Hi Aaron,

2014-04-16 13:49 GMT+02:00 Aaron Zauner <a...@azet.org>:
> Hi Balint,
>
> Balint Reczey wrote:
>> Hi,
>>
>> I have posted the following idea on my blog [7] to get comments from
>> people not on this list, but obviously this is the mailing list where
>> the proposal should be discussed. :-)
> I generally agree with your concerns. But I have to concur that
> hardening the default should be the way to go. Besides, this does not
> only concern compiler flags, you'll need kernel hardening and active
> auditing (package source code, userland utilities and so forth). The
> thing is the OpenSSL vulnerability probably wouldn't have been resolved
> using those flags. Another example: stack canaries are a nice idea but
> have since been circumvented as new exploit techniques are constantly
> emerging. Another example: the new Kernel ASLR feature has recently been
> circumvented by spender of GRSEC. Simply running valgrind on your system
> might flag a lot of false positives, and figuring out what the right
> approach for a given package is will be - again - active auditing and
> thus extremely time consuming. The best way to do this is upstream, not
> in a specific distribution, from my experience.

I agree that it would be unrealistic to solve all security-related problems
with a new architecture, but I think it would be a good way of improving
what we can.
The upstream project I'm most involved in is Wireshark, where we try to
employ most of the state-of-the-art techniques for improving code quality,
but I think the Wireshark project is in a much better position than most
other projects. Thanks to a dedicated team and community we can build on
3 different static analyzers, CI buildbots on 6 different platforms and
fuzz testing with Valgrind all day long. For the projects lacking this
infrastructure Debian can provide build tests for many platforms and could
also be the project where additional hardening flags could catch security
problems. Expecting all upstreams to be able to keep up with the latest
security best practices is not realistic to me. A trivial example is the
case of dead upstreams.

It is true that stack canaries can't catch everything, but they detect a
fair share of attacks. Note that -fstack-protector is used by default for
all packages in Ubuntu, Fedora, ArchLinux, OpenBSD and others:
http://en.wikipedia.org/wiki/Buffer_overflow_protection

>
> A hardened distribution is a lot of effort, I've seen the Gentoo guys
> try it but it seems to be largely unmaintained nowadays. Hence -
> currently - the burden falls on security and systems engineers that
> deploy systems on a given Linux distribution.

The new architecture would target hardening the toolchain as the first
goal, and I consider this doable with reasonable effort. Other parts like
SELinux and a Grsecurity-enabled kernel can be done (and are already being
developed) for all architectures independently from the porting effort.

https://wiki.gentoo.org/wiki/Project:Hardened

Cheers,
Balint