tech-pkg archive


Re: Improving security for pkgsrc



On Sat, Jul 18, 2015 at 07:14:36PM +0200, Pierre Pronchery wrote:
> On 07/18/15 18:56, Joerg Sonnenberger wrote:
> > On Sat, Jul 18, 2015 at 06:38:09PM +0200, Pierre Pronchery wrote:
> >> 1. Building with stack smashing protection: (SSP)
> >>
> >>   +_GCC_CFLAGS+=  -fstack-protector
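Review bot: this adds -fstack-protector unconditionally to _GCC_CFLAGS, so every package built with GCC gets it with no way to opt out and no way to find out which packages break, while builds with other compilers get nothing at all. Since the request further down is only that pkgsrc "at least provide the option", gate the flag behind a user-settable mk.conf variable that defaults to off until the breakage this thread anticipates has been worked through, and state in the commit which GCC versions accept the flag; the later timeline entries about distributions strengthening their default also suggest deciding whether the stronger variant rather than plain -fstack-protector is the right thing to expose.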
> >>
> >> This one is already described in NetBSD's build process; for a minor
> >> performance penalty, the compiler will have a canary checked to be
> >> present unmodified on the stack, thereby helping with the mitigation
> >> of stack-based buffer overflows.
> > 
> > It has been shown to be pretty weak in practise, so YMMV.
> 
> Maybe, but meanwhile:
> 
> 1997 First implementation for GCC
> 1998 First publication at USENIX
> 1998 By default in Immunix Linux
> 2001 IBM writes ProPolice
> 2003 Ready for GCC 3.x
> 2005 RedHat improves further for GCC 4.1
> 2005 MSVC has it by default
> 2006 Fedora Core 5 enables it by default
> 2006 Ubuntu 6.10 enables it by default
> 2009 FreeBSD enables it by default in the base system
> 2011 ArchLinux enables it by default in packages
> 2012 Google improves some more
> 2013 Fedora Core 20 strengthens the default
> 2014 ArchLinux strengthens the default
> 
> ???? OpenBSD uses it
> ???? Hardened Gentoo also
> ???? DragonFlyBSD as well
> 
> I know that it does not mean it is a silver bullet, but it seems to be
> more than mature, and a significant number of community- and
> enterprise-driven projects have embraced it. And then, most are using
> more aggressive versions even. Personally, I consider it
> state-of-the-art, and we should at least provide the option.

I don't even remember WHEN OpenBSD indeed got it. It's got to be somewhere
in 2003.

It promptly started breaking things up badly, by finding lots of overflows
all over the place.  It's been rather invaluable in that way.


In any case, I wouldn't call any of these improvements "low-hanging fruit".

It's totally a lot of effort to make PIE work for instance.


Each time you add some level of protection, you're bound to run into lots
of programs that play wild & loose with the rules. And you have to fix things
correctly so that they keep working. Otherwise, people will start NOT using
your awesome security measures for actual work...
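As an added example (written for this page; not code from the thread, from pkgsrc, or from GCC), the C program below imitates in plain C what -fstack-protector does around a function that has a local character buffer: it plants a guard value between the buffer and the saved return address on entry, and compares that guard before returning. It then feeds constructed inputs of three sizes through a strcpy()-style copy and through a bounded copy, so you can see which writes the canary catches, which it does not, and why fixing the copy is what actually keeps the program working. The frame layout, the fixed GUARD_VALUE, the RETURN_SENTINEL stand-in and the attacker_input helper are assumptions made for the demonstration; in a real binary the guard is the randomised __stack_chk_guard and a mismatch ends in __stack_chk_fail(), which aborts the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame (an assumption for this demo, not compiler output).
 * ProPolice orders locals so character arrays sit lowest, the guard ("canary")
 * directly above them, and the saved return address beyond the guard. */
#define BUF_SIZE 16

struct sim_frame {
    char     buf[BUF_SIZE];   /* the local buffer an attacker writes into */
    uint64_t guard;           /* canary: planted in the prologue, checked in the epilogue */
    uint64_t saved_return;    /* stand-in for the saved return address */
};

/* Real code uses __stack_chk_guard, randomised at process start; fixed values keep the demo reproducible. */
static const uint64_t GUARD_VALUE     = 0x5ca1ab1edeadc0deULL;
static const uint64_t RETURN_SENTINEL = 0x0000000000401234ULL;

/* The bug SSP exists to catch: a strcpy()-style copy with no bound. The overrun
 * is capped at the end of the simulated frame so it cannot touch this program's real stack. */
static void vulnerable_copy(struct sim_frame *f, const char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, in, len);   /* runs past buf into guard and beyond */
}

/* The proper fix: bound the copy to the buffer, keeping room for the NUL. */
static void bounded_copy(struct sim_frame *f, const char *in, size_t len)
{
    if (len > sizeof f->buf - 1)
        len = sizeof f->buf - 1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
}

/* Epilogue: the comparison the compiler emits before `ret`. On mismatch real code
 * calls __stack_chk_fail() and aborts. Returns 1 if smashed, 0 if intact. */
static int epilogue_check(const struct sim_frame *f)
{
    return f->guard != GUARD_VALUE;
}

/* Run one input through the frame: prologue, copy, and hand the frame back. */
static struct sim_frame simulate(const char *in, size_t len, int bounded)
{
    struct sim_frame f;
    memset(f.buf, 0, sizeof f.buf);    /* prologue: plant the canary */
    f.guard = GUARD_VALUE;
    f.saved_return = RETURN_SENTINEL;
    if (bounded)
        bounded_copy(&f, in, len);
    else
        vulnerable_copy(&f, in, len);
    return f;
}

/* Would the canary check fire for this input? */
int guard_smashed_by(const char *in, size_t len, int bounded)
{
    struct sim_frame f = simulate(in, len, bounded);
    return epilogue_check(&f);
}

/* Did the overrun get as far as the return address? */
int return_clobbered_by(const char *in, size_t len, int bounded)
{
    return simulate(in, len, bounded).saved_return != RETURN_SENTINEL;
}

/* Constructed attacker input: n bytes of 'A' (at most 64), no NUL. */
const char *attacker_input(size_t n)
{
    static char attack_buf[64];
    if (n > sizeof attack_buf)
        return NULL;
    memset(attack_buf, 'A', n);
    return attack_buf;
}

int main(void)
{
    const size_t sizes[] = { 5, 20, 40 };   /* fits; crosses the guard; reaches the return address */
    for (int bounded = 0; bounded < 2; bounded++)
        for (size_t i = 0; i < 3; i++) {
            size_t n = sizes[i];
            const char *in = attacker_input(n);
            printf("%-9s %2zu bytes: guard %s, return %s\n",
                   bounded ? "bounded" : "unbounded", n,
                   guard_smashed_by(in, n, bounded) ? "smashed" : "intact",
                   return_clobbered_by(in, n, bounded) ? "clobbered" : "intact");
        }
    return 0;
}
```

Build with `cc -Wall -o ssp_sim ssp_sim.c` and run it. The 20-byte input shows the property the canary relies on: a sequential overrun has to cross the guard before it reaches anything worth hijacking, so the epilogue check fires even though the return address is still intact. The 40-byte input overwrites the return address as well, and only the bounded copy keeps both untouched, which is the point made above about having to fix the programs rather than just turning the flag on. To confirm a real binary was actually built with the flag, look for the reference the check introduces, e.g. `nm binary | grep __stack_chk_fail`. The same layout also shows the limit of the mechanism: a write that lands past the guard without passing through it (an out-of-range index rather than a sequential overrun), or one that corrupts only other locals, heap data or function pointers, is never noticed, which is why the canary mitigates the bug rather than removing it.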

