Debian Developers - SSP status / progress report.


Author SSP status / progress report.
Steve Kemp

2004-06-16, 5:56 pm


After the recent message discussing the SELinux status I thought now
would be a good time to give an update on the status of the SSP
experiments I've been making.

Recently a new release of GCC, v3.3.4-1, hit unstable so I had to
restart my work.

The SSP patches are still distributed with the source and enabling
them is a trivial matter; for interested users I've placed
rebuilt packages online here:

http://people.debian.org/~skx/ssp.html

This compiler has two new command line flags:

-fstack-protector <- Enable SSP protection.
-fno-stack-protector <- Disable SSP protection.

Using diversions I've created a tiny package called 'wrap-gcc' which
will _unconditionally_ insert '-fstack-protector' into the command line
of the compiler as it is used. This forces all new binaries upon a
system to be built with the protection with no effort.

wrap-gcc can be had from the same apt source as listed above.

Finally I wrote a very simple rebuilder for Debian which will rebuild
a given package from source, correctly handling dependencies in 98% of
cases. And a wrapper which handles scheduling and suchlike.

Using these I've successfully rebuilt the Kernel 2.4.26-k7 package,
X, perl, mozilla, bind, apache, and openssh. All of these packages
work without problem to the best of my knowledge and ability to test!

Due to the shortage of identical test machines I've not been
able to benchmark performance changes. Ideally I should have done
a clean install of unstable and tested things there, then replaced
the packages with new ones - but until I have a more reliable setup
here I'm going to be unable to do that.

Post-sarge I would like to see the SSP patches applied to GCC possibly
(Although disabled by default) on at least the x86 arch. I suspect
that the GCC team will wish to wait until it's enabled upstream, but
that's not going to happen until more testing is available, a catch 22
situation..

Finally I'm on the hunt for an old clamshell ibook which will let me
play with this stuff on a non-intel machine, (and also because I want
a laptop!). So far that's not going so well but hopefully I'll find
one locally soon.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
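
An added example, not part of the thread and not the wrap-gcc source: a minimal sketch of a compiler wrapper that forces `-fstack-protector` onto every compile, as the post above describes. It assumes the real compiler has been diverted to `<name>.real`; that naming, the `REAL_CC` variable and both function names are hypothetical, and dropping an explicit `-fno-stack-protector` is a choice made here, not something the post says wrap-gcc does.

```sh
#!/bin/sh
# Added example, not the wrap-gcc source. Assumption: dpkg-divert has moved the
# real compiler to "<name>.real" and this script sits at the original path.

# Print the compiler to run for wrapper path $1. REAL_CC (hypothetical
# variable) overrides the "<name>.real" convention.
real_compiler() {
    printf '%s\n' "${REAL_CC:-$1.real}"
}

# Run compiler $1 with the remaining arguments, forcing SSP on.
ssp_run() {
    cc=$1
    shift
    n=$#
    # Walk "$@" once, re-appending each argument so quoting and order survive,
    # and dropping explicit requests to switch the protection off.
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        case $arg in
            -fno-stack-protector) ;;
            *) set -- "$@" "$arg" ;;
        esac
        n=$((n - 1))
    done
    # GCC honours the last of a -f/-fno- pair, so the flag goes at the end.
    "$cc" "$@" -fstack-protector
}

# Only act as a wrapper when installed under a compiler name.
case ${0##*/} in
    gcc|cc|g++) ssp_run "$(real_compiler "$0")" "$@" ;;
esac
```

Pointing the wrapper at a path other than the diverted binary matters: if it resolved back to itself through `PATH`, it would recurse.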


Branden Robinson

2004-06-29, 5:59 pm

On Wed, Jun 16, 2004 at 11:30:31AM +0100, Steve Kemp wrote:
> After the recent message discussing the SELinux status I thought now
> would be a good time to give an update on the status of the SSP
> experiments I've been making.


Outstanding. I hope to become an SELinux bigot one day.

> Using these I've successfully rebuilt the Kernel 2.4.26-k7 package,
> X, perl, mozilla, bind, apache, and openssh. All of these packages
> work without problem to the best of my knowledge and ability to test!


I like the sound of that "X"...

> Finally I'm on the hunt for an old clamshell ibook which will let me
> play with this stuff on a non-intel machine, (and also because I want
> a laptop!). So far that's not going so well but hopefully I'll find
> one locally soon.


If you're a U.S. person, you might try <URL: http://www.powermax.com >.

I see a few available now:

http://www.powermax.com/cgi-global/....cgi?p=c-u56001
http://www.powermax.com/cgi-global/....cgi?p=c-u56002
http://www.powermax.com/cgi-global/....cgi?p=c-u56019
http://www.powermax.com/cgi-global/....cgi?p=c-u56004
http://www.powermax.com/cgi-global/....cgi?p=c-u55399

--
G. Branden Robinson | The first thing the communists do
Debian GNU/Linux | when they take over a country is to
branden@debian.org | outlaw cockfighting.
http://people.debian.org/~branden/ | -- Oklahoma State Senator John Monks

Steve Kemp

2004-06-29, 5:59 pm

On Tue, Jun 29, 2004 at 02:21:12PM -0500, Branden Robinson wrote:

>
> I like the sound of that "X"...


It took hours to build; sadly I've only managed it once as I've
since run out of disk space!

I'm going to try another build at the weekend.

> If you're a U.S. person, you might try <URL: http://www.powermax.com >.


I'm in Scotland, so that's not really so appropriate. Thanks anyway.

Since this last mail I've released the rebuilding tool for others
to use if they wish to do similar things:

http://www.steve.org.uk/Software/debian-builder/

Along with some brief instructions on the necessary setup:

http://shellcode.org/pipermail/debi...une/000028.html

Maybe they will allow some non-x86 user to play along without
me ..

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

