Subject: Re: [gentoo-hardened] gcc-hardened
From: Chris PeBenito
To: gentoo-hardened@lists.gentoo.org
Date: Sun, 25 Sep 2005 17:37:51 -0400
Message-Id: <1127684271.24023.101.camel@gorn.pebenito.net>

On Sun, 2005-09-25 at 07:44 -0400, Albert Lash wrote:
> I'm getting the feeling that even if you run SELinux, you do not have to
> use the hardened gcc compiler. Can someone explain what this compiler is
> used for and when to use it?

The hardened compiler strengthens the integrity of a program, which means it's harder to break the program and make it do unintended things, for example by exploiting a buffer overflow. The compiler uses stack smashing protection and address space layout randomization (ASLR) to accomplish this. To get the maximum effect, you also want to use PaX to make ASLR work, and also get non-executable pages enforcement.

SELinux provides assurance, preventing programs from doing things unintended; anything that isn't explicitly allowed is denied. This is limited to accesses (not correctness of data), so if someone compromises a service, but doesn't do anything disallowed, SELinux (or any other access control system for that matter) won't stop it. For example, if someone were to compromise a mail server daemon with the intent of reading secret emails in the mail spool, SELinux won't stop it, since the daemon has to read and write the mail spool as part of its regular function.

SELinux can also provide process integrity protections thanks to some enhancements merged in recent kernel releases, such as preventing execution of memory, stack, heap, etc. There is a technical argument on whether this is sufficient (implementation-wise, in comparison to PaX), but I'm not going to get into it.

When to use the hardened compiler? In general, it would be best to at least use it on whatever you're running which would seem prone to being attacked. For completeness, you should use it on all of your system, since that will cover libraries and anything else you wouldn't anticipate as an attack vector.

The strongest solution would use a hardened compiler, a mandatory access control system, and PaX. This is layered security, to try to get as complete protection as possible.

-- 
Chris PeBenito
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
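
The following is an added example, not part of the original message or of Gentoo's tooling: a check for the markers that the protections described above leave in an ELF64 binary. It assumes that the executable takes part in ASLR by being position-independent (`ET_DYN`), that the stack permissions are recorded in `PT_GNU_STACK`, and that current GCC stack protector code references `__stack_chk_fail`; the function names and both sample images are constructed for illustration.

```python
import struct

ET_DYN = 3                 # e_type of a position-independent executable (also of shared objects)
PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X = 1                   # "executable" bit in p_flags

def hardening_report(elf: bytes) -> dict:
    """Report PIE, non-executable-stack and stack-protector markers of an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    nx_stack = False  # no PT_GNU_STACK entry: treat the stack as possibly executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,  # load address can be randomized
        "nx_stack": nx_stack,
        # Heuristic: a byte scan for the symbol name; a stripped static binary hides it.
        "stack_protector": b"__stack_chk_fail" in elf,
    }

def build_sample(e_type: int, stack_flags: int, strings: bytes) -> bytes:
    """Constructed minimal image: ELF64 header, one PT_GNU_STACK entry, string bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr + strings

# Constructed samples: a hardened-style build and a legacy build (ET_EXEC, RWX stack).
HARDENED = build_sample(3, 6, b"\0__stack_chk_fail\0")
LEGACY = build_sample(2, 7, b"\0strcpy\0")

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, hardening_report(image))
```

A passing report only shows that the binary was built to allow these protections; randomization and non-executable page enforcement still depend on the kernel, which is the role the message gives to PaX.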