Re: Building a distribution from source?
On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> On Fri, 5 Dec 2003 10:39, Steve Kemp <skx@debian.org> wrote:
> > I've been experimenting with producing a hardened Debian derivative
> > as a small piece of paid work. This mostly means compiling things with
> > a stackguard compiler, using format guard, and enforcing policies, etc.
>
> Are you using any extra patches to GCC? Or just a GCC built with the
> propolice option?
Yes, I am using slightly modified patches from http://www.immunix.org/.
The propolice is something that I shall be evaluating next.
> How difficult is it to bootstrap this? Can you compile glibc with these
> options without affecting anything else?
So far I have built glibc with this modified GCC (only so that I
could apply the "FormatGuard" patches which are designed to combat
format string attacks). Recompiling glibc wasn't something that I
really wanted to try on the PII 233MHz machine I have as my test box!
Bootstrapping was very simple, just a matter of applying the patch to
GCC and rebuilding it, then having installed it I rebuilt several test
packages which were exploitable previously and failed to be exploitable
afterwards. (With the caveats that this patch doesn't protect against
all attacks).
I confess that I haven't rebuilt _all_ the interesting packages yet -
the kernel and X11 being the most likely to fail - but the packages
that I did build, bash, perl, etc., did compile with no observed side
effects thus far.
Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
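The FormatGuard approach mentioned above (count the arguments the caller passes at compile time, count the directives the format string consumes at run time, refuse when the string asks for more) can be illustrated in a few lines of C. This is an added, simplified example written for this thread, not Immunix's FormatGuard code; the names `NARGS`, `format_arg_count`, `guarded_printf` and the sample input are all constructed here, and real FormatGuard logs and aborts rather than returning -1.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Compile-time argument counting via the preprocessor (up to 10 args).
 * NARGS(fmt) is 1, NARGS(fmt, a, b) is 3, and so on. */
#define NARGS(...) NARGS_(__VA_ARGS__, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define NARGS_(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10, N, ...) N

/* Run-time directive counting: how many arguments does fmt consume?
 * "%%" is a literal percent; each '*' width/precision pulls one more. */
int format_arg_count(const char *fmt)
{
    int needed = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && !strchr("diouxXeEfFgGaAcspn", *p)) {
            if (*p == '*') needed++;      /* "%*d" takes width + value */
            p++;                          /* flags, digits, l/h/z modifiers */
        }
        if (!*p) break;                   /* dangling '%' at end of string */
        needed++;                         /* the conversion itself */
    }
    return needed;
}

/* Refuses to format when the string demands more than was supplied.
 * (FormatGuard syslogs and aborts here; this example returns -1.) */
int guarded_printf_impl(int supplied, const char *fmt, ...)
{
    int needed = format_arg_count(fmt);
    if (needed > supplied) {
        fprintf(stderr, "format check: %d supplied, %d required; refusing\n",
                supplied, needed);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}
#define guarded_printf(...) guarded_printf_impl(NARGS(__VA_ARGS__) - 1, __VA_ARGS__)

int main(void)
{
    const char tainted[] = "%x %x %x";    /* constructed untrusted input */
    guarded_printf("ok: %s %d\n", "arguments match", 2);
    guarded_printf(tainted);              /* 3 required, 0 supplied: refused */
    return 0;
}
```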