[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building a distribution from source?

On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> On Fri, 5 Dec 2003 10:39, Steve Kemp <skx@debian.org> wrote:
> > ? I've been experimenting with producing a hardened Debian derivitive
> > ?as a small piece of paid work. ?This mostly means compiling things with
> > ?a stackguard compiler, using format guard, and enforcing policies, etc.
> 
> Are you using any extra patches to GCC?  Or just a GCC built with the 
> propolice option?

  Yes I am using slightly modified patches from http://www.immunix.org/.

  The propolice is something that I shall be evaluating next.

> How difficult is it to bootstrap this?  Can you compile glibc with these 
> options without affecting anything else?

  So far I have built glibc with this modified GCC, (only so that I
 could apply the "FormatGuard" patches which are designed to combat
 format string attacks.  Recompiling glibc wasn't something that I
 really wanted to try on the PII 233Mhz machine I have as my test box!

  Bootstrapping was very simple just a matter of applying the patche to
 GCC and rebuilding it, then having installed it I rebuilt several test
 packages which were exploitable previously and failed to be exploitable
 afterwards.  (With the caveats that this patch doesnt protect against
 all attacks).

  I confess that I haven't rebuilt _all_ the interesting packages yet
 the kernel and X11 being the most likely to fail - but the packages
 that I did build, bash, perl, etc did compile with no observed side
 effects thus far.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
Reply to: