[gentoo-dev] Not considering dropping the hardened toolchain

[gentoo-dev] Not considering dropping the hardened toolchain

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 4898 bytes --]

Good afternoon gentlemen. Thanks for your feedback to the other thread.
 
Now due to the overwhelming positive feedback from the thread I'm faced
with trying to find enough tasks for everybody to do.

I will list a few things that I see as needing to be done.

------------------------------------------------------------------------
1) Re review the existing packages which filter-flags -fPIC and find
more creative solutions to them.
------------------------------------------------------------------------
2) Re review the existing packages which filter-flags -fstack-protector
and find more creative solutions to them.
------------------------------------------------------------------------
3) Better documentation.
Adam Mondl has started in on this task. So far he has developed a quick
intro of what's up with xorg and a hardened toolchain.
http://hardened.gentoo.org/hardenedxorg.xml

He is also working on a Hardened FAQ which has not been published yet.
http://tocharian.ath.cx/hardened/hardenedfaq.html
------------------------------------------------------------------------
4) A Comparative analysis of security approaches taken by distributions.

This should be written by somebody who has a fair amount of time on
his/her hands and should include such things as benchmarks. 
Testing successful/unsuccessful exploitation rates.

(People like graphs and things they can visualize)
This would/should include why Gentoo has opted for PaX over RH's inhouse
Exec-Shield. 

Google has a fair bit of info on this subject if you search long and
hard which clearly proves why for security PaX is clearly a superior
solution. (But do try to be objective in this)

You will need more than one machine for this test.
Suggested installs would be a hardened stage3 and fedora core 3.

The focus should be strictly on memory protections and not access
control.

Target audience should be medium advanced.
This may/should be written from an educational security perspective
(hint hint dmonnier @ IU EDU)
-----------------------------------------------------------------------
5) Look for flaws in the design of the hardened toolchain. 
Are there any cases when using it may actually lower security? If so
when?
-----------------------------------------------------------------------
6) Review the existing method that the hardened toolchain uses. 
Consider code cleanups which could make getting it to go mainstream
easier.
Currently it's a patch for gcc with some rules which control object code
creation and linking scenario's.
-----------------------------------------------------------------------
7) Learn to understand the gcc.specs and what they are all about.
http://dev.gentoo.org/~solar/toolchain/gcc/The_Specs_Language.txt
-----------------------------------------------------------------------
8) Supporting new arches.

Currently only x86/amd64/sparc64 are supported by the hardened
toolchain. 

ppc/ppc64/s390 could be added easy enough. (need people with supporting
hardware)

mips/arm are having linking problems with crt files. (undefined
references to __csu_init/fini...)

As a rule of thumb here we want to support every arch that Gentoo does.
-----------------------------------------------------------------------
9) Embedded (SBC style) things. 
Currently only x86-uclibc and ppc-uclibc support PIE with x86 being the
only semi complete one. Need to support other arches here.
-----------------------------------------------------------------------
10) Take a proactive effort and think of something yourself that could
use improvements.

The ones of you that that take a proactive effort on your own will more
likely make the team vs the ones of you that need hand holding.

But all help is desired. Be that simple suggestions or the occasional
xml document.

http://bugs.gentoo.org/show_bug.cgi?id=51853 where Kevin Quinn is
already getting to work is an example of one of you thats taking a
proactive effort on his own to help solve a long standing bug.
In addition to what Adam Mondl is doing with docs. 

Those of you that feel intimidated don't be. You can always send
suggestions for the FAQ, proof read something, start a survey.

-----------------------------------------------------------------------
11) Hawk bugzilla! 
Become active on the mailing lists. (-hardened/-security/others) 
Not just 'hey XYZ does not compile', but try to help other users.
Do public relations. Do cover art. Do regression testing. Write
something with the aims of getting it published in a
book/magazine/other. Join the irc channel and offer help to users.

And mostly importantly try work with each other.

Thanks for your time and I look fwd to working with you guys (gals?).
-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Not considering dropping the hardened toolchain

[Ferris McCormick]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Sep 2004, Ned Ludd wrote:

> Good afternoon gentlemen. Thanks for your feedback to the other thread.
>
> -----------------------------------------------------------------------
> 8) Supporting new arches.
>
> Currently only x86/amd64/sparc64 are supported by the hardened
> toolchain.
>

My hardened SS20 (sparc32) feels neglected... :)


> Thanks for your time and I look fwd to working with you guys (gals?).
> --
> Ned Ludd <solar@gentoo.org>
> Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
>

Regards,
- --
Ferris McCormick (P44646, MI) <fmccor@gentoo.org>
Developer, Gentoo Linux (Sparc)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBUHIqQa6M3+I///cRAqGNAJ4l+buPHXOxJfZ8l7Ue1gcLJ+8fawCfSPtN
R2SzM65x4Vr43qOmbSNwWrI=
=WL22
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

[gentoo-dev] Re: [gentoo-hardened] Not considering dropping the hardened toolchain

[Dave Monnier, IT Security Office, Indiana University]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll get started on 4. this weekend.  I'll also spend some time on 1.
and 2. as they've been issues that have directly affected our deployments.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier@iu.edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUJrIBIf6jlONJjIRAkIoAJ4q+jrhSe9WqmVbkKdE9ovGofKZYgCfWQEi
ynAOBVe7Hm4FU3KHVYfTU2Q=
=1ZNt
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

[gentoo-dev] Re: Not considering dropping the hardened toolchain

[Duncan]

Ned Ludd posted <1095789660.8317.1590.camel@simple>, excerpted below,  on
Tue, 21 Sep 2004 14:01:00 -0400:

> ------------------------------------------------------------------------
> 1) Re review the existing packages which filter-flags -fPIC and find
> more creative solutions to them.
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------
> 3) Better documentation.
> Adam Mondl has started in on this task. So far he has developed a quick
> intro of what's up with xorg and a hardened toolchain.
> http://hardened.gentoo.org/hardenedxorg.xml
> 
> He is also working on a Hardened FAQ which has not been published yet.
> http://tocharian.ath.cx/hardened/hardenedfaq.html

FWIW as a user that thought hardened look like a good idea and tried it,
then gave up (due to the xorg issue), a few months ago, when I was new at
Gentoo..

1) I use amd64, which is -fPIC by definition, so naturally anything that
makes that easier for the amd64 herd is definitely considered a good thing
here! <g>   They also likely already have a pretty good idea of what
packages are involved, as well. =:^)

3) Documentation of the normal Gentoo calibre would be /tremendously/
useful.  As I said, I'm interested, but have little enough idea what I'm
doing and indeed how it fits in with the already different amd64 arch,
that I eventually decided it wasn't worth screwing with ATM and put it off
for later, when I at least had normal Gentoo down and working as desired.

That said, I /definitely/ appreciate the possibility of it in Gentoo and
would have been sad to see it go, yet didn't contribute to the previous
discussion because at this point I'm little more than yet another
demanding user drawing on the precious resources of others, and if there
already weren't enough resources for it, I'd be sad it was going away, but
there'd be little I could do to help so any contributions I could make to
the earlier thread would be little more than noise.

Given something as solidly useful as the Gentoo handbook, however, but for
hardened, with enough of an information base to actually work with when
things didn't go quite right, I could easily see myself switching to
hardened, and running my dual opteron workstation with an amd64-hardened
profile.

(One of my frustrations so far has been that while I keep reading that
AMD64 was designed with some hardened features, like nx stack, implemented
in hardware, I don't even know how many of those features are enabled by
default on the platform, nor could I say whether there is even the
/option/ to not have them.  Is it like sse and therefore something I
/shouldn't/ specify because the platform includes it by definition?  Is it
a reversable toggle sort of thing so if it's on by default and I specify
it, it actually turns it /off/?  A Gentoo calibre document that answered
these sorts of questions definitively would be /immensely/ useful, here,
establishing a sort of knowledge base from which my "practical knowledge"
of the subject could grow.  Without that, I'm lost enough I really don't
know where to start.)

Anyway, your efforts are appreciated, and with Gentoo's efforts in the
area already recognized by others, it'd both be a shame to see it end, so
I'm glad its not, and even /more/ spectacular if Gentoo's well recognized
strength of documentation could be applied in this area as well, making
Gentoo the distrib of choice for the user wishing to become a power admin
in this area, much as it already is for the user with general power admin
designs, due to the "from source" meta-distribution aspects.

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list

[gentoo-dev] Re: Not considering dropping the hardened toolchain

[Michael Tindal]

I apologize for the delay in response, been busy getting the apache
herd's overlay into a mergable state.  I'll go ahead and start working
on 5, 6, and probably 7.  If anyone else is currently working on those
points it'd be great if they contacted me so we could work something
out.

Mike


--
gentoo-dev@gentoo.org mailing list