Gentoo Archives: gentoo-security

From: John Chronister <chron@××××××.cz>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] propolice on amd64
Date: Tue, 20 Jan 2004 16:21:38
In Reply to: Re: [gentoo-security] propolice on amd64 by Ned Ludd
Ned Ludd wrote:

>On Mon, 2004-01-19 at 10:21, Joseph Pingenot wrote: > > >>From John Chronister on Monday, 19 January, 2004: >> >> >>>how do i get stack smashing protection on amd64? i am using the latest >>>experimental amd64 live cd. >>>-chron >>> >>> > > > >>You don't. IIRC, linux sets the stack noexec on amd64, and amd64 processors >> honor it. Remember the hullaballoo about Microsoft doing the same thing? >> >> > >Simply trying to take advantage of the NX bit on the 64 bit arch won't >do the job alone of preventing arbitrary code execution whihc I assume >is the goal here. >He in fact will want to enable ssp on the amd64 as well as have a kernel >that can take advantage of it. As far as I'm aware of PaX > is the only kernel patch that will let you >take advantage of the NX bit on any of the 64 bit arches. > >solar@amd64 solar $ cat vuln.c >#include <string.h> >int main(int argc, char **argv) { > char buf[10]; > strcpy(buf, argv[1]); > return 0; >} >solar@amd64 solar $ make vuln >gcc vuln.c -o vuln >solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901 >Segmentation fault >solar@amd64 solar $ gcc vuln.c -o vuln -fstack-protector >solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901 >vuln: stack smashing attack in function main >Aborted > >Here is my suggestion for a secure set of CFLAGS for the amd64 after >getting and applying the PaX patch for amd64 and enabling Address Space >Layout Randomizations. > >CFLAGS="${CFLAGS} -fomit-frame-pointer -fstack-protector -fPIC -pie >-fforce-addr" > >This will build you a position independent executable without debugging >frames as well as force memory address constants to be copied into >registers before any arithmetic is preformed on them them. > >The hardened project at gentoo is planning on releasing stages which >have this same set of flags enabled after gcc-3.3.x goes stable. > >[snip] > > > >>Many thanks to the amd64 kernel hackers! >> >>-Joseph >> >>
First let me say thank you for your response. I did a build normally for now. I will look into this later. Thank You Again, -chron -- gentoo-security@g.o mailing list