http://www.gentoo.org/proj/en/hardened/propolice.xml

ProPolice Protected Gentoo Linux: GCC extension for protecting from stack-smashing attacks

1. What is ProPolice?

ProPolice is a GCC extension for protecting programs from stack-smashing attacks. It is implemented as a patch to GCC that automatically inserts protection code into your programs at compile time: for each function that has local arrays, a guard value (a "canary") is placed between those arrays and the saved frame pointer and return address, the local variables are rearranged so that the arrays sit directly under the guard and above any pointer locals, and the guard is checked before the function returns. It is developed by Hiroaki Etoh at IBM. For more information visit the official ProPolice website.

Overall this is an excellent security measure. We know that the applications we use have bugs that have yet to be discovered, and this protection helps minimize the possibility of an exploit due to those bugs. The flawed application may well still crash, because the guard check aborts the process before a corrupted return address is used, but privileges will not be escalated and your system will not be compromised. Best of all, the failure handler reports the name of the function in which the overflow occurred, which allows us to quickly track down the problem and fix it.

However, ProPolice does not catch all possible overflows, and some cases will still get through the stack-smashing protection code: it guards only the stack (heap and static-data overflows are untouched), an overflow that stays within a single structure or that writes through a corrupted pointer rather than past the end of the frame never touches the guard, and functions without local arrays are not instrumented at all. This is not an end-all, be-all solution to security; it is merely a step in the right direction. This patch was recently integrated into OpenBSD 3.3, and looks to be an excellent addition to proactive security.

2. How is it implemented in Gentoo?

Warning: this is still a new project, and there are still some pitfalls and bugs involved in running it. For now, I would not recommend that it be run by the average user, or by anyone with a system in a mission-critical position. However, anyone who would like to contribute to the development or to the testing and bug-fixing of this project, please go ahead and run it! Since this will eventually be targeted at secure systems, it needs all the testing it can get.

GCC Patch

ProPolice is implemented as a GCC patch. This patch includes a diff against the GCC code, as well as two additional files (a source file and a header file).
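To make concrete what the inserted protection code does to a function's frame, here is an added example written for this page; it is not code from the Gentoo project or from the ProPolice patch. It models a stack frame as a struct so that an overflow can be observed without crashing the process, and compares the layout an unprotected compiler might emit (locals in declaration order) with the ProPolice layout (pointers below the array, guard directly above it). The struct layouts, the fixed guard value, the fake return address and the function names overflow_naive, overflow_propolice and handler_calls are assumptions made for the demonstration; __guard and __stack_smash_handler are the runtime symbol names that the kernel patch described later under Kernel also provides, but the handler here only counts calls instead of aborting.

```c
/* Added example: hand-built model of the ProPolice guard and local reordering.
 * Not from the Gentoo page or the ProPolice patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ProPolice runtime symbols. The real runtime fills __guard with a random value
 * at startup; a fixed value is an assumption made for this demo. */
uintptr_t __guard = (uintptr_t)0x5eedbeadUL;
static int smash_count = 0;              /* how often the handler fired */

/* The real handler logs the function name and aborts; this one only counts
 * so the outcome can be inspected. */
void __stack_smash_handler(const char *func, int damaged)
{
    (void)damaged;
    smash_count++;
    fprintf(stderr, "stack smashing attack in function %s\n", func);
}

enum { HIT_PTR = 1, HIT_GUARD = 2, HIT_RET = 4 };   /* slots an overflow reached */

/* Locals in declaration order: the pointer sits right after the array. */
struct naive_frame {
    char      buf[16];
    char     *ptr;
    uintptr_t guard;        /* present so both layouts are comparable */
    uintptr_t saved_fp;
    uintptr_t saved_ret;
};

/* ProPolice layout: pointer below the array, guard directly above the array. */
struct propolice_frame {
    char     *ptr;
    char      buf[16];
    uintptr_t guard;
    uintptr_t saved_fp;
    uintptr_t saved_ret;
};

static char sentinel_target;                         /* what ptr points at */
#define FAKE_RET ((uintptr_t)0x08048000UL)           /* assumed return address */

/* The bug being protected against: an unchecked copy into buf. Bounded only by
 * the size of the modelled frame so the demo itself stays memory-safe. */
static void smash(void *frame, size_t frame_size, size_t buf_off, size_t n)
{
    if (n > frame_size - buf_off)
        n = frame_size - buf_off;
    memset((unsigned char *)frame + buf_off, 'A', n);
}

/* Overflow buf by writing n bytes into the naive layout; return what was hit. */
int overflow_naive(size_t n)
{
    struct naive_frame f = { {0}, &sentinel_target, __guard, 0xBBBB, FAKE_RET };
    smash(&f, sizeof f, offsetof(struct naive_frame, buf), n);
    return (f.ptr != &sentinel_target ? HIT_PTR : 0)
         | (f.guard != __guard ? HIT_GUARD : 0)
         | (f.saved_ret != FAKE_RET ? HIT_RET : 0);
}

/* Same write against the ProPolice layout, followed by the epilogue check
 * that ProPolice emits: compare the frame's guard with __guard, call the
 * handler on mismatch. */
int overflow_propolice(size_t n)
{
    struct propolice_frame f = { &sentinel_target, {0}, __guard, 0xBBBB, FAKE_RET };
    smash(&f, sizeof f, offsetof(struct propolice_frame, buf), n);
    if (f.guard != __guard)
        __stack_smash_handler("overflow_propolice", 0);
    return (f.ptr != &sentinel_target ? HIT_PTR : 0)
         | (f.guard != __guard ? HIT_GUARD : 0)
         | (f.saved_ret != FAKE_RET ? HIT_RET : 0);
}

int handler_calls(void) { return smash_count; }

int main(void)
{
    size_t p = sizeof(char *);
    printf("naive,     16+P bytes: hits=%d\n", overflow_naive(16 + p));
    printf("propolice, 16+P bytes: hits=%d\n", overflow_propolice(16 + p));
    printf("propolice, 16+3P bytes: hits=%d\n", overflow_propolice(16 + 3 * p));
    printf("handler calls: %d\n", handler_calls());
    return 0;
}
```

Compile it with a plain gcc invocation; no -fstack-protector is needed because the guard is modelled by hand. Overflowing the 16-byte array by exactly one pointer width shows why the reordering matters as much as the guard: in the naive layout that write silently replaces ptr while the guard stays intact, so a later store through ptr could redirect control without ever tripping the check, whereas in the ProPolice layout the same write lands on the guard and is caught before the function returns. A write long enough to reach saved_ret must pass through the guard in either layout.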
There is also an optional diff that causes stack protection to be enabled by default. I do not recommend applying this latter patch, as it tends to cause problems with a number of things, including kernel compilation. The gcc-3.2.3-r1 ebuild in portage is now patched for ProPolice support.

ProPolice adds two new CFLAGS to GCC: -fstack-protector enables the stack protection, and -fno-stack-protector (the default behavior) explicitly disables it. If you would like the protection on by default, add -fstack-protector to your CFLAGS in /etc/make.conf.

Results so far

My tests so far have been quite successful. I have, however, run into a few pitfalls related to ProPolice on Gentoo.

Portage/glibc

The first, and probably most significant, problem stems from portage and glibc 2.3.1. If glibc 2.3.1 is built with stack protection, portage's sandbox will break, and you will no longer be able to emerge packages. When using a ProPolice-built glibc 2.3.1, any program linked against libpthread will segfault when executed through the sandbox. Since tar is linked against libpthread, the emerge will fail while trying to unpack the package archive. I'm still working on tracking down the source of this bug. However, glibc 2.3.2 seems to be unaffected by it. I recommend that anyone using a ProPolice-built system upgrade to glibc 2.3.2; this will allow you to use the sandbox feature of portage. If for some reason you are unable to move to glibc 2.3.2 at this time, you will need to disable the sandbox.

XFree86

XFree86 as of 4.3.0-r2 no longer strips the -fstack-protector flag. All of XFree86 can be built successfully with stack protection except the video modules. This allows us to protect the networking code in XFree86, the part most exposed to attack. To build XFree86 with stack protection, a small patch is required. This patch causes some OpenBSD-specific XFree86 code to be run to determine whether we are using a ProPolice-patched GCC.
If it finds that we are, it explicitly adds -fno-stack-protector to the module build, but keeps -fstack-protector for the rest of the source. This patch is included in the 4.3.0-r2 XFree86 ebuild.

Kernel

By default the kernel cannot be compiled with -fstack-protector: the protected code references a guard value (__guard) and a failure handler (__stack_smash_handler), and the kernel, which is not linked against the userspace runtime that normally supplies them, has to provide them itself. I have put together a patch that allows this, however. It is based on the patch by Hiroaki Etoh. This patch adds a propolice.c file to the kernel, setting up the __guard value and the __stack_smash_handler function required by ProPolice. Since we don't enable ProPolice by default in Gentoo, we need to add -fstack-protector to the kernel makefiles. For this I have added a configuration option under Processor Type and Features called ProPolice Stack Smashing Protection, for all architectures supported by ProPolice. If you wish to build your kernel with this protection, enable this option to add -fstack-protector to your build.

In my initial testing of this kernel, it showed no noticeable performance decrease from a standard unprotected kernel. Benchmarking was done with lmbench. These results and more will be posted shortly. This patch is available in the Files section of this document, and will soon be included by default in the hardened-sources kernel.

Other Problems

There are a few other programs that will not build successfully with stack protection enabled. These include grub, cracklib (part of the base system), tetex, and ocaml. These ebuilds have been updated in portage to filter out the stack protection flag for now, so you should not have any problems with them. If you run into any other packages that will not build due to ProPolice, please report them.

Building an entire system with stack protection

It is now possible to bootstrap and build an entire machine with ProPolice stack-smashing protection.
All you need to do at this point is be sure to use the gcc-3.2.3-r1 ebuild (you will need to unmask it; also remember that it is in the unstable branch), and add -fstack-protector to your CFLAGS in /etc/make.conf. Things should be quite stable at this point, but please report any problems you run into.

What now?

There are plans to merge this project into the base Gentoo system as an optional feature. This is now officially a part of the Hardened Gentoo effort, along with many other security enhancements. Before any of this is incorporated into the base system it needs more testing, especially on non-x86 platforms. I will be providing more info and more bug fixes as I continue my testing and development of this project.

3. Files

This patch should apply cleanly to the 2.4.20 and 2.4.21-rc kernels (among others). It will add a ProPolice build option to your kernel config.

2.4.20-propolice-build.patch