After the recent message discussing the SELinux status I thought now would be a good time to give an update on the status of the SSP experiments I've been making.

Recently a new release of GCC, v3.3.4-1, hit unstable so I had to restart my work. The SSP patches are still distributed with the source and enabling them is a trivial matter. For interested users I've placed rebuilt packages online here:

  http://people.debian.org/~skx/ssp.html

This compiler has two new command line flags:

  -fstack-protector     <- Enable SSP protection.
  -fno-stack-protector  <- Disable SSP protection.

Using diversions I've created a tiny package called 'wrap-gcc' which will _unconditionally_ insert '-fstack-protector' into the command line of the compiler as it is used. This forces all new binaries upon a system to be built with the protection with no effort. wrap-gcc can be had from the same apt source as listed above.

Finally I wrote a very simple rebuilder for Debian which will rebuild a given package from source, correctly handling dependencies in 98% of cases, and a wrapper which handles scheduling and suchlike. Using these I've successfully rebuilt the Kernel 2.4.26-k7 package, X, perl, mozilla, bind, apache, and openssh. All of these packages work without problem to the best of my knowledge and ability to test!

Due to the shortage of identical test machines I've not been able to benchmark performance changes. Ideally I should have done a clean install of unstable and tested things there, then replaced the packages with new ones - but until I have a more reliable setup here I'm going to be unable to do that.

Post-sarge I would like to see the SSP patches applied to GCC, possibly (although disabled by default) on at least the x86 arch. I suspect that the GCC team will wish to wait until it's enabled upstream, but that's not going to happen until more testing is available, a catch-22 situation.

Finally I'm on the hunt for an old clamshell ibook which will let me play with this stuff on a non-intel machine (and also because I want a laptop!). So far that's not going so well but hopefully I'll find one locally soon.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
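For readers who want to see how a diversion-based wrapper of the kind described above fits together, here is an illustrative stand-in. It is an added example, not the wrap-gcc package itself: it assumes the real compiler has been moved aside to /usr/bin/gcc.real with dpkg-divert (a constructed path), and that it is installed in gcc's place so every compile picks up -fstack-protector. The symbol names checked by has_ssp_symbols are the ones ProPolice-era and later glibc-based builds reference; the check is a spot test, not a guarantee.

```sh
#!/bin/sh
# Illustrative wrapper in the spirit of 'wrap-gcc' (added example, not the
# actual package). Installed over /usr/bin/gcc after diverting the real one:
#   dpkg-divert --add --rename --divert /usr/bin/gcc.real /usr/bin/gcc
# Every call to gcc then reaches the real compiler with -fstack-protector
# prepended, so nothing built on the system escapes SSP without asking.
# The path /usr/bin/gcc.real is an assumption of this example.
REAL_GCC="${REAL_GCC:-/usr/bin/gcc.real}"

# The flag to add. It is prepended unconditionally, as in the post; a build
# that deliberately passes -fno-stack-protector later on the line still
# wins, because GCC honours the last of two conflicting -f options.
ssp_flag() {
    printf '%s\n' "-fstack-protector"
}

# Print the rewritten command line, one argument per line, so the
# transformation can be inspected without invoking any compiler.
ssp_cmdline() {
    ssp_flag
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Count -fstack-protector occurrences on a command line; the wrapper
# should contribute exactly one.
count_ssp_flags() {
    n=0
    for arg in "$@"; do
        if [ "$arg" = "-fstack-protector" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Spot check on a built object or binary: ProPolice builds reference
# __stack_smash_handler and __guard, newer glibc-based builds
# __stack_chk_fail. Returns 0 if any of them is present.
has_ssp_symbols() {
    nm "$1" 2>/dev/null | grep -Eq '__stack_smash_handler|__guard|__stack_chk_fail'
}

# Act as the compiler only when invoked under the diverted name, so the
# functions above can also be sourced and inspected on their own.
case "${0##*/}" in
    gcc|cc)
        exec "$REAL_GCC" "$(ssp_flag)" "$@"
        ;;
esac
```

Because the wrapper only adds a flag, the 98%-of-cases rebuilder described in the post needs no changes to benefit from it; a quick `has_ssp_symbols /path/to/rebuilt/binary` after a rebuild tells you whether the protection actually made it into the result.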