
SSP status / progress report.



  After the recent message discussing the SELinux status I thought now
 would be a good time to give an update on the status of the SSP  
 experiments I've been making.

  Recently a new release of GCC, v3.3.4-1, hit unstable so I had to
 restart my work.

  The SSP patches are still distributed with the source and enabling
 them is a trivial matter; for interested users I've placed
 rebuilt packages online here:

	http://people.debian.org/~skx/ssp.html

  This compiler has two new command line flags:

	-fstack-protector      <-  Enable SSP protection.
	-fno-stack-protector   <-  Disable SSP protection.

  Using diversions I've created a tiny package called 'wrap-gcc' which
 will _unconditionally_ insert '-fstack-protector' into the command line
 of the compiler as it is used.  This forces all new binaries upon a 
 system to be built with the protection with no effort.

  wrap-gcc can be had from the same apt source as listed above.

  Finally I wrote a very simple rebuilder for Debian which will rebuild
 a given package from source, correctly handling dependencies in 98% of
 cases, and a wrapper which handles scheduling and suchlike.

  Using these I've successfully rebuilt the Kernel 2.4.26-k7 package,
 X, perl, mozilla, bind, apache, and openssh.  All of these packages
 work without problem to the best of my knowledge and ability to test!

  Due to the shortage of identical test machines I've not been
 able to benchmark performance changes.  Ideally I should have done
 a clean install of unstable and tested things there, then replaced
 the packages with new ones - but until I have a more reliable setup
 here I'm going to be unable to do that.

  Post-sarge I would like to see the SSP patches applied to GCC, possibly
 (although disabled by default) on at least the x86 arch.  I suspect
 that the GCC team will wish to wait until it's enabled upstream, but
 that's not going to happen until more testing is available: a catch-22
 situation.

  Finally I'm on the hunt for an old clamshell iBook which will let me
 play with this stuff on a non-Intel machine (and also because I want
 a laptop!).  So far that's not going so well, but hopefully I'll find
 one locally soon.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
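As an added example (not Steve's wrap-gcc package, which the post only describes), here is a minimal diversion-style wrapper of the kind the post outlines: installed in place of the compiler, it prepends `-fstack-protector` to every invocation unless the caller has already chosen an SSP flag. The `gcc.real` path, the function names and the handled command names are assumptions.

```shell
#!/bin/sh
# Hypothetical re-creation of the wrap-gcc idea from the post: a wrapper
# installed over /usr/bin/gcc (with the real binary moved aside via
# dpkg-divert) that adds -fstack-protector to every compile.
# REAL_GCC is an assumed path; the post does not give one.
REAL_GCC="${REAL_GCC:-/usr/bin/gcc.real}"

# Return 0 (true) when -fstack-protector should be injected: the caller
# has not already passed either SSP flag, so a package that must opt out
# can still do so explicitly with -fno-stack-protector.
ssp_needed() {
    for arg in "$@"; do
        case "$arg" in
            -fstack-protector|-fno-stack-protector) return 1 ;;
        esac
    done
    return 0
}

# Print the argument list the real compiler will receive, one per line,
# so the rewrite can be inspected (or tested) without running gcc.
ssp_args() {
    if ssp_needed "$@"; then
        printf '%s\n' -fstack-protector
    fi
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Exec the real compiler with the rewritten arguments; quoting is kept
# intact because the flag is prepended to the positional parameters.
ssp_exec() {
    if ssp_needed "$@"; then
        set -- -fstack-protector "$@"
    fi
    exec "$REAL_GCC" "$@"
}

# Only act as the compiler when invoked under the diverted name; sourcing
# the file (or running it under another name) just defines the functions.
case "${0##*/}" in
    gcc|cc) ssp_exec "$@" ;;
esac
```

With the file installed as `/usr/bin/gcc` after `dpkg-divert` has renamed the real compiler to `gcc.real`, every build on the system picks up the flag without any packaging changes.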
