Re: PaX on Debian

To: russell@coker.com.au
Cc: debian-devel@lists.debian.org, debian-security@lists.debian.org
Subject: Re: PaX on Debian
From: John Richard Moser <nigelenki@comcast.net>
Date: Sun, 25 Jul 2004 23:48:11 -0400
Message-id: <[🔎] 41047EFB.4050405@comcast.net>
In-reply-to: <[🔎] 200407261329.57210.russell@coker.com.au>
References: <[🔎] 4103E679.2050402@comcast.net> <[🔎] 200407261329.57210.russell@coker.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Russell Coker wrote:
| On Mon, 26 Jul 2004 02:57, John Richard Moser <nigelenki@comcast.net>
wrote:
|
|>I'm interested in discussing the viability of PaX on Debian.  I'd like
|>to discuss the changes to the base system that would be made, the costs
|>in terms of overhead and compatibility, the gains in terms of security,
|>and the mutability (elimination) of the costs.
|
|
| Before we can even start thinking about PaX on Debian we need to find a
| maintainer for the kernel patch who will package new versions of the
patch
| which apply to the Debian kernel source tree.  We have had a few
flame-wars
| about this in the past which have had no positive result because
no-one has
| volunteered to do the kernel coding work.
|
|

Are you talking PaX or grsecurity?  PaX is significantly less invasive
than grsecurity.  There will still be issues, of course.

Where would I see debian's 2.6.7 source tree?  I'm not a deb user,
remember, so I'll need a tarball or something.

|>A PaX protected base system would be best compiled ET_DYN, which can be
|>done by using modified spec files or a specially patched gcc to make
|>pies-by-default binaries.  Certain things don't compile this way; and
|>thus would need this functionality disabled (modified spec, -fno-pic
|>-nopie).  This will be discussed in greater detail later.
|
|
| Debian does not use spec files, spec files are for RPM based
distributions.
| It would have to be a modification to debian/rules in all the
packages, or a
| modification to gcc and/or dpkg-buildpackage.
|

No, gcc spec files, that tell gcc how to behave.  This was used on
gentoo to mess with gcc's default behavior for a while.

try the command:

gcc -dumpspecs


Also try looking at:

/usr/lib/gcc-lib/<Target>/<version>/specs

You'd need to fudge that file I believe to alter gcc's default behavior.
~ This was done by the Hardened Gentoo project, but was dropped in favor
of a gcc patch.  Either way, it's been done before.

|
|>A PaX protected base would also benefit from Stack Smash Protection,
|>which can be done via the gcc patch ProPolice.  This imposes minimal
|>overhead, which will be discussed in greater detail later.  It overlaps
|>and extends many of the protections PaX offers, but catches earlier on;
|>and is thus a good system to pair with PaX.
|
|
| We have recently discussed this on at least one of the lists you
posted to.
| The end result of the discussion is that GCC is getting another SSP type
| technology known as "mudflap".  Mudflap depends on some major new
features of
| GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the
| Debian GCC people don't want to merge in other patches which have no
apparent
| chance of being included upstream.
|

Then don't use ProPolice/SSP for now.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitely stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBBH75hDd4aOud5P8RAvATAJ4p+Kfut/en14Dwenv7UDez86O2KgCeIJcG
kP7jnKii7eDGHwiO39MpJjI=
=P617
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: PaX on Debian
  - From: Russell Coker <russell@coker.com.au>

References:
- PaX on Debian
  - From: John Richard Moser <nigelenki@comcast.net>
- Re: PaX on Debian
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: PaX on Debian
Next by Date: Re: PaX on Debian
Previous by thread: Re: PaX on Debian
Next by thread: Re: PaX on Debian
Index(es):
- Date
- Thread