Changeset 1081

Timestamp:
08/09/07 03:41:23 (1 year ago)
Author:
robert
Message:

Updated ssp hint

Files:

  • trunk/ssp.txt

    r936 r1081  
    11AUTHOR:         Robert Connolly <robert at linuxfromscratch dot org> (ashes) 
    22 
    3 DATE:           2005-02-1
     3DATE:           2007-08-0
    44 
    55LICENSE:        Public Domain 
    66 
    7 SYNOPSIS:       Stack Smashing Protector and Libsafe 
     7SYNOPSIS:       Stack Smashing Protector, and _FORTIFY_SOURCE 
    88 
    99PRIMARY URL:    http://www.linuxfromscratch.org/hints/ 
    1010 
    1111DESCRIPTION: 
    12 Smashing Stack Protector is a C and C++ security extension for GCC. 
    13 Libsafe prevents format string attacks. 
    14  
    15 Based on StackGaurd, SSP was developed by IBM for protecting applications 
    16 from stack smashing attacks. This is the single largest class of attacks and 
    17 many security oriented vendors have added it to their default compiler. The 
    18 overhead lost to this type of guard is minimal. In practice if the entire 
    19 system is built with SSP users shouldn't notice any difference in performance. 
    20  
    21 The official homepage for ProPolice Smashing Stack Srotector is at: 
    22 http://www.trl.ibm.com/projects/security/ssp/ 
    23  
    24 http://www.usenix.org/events/sec01/full_papers/frantzen/frantzen_html/\ 
    25         node30.html 
     12Stack Smashing Protector (SSP) is a C, C++, Obj, and Obj++ debugging/security 
     13extension for GCC. SSP was originally developed by IBM for protecting 
     14applications from the single largest class of program attacks, and it has 
     15since been adopted by many security oriented operating systems. More recently 
     16SSP was officially added to GCC, Glibc, and uClibc. This recent addition 
     17modified the original SSP implementation to add SSP to Tread Local Storage, 
     18so that each thread can be guarded separately. The IBM homepage for SSP is 
     19here: http://www.trl.ibm.com/projects/security/ssp/ 
     20Another nice description is here: 
     21http://www.usenix.org/events/sec01/full_papers/frantzen/frantzen_html/ 
     22        node30.html 
    2623"Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a 
    2724random canary between any stack allocated character buffers and the return 
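Review bot: the new DESCRIPTION paragraph (new lines 12-19) has typos that should be fixed before this lands: "Obj, and Obj++" should name the languages the way the GCC section of this same hint does ("OBJC, and OBJC++", i.e. Objective-C and Objective-C++), and "Tread Local Storage" should read "Thread Local Storage". The sentence "so that each thread can be guarded separately" also claims more than the hint shows: the only observable change from the TLS work is that the canary no longer lives in a global that a program can read (the old Testing section read it through `extern long __guard[];`), so either cite where threads receive distinct canaries or reword to say the guard is now read from thread-local storage. Calling SSP a "debugging/security extension" is odd too; it is a mitigation, not a debugging aid, and the old wording "security extension" was better.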
     
    3027variables to protect local pointers from being overwritten in a buffer overflow. 
    3128" 
    32 Also see: 
    33 http://www.linuxfromscratch.org/hlfs/ 
    34 http://www.linuxfromscratch.org/~robert/FreeBSD/freebsd-ssp.txt 
    35 http://www.linuxfromscratch.org/~robert/NetBSD/netbsd-ssp.txt 
     29_FORTIFY_SOURCE is a Glibc feature which adds memory and string function 
     30protection. There is no home site for this feature, but it is described well 
     31on this page: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html 
    3632 
    3733PREREQUISITES: 
    38 LFS-6.0 
    39 The basic version of SSP uses /dev/urandom directly. When a whole system is 
    40 built with SSP this tends to consume all the kernel entropy. This hint uses 
    41 arc4random() from the entropy.txt hint, which uses /dev/erandom. This stop
    42 the entropy starvation caused by the vanilla SSP. This hint will walk through 
    43 everything you need, but you can read more about entropy and arc4random here: 
    44 http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt 
     34GCC-4.1 (or newer) for SSP and _FORTIFY_SOURCE. 
     35Glibc-2.4 (or newer) for SSP and _FORTIFY_SOURCE. 
     36 
     37The standard version of SSP uses /dev/urandom directly. When a whole system i
     38built with SSP this tends to consume all the kernel entropy. /dev/erandom is 
     39reccomended for SSP to conserve kernel entropy. See the entropy.txt hint for 
     40this at: http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt 
    4541 
    4642HINT: 
    4743 
    48 ======= 
    49 Context 
    50 ======= 
    51  
    52         Introduction 
    53         Libsafe 
    54         Installation 
    55         Testing 
    56         Feedback 
    57         Acknowledgments 
    58  
    59 ============ 
    60 Introduction 
    61 ============ 
    62  
    63 Smashing Stack Protector 
    64  
    65 The GCC patch will add -fstack-protector-all, -fstack-protector, and 
    66 -fno-stack-protector to GCC extensions for C and C++; and 
    67 __guard_setup and __stack_smash_handler are defined in libgcc2.c. This code is 
    68 supplied by IBM, I have changed one definition to enable libc functions, and 
    69 added "ssp" to the version string. 
     44        Context 
     45                Stack Smashing Protector 
     46                _FORTIFY_SOURCE 
     47 
     48- Stack Smashing Protector 
     49 
     50The GCC options for SSP are -fstack-protector, -fstack-protector-all, and 
     51-Wstack-protector. The -fstack-protector option only protects functions with 
     52character arrays, and is generally not recomended. The -fstack-protector-all 
     53option protects all functions. The -Wstack-protector option will produce a 
     54warning about any functions which are not protected. This warning can occure 
     55in functions with buffers smaller than 8 bytes. 
     56 
     57The '--param=ssp-buffer-size=' GCC option controls the minimum buffer size 
     58protected by SSP. 
    7059 
    7160There have been reports of problems with SSP and 'gcc -O3' with Python. It 
    7261may or may not cause problems in other packages with -O3. 
    7362 
    74 If any of these links are broken look for a newer version. 
    75  
    76 *** All of these patches are in: 
    77 Note: The gcc-3.4 patch works on 3.4.0, 3.4.1, 3.4.2, and 3.4.3. 
    78  
    79 http://www.linuxfromscratch.org/patches/downloads/gcc/\ 
    80         gcc-3.4-ssp-3.patch 
    81  
    82 The Glibc patch will define __guard_setup and __stack_smash_handler in libc.so 
    83 so the kill function can be kept in a shared library. /dev/log will also need 
    84 to be present in chroot for syslog to log stack overflows. It is recommended 
    85 intrusion detection systems monitor the system logs for these alerts. 
    86  
    87 http://www.linuxfromscratch.org/patches/downloads/glibc/\ 
    88         glibc-2.3.4-ssp_arc4random-1.patch 
    89  
    90 This patch is for chapter 6. 
    91  
    92 http://www.linuxfromscratch.org/patches/downloads/glibc/\ 
    93         glibc-2.3.4-fstack_protector-1.patch 
    94  
    95 The sspspecs patch is depreciated. Use the Perl commands. 
    96  
    97 http://www.linuxfromscratch.org/patches/downloads/\ 
    98         linux-libc-headers-2.6.10.0-pseudo_random-1.patch 
    99  
    100 The Linux kernel patch for SSP is depreciated. The kernel has its own overflow 
    101 detection. 
    102  
    103 http://www.linuxfromscratch.org/patches/downloads/linux/\ 
    104         linux-2.6.10-pseudo_random-1.patch 
    105  
    106 The XFree86 patch disables stack protection for some modules. This patch 
    107 works for Xorg and XFree86-4.4 too. (Also see note below). 
    108  
    109 http://www.linuxfromscratch.org/patches/downloads/XFree86/ \ 
    110         XFree86-4.3.0-ssp-1.patch 
    111  
    112 ======= 
    113 Libsafe 
    114 ======= 
    115 Official site: 
    116 http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz 
    117  
    118 Note: Libsafe is obsolete, you can still use it if you wish. 
    119  
    120 Libsafe was developed by Avaya Labs to protect against format string 
    121 vulnerabilities. Though not widely used it has been widely tested. This 
    122 protection can be installed on an already running system, using ld.so.preload 
    123 to watch applications at runtime for functions which are known to be vulnerable. 
    124 This of course only protects dynamically linked applications. There should not 
    125 be a noticeable performance decrease, and it also logs to syslog. 
    126  
    127 We get some errors if we install Libsafe early in the build. 
    128 GCC 
    129 FAIL: g++.dg/expr/anew1.C execution test 
    130 FAIL: g++.dg/expr/anew2.C execution test 
    131 FAIL: g++.dg/expr/anew3.C execution test 
    132 FAIL: g++.dg/expr/anew4.C execution test 
    133  
    134 Binutils 
    135 FAIL: S-records 
    136 FAIL: S-records with constructors 
    137  
    138 To avoid these errors install Libsafe after GCC in chapter 6. Libsafe is 
    139 somewhat obsolete. Most modern software either doesn't use these strings, or 
    140 uses them properly. All of the example exploits in exploits/ will fail because 
    141 of SSP. 
     63The GCC manual page says to avoid using '-Wp' whenever possible, so use 
     64-D_FORTIFY_SOURCE=2 when using _FORTIFY_SOURCE. 
    14265 
    14366===================== 
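Review bot: the new lines 63-64 tell the reader to pass -D_FORTIFY_SOURCE=2 but nowhere in the added text says that the checks only take effect when compiling with optimization (-O1 or higher), because they rely on GCC evaluating __builtin_object_size; a package built with -O0 gets no protection and no warning. Add that caveat here, next to the -Wp advice. Smaller points in the same region: "reccomended" (new line 39), "recomended" (new line 52) and "occure" (new line 54) are misspelled, and the statement that -fstack-protector "is generally not recomended" would be easier to justify if it said why (only functions with char arrays of at least ssp-buffer-size bytes are guarded, as the next paragraph explains).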
     
    14568===================== 
    14669 
    147 --------- 
    148 Chapter 5 
    149 --------- 
    150  - GCC pass 1 
    151 No patches. 
    152  
    153 - Libc-linux-headers headers 
    154 patch --no-backup-if-mismatch \ 
    155         -Np1 -i ../linux-libc-headers-2.6.10.0-pseudo_random-1.patch 
    156  
    157  - Glibc 
    158 patch -Np1 -i ../glibc-2.3.4-arc4random-1.patch && 
    159 patch -Np1 -i ../glibc-2.3.4-ssp_arc4random-1.patch 
    160  
    161  - GCC pass 2 
    162 patch -Np1 -i ../gcc-3.4-ssp-3.patch && 
    163 sed -e 's@gcc.gnu.org/bugs.html@bugs.linuxfromscratch.org/@' \ 
    164         -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c 
    165  
    166 After make install do this. This will add -fstack-protector-all for C and C++: 
    167  
    168 cat > hardened-specs.sh << "EOF" 
    169 #!/bin/sh 
    170 perl -pi -e 's@\*cc1:\n@$_%(cc1_ssp) @;' \ 
    171         $(gcc --print-file specs) && 
    172 perl -pi -e 's@\*cc1plus:\n@$_%(cc1_ssp) @;' \ 
    173         $(gcc --print-file specs) && 
    174 echo '*cc1_ssp: 
    175 %{!fno-stack-protector*: -fstack-protector-all} 
    176 ' >> $(gcc --print-file specs) 
    177 EOF 
    178 install hardened-specs.sh /tools/bin && 
    179 /tools/bin/hardened-specs.sh 
    180  
    181  - Binutils pass 2 
    182 Just for the testsuite. 
    183 make CFLAGS="-fno-stack-protector" check 
     70# In chapter 5 of the LFS book, you don't need to do anything different. 
    18471 
    18572--------- 
    18673Chapter 6 
    18774--------- 
    188 - Libc-linux-headers headers 
    189 patch --no-backup-if-mismatch \ 
    190         -Np1 -i ../linux-libc-headers-2.6.10.0-pseudo_random-1.patch 
    191  
    192  - Glibc 
    193 patch -Np1 -i ../glibc-2.3.4-arc4random-1.patch && 
    194 patch -Np1 -i ../glibc-2.3.4-ssp_arc4random-1.patch && 
    195 patch -Np1 -i ../glibc-2.3.4-fstack_protector-1.patch 
    196  
    197 Then modify CC. This will let some parts get skipped, but the fstack_protector 
    198 patch above will add -fstack-protector-all on most of the utils and libs. 
    199  
    200 env CC="gcc -fno-stack-protector" ../glibc-2.3.4/configure... 
    201  
    202  - Binutils 
    203 make CFLAGS="-fno-stack-protector" check 
    204  
    205  - GCC 
    206 patch -Np1 -i ../gcc-3.4-ssp-3.patch && 
    207 sed -e 's@gcc.gnu.org/bugs.html@bugs.linuxfromscratch.org/@' \ 
    208         -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c 
    209  
    210 make CFLAGS="-fstack-protector-all -O2" CXXFLAGS="-fstack-protector-all -O2" 
    211  
    212 After make install run the script again to put -fstack-protector-all back in 
    213 the specs file: 
    214  
    215 /tools/bin/hardened-specs.sh 
    216  
    217  - Grub 
    218 env CC="gcc -fno-stack-protector" ./configure... 
    219  
    220 --------- 
    221 Chapter 8 
    222 --------- 
    223 Linux kernel 
    224 There are two options added by this patch. Sysctl urandom and frandom. They 
    225 are enabled by default. Be sure not to build frandom as a module or else 
    226 sysctl will not be able to work with it. 
    227  
    228 make mrproper && 
    229 patch -Np1 -i ../linux-2.6.10-pseudo_random-1.patch 
    230  
    231 make menuconfig 
    232 ... 
    233 make CC="gcc -fstack-protector" 
    234 ... 
    235  
    236 ----- 
    237 BLFS 
    238 ----- 
    239 As of 6.8.0 Xorg added an option in the host.def file for propolice. When you 
    240 compile Xorg simply do this instead of using the patch (the patch still works 
    241 though): 
    242  
    243 echo "#define ProPoliceSupport YES" >> config/cf/host.def 
    244  
    245 mcopidl from Arts has issues with SSP. Use the following command to disable 
    246 propolice just for the mcopidl program. 
     75 
     76# - Glibc 
     77
     78# Make SSP use /dev/erandom: 
     79 
     80sed -i 's@/dev/urandom@/dev/erandom@' sysdeps/unix/sysv/linux/dl-osinfo.h 
     81 
     82# The following does not work with Glibc-2.6.1... the build will go into an 
     83# infinite loop. This does work with Glibc-2.5. 
     84 
     85# Glibc's libraries can not be built with SSP or _FORTIFY_SOURCE, but the 
     86# applications can. This is optional. 
     87
     88# The 'nscd' program is built with -fstack-protector by default. The following 
     89# command will make -fstack-protector-all be used instead, for better 
     90# protection: 
     91 
     92sed -i 's/fstack-protector/&-all/' nscd/Makefile 
     93 
     94# After running ./configure, the follwing command will tell Glibc to build 
     95# the libraries but not the application programs: 
     96 
     97echo 'build-programs=no' > configparms 
     98 
     99# Then run 'make' normally. Now the programs can be built with SSP and 
     100# _FORTIFY_SOURCE. You can build the applications with SSP and/or 
     101# _FORTIFY_SOURCE... both are optional and independent of eachother. To build 
     102# Glibc's applications with both SSP and _FORTIFY_SOURCE use the following 
     103# command after building the libraries: 
     104 
     105echo 'CC = gcc -fstack-protector-all -D_FORTIFY_SOURCE=2 
     106CXX = g++ -fstack-protector-all -D_FORTIFY_SOURCE=2 
     107' > configparms 
     108 
     109# Then run 'make' again. 
     110 
     111# The CC and CXX variables are used instead of CFLAGS and CXXFLAGS because 
     112# CFLAGS and CXXFLAGS are sometimes ignored by the Glibc build system. 
     113 
     114# The Glibc test suite should pass as if -fstack-protector-all and 
     115# -D_FORTIFY_SOURCE=2 were not used. Continue to test and install Glibc 
     116# normally. 
     117 
     118# - GCC 
     119
     120# To make GCC use SSP by default get: 
     121# http://www.linuxfromscratch.org/patches/downloads/gcc/ 
     122#       gcc-4.1.2-fstack_protector-1.patch 
     123# or 
     124# http://www.linuxfromscratch.org/~robert/new/patches/ 
     125#       gcc-4.2.1-fstack_protector.patch 
     126 
     127patch -Np1 -i gcc-4.1.2-fstack_protector-1.patch 
     128 
     129# This SSP patch adds -fstack-protector-all as the default for C, C++, OBJC, 
     130# and OBJC++. 
     131 
     132# To make GCC use -D_FORTIFY_SOURCE=2 by default get (this patch works for 
     133# gcc-4.2.1 too): 
     134# http://www.linuxfromscratch.org/patches/downloads/gcc/ 
     135#       gcc-4.1.2-fortify_source-1.patch 
     136 
     137# If you want to build GCC itself with SSP and _FORTIFY_SOURCE, then use 
     138# 'make bootstrap'. If you want to build Binutils with SSP and _FORTIFY_SOURCE 
     139# then rebuild and reinstall it. Add --disable-werror to work around warnings 
     140# caused by _FORTIFY_SOURCE. 
     141 
     142# - Grub 
     143env CC="gcc -fno-stack-protector -U_FORTIFY_SOURCE" ./configure... 
     144 
     145# --------- 
     146# Chapter 8 
     147# --------- 
     148 
     149# - Kernel 
     150# The recent 2.6 kernels will detect SSP and disable it. _FORTIFY_SOURCE can 
     151# be built into the kernel, or you can disable it with: 
     152# make CC="gcc -U_FORTIFY_SOURCE" 
     153 
     154# ----- 
     155# BLFS 
     156# ----- 
     157 
     158# - Arts 
     159# mcopidl from Arts has issues with SSP. Use the following command to disable 
     160# propolice just for the mcopidl program. 
    247161 
    248162sed -e 's/^KDE_CXXFLAGS .*$/& -fno-stack-protector/' \ 
    249163        -i mcopidl/Makefile.in 
    250164 
    251 ======== 
    252 Testing 
    253 ======== 
    254 There are a couple tests in this package which may also be usefull here. 
    255 http://pax.grsecurity.net/paxtest-0.9.5.tar.gz 
    256 There are also tests in the libsafe source. 
    257  
    258 This will test -fstack-protector-all and will display the __guard value. 
    259  
    260 cat > test.c << "EOF" 
    261 #include <stdio.h> 
    262 #include <unistd.h> 
    263 extern long __guard[]; 
    264 int overflow(char *test) { 
    265         char buffer[7]; 
    266         sprintf(buffer, "12345678901234567890123456789012345678901234567890"); 
    267         return(1234); 
    268 
    269 int main(int argc, char **argv) { 
    270         printf("__guard\t=\t0x%08x;\n", __guard[0]); 
    271         overflow("test"); 
    272         printf("This line should never get printed.\n"); 
    273 
    274 EOF 
    275  
    276 gcc -o fail fail.c && 
    277 ./fail && 
    278 g++ -o fail++ fail.c && 
    279 ./fail++ 
    280  
    281 This should display abort signals for each. The __guard value should change 
    282 for each runtime. The system syslog daemon should also log each of these. 
    283  
    284 Should a program on your system ever have a stack overflow you should get 
    285 similar messages in your logs and perhaps in the console controling the 
    286 program. 
     165# ======== 
     166# Testing 
     167# ======== 
     168
     169# The Glibc test suite includes tests for SSP and _FORTIFY_SOURCE. 
     170
     171# Additional regression tests can be found in NetBSD's regress/lib/libc/ssp/. 
     172
     173# There are a couple tests in the 'paxtest' package which may also be usefull. 
     174# http://pax.grsecurity.net/paxtest-0.9.5.tar.gz 
    287175 
    288176ACKNOWLEDGMENTS: 
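Review bot: the sed at new line 80 that points Glibc at /dev/erandom gives no indication when the pattern is not found, and nothing in the section tells the reader to confirm that the target system actually has a /dev/erandom node, although every canary on the system depends on it; follow the sed with something like `grep -q '/dev/erandom' sysdeps/unix/sysv/linux/dl-osinfo.h || exit 1` and add a sentence telling the reader to check for the device (it comes from the entropy.txt hint's kernel patch) before booting the new system. Three further points in this hunk: the scope of "The following does not work with Glibc-2.6.1" (new lines 82-83) is unclear, because the prerequisites say Glibc-2.4 or newer, so state whether it covers only the build-programs=no/configparms sequence or also the nscd sed; `patch -Np1 -i gcc-4.1.2-fstack_protector-1.patch` (new line 127) drops the `../` that every other patch command in this hint uses; and the kernel note (new lines 150-151) should say that -D_FORTIFY_SOURCE is simply inert for the kernel, which is compiled with -nostdinc and never sees Glibc's headers, rather than that it "can be built into the kernel". Finally, dropping the old test program (old lines 258-282) removes the only end-to-end check that the installed toolchain emits protector code; the old program was broken anyway (it wrote test.c and compiled fail.c), but the Testing section should still give one concrete check, for example compiling a small function that writes a char array with `gcc -S` and looking for `__stack_chk_fail` in the assembler output.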
     
    421309* Added note for "ProPoliceSupport YES" in Xorg. 
    422310* Added sed for Arts. 
     311[2007-08-08] 
     312* Finally updated for Glibc-2.4+ and GCC-4.1. 
     313* Added _FORTIFY_SOURCE 
     314* Removed Libsafe. It's own docs explain how to install it well. 
     315
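Review bot: in the changelog entry (new lines 311-314), "It's own docs" should be "Its own docs", and "Added _FORTIFY_SOURCE" is missing the trailing period the other entries carry.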