From: Radoslaw Madej
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] binary protection mechanisms in different Linux distros
Date: Thu, 1 Jul 2010 22:05:22 +0100

On Thursday 01 July 2010 09:16:17 you wrote:
> Hi, I think it's a bad day to make comparisons with hardened gentoo.
>
> Hardened gentoo traditionally doesn't use only -fstack-protector as
> ubuntu does and some others, it uses -fstack-protector-all
> everywhere it could. It's an important difference. I think that the
> actual ssp bug in the last version isn't representative of what
> hardened gentoo does (it's a bug, an exception). It has always shipped
> -fstack-protector-all everywhere.

Hi,

Thanks for all the feedback :)

Javier: good point, I haven't really considered the differences between the use
of fstack-protector and fstack-protector-all - maybe something to do in the
future. Would there be a way to find out which option was used on a given
binary 'post mortem'? (read: after compilation? ;))

Regards,
Radek Madej

>
> 2010/7/1 Radoslaw Madej
> > Hi guys,
> >
> > I convinced the company I work for to allow me to spend some time on
> > reviewing different security aspects of Linux OS and different distros.
> > As it also involves Gentoo Hardened (which I also happily use on a daily
> > basis), I thought I'd share. :)
> >
> > http://labs.mwrinfosecurity.com/projectdetail.php?project=13&view=news
> >
> > There should be more to come in the near future. Any feedback appreciated
> > :)
> >
> > Thanks to all hardened-dev for making the Hardened Gentoo happen! :)
> > Regards,
> > Radek Madej
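
On the question above of telling -fstack-protector from -fstack-protector-all after compilation, here is an added example (not part of the original thread, and not Gentoo or MWR code): a heuristic that reads `objdump -d` text and reports which functions reference `__stack_chk_fail`. The sample disassembly, the function names in it, and the helper names `canary_coverage` and `guess_mode` are constructed for illustration.

```python
import re

# Constructed, heavily trimmed `objdump -d` output (x86_64); not from a real binary.
SAMPLE = """\
0000000000401136 <copy_name>:
  401136: 55                    push   %rbp
  40113e: 64 48 8b 04 25 28 00  mov    %fs:0x28,%rax
  401170: e8 bb fe ff ff        call   401030 <__stack_chk_fail@plt>
  401176: c3                    ret

0000000000401177 <add>:
  401177: 55                    push   %rbp
  40117f: c3                    ret

0000000000401180 <main>:
  401190: e8 a1 ff ff ff        call   401136 <copy_name>
  40119a: c3                    ret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# Toolchain start-up code, not built with the package's CFLAGS, so ignored.
RUNTIME = {"_start", "_init", "_fini", "deregister_tm_clones",
           "register_tm_clones", "__do_global_dtors_aux", "frame_dummy"}

def canary_coverage(disassembly):
    """Return (protected, unprotected) lists of function names."""
    guarded, current = {}, None
    for line in disassembly.splitlines():
        header = FUNC_RE.match(line.strip())
        if header:
            current = header.group(1)
            if current in RUNTIME or "@plt" in current:
                current = None          # skip PLT stubs and runtime helpers
            else:
                guarded[current] = False
        elif current and "<__stack_chk_fail" in line:
            guarded[current] = True     # function reaches the canary failure handler
    protected = [f for f, g in guarded.items() if g]
    unprotected = [f for f, g in guarded.items() if not g]
    return protected, unprotected

def guess_mode(disassembly):
    """Heuristic only: the flag is not recorded in the machine code."""
    protected, unprotected = canary_coverage(disassembly)
    if not protected:
        return "none"
    # Every function guarded is what -fstack-protector-all produces; a mix
    # means a selective mode such as plain -fstack-protector.
    return "all" if not unprotected else "selective"

if __name__ == "__main__":
    print(guess_mode(SAMPLE), canary_coverage(SAMPLE))
```

The unprotected list is the useful output for a review: under -fstack-protector-all it should be empty apart from objects that were built elsewhere and linked in.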