Gentoo Archives: gentoo-security

From: Ned Ludd <solar@g.o>
To: trelane@××××××××××.net
Cc: John Chronister <chron@××××××.cz>, gentoo-security@l.g.o, gentoo-amd64@l.g.o
Subject: Re: [gentoo-security] propolice on amd64
Date: Tue, 20 Jan 2004 12:41:35
Message-Id: 1074602129.6798.8677.camel@simple
In Reply to: Re: [gentoo-security] propolice on amd64 by Joseph Pingenot
On Mon, 2004-01-19 at 10:21, Joseph Pingenot wrote:
> From John Chronister on Monday, 19 January, 2004:
> >how do i get stack smashing protection on amd64? i am using the latest
> >experimental amd64 live cd.
> >-chron

> You don't. IIRC, linux sets the stack noexec on amd64, and amd64 processors
> honor it. Remember the hullaballoo about Microsoft doing the same thing?

Simply trying to take advantage of the NX bit on the 64 bit arch won't
do the job alone of preventing arbitrary code execution which I assume
is the goal here.
He in fact will want to enable ssp on the amd64 as well as have a kernel
that can take advantage of it. As far as I'm aware of PaX
http://pax.grsecurity.net/ is the only kernel patch that will let you
take advantage of the NX bit on any of the 64 bit arches.

solar@amd64 solar $ cat vuln.c
#include <string.h>
int main(int argc, char **argv) {
    char buf[10];
    strcpy(buf, argv[1]);
    return 0;
}
solar@amd64 solar $ make vuln
gcc vuln.c -o vuln
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
Segmentation fault
solar@amd64 solar $ gcc vuln.c -o vuln -fstack-protector
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
vuln: stack smashing attack in function main
Aborted

Here is my suggestion for a secure set of CFLAGS for the amd64 after
getting and applying the PaX patch for amd64 and enabling Address Space
Layout Randomizations.

CFLAGS="${CFLAGS} -fomit-frame-pointer -fstack-protector -fPIC -pie
-fforce-addr"

This will build you a position independent executable without debugging
frames as well as force memory address constants to be copied into
registers before any arithmetic is performed on them.

The hardened project at gentoo is planning on releasing stages which
have this same set of flags enabled after gcc-3.3.x goes stable.

[snip]

> Many thanks to the amd64 kernel hackers!
>
> -Joseph
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer
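
Added example, not part of the mail above and not Gentoo's or PaX's code: the same program as vuln.c with the unbounded strcpy replaced by a length-checked copy, so the overflow is rejected at the source instead of relying on -fstack-protector to abort the process after the stack has already been corrupted. copy_arg is a hypothetical helper name chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into a fixed-size buffer only if it fits, including the
 * terminating NUL. Returns 0 on success, -1 if src is too long; on
 * failure dst is left as an empty string, never partially filled. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;

    /* Measure src, but stop at dstsz so an oversized argument costs
     * O(dstsz) and is never read further than necessary. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz) {          /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsz, so this stays in bounds */
    return 0;
}

int main(int argc, char **argv)
{
    char buf[10];              /* same 10-byte buffer as vuln.c */

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

Running this with the 41-character argument from the transcript above exits with status 1 and an error message instead of a segfault or a stack-smashing abort; the compiler flags remain worthwhile as a second line of defence for bugs the code review missed.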

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] propolice on amd64 John Chronister <chron@××××××.cz>
Re: [gentoo-security] propolice on amd64 Joseph Pingenot <trelane@××××××××××.net>