Steve Kemp <[EMAIL PROTECTED]> writes:

> On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> > On Fri, 5 Dec 2003 10:39, Steve Kemp <[EMAIL PROTECTED]> wrote:
> > > I've been experimenting with producing a hardened Debian derivative
> > > as a small piece of paid work. This mostly means compiling things with
> > > a stackguard compiler, using format guard, and enforcing policies, etc.
> >
> > Are you using any extra patches to GCC? Or just a GCC built with the
> > propolice option?
>
> Yes I am using slightly modified patches from http://www.immunix.org/.
>
> The propolice is something that I shall be evaluating next.
>
> > How difficult is it to bootstrap this? Can you compile glibc with these
> > options without affecting anything else?
>
> So far I have built glibc with this modified GCC, (only so that I
> could apply the "FormatGuard" patches which are designed to combat
> format string attacks. Recompiling glibc wasn't something that I
> really wanted to try on the PII 233MHz machine I have as my test box!
>
> Bootstrapping was very simple just a matter of applying the patch to
> GCC and rebuilding it, then having installed it I rebuilt several test
> packages which were exploitable previously and failed to be exploitable
> afterwards. (With the caveats that this patch doesn't protect against
> all attacks).
>
> I confess that I haven't rebuilt _all_ the interesting packages yet
> the kernel and X11 being the most likely to fail - but the packages
> that I did build, bash, perl, etc did compile with no observed side
> effects thus far.
If the ABI of libraries stays the same, sounds that way, bootstrapping is really easy.

You can set up a normal system with wanna-build and a buildd and an empty archive. You should patch the buildd to add a -0.0.1 or .0.1 debian version to each build. That way you can have the normal and your hardened repository in the apt/sources.lists, install normal/security updates immediately and update to hardened versions as they are available.

MfG
        Goswin
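Whether Goswin's version-suffix scheme does what he says depends on how dpkg orders version strings. The Python below is an added illustration, not code from this thread or from any Debian tool: it implements the version comparison from Debian Policy's Version field rules (epoch, then upstream part, then Debian revision, each split into non-digit runs compared lexically with tilde first and letters before non-letters, and digit runs compared numerically), applies the ".0.1" / "-0.0.1" suffix, and checks which version apt would pick. It also shows the caveat that a "15woody1"-style security revision sorts below "15.0.1", so such an update would not replace the hardened build; the version strings are constructed for the demonstration.

```python
import re
from functools import cmp_to_key

def _order(c):
    # Policy order: '~' < end of string < letters < every other character
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternating (non-digit, digit) runs: non-digit runs compare lexically
    # with the order above, digit runs compare numerically.
    pa = [(nd, int(d or 0)) for nd, d in re.findall(r"(\D*)(\d*)", a)]
    pb = [(nd, int(d or 0)) for nd, d in re.findall(r"(\D*)(\d*)", b)]
    for i in range(max(len(pa), len(pb))):
        na, da = pa[i] if i < len(pa) else ("", 0)
        nb, db = pb[i] if i < len(pb) else ("", 0)
        r = _cmp_nondigit(na, nb) or (da > db) - (da < db)
        if r:
            return r
    return 0

def _parse(v):
    # [epoch:]upstream[-revision]; the revision follows the last '-'
    epoch, revision = 0, ""
    if ":" in v:
        epoch, v = v.split(":", 1)
    if "-" in v:
        v, revision = v.rsplit("-", 1)
    return int(epoch), v, revision

def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def hardened_version(v):
    # Goswin's scheme: '.0.1' after a Debian revision, '-0.0.1' if there is none
    return v + (".0.1" if _parse(v)[2] else "-0.0.1")

def apt_candidate(versions):
    """The version apt would install when several repositories offer one."""
    return max(versions, key=cmp_to_key(compare_versions))
```

On a real system the same checks can be run with `dpkg --compare-versions`, which is the authoritative implementation.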