From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 21441 invoked from network); 21 Sep 2004 18:02:51 +0000 Received: from smtp.gentoo.org (156.56.111.197) by lists.gentoo.org with AES256-SHA encrypted SMTP; 21 Sep 2004 18:02:51 +0000 Received: from lists.gentoo.org ([156.56.111.196] helo=parrot.gentoo.org) by smtp.gentoo.org with esmtp (Exim 4.41) id 1C9oyZ-0001CB-Am for arch-gentoo-dev@lists.gentoo.org; Tue, 21 Sep 2004 18:02:51 +0000 Received: (qmail 19775 invoked by uid 89); 21 Sep 2004 18:01:50 +0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 27323 invoked from network); 21 Sep 2004 18:01:48 +0000 From: Ned Ludd Reply-To: solar@gentoo.org To: gentoo-hardened@lists.gentoo.org Cc: gentoo-dev@lists.gentoo.org, anthony@ectrolinux.com, dmonnier@iu.edu, markusle@gmail.com, mtindal@paradoxpoint.com, webkiller71@trsn.be, ps.m@gmx.net, bgb@itcnv.com, co@kevquinn.com, tocharian@trilug.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-BN4EY2VEyWn0d4lloHht" Organization: Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer Message-Id: <1095789660.8317.1590.camel@simple> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Tue, 21 Sep 2004 14:01:00 -0400 Subject: [gentoo-dev] Not considering dropping the hardened toolchain X-Archives-Salt: b2642d64-2a4a-44d0-aa7a-b578a2054072 X-Archives-Hash: 5e8561dbdf7197b8f5c27b549614e913 --=-BN4EY2VEyWn0d4lloHht Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Good afternoon gentlemen. Thanks for your feedback to the other thread. =20 Now due to the overwhelming positive feedback from the thread I'm faced with trying to find enough tasks for everybody to do. I will list a few things that I see as needing to be done. ------------------------------------------------------------------------ 1) Re review the existing packages which filter-flags -fPIC and find more creative solutions to them. ------------------------------------------------------------------------ 2) Re review the existing packages which filter-flags -fstack-protector and find more creative solutions to them. ------------------------------------------------------------------------ 3) Better documentation. Adam Mondl has started in on this task. So far he has developed a quick intro of what's up with xorg and a hardened toolchain. http://hardened.gentoo.org/hardenedxorg.xml He is also working on a Hardened FAQ which has not been published yet. http://tocharian.ath.cx/hardened/hardenedfaq.html ------------------------------------------------------------------------ 4) A Comparative analysis of security approaches taken by distributions. This should be written by somebody who has a fair amount of time on his/her hands and should include such things as benchmarks.=20 Testing successful/unsuccessful exploitation rates. (People like graphs and things they can visualize) This would/should include why Gentoo has opted for PaX over RH's inhouse Exec-Shield.=20 Google has a fair bit of info on this subject if you search long and hard which clearly proves why for security PaX is clearly a superior solution. (But do try to be objective in this) You will need more than one machine for this test. Suggested installs would be a hardened stage3 and fedora core 3. The focus should be strictly on memory protections and not access control. Target audience should be medium advanced. This may/should be written from an educational security perspective (hint hint dmonnier @ IU EDU) ----------------------------------------------------------------------- 5) Look for flaws in the design of the hardened toolchain.=20 Are there any cases when using it may actually lower security? If so when? ----------------------------------------------------------------------- 6) Review the existing method that the hardened toolchain uses.=20 Consider code cleanups which could make getting it to go mainstream easier. Currently it's a patch for gcc with some rules which control object code creation and linking scenario's. ----------------------------------------------------------------------- 7) Learn to understand the gcc.specs and what they are all about. http://dev.gentoo.org/~solar/toolchain/gcc/The_Specs_Language.txt ----------------------------------------------------------------------- 8) Supporting new arches. Currently only x86/amd64/sparc64 are supported by the hardened toolchain.=20 ppc/ppc64/s390 could be added easy enough. (need people with supporting hardware) mips/arm are having linking problems with crt files. (undefined references to __csu_init/fini...) As a rule of thumb here we want to support every arch that Gentoo does. ----------------------------------------------------------------------- 9) Embedded (SBC style) things.=20 Currently only x86-uclibc and ppc-uclibc support PIE with x86 being the only semi complete one. Need to support other arches here. ----------------------------------------------------------------------- 10) Take a proactive effort and think of something yourself that could use improvements. The ones of you that that take a proactive effort on your own will more likely make the team vs the ones of you that need hand holding. But all help is desired. Be that simple suggestions or the occasional xml document. http://bugs.gentoo.org/show_bug.cgi?id=3D51853 where Kevin Quinn is already getting to work is an example of one of you thats taking a proactive effort on his own to help solve a long standing bug. In addition to what Adam Mondl is doing with docs.=20 Those of you that feel intimidated don't be. You can always send suggestions for the FAQ, proof read something, start a survey. ----------------------------------------------------------------------- 11) Hawk bugzilla!=20 Become active on the mailing lists. (-hardened/-security/others)=20 Not just 'hey XYZ does not compile', but try to help other users. Do public relations. Do cover art. Do regression testing. Write something with the aims of getting it published in a book/magazine/other. Join the irc channel and offer help to users. And mostly importantly try work with each other. Thanks for your time and I look fwd to working with you guys (gals?). --=20 Ned Ludd Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer --=-BN4EY2VEyWn0d4lloHht Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBBUGxc94CCfB4KcwwRAoYiAKCInyUsBGb2W0xskcjxYU1IbQKEBACfSW9s OXSnJzVmCRpEftTVS0eTd7c= =kpej -----END PGP SIGNATURE----- --=-BN4EY2VEyWn0d4lloHht--