |
Exec-Shield. |
| 32 |
|
| 33 |
Google has a fair bit of info on this subject if you search long and |
| 34 |
hard which clearly proves why for security PaX is clearly a superior |
| 35 |
solution. (But do try to be objective in this) |
| 36 |
|
| 37 |
You will need more than one machine for this test. |
| 38 |
Suggested installs would be a hardened stage3 and fedora core 3. |
| 39 |
|
| 40 |
The focus should be strictly on memory protections and not access |
| 41 |
control. |
| 42 |
|
| 43 |
Target audience should be medium advanced. |
| 44 |
This may/should be written from an educational security perspective |
| 45 |
(hint hint dmonnier @ IU EDU) |
| 46 |
----------------------------------------------------------------------- |
| 47 |
5) Look for flaws in the design of the hardened toolchain. |
| 48 |
Are there any cases when using it may actually lower security? If so |
| 49 |
when? |
| 50 |
----------------------------------------------------------------------- |
| 51 |
6) Review the existing method that the hardened toolchain uses. |
| 52 |
Consider code cleanups which could make getting it to go mainstream |
| 53 |
easier. |
| 54 |
Currently it's a patch for gcc with some rules which control object code |
| 55 |
creation and linking scenario's. |
| 56 |
----------------------------------------------------------------------- |
| 57 |
7) Learn to understand the gcc.specs and what they are all about. |
| 58 |
http://dev.gentoo.org/~solar/toolchain/gcc/The_Specs_Language.txt |
| 59 |
----------------------------------------------------------------------- |
| 60 |
8) Supporting new arches. |
| 61 |
|
| 62 |
Currently only x86/amd64/sparc64 are supported by the hardened |
| 63 |
toolchain. |
| 64 |
|
| 65 |
ppc/ppc64/s390 could be added easy enough. (need people with supporting |
| 66 |
hardware) |
| 67 |
|
| 68 |
mips/arm are having linking problems with crt files. (undefined |
| 69 |
references to __csu_init/fini...) |
| 70 |
|
| 71 |
As a rule of thumb here we want to support every arch that Gentoo does. |
| 72 |
----------------------------------------------------------------------- |
| 73 |
9) Embedded (SBC style) things. |
| 74 |
Currently only x86-uclibc and ppc-uclibc support PIE with x86 being the |
| 75 |
only semi complete one. Need to support other arches here. |
| 76 |
----------------------------------------------------------------------- |
| 77 |
10) Take a proactive effort and think of something yourself that could |
| 78 |
use improvements. |
| 79 |
|
| 80 |
The ones of you that that take a proactive effort on your own will more |
| 81 |
likely make the team vs the ones of you that need hand holding. |
| 82 |
|
| 83 |
But all help is desired. Be that simple suggestions or the occasional |
| 84 |
xml document. |
| 85 |
|
| 86 |
http://bugs.gentoo.org/show_bug.cgi?id=51853 where Kevin Quinn is |
| 87 |
already getting to work is an example of one of you thats taking a |
| 88 |
proactive effort on his own to help solve a long standing bug. |
| 89 |
In addition to what Adam Mondl is doing with docs. |
| 90 |
|
| 91 |
Those of you that feel intimidated don't be. You can always send |
| 92 |
suggestions for the FAQ, proof read something, start a survey. |
| 93 |
|
| 94 |
----------------------------------------------------------------------- |
| 95 |
11) Hawk bugzilla! |
| 96 |
Become active on the mailing lists. (-hardened/-security/others) |
| 97 |
Not just 'hey XYZ does not compile', but try to help other users. |
| 98 |
Do public relations. Do cover art. Do regression testing. Write |
| 99 |
something with the aims of getting it published in a |
| 100 |
book/magazine/other. Join the irc channel and offer help to users. |
| 101 |
|
| 102 |
And mostly importantly try work with each other. |
| 103 |
|
| 104 |
Thanks for your time and I look fwd to working with you guys (gals?). |
| 105 |
-- |
| 106 |
Ned Ludd <solar@g.o> |
| 107 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |
Archives