public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Tin Hat 20091218 is out!
From: basile @ 2009-12-21 14:38 UTC
  To: tinhat, gentoo-hardened, hardened-dev


Hi everyone,

I'd like to announce that a new release of Tin Hat is out. Tin Hat is a
fully featured Linux desktop based on Hardened Gentoo which runs purely
in RAM. It aims to be very secure, stable, and fast.

This is a maintenance release with some minor bug fixes and lots of
updates. The kernel was held steady at 2.6.28-r9, the tool chain was
upgraded to gcc-4.4.2-r1, glibc-2.11-r1 and binutils-2.20, and over 300
other packages were also upgraded.  On the desktop, gnome was upgraded
to 2.26.3 from 2.24.1 and firefox was upgraded to 3.5.4 from 3.0.14.

Tobias Klein from trapkit.de was kind enough to allow us to bundle his
checksec.sh script which tests system binaries or running processes for
relro, ssp, nx, pie and aslr.  Every binary shows these hardening
features enabled except X and evolution which have only partial relro. 
A comparison of a running Tin Hat system and a running Ubuntu system can
be seen at

    http://opensource.dyc.edu/sites/default/files/karmic-checksec.txt
    http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt


Thanks to all the hardened-dev people.


Home page: http://opensource.dyc.edu/tinhat
Downloads: http://opensource.dyc.edu/tinhat-downloads


-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197


* Re: [gentoo-hardened] Tin Hat 20091218 is out!
From: pageexec @ 2009-12-25 22:31 UTC
  To: tinhat, gentoo-hardened, hardened-dev

On 21 Dec 2009 at 9:38, basile wrote:

> Tobias Klein from trapkit.de was kind enough to allow us to bundle his
> checksec.sh script which tests system binaries or running processes for
> relro, ssp, nx, pie and aslr.  Every binary shows these hardening
> features enabled except X and evolution which have only partial relro. 
> A comparison of a running Tin Hat system and a running Ubuntu system can
> be seen at
> 
>     http://opensource.dyc.edu/sites/default/files/karmic-checksec.txt
>     http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt

what are the causes for the partial RELRO results?


* Re: [gentoo-hardened] Tin Hat 20091218 is out!
From: basile @ 2009-12-27  4:25 UTC
  To: pageexec; +Cc: tinhat, gentoo-hardened, hardened-dev


pageexec@freemail.hu wrote:
> On 21 Dec 2009 at 9:38, basile wrote:
>
>   
>> Tobias Klein from trapkit.de was kind enough to allow us to bundle his
>> checksec.sh script which tests system binaries or running processes for
>> relro, ssp, nx, pie and aslr.  Every binary shows these hardening
>> features enabled except X and evolution which have only partial relro. 
>> A comparison of a running Tin Hat system and a running Ubuntu system can
>> be seen at
>>
>>     http://opensource.dyc.edu/sites/default/files/karmic-checksec.txt
>>     http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt
>>     
>
> what are the causes for the partial RELRO results?
>   
Because of some circular dependencies in its libraries, evolution has to
be linked with -z,lazy.  If you use -z,now, the resulting binaries don't
work.  It's a known problem which upstream promises will be fixed in
evolution-3.x.

I don't know the story why X fails with -z,now, but Magnus (aka Zorry)
told me of a patch on one of the overlays which fixes this.  I will test.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197

