Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Tool for eliminating non used code or symbols?
Date: Tue, 26 Mar 2013 15:12:08
Message-Id: a3e6fb1ccfdcf04378cb83747c421e85.squirrel@atoth.sote.hu
In Reply to: Re: [gentoo-hardened] Tool for eliminating non used code or symbols? by "Javier Juan Martínez Cabezón"
I'm just thinking aloud here...
So as long as hardened gcc is used to compile the code, it makes the
exploitation harder compared to distros not pushing PIE as much. I think
other distros also acknowledged the importance of PIE as well in the
meantime:
https://wiki.ubuntu.com/Security/Features#Built_as_PIE
http://wiki.debian.org/Hardening#gcc_-pie_-fPIE
For a userland like that, binaries compiled without the hardened toolchain
are the easiest to exploit. Binary packages, third-party binaries,
closed-source binaries. These are usually important executables
way over 20k.

I wonder how these ROP techniques can theoretically perform in a Java
virtual machine? What are the possible target vectors for Python or Ruby?
What about JIT code?
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Tuesday, 26 March 2013 at 10:18, Javier Juan Martínez Cabezón wrote:
> PIE is used in hardened gentoo. If PIE can't protect you against this,
> ssp at least could try to do it; this is the reason why
> -fstack-protector-all and -D_FORTIFY_SOURCE=2 are needed, and at least
> -fstack-protector-all is really extended in hardened gentoo, as
> another security layer.
>
> 2013/3/25, "Tóth Attila" <atoth@××××××××××.hu>:
>> Is gentoo-hardened better regarding the amount of unrandomized code
>> compared to other distros?
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On Monday, 25 March 2013 at 13:52, PaX Team wrote:
>>> On 25 Mar 2013 at 9:01, Kfir Lavi wrote:
>>>
>>>> Hi,
>>>> I'm looking for a way to reduce glibc code size.
>>>> It can be a way to make the system smaller and minimize the impact
>>>> of attack vectors in glibc, as in return-to-libc attack.
>>>
>>> study this and draw your conclusions whether the whole exercise is
>>> worth it or not:
>>>
>>> https://www.usenix.org/conference/usenix-security-11/q-exploit-hardening-made-easy
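
A defender-side audit related to the point above about binary packages and third-party binaries built without the hardened toolchain, added here as an example and not part of the original thread. It reads an ELF64 header to tell fixed-address executables from PIE ones and looks for SSP and FORTIFY_SOURCE references; the names `classify_elf` and `build_sample` are hypothetical, the string checks are heuristics, and the sample images are constructed.

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> dict:
    """Report PIE / SSP / FORTIFY indicators for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # p_type is the first 32-bit field of every program header.
    p_types = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    if e_type == ET_EXEC:
        kind = "fixed-address executable (no PIE)"
    elif e_type == ET_DYN and PT_INTERP in p_types:
        kind = "PIE executable"
    elif e_type == ET_DYN:
        # Static PIE also lands here; it has no PT_INTERP segment.
        kind = "shared object"
    else:
        kind = "other"
    return {
        "kind": kind,
        # Heuristics: -fstack-protector code references __stack_chk_fail,
        # -D_FORTIFY_SOURCE code references the *_chk wrappers.
        "ssp": b"__stack_chk_fail" in data,
        "fortify": any(s in data for s in
                       (b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk")),
    }

def build_sample(e_type: int, interp: bool, strings: bytes = b"") -> bytes:
    """Constructed test image: ELF64 header, one program header, raw strings."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = struct.pack("<HHIQQQIHHHHHH",
                         e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if interp else 1, 4, 0, 0, 0, 0, 0, 1)
    return ident + header + phdr + strings

if __name__ == "__main__":
    print(classify_elf(build_sample(ET_EXEC, True)))
    print(classify_elf(build_sample(ET_DYN, True, b"__stack_chk_fail\0")))
```

On a real system, pass the bytes of each installed executable to `classify_elf` and flag every result whose kind is the fixed-address one.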

Replies

Subject Author
Re: [gentoo-hardened] Tool for eliminating non used code or symbols? "Javier Juan Martínez Cabezón" <tazok.id0@×××××.com>