AUTHOR: Robert Connolly (ashes) DATE: 2007-08-09 LICENSE: Public Domain SYNOPSIS: Stack Smashing Protector, and _FORTIFY_SOURCE PRIMARY URL: http://www.linuxfromscratch.org/hints/ DESCRIPTION: Stack Smashing Protector (SSP) is a C, C++, Obj, and Obj++ debugging/security extension for GCC. SSP was originally developed by IBM for protecting applications from the single largest class of program attacks, and it has since been adopted by many security oriented operating systems. More recently SSP was officially added to GCC, Glibc, and uClibc. This recent addition modified the original SSP implementation to add SSP to Tread Local Storage, so that each thread can be guarded separately. The IBM homepage for SSP is here: http://www.trl.ibm.com/projects/security/ssp/ Another nice description is here: http://www.usenix.org/events/sec01/full_papers/frantzen/frantzen_html/ node30.html "Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a random canary between any stack allocated character buffers and the return pointer [5]. It then validates that the canary has not been dirtied by an overflowed buffer before the function returns. ProPolice can also reorder local variables to protect local pointers from being overwritten in a buffer overflow. " _FORTIFY_SOURCE is a Glibc feature which adds memory and string function protection. There is no home site for this feature, but it is described well on this page: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html PREREQUISITES: GCC-4.1 (or newer) for SSP and _FORTIFY_SOURCE. Glibc-2.4 (or newer) for SSP and _FORTIFY_SOURCE. The standard version of SSP uses /dev/urandom directly. When a whole system is built with SSP this tends to consume all the kernel entropy. /dev/erandom is reccomended for SSP to conserve kernel entropy. See the entropy.txt hint for this at: http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt HINT: Context Stack Smashing Protector _FORTIFY_SOURCE - Stack Smashing Protector The GCC options for SSP are -fstack-protector, -fstack-protector-all, and -Wstack-protector. The -fstack-protector option only protects functions with character arrays, and is generally not recomended. The -fstack-protector-all option protects all functions. The -Wstack-protector option will produce a warning about any functions which are not protected. This warning can occure in functions with buffers smaller than 8 bytes. The '--param=ssp-buffer-size=' GCC option controls the minimum buffer size protected by SSP. There have been reports of problems with SSP and 'gcc -O3' with Python. It may or may not cause problems in other packages with -O3. The GCC manual page says to avoid using '-Wp' whenever possible, so use -D_FORTIFY_SOURCE=2 when using _FORTIFY_SOURCE. ===================== Installation ===================== # In chapter 5 of the LFS book, you don't need to do anything different. --------- Chapter 6 --------- # - Glibc # # Make SSP use /dev/erandom: sed -i 's@/dev/urandom@/dev/erandom@' sysdeps/unix/sysv/linux/dl-osinfo.h # The following does not work with Glibc-2.6.1... the build will go into an # infinite loop. This does work with Glibc-2.5. # Glibc's libraries can not be built with SSP or _FORTIFY_SOURCE, but the # applications can. This is optional. # # The 'nscd' program is built with -fstack-protector by default. The following # command will make -fstack-protector-all be used instead, for better # protection: sed -i 's/fstack-protector/&-all/' nscd/Makefile # After running ./configure, the follwing command will tell Glibc to build # the libraries but not the application programs: echo 'build-programs=no' > configparms # Then run 'make' normally. Now the programs can be built with SSP and # _FORTIFY_SOURCE. You can build the applications with SSP and/or # _FORTIFY_SOURCE... both are optional and independent of eachother. To build # Glibc's applications with both SSP and _FORTIFY_SOURCE use the following # command after building the libraries: echo 'CC = gcc -fstack-protector-all -D_FORTIFY_SOURCE=2 CXX = g++ -fstack-protector-all -D_FORTIFY_SOURCE=2 ' > configparms # Then run 'make' again. # The CC and CXX variables are used instead of CFLAGS and CXXFLAGS because # CFLAGS and CXXFLAGS are sometimes ignored by the Glibc build system. # The Glibc test suite should pass as if -fstack-protector-all and # -D_FORTIFY_SOURCE=2 were not used. Continue to test and install Glibc # normally. # - GCC # # To make GCC use SSP by default get: # http://www.linuxfromscratch.org/patches/downloads/gcc/ # gcc-4.1.2-fstack_protector-1.patch # or # http://www.linuxfromscratch.org/~robert/new/patches/ # gcc-4.2.1-fstack_protector.patch patch -Np1 -i gcc-4.1.2-fstack_protector-1.patch # This SSP patch adds -fstack-protector-all as the default for C, C++, OBJC, # and OBJC++. # To make GCC use -D_FORTIFY_SOURCE=2 by default get (this patch works for # gcc-4.2.1 too): # http://www.linuxfromscratch.org/patches/downloads/gcc/ # gcc-4.1.2-fortify_source-1.patch # If you want to build GCC itself with SSP and _FORTIFY_SOURCE, then use # 'make bootstrap'. If you want to build Binutils with SSP and _FORTIFY_SOURCE # then rebuild and reinstall it. Add --disable-werror to work around warnings # caused by _FORTIFY_SOURCE. # - Grub env CC="gcc -fno-stack-protector -U_FORTIFY_SOURCE" ./configure... # --------- # Chapter 8 # --------- # - Kernel # The recent 2.6 kernels will detect SSP and disable it. _FORTIFY_SOURCE can # be built into the kernel, or you can disable it with: # make CC="gcc -U_FORTIFY_SOURCE" # ----- # BLFS # ----- # There have been problems reported with Python built with SSP and -O3. Use # -O2 to build Python with SSP. # ======== # Testing # ======== # # The Glibc test suite includes tests for SSP and _FORTIFY_SOURCE. # # Additional regression tests can be found in NetBSD's regress/lib/libc/ssp/. # # There are a couple tests in the 'paxtest' package which may also be usefull. # http://pax.grsecurity.net/paxtest-0.9.5.tar.gz ACKNOWLEDGMENTS: * Thanks to Hiroaki Etoh for providing the SSP patch to IBM * Thanks to IBM for providing the SSP patch at http://www.research.ibm.com/trl/projects/security/ssp/ * Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/ * Thanks to netsys.com for this http://www.netsys.com/cgi-bin/display_article.cgi?1266 * Thanks to securityfocus.com and immunix.com for this http://www.securityfocus.com/archive/1/333986/2003-08-17/2003-08-23/2 * Thanks to adamantix.org for kernel patches. http://www.adamantix.org/ * Thanks to Avaya Labs for Libsafe http://www.research.avayalabs.com/project/libsafe/ * Thanks to Teemu Tervo for nptl hint http://www.linuxfromscratch.org/hints/downloads/files/nptl.txt * Thanks to cross compiling hint http://www.linuxfromscratch.org/hints/downloads/files/ \ crosscompiling-x86.txt * Thanks to http://www.isecurelabs.com/news/64 for proof of concept tests. * Thanks to Eli Billauer for the Frandom suite http://frandom.sourceforge.net/ http://www.billauer.co.il/ CHANGELOG: [2003-10-18] * Debut * Reformat hint [2003-10-22] * Reformatted the patches so they're much easier to apply. * Edit/rewrite hint & synopsis. [2003-10-24] * Added caveat. * Fixed URLS. * Lite edit [2003-10-25] * New bugs found. [2003-10-26] * GCC 2.95.3 patches made. [2003-10-27] * XFree86-4.3.0 patch made. * Hint is now Beta - Need more feedback. [2003-11-03] * Edit * Reformatted patches. [2003-11-12] * Reformat patches. * Update/edit hint. * Add new example tests. [2003-11-21] * Reformat patches. * Add homepage/mirror url. * Small edit. [2003-12-01] * Added Glibc and kernel patches. * Rewrote install procedure. [2003-12-20] * Try to be more informative. * Removed Gentoo property. * Added Libsafe. * Added Pax. * Added new versions of binutils and glibc. * Added GCC PIE. * Rename filename to winter.txt. [2003-12-21] * Do not use "Enforce non-executable pages" * Spell check. * Fixed URL. [2003-12-22] * Added LOPTS to Net-tools. * Added LDFLAGS to Perl. [2003-12-25] * More cflags. * New tests. [2003-12-30] * Renamed hint back to propolice.txt. * Added back Gentoo property as optional. [2004-01-01] * Added HCC [2004-01-17] * Cleanup [2004-02-08] * Update urls * Convert propolice to ssp [2004-02-15] * Update gcc-3.3.3 and linux-2.6.2 ssp patches [2004-02-19] * Update linux-2.6.3 patch and hgcc url [2004-03-27] * Add sspspecs patch. Update. [2004-04-18] * Added entropy.txt link for erandom. [2004-04-25] * Fix more/again for erandom. * Update some patches. [2004-10-01] * New patches. * Added guard-test.c [2004-10-28] * New patches [2004-10-30] * Do not use -O3 or -O4 * Use CFLAGS="-O2" for Perl chapter 6. [2004-11-04] * Remove frandom mktemp patch. * Add note about arc4random. * Update patches, new define for SYSCTL_ERANDOM. [2004-11-12] * Fix typos [2004-11-21] * Add new Glibc patches with stderr overflow messages. * Fixed sspspecs patches so they actually work with g++. [2004-12-02] * New glibc patches. * Added note about using 2.6.7 frandom patch for older kernels. [2004-12-06] * XFree86 patch works with Xorg too. * -O3 optimizations are fine. * Added -O2 to Grub's CFLAGS. [2005-01-16] * Updated for LFS-6.0. * Removed sspspecs patches, replaced with Perl command/script. * Removed obsolete kernel patch. * Added sed command for version.c. * Added fstack_protector patch to Glibc in chapter 6. * Add note for -O3 and Python. [2005-01-17] * Fixed misspellings. [2005-01-27] * Added --no-backup-if-mismatch to patch command. [2005-02-12] * Fix commands for LFS-6.0. * Added arc4random. [2005-02-18] * Added note for "ProPoliceSupport YES" in Xorg. * Added sed for Arts. [2007-08-08] * Finally updated for Glibc-2.4+ and GCC-4.1. * Added _FORTIFY_SOURCE * Removed Libsafe. It's own docs explain how to install it well. [2007-08-09] * Arts can compile with -fstack-protector-all now.