* [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Magnus Granberg @ 2010-05-16 20:20 UTC
To: gentoo-hardened
Hi
Here is the summary of the meeting 2010-05-16
1.0 Toolchain
We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
http://bugs.gentoo.org/show_bug.cgi?id=318171
We are waiting for toolchain to approve the changes to toolchain.eclass and glibc that we need.
Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support in the tree.
Grub needs to be bumped to the new patchset.
We have no time line on it, for we are waiting on toolchain.
2.0 Hardened-sources
We have a new team for hardened-sources; three of the members were at the meeting.
Most of the discussion was about what needs to be done and changed.
They have started the work to make the needed changes to move it to the tree.
We hope to get something in the tree in about 3-4 weeks, but we don't have any time line.
3.0 Hardened Profile
We are trying to move away from the hardened/linux/arch/10.0/* profiles
to hardened/linux/arch/* profiles. We need more testing on that, and not everything is done.
No time line.
4.0 Hardened docs
First thing is to get the main and roadmap pages up to date.
But we have a lot of work on the old and the new docs.
It would be good to have some help from users.
No time line.
On the meeting
Zorry Chainsaw quantumsummers bluenees xake
Hardened at gentoo.org
Magnus Granberg (Zorry)
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Javier Juan Martínez Cabezón @ 2010-05-17 8:34 UTC
To: gentoo-hardened
I realized this the hard way, after seeing that the
binaries didn't have the canary inside. After that I compiled the system
with SSP in the unclean way, -fstack-protector-all in CFLAGS and CXXFLAGS in
make.conf, with the exception of glibc, which works only with
-fstack-protector. If someone needs SSP with these versions, this could be the
way to have it working until it gets solved.
Do you recommend this "workaround" until a solution?
> 1.0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass
> and glibc that we need.
> Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support
> in the tree.
> Grub needs to be bumped to the new patchset.
> We have no time line on it, for we are waiting on toolchain.
>
>
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Magnus Granberg @ 2010-05-17 11:05 UTC
To: gentoo-hardened
On Monday 17 May 2010 10:34:05, Javier Juan Martínez Cabezón wrote:
> I realized this the hard way, after seeing that the
> binaries didn't have the canary inside. After that I compiled the system
> with SSP in the unclean way, -fstack-protector-all in CFLAGS and CXXFLAGS
> in make.conf, with the exception of glibc, which works only with
> -fstack-protector. If someone needs SSP with these versions, this could be the
> way to have it working until it gets solved.
>
> Do you recommend this "workaround" until a solution?
>
I do not recommend it, but it is up to you.
Some packages may break, as glibc does.
Hardened at gentoo.org
Magnus Granberg (zorry)
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Ed W @ 2010-05-17 20:28 UTC
To: gentoo-hardened
On 16/05/2010 21:20, Magnus Granberg wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>
> 1.0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC>=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass and glibc that we need.
> Then we will have GCC 4.4.3 and 4.5.0 with full hardened (PIE/SSP) support in the tree.
> Grub needs to be bumped to the new patchset.
> We have no time line on it, for we are waiting on toolchain.
>
I see a comment in there: "Cleaned some code and removed SSP support for
gcc 4.3.X" - I think this might need some watching and perhaps a
warning here? Sounds like if you now update, say, a "stable" hardened
amd64 machine pulling in stable gcc 4.3.X, then you might suddenly be
losing your hardened compiler?
I understand this is avoided if using your overlay, but it seems like a
potential pitfall for anyone using the "stable" hardened tree?
Can anyone comment on whether this is the case or I'm worrying over nothing?
Ta
Ed W
* [gentoo-hardened] Re: Hardened meeting summary 2010-05-16
From: Peter Hjalmarsson @ 2010-05-17 22:11 UTC
To: gentoo-hardened
On Mon 2010-05-17 at 21:28 +0100, Ed W wrote:
> Can anyone comment if this is the case or I'm worrying over nothing?
>
> Ta
>
> Ed W
>
I would say you're worrying too much.
The important part in the toolchain equation is really PIE (and of
course -z,now, relro and that other stuff people forget about) to give
you ASLR, and it is there in hardened gcc-4.3 in tree. SSP is also there
to some extent, because it is implemented in FORTIFY_SOURCE, which is
enabled in all of Gentoo by default.
So I would say that the extra SSP part from GCC is nice but not
necessary.
Regards
Peter
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Magnus Granberg @ 2010-05-17 22:37 UTC
To: gentoo-hardened
On Monday 17 May 2010 22:28:05, Ed W wrote:
> On 16/05/2010 21:20, Magnus Granberg wrote:
> > Hi
> >
> > Here is the summary of the meeting 2010-05-16
> >
> > 1.0 Toolchain
> > We have an open bug #318171 for the merge of SSP and GCC>=4.4.3
> > support. http://bugs.gentoo.org/show_bug.cgi?id=318171
> > We are waiting for toolchain to approve the changes to toolchain.eclass
> > and glibc that we need. Then we will have GCC 4.4.3 and 4.5.0 with full
> > hardened (PIE/SSP) support in the tree. Grub needs to be bumped to the new
> > patchset.
> > We have no time line on it, for we are waiting on toolchain.
>
> I see a comment in there: "Cleaned some code and removed SSP support for
> gcc 4.3.X" - I think this might need some watching and perhaps a
> warning here? Sounds like if you now update, say, a "stable" hardened
> amd64 machine pulling in stable gcc 4.3.X, then you might suddenly be
> losing your hardened compiler?
>
> I understand this is avoided if using your overlay, but it seems like a
> potential pitfall for anyone using the "stable" hardened tree?
>
> Can anyone comment if this is the case or I'm worrying over nothing?
>
> Ta
>
> Ed W
>
I only removed the code for the default enable option for SSP. GCC 4.3.X still
supports SSP if you add -fstack-protector. GCC 4.4.3 is on the way to going
stable in 1-4 weeks, I hope. It is up to the arch teams now to mark it stable.
Hardened at gentoo.org
Magnus Granberg (Zorry)
* Re: [gentoo-hardened] Re: Hardened meeting summary 2010-05-16
From: Javier Juan Martínez Cabezón @ 2010-05-18 3:19 UTC
To: gentoo-hardened
AFAIK FORTIFY_SOURCE only works on fixed-size buffers. To me SSP is a more
complete (and slightly different) approach: while FORTIFY_SOURCE checks for the
existence of a buffer overflow directly, SSP does it by checking for
modification of the canary (an indirect approach), but it can be applied to
any kind of code, since it is not limited to fixed-size buffers. SSP to me is
really necessary.
http://www.trl.ibm.com/projects/security/ssp/
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
2010/5/18 Peter Hjalmarsson <xake@rymdraket.net>
>
>
> I would say you're worrying too much.
>
> The important part in the toolchain equation is really PIE (and of
> course -z,now, relro and that other stuff people forget about) to give
> you ASLR, and it is there in hardened gcc-4.3 in tree. SSP is also there
> to some extent, because it is implemented in FORTIFY_SOURCE, which is
> enabled in all of Gentoo by default.
> So I would say that the extra SSP part from GCC is nice but not
> necessary.
>
> Regards
> Peter
>
>
>
>
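The distinction drawn in this reply between FORTIFY_SOURCE and SSP, and the -fstack-protector flags discussed earlier in the thread, as an added C example that is not code from the thread, from Gentoo, or from the SSP project it links to. The first part shows the compile-time size information FORTIFY_SOURCE depends on, using GCC's `__builtin_object_size` (not mentioned on the page); the second simulates a canary placed after a local buffer and checked afterwards. The struct layout, the fixed `secret` value, the helper names and the 'A'-filled input are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Part 1: what FORTIFY_SOURCE can see ------------------------------
 * With -D_FORTIFY_SOURCE=2 (and optimisation enabled) glibc's headers
 * redirect calls such as memcpy()/strcpy() to checked variants that are
 * handed __builtin_object_size(dst, 0) as the destination's size. When
 * the compiler cannot determine that size the builtin evaluates to
 * (size_t)-1 and the checked variant degrades to the plain, unchecked
 * call. That is the "fixed-size buffers only" limitation in practice. */

/* Fixed-size stack buffer: the compiler knows it is 64 bytes. */
size_t fortify_visible_size(void) {
    char buf[64];
    memset(buf, 0, sizeof buf);
    return __builtin_object_size(buf, 0);   /* 64 */
}

/* Buffer reached only through a pointer parameter: its size is unknown
 * inside this function, so the builtin yields (size_t)-1 and no check is
 * possible. noinline stops the optimiser importing a caller's knowledge. */
__attribute__((noinline))
size_t fortify_unknown_size(char *p) {
    return __builtin_object_size(p, 0);     /* (size_t)-1 */
}

/* --- Part 2: what a canary detects -------------------------------------
 * -fstack-protector places a secret value (the canary) between local
 * buffers and the saved return address and verifies it before the
 * function returns, aborting via __stack_chk_fail() on mismatch. It never
 * needs a buffer's size; it only needs the overwrite to run through the
 * canary. This struct simulates that frame layout (constructed). */
struct simulated_frame {
    char     buf[16];     /* the local buffer that gets filled */
    uint64_t canary;      /* sits directly after it, like the real guard */
};

/* Copies len bytes of src into the simulated frame with no bounds check
 * against buf (the bug), then reports whether the canary survived:
 * 1 = intact, 0 = smashed. The copy is clamped to the struct itself so
 * the demo never writes outside an object it owns. */
int canary_survives_copy(const unsigned char *src, size_t len) {
    struct simulated_frame f;
    const uint64_t secret = 0x00c0ffeecafe0011ULL;  /* constructed fixed value;
                                                       a real guard is random */
    memset(&f, 0, sizeof f);
    f.canary = secret;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);      /* spills into f.canary once len > 16 */
    return f.canary == secret;
}

/* Convenience wrapper: fill len bytes of 'A' (constructed input) and
 * report whether the canary is still intact afterwards. */
int canary_after_fill(size_t len) {
    unsigned char input[sizeof(struct simulated_frame)];
    memset(input, 'A', sizeof input);
    return canary_survives_copy(input, len);
}

int main(void) {
    char *heap = malloc(32);   /* size known here, not inside the callee */
    printf("fixed buffer size seen by FORTIFY  : %zu\n", fortify_visible_size());
    printf("pointer target size seen by FORTIFY: %zu (unknown)\n",
           fortify_unknown_size(heap));
    free(heap);
    printf("16-byte copy, canary intact: %d\n", canary_after_fill(16));
    printf("20-byte copy, canary intact: %d\n", canary_after_fill(20));
    return 0;
}
```

The practical reading of the two halves matches the thread: FORTIFY_SOURCE can only instrument a call when the destination size is visible where the call is compiled, whereas the canary check in a function built with -fstack-protector (or -fstack-protector-all, which instruments every function rather than only those with character arrays) catches a contiguous overwrite regardless of how the buffer was sized.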
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Radoslaw Madej @ 2010-05-20 9:05 UTC
To: gentoo-hardened
Hi Zorry (and the rest of the Hardened Team :))
Thanks for the information and update. I think it's a great way to keep users and
the community aware of what's happening in the Gentoo hardened world. It also
shows all the non-believers that the project is alive and is making progress!
:)
I'll be happy to help within the realms of my capabilities with docs and testing,
and maybe more as I learn along...
Keep up the good work, guys! :)
radegand
On Sunday 16 May 2010 21:20:17 you wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>
> 1.0 Toolchain
> We have an open bug #318171 for the merge of SSP and GCC >=4.4.3 support.
> http://bugs.gentoo.org/show_bug.cgi?id=318171
> We are waiting for toolchain to approve the changes to toolchain.eclass
> and glibc that we need. Then we will have GCC 4.4.3 and 4.5.0 with full
> hardened (PIE/SSP) support in the tree. Grub needs to be bumped to the new
> patchset.
> We have no time line on it, for we are waiting on toolchain.
>
> 2.0 Hardened-sources
> We have a new team for hardened-sources; three of the members were at the
> meeting. Most of the discussion was about what needs to be done and
> changed. They have started the work to make the needed changes to move it
> to the tree. We hope to get something in the tree in about 3-4 weeks, but we
> don't have any time line.
>
> 3.0 Hardened Profile
> We are trying to move away from the hardened/linux/arch/10.0/* profiles
> to hardened/linux/arch/* profiles. We need more testing on that, and not
> everything is done. No time line.
>
> 4.0 Hardened docs
> First thing is to get the main and roadmap pages up to date.
> But we have a lot of work on the old and the new docs.
> It would be good to have some help from users.
> No time line.
>
> On the meeting
> Zorry Chainsaw quantumsummers bluenees xake
>
> Hardened at gentoo.org
> Magnus Granberg (Zorry)
* Re: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Ed W @ 2010-05-20 18:06 UTC
To: gentoo-hardened
On 16/05/2010 21:20, Magnus Granberg wrote:
> Hi
>
> Here is the summary of the meeting 2010-05-16
>
Hi, is this the kind of meeting that you would like more "competent
users" to get involved with?
I have too limited availability to volunteer for too much, but hardened
gentoo is important to me and I run a few servers here and would be
happy to donate some of my limited capacity to helping on any available
smaller projects?
I guess there are a few other folks here that are time limited but might
have some limited capacity to help out? How should we best volunteer
these poor services...?
Ed W
* RE: [gentoo-hardened] Hardened meeting summary 2010-05-16
From: Fredric Johansson @ 2010-05-27 9:54 UTC
To: gentoo-hardened
> From: zorry@gentoo.org
>snip...
> 4.0 Hardened docs
> First thing is to get the main and roadmap pages up to date.
> But we have a lot of work on the old and the new docs.
> It would be good to have some help from users.
> No time line.
Do you have a list of things that should be done on this part?
I might be able in the coming few weeks and I would prefer
to have a list on what needs to be added, updated, rewritten...
//fredricj