Gentoo Archives: gentoo-security

From: Ned Ludd <solar@g.o>
To: trelane@××××××××××.net
Cc: John Chronister <chron@××××××.cz>, gentoo-security@l.g.o, gentoo-amd64@l.g.o
Subject: Re: [gentoo-security] propolice on amd64
Date: Tue, 20 Jan 2004 12:41:35
Message-Id: 1074602129.6798.8677.camel@simple
In Reply to: Re: [gentoo-security] propolice on amd64 by Joseph Pingenot
On Mon, 2004-01-19 at 10:21, Joseph Pingenot wrote:
> From John Chronister on Monday, 19 January, 2004:
> >how do i get stack smashing protection on amd64? i am using the latest
> >experimental amd64 live cd.
> >-chron
> You don't. IIRC, linux sets the stack noexec on amd64, and amd64 processors
> honor it. Remember the hullaballoo about Microsoft doing the same thing?

Simply trying to take advantage of the NX bit on the 64 bit arch won't do the job alone of preventing arbitrary code execution, which I assume is the goal here. He in fact will want to enable ssp on the amd64 as well as have a kernel that can take advantage of it. As far as I'm aware of, PaX is the only kernel patch that will let you take advantage of the NX bit on any of the 64 bit arches.

solar@amd64 solar $ cat vuln.c
#include <string.h>

int main(int argc, char **argv)
{
    char buf[10];
    strcpy(buf, argv[1]);   /* no length check: argv[1] overruns buf */
    return 0;
}

solar@amd64 solar $ make vuln
gcc vuln.c -o vuln
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
Segmentation fault
solar@amd64 solar $ gcc vuln.c -o vuln -fstack-protector
solar@amd64 solar $ ./vuln 12345678901234567890123456789012345678901
vuln: stack smashing attack in function main
Aborted

Here is my suggestion for a secure set of CFLAGS for the amd64 after getting and applying the PaX patch for amd64 and enabling Address Space Layout Randomization.

CFLAGS="${CFLAGS} -fomit-frame-pointer -fstack-protector -fPIC -pie -fforce-addr"

This will build you a position independent executable without debugging frames, as well as force memory address constants to be copied into registers before any arithmetic is performed on them. The hardened project at gentoo is planning on releasing stages which have this same set of flags enabled after gcc-3.3.x goes stable.

[snip]

> Many thanks to the amd64 kernel hackers!
>
> -Joseph
-- Ned Ludd <solar@g.o> Gentoo Linux Developer
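Added example, not from the mail above or from the Gentoo hardened project: the vuln.c in the message copies argv[1] into a 10-byte buffer with no length check, and -fstack-protector only detects that overflow after it has happened (abort instead of silent corruption). The counterpart below rejects oversize input before any byte is written, so the canary and the NX bit have nothing left to catch. Function names copy_arg and run and the BUFSZ constant are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer size as the vuln.c from the mail (assumption: 10 bytes). */
#define BUFSZ 10

/* Copy src into dst[dstsz] with an explicit bound.
 * Returns 0 on success, -1 if src plus its terminating NUL would not fit.
 * On failure dst is left untouched, so a partial or unterminated copy can
 * never be observed by the caller. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsz)            /* no room for the NUL: refuse, don't truncate */
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsz, copies the NUL as well */
    return 0;
}

/* Mirror of vuln.c's main: 0 when the argument fits, 1 when it is rejected.
 * With the 41-character input from the mail this returns 1 instead of
 * smashing the stack. */
int run(const char *arg)
{
    char buf[BUFSZ];

    if (copy_arg(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                (size_t)(sizeof buf - 1));
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return run(argv[1]);
}
```

Build it with the CFLAGS from the mail and the stack protector stays in place as a second line of defence; the difference is that this version never reaches the canary check with a corrupted frame, because the bound is enforced in copy_arg rather than discovered at function return.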

