Category: SSP and SSXP development
is the open source paradigm crippled by an inherently flawed approach to providing systems security?
the answer for me is no.
many thanks to our security team for ignoring critical SSP bugs. the answer for me is no.
many thanks to our QA lead for replacing his head with a tomato. the answer for me is still no.
and many thanks to our council for supporting names like vapier and halcy0n (and wolf*lotsofnumbers*, i never knew he was into that kind of business) with their aggressive, destructive and pervasive notions of how people should conform to their fascist little black and white one in the stink two in the pink world. i still think the answer is no.
at least you got all the rotten tomatoes in one boat now and it's slowly sinking.
I'll be happy to leave you here with what you have. There have been no innovations hosted by Gentoo Linux on the security sector of host-based systems hardening for 5 years now. You fight people leaving faster than you can hire noobs to fill redundant positions because you fuckups still keep all your puppets in the right positions to decide what the public opinion is and what the people using Gentoo should "think" about your little /usr/portage experiment there.
well fuck you then, bitches.
whatever.

as always i'll have my last curtain with a song i loved when i was young- and maybe still do.
and now i have to admit- the answer to the above question for Gentoo Linux is definitely yes.
CAKE - The Distance
Reluctantly crouched at the starting line,
Engines pumping and thumping in time.
The green light flashes, the flags go up.
Churning and burning, they yearn for the cup.
They deftly maneuver and muscle for rank,
Fuel burning fast on an empty tank.
Reckless and wild, they pour through the turns.
Their prowess is potent and secretly stern.
As they speed through the finish, the flags go down.
The fans get up and they get out of town.
The arena is empty except for one man,
Still driving and striving as fast as he can.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's driving and striving and hugging the turns.
And thinking of someone for whom he still burns.
He's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse,
He's going the distance.
No trophy, no flowers, no flashbulbs, no wine,
He's haunted by something he cannot define.
Bowel-shaking earthquakes of doubt and remorse,
Assail him, impale him with monster-truck force.
In his mind, he's still driving, still making the grade.
She's hoping in time that her memories will fade.
Cause he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's striving and driving and hugging the turns.
And thinking of someone for whom he still burns.
Cause he's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's going the distance.
He's going for speed.
He's going the distance.
may the source be with you and your guards never fail at entropy.
Alex
PS: the next time you write bullshit about me in profiles/default/linux/package.use.mask, make sure you remove my name so i don't feel offended by your blatant ignorance of the problem itself.
Reflections
Today one of my biggest dreams got shattered by technical deficiencies.
Phreak helped me to experiment with the virtuals in my new experimental toy profile on miranda chroots. I learned a lot about catalyst and finally found my mistake: you need to roll up the portage tree (with the test profiles you added) into a portage-XXX.tar.bz2 and give that XXX name to the catalyst spec file before building the stages.
Otherwise it cannot find the profile in the portage snapshot and prints an erroneous message about your profile being broken, simply because it cannot find it in the portage snapshot that was unpacked.
So, while experimenting with stage building and making sure that masking sys-libs/glibc and mapping virtual/libc to my own testing version of sys-libs/hardened-glibc works (to cover the changes I want for SSPx and AT_ENTROPY without touching the holy sys-libs/glibc grail of our toolchain team), it suddenly turned into a full-fledged uphill battle that is impossible to win.
I am talking about reworking all affected packages in the tree to no longer depend on sys-devel/gcc but on virtual/cc or something like that, because we currently don't have a virtual for gcc. Good job, team.
In short: our toolchain is currently maintained by a single person, happily and monolithically aimed at glibc (and a bit of uclibc) and gcc.
Which in turn puts all control over the base system, the standard library and the compiler into the hands of one or two people, without users or other devs being able to plug in or attach another modular approach.
Which basically means you have no choice but to use the glibc and gcc provided by our distribution. A distribution that was about choice, at least the last time i read it on our homepage.
I still remember the support and the backup of our gcc and glibc hackers when in 2002 and 2003 the hardened toolchain was still a young project compared to the other projects of Gentoo, and how we were all working together on a shared vision... all gone.
Today it's about software quality and keeping your hands on your packages, which in turn control the behaviour of a complete GNU/Linux distribution.
Thank you very much.
Alex
playing with glibc-2.5-r3, kernel 2.6.21 and AT_ENTROPY
everybody who has a glibc-2.5-r3 please test the following program:
```c
#include <stdio.h>

/* __guard is the old Gentoo SSP canary symbol (ENABLE_OLD_SSP_COMPAT);
 * this only links against a glibc that still exports it. */
extern unsigned long int __guard;

int main(void) {
	/* %lx matches the unsigned long type of __guard */
	printf("__guard: [[0x%lx]]\n", __guard);
	/* spin forever so the process can be inspected with gdb */
	while(1) { ; }
	return(0);
}
```
compiled with gcc -static and single stepped with gdb, it should show that the guard is randomly initialized.
but compiled without -static, my tests show that __guard is always 0x0... bad bad cow.
but there is good news too: the AT_ENTROPY patch
this is a stub for 2.6.21 kernel source
falcon linux # grep -A2 -B2 -ri "deadbeef" fs/binfmt_elf.c
NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
NEW_AUX_ENT(AT_ENTROPY, 0xdeadbeef);
NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
the glibc patch is "done" (leave out the 0x0 problem)
diff -Nru glibc-2.5.ORIG/csu/libc-start.c glibc-2.5/csu/libc-start.c
--- glibc-2.5.ORIG/csu/libc-start.c 2007-06-16 15:23:50.000000000 +0200
+++ glibc-2.5/csu/libc-start.c 2007-06-16 16:01:19.000000000 +0200
@@ -165,8 +165,16 @@
#endif
# ifndef SHARED
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
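Review bot: the `if (GLRO(dl_entropy) != 0)` test makes a legitimately zero random value fall back silently, which is harmless, but note that the kernel stub shown above still emits the constant 0xdeadbeef, so every static binary built against this gets the same guard until that stub is replaced. Style-wise the `if (...) {` / `else {` bracing does not follow the GNU layout used around it (brace on its own line, indented two spaces); worth fixing before anyone sends it upstream.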
diff -Nru glibc-2.5.ORIG/elf/dl-support.c glibc-2.5/elf/dl-support.c
--- glibc-2.5.ORIG/elf/dl-support.c 2005-05-11 19:27:22.000000000 +0200
+++ glibc-2.5/elf/dl-support.c 2007-06-16 16:13:33.000000000 +0200
@@ -155,6 +155,8 @@
#ifdef HAVE_AUX_VECTOR
int _dl_clktck;
+uintptr_t _dl_entropy;
+
void
internal_function
_dl_aux_init (ElfW(auxv_t) *av)
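Review bot: `uintptr_t _dl_entropy;` lands inside the `#ifdef HAVE_AUX_VECTOR` block (it sits right under `int _dl_clktck;`), while the libc-start.c hunk reads `GLRO(dl_entropy)` under a plain `# ifndef SHARED`; on a configuration without HAVE_AUX_VECTOR the static libc would reference an undefined symbol. Either guard the use the same way or define the variable unconditionally and leave it 0 so the fallback path is taken.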
@@ -172,6 +174,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_PHDR:
GL(dl_phdr) = (void *) av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/dl-sysdep.c glibc-2.5/elf/dl-sysdep.c
--- glibc-2.5.ORIG/elf/dl-sysdep.c 2005-12-14 09:36:14.000000000 +0100
+++ glibc-2.5/elf/dl-sysdep.c 2007-06-16 16:12:38.000000000 +0200
@@ -160,6 +160,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_FPUCW:
GLRO(dl_fpu_control) = av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/elf.h glibc-2.5/elf/elf.h
--- glibc-2.5.ORIG/elf/elf.h 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/elf.h 2007-06-16 16:01:48.000000000 +0200
@@ -977,6 +977,8 @@
#define AT_SECURE 23 /* Boolean, was exec setuid-like? */
+#define AT_ENTROPY 24 /* kernel entropy */
+
/* Pointer to the global system page used for system calls and other
nice things. */
#define AT_SYSINFO 32
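Review bot: `AT_ENTROPY 24` is a locally chosen number; it has to match the kernel's include/linux/auxvec.h and must be reserved upstream before anything ships, otherwise a later kernel may hand out 24 for something else and `_dl_aux_init` will silently take an unrelated value as the canary. The comment could also state the width (the value fills a full `uintptr_t`, not 32 bits).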
diff -Nru glibc-2.5.ORIG/elf/rtld.c glibc-2.5/elf/rtld.c
--- glibc-2.5.ORIG/elf/rtld.c 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/rtld.c 2007-06-16 16:01:28.000000000 +0200
@@ -1838,8 +1838,16 @@
tcbp = init_tls ();
#endif
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
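Review bot: this block is a verbatim copy of the libc-start.c hunk; put the `dl_entropy` check inside `_dl_setup_stack_chk_guard ()` itself, which both the static path and ld.so already call, so the two callers cannot drift apart and the bracing lives in one place.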
diff -Nru glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h glibc-2.5/sysdeps/generic/ldsodefs.h
--- glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h 2006-08-24 22:27:05.000000000 +0200
+++ glibc-2.5/sysdeps/generic/ldsodefs.h 2007-06-16 16:04:02.000000000 +0200
@@ -558,6 +558,9 @@
/* CLK_TCK as reported by the kernel. */
EXTERN int _dl_clktck;
+ /* ENTROPY provided by kernel */
+ EXTERN uintptr_t _dl_entropy;
+
/* If nonzero print warnings messages. */
EXTERN int _dl_verbose;
cya,
Alex
smack it up
So i'm giving it another try, this time i will only be playing with statically linked executables for now...
diff -Nru glibc-2.4.ORIG/csu/libc-start.c glibc-2.4/csu/libc-start.c
--- glibc-2.4.ORIG/csu/libc-start.c 2007-01-21 04:29:20.000000000 +0000
+++ glibc-2.4/csu/libc-start.c 2007-01-21 06:22:05.000000000 +0000
@@ -35,15 +35,6 @@
__attribute__ ((weak))
# endif
;
-# ifndef THREAD_SET_STACK_GUARD
-/* Only exported for architectures that don't store the stack guard canary
- in thread local area. */
-uintptr_t __stack_chk_guard attribute_relro;
-# endif
-#endif
-#ifdef ENABLE_OLD_SSP_COMPAT
-uintptr_t __guard_local attribute_relro attribute_hidden __attribute__ ((nocommon,weak));
-weak_alias (__guard_local, __guard);
#endif
#ifdef HAVE_PTR_NTHREADS
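Review bot: the removed definitions take `weak_alias (__guard_local, __guard)` with them, and the context does not show which `#if` the block sat under; confirm the surviving `#endif` closes the `# ifndef SHARED` region these lived in, since an unbalanced `#endif` would only surface in the SHARED build. The `__guard` alias is what old `-fstack-protector` binaries (such as the test program further up this page) link against, so it must be re-established wherever the definition lands.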
@@ -153,19 +144,6 @@
__pthread_initialize_minimal ();
#endif
-# ifndef SHARED
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
-#ifdef ENABLE_OLD_SSP_COMPAT
- __guard_local = stack_chk_guard;
-#endif
-# ifdef THREAD_SET_STACK_GUARD
- THREAD_SET_STACK_GUARD (stack_chk_guard);
-# else
- __stack_chk_guard = stack_chk_guard;
-# endif
-#endif
-
/* Register the destructor of the dynamic linker if there is any. */
if (__builtin_expect (rtld_fini != NULL, 1))
__cxa_atexit ((void (*) (void *)) rtld_fini, NULL, NULL);
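Review bot: the removed setup deliberately sat after `__pthread_initialize_minimal ()` (the context line at the top of the hunk) because `THREAD_SET_STACK_GUARD` writes the canary into the thread control block; `_dl_aux_init`, where the next file moves the setup, runs during the early auxv processing at the start of `__libc_start_main`, before TLS is initialised on architectures that keep the guard there. Let the auxv parser only stash the kernel value in a global and keep the `THREAD_SET_STACK_GUARD` here, after TLS initialisation.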
This piece above basically removes the current SSP setup for statically linked executables.
Instead we move it to the other function that also sets up the aux vector data.
diff -Nru glibc-2.4.ORIG/elf/dl-support.c glibc-2.4/elf/dl-support.c
--- glibc-2.4.ORIG/elf/dl-support.c 2005-05-11 17:27:22.000000000 +0000
+++ glibc-2.4/elf/dl-support.c 2007-01-21 06:35:33.000000000 +0000
@@ -32,6 +32,27 @@
#include XXXunsecvars.hXXX
#include XXXhp-timing.hXXX
+#ifndef SHARED
+# include XXXdl-osinfo.hXXX
+/* in a statically linked executable
+ * this is the place for the definition
+ * of the non TLS SSP guard symbols */
+
+# ifndef THREAD_SET_STACK_GUARD
+/* Only exported for architectures that
+ * don't store the stack guard canary
+ * in thread local area. */
+uintptr_t __stack_chk_guard attribute_relro;
+# endif
+
+# ifdef ENABLE_OLD_SSP_COMPAT
+/* support for the old SSP symbols in the Gentoo glibc */
+uintptr_t __guard_local attribute_relro attribute_hidden __attribute__ ((nocommon,weak));
+weak_alias (__guard_local, __guard);
+# endif
+
+#endif
+
extern char *__progname;
char **_dl_argv = &__progname; /* This is checked for some error messages. */
@@ -163,9 +184,20 @@
uid_t uid = 0;
gid_t gid = 0;
+# ifndef SHARED
+ uintptr_t stack_chk_guard = 0;
+# endif
+
for (; av->a_type != AT_NULL; ++av)
switch (av->a_type)
{
+# ifndef SHARED
+ case AT_RANDOM32:
+ /* Initialize the stack checker's canary
+ * with kernel entropy */
+ stack_chk_guard = av->a_un.a_val;
+ break;
+# endif
case AT_PAGESZ:
GLRO(dl_pagesize) = av->a_un.a_val;
break;
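Review bot: `case AT_RANDOM32` assigns a 32-bit value straight into `uintptr_t stack_chk_guard`; on a 64-bit target the upper half of the canary is therefore always zero, which is a step back from what `_dl_setup_stack_chk_guard ()` produces there. Either widen the aux entry to a full word or mix the 32 bits into the fallback value rather than replacing it.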
@@ -213,6 +245,24 @@
__libc_enable_secure_decided = 1;
break;
}
+
+# ifndef SHARED
+ if (stack_chk_guard == 0)
+ {
+ /* Set up the stack checker's canary
+ * if it wasn't set up by retrieving
+ * kernel entropy via auxiliary vector */
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+# ifdef ENABLE_OLD_SSP_COMPAT
+ __guard_local = stack_chk_guard;
+# endif
+# ifdef THREAD_SET_STACK_GUARD
+ THREAD_SET_STACK_GUARD (stack_chk_guard);
+# else
+ __stack_chk_guard = stack_chk_guard;
+# endif
+# endif
if (seen == 0xf)
{
__libc_enable_secure = uid != 0 || gid != 0;
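Review bot: the `if (stack_chk_guard == 0)` fallback and the `THREAD_SET_STACK_GUARD (stack_chk_guard)` now execute inside `_dl_aux_init`, which `__libc_start_main` calls before `__pthread_initialize_minimal ()` sets up TLS, so on TLS architectures the guard is written before the thread pointer is valid. Keep only the value capture here and move the `THREAD_SET_STACK_GUARD` / `__stack_chk_guard` assignment back to libc-start.c; a one-line comment that a kernel value of exactly 0 is intentionally treated as "not provided" would also help.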
And last but not least we still need the right numeric constants in place:
diff -Nru glibc-2.4.ORIG/elf/elf.h glibc-2.4/elf/elf.h
--- glibc-2.4.ORIG/elf/elf.h 2007-01-21 04:29:21.000000000 +0000
+++ glibc-2.4/elf/elf.h 2007-01-21 06:28:53.000000000 +0000
@@ -981,6 +981,8 @@
#define AT_SECURE 23 /* Boolean, was exec setuid-like? */
+#define AT_RANDOM32 24 /* 32 bit kernel entropy */
+
/* Pointer to the global system page used for system calls and other
nice things. */
#define AT_SYSINFO 32
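Review bot: `AT_RANDOM32 24` reuses the number 24 already used as `AT_ENTROPY` in the other patch on this page; fine while both are local experiments, but the value must match the kernel's include/linux/auxvec.h and be reserved upstream (the post itself mentions dsd and gregkh), or `_dl_aux_init` will take a foreign entry as the canary.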
If you try to be a clever kid and nick the patch from this site, remember to put back the greater-than and less-than signs that are currently represented by XXX.
Cya,
Alex
AT_RANDOM32 SSP entropy patch for glibc
So it's 6am and i spent the last hours working on that patch.
Due to some deficiencies i wasn't able to get it going smoothly.
Miranda is running with the kernel providing AT_RANDOM32 as number 24; i still need to poke dsd or gregkh about filing that number upstream to avoid clashes, and later talk the glibc folks into accepting the number too...
It looks like there is no need for THREAD_GET_STACK_GUARD in glibc, hence this macro does not exist as of now.
Which means i cannot check for an already set up guard in the respective functions in either csu/libc-start.c or elf/rtld.c when TLS is used...
Looks like the glibc hacking is taking more of my precious time; the kernel patch will need some loving too, at the moment i'm using the pretty simplistic test value 0xdeadbeef. Hooray for boobies.
Alex
auxiliary vector entropy mockup for SSP guard setup in glibc-2.4
preliminary patch
look and evaluate, do not use or apply to live sources!
this blog serves mainly as a brain helper for my weak memory... it is not meant to be final quality gentoo stuff, but it shows reasonably well the way we are going...
Most of the patch tries to defuse the original guard setup and use the aux vector entry AT_SSP_ENTROPY provided by the kernel...
TODO: reentrant code that checks for already set up guard, hierarchy of setup:
ld.so: AT_SSP_ENTROPY
ld.so: _dl_setup_stack_chk...
ld.so: static canary if the _dl_setup failed (?)
TODO2: how do static executables get the AT_ aux vector from kernel if not via ld.so?
Alex
diff -Nru glibc-2.4.ORIG/csu/libc-start.c glibc-2.4/csu/libc-start.c
--- glibc-2.4.ORIG/csu/libc-start.c 2005-12-14 10:29:25.000000000 +0100
+++ glibc-2.4/csu/libc-start.c 2007-01-19 05:02:49.000000000 +0100
@@ -151,7 +151,8 @@
# ifndef SHARED
/* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ // XXX uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ uintptr_t stack_chk_guard = 0xfeedfeed;
# ifdef THREAD_SET_STACK_GUARD
THREAD_SET_STACK_GUARD (stack_chk_guard);
# else
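Review bot: the hard-coded `0xfeedfeed` gives every statically linked program the same predictable canary, acceptable only for the mockup the post describes; the `// XXX` line should be a `/* */` comment, which is the only comment style used in this tree.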
diff -Nru glibc-2.4.ORIG/elf/dl-support.c glibc-2.4/elf/dl-support.c
--- glibc-2.4.ORIG/elf/dl-support.c 2005-05-11 19:27:22.000000000 +0200
+++ glibc-2.4/elf/dl-support.c 2007-01-19 05:10:50.000000000 +0100
@@ -151,6 +151,11 @@
At this time it is not anymore a problem to modify the tables. */
__rtld_lock_define_initialized_recursive (, _dl_load_lock)
+#ifndef THREAD_SET_STACK_GUARD
+/* Only exported for architectures that don't store the stack guard canary
+ * in thread local area. */
+uintptr_t __stack_chk_guard attribute_relro;
+#endif
#ifdef HAVE_AUX_VECTOR
int _dl_clktck;
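Review bot: this adds a second `uintptr_t __stack_chk_guard attribute_relro;` for non-TLS architectures while csu/libc-start.c still carries its own (this mockup's libc-start.c hunk does not remove it; the later "smack it up" patch on this page does), and the section attribute keeps the two from being merged as common symbols, so libc.a would end up with duplicate definitions. Remove the libc-start.c copy in the same patch or drop this one.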
@@ -166,6 +171,14 @@
for (; av->a_type != AT_NULL; ++av)
switch (av->a_type)
{
+ case AT_SSP_ENTROPY:
+ uintptr_t stack_chk_guard = av->a_un.a_val;
+#ifdef THREAD_SET_STACK_GUARD
+ THREAD_SET_STACK_GUARD (stack_chk_guard);
+#else
+ __stack_chk_guard = stack_chk_guard;
+#endif
+ break;
case AT_PAGESZ:
GLRO(dl_pagesize) = av->a_un.a_val;
break;
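Review bot: `case AT_SSP_ENTROPY:` is immediately followed by the declaration `uintptr_t stack_chk_guard = av->a_un.a_val;`, which C does not allow directly after a label (GCC: "a label can only be part of a statement and a declaration is not a statement"); wrap the case body in braces, which also stops the variable's scope from leaking into the other cases. The `THREAD_SET_STACK_GUARD` call here also runs before the static startup has initialised TLS, so on TLS architectures the value goes to an unset thread pointer.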
@@ -212,6 +225,7 @@
__libc_enable_secure = av->a_un.a_val;
__libc_enable_secure_decided = 1;
break;
+
}
if (seen == 0xf)
{
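Review bot: this hunk only adds a blank line before the closing brace of the switch; drop it so the diff contains only real changes.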
diff -Nru glibc-2.4.ORIG/elf/rtld.c glibc-2.4/elf/rtld.c
--- glibc-2.4.ORIG/elf/rtld.c 2005-12-30 08:22:27.000000000 +0100
+++ glibc-2.4/elf/rtld.c 2007-01-19 05:09:10.000000000 +0100
@@ -87,7 +87,7 @@
#ifndef THREAD_SET_STACK_GUARD
/* Only exported for architectures that don't store the stack guard canary
in thread local area. */
-uintptr_t __stack_chk_guard attribute_relro;
+// XXX uintptr_t __stack_chk_guard attribute_relro;
#endif
/* Only exported for architectures that don't store the pointer guard
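Review bot: commenting out `__stack_chk_guard` in rtld.c leaves ld.so without any definition of that symbol on architectures lacking THREAD_SET_STACK_GUARD unless the copy now in dl-support.c is linked into ld.so as well; whether it is, is exactly what the IRC exchange below is about, so confirm via elf/Makefile before relying on it.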
@@ -1834,10 +1834,11 @@
/* Set up the stack checker's canary. */
uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+
#ifdef THREAD_SET_STACK_GUARD
- THREAD_SET_STACK_GUARD (stack_chk_guard);
+ // XXX THREAD_SET_STACK_GUARD (stack_chk_guard);
#else
- __stack_chk_guard = stack_chk_guard;
+ // XXX __stack_chk_guard = stack_chk_guard;
#endif
/* Set up the pointer guard as well, if necessary. */
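Review bot: `_dl_setup_stack_chk_guard ()` is still called and its result then discarded, since both assignments below it are commented out, so ld.so in this mockup runs with whatever the guard slot held before (typically zero) and depends entirely on the AT_SSP_ENTROPY case, which lives in dl-support.c's parser rather than in the dl-sysdep.c loop that ld.so actually runs (the PS below raises this). For the real patch, handle the aux entry in dl-sysdep.c too and keep the fallback.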
PS: i think we should not use _dl_aux_init (ElfW(auxv_t) *av) but this function:
./elf/dl-sysdep.c
```c
ElfW(Addr)
_dl_sysdep_start (void **start_argptr,
                  void (*dl_main) (const ElfW(Phdr) *phdr, ElfW(Word) phnum,
                                   ElfW(Addr) *user_entry))
{
...
  __libc_stack_end = DL_STACK_END (start_argptr);
  DL_FIND_ARG_COMPONENTS (start_argptr, _dl_argc, INTUSE(_dl_argv), _environ,
                          _dl_auxv);

  user_entry = (ElfW(Addr)) ENTRY_POINT;
  GLRO(dl_platform) = NULL; /* Default to nothing known about the platform. */

  for (av = _dl_auxv; av->a_type != AT_NULL; set_seen (av++))
    switch (av->a_type)
      {
      case AT_PHDR:
        phdr = (void *) av->a_un.a_val;
        break;
      case AT_PHNUM:
        phnum = av->a_un.a_val;
        break;
      case AT_PAGESZ:
        GLRO(dl_pagesize) = av->a_un.a_val;
        break;
...
```
PPS: from what i hear from vapier, the dl-support.c parser is the way to go:
05:34 |@pappy-| i need dsd_ to clear me up on the size calculation of the AT_ vector
05:34 |@vapier| dl-sysdep.c is a rtld only file
05:35 |@pappy-| i have no idea how and what the value is composed of
05:35 |@vapier| you can tell by looking at elf/Makefile
05:35 |@vapier| if you modify the AT parser in dl-support.c, that'll be in both ldso and libc.a
05:35 |@pappy-| well dl-sysdep.c and dl-support.c seem to be the only AT_ switch statements that work on the data
05:35 |@vapier| you can also cheat and do `ar t /usr/lib/libc.a`
05:35 |@pappy-| vapier: oh thanks
05:35 -!- yvasilev [n=yvasilev@189.140.153.243] has quit ["Leaving."]
05:35 |@pappy-| vapier: i will mock up dl-support.c then
05:35 |@pappy-| this is what i wanted to hear
05:36 |@pappy-| the parser in dl-support.c is in the function _dl_aux_init
auxiliary vector table support for SSP
A long time ago our friend pipacs brought up the idea that ld.so should receive the randomized values needed for setting up the guard symbol.
Tonight (and after reading up on AT_ stuff last night) i did the first tests for my 2.6.18-hardened-r1 kernel here:
"include/asm/auxvec.h"
```c
/*
 * Architecture-neutral AT_ values in 0-18, leave some room
 * for more of them, start the x86-specific ones at 32.
 */
```
"include/linux/auxvec.h"
```c
#define AT_HWCAP 16 /* arch dependent hints at CPU capabilities */
#define AT_CLKTCK 17 /* frequency at which times() increments */

#define AT_SSP_ENTROPY 18 /* kernel entropy for ld.so setting up Stack Smashing Protection */

#define AT_SECURE 23 /* secure mode boolean */

#define AT_VECTOR_SIZE 44 /* Size of auxiliary table. */
```
I hope AT_VECTOR_SIZE is indeed the mere number of entries in the table, not the physical byte size of the data represented by the table.
The main piece is in "fs/binfmt_elf.c"
```c
static int
create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
                  int interp_aout, unsigned long load_addr,
                  unsigned long interp_load_addr)
...
	NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
	NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
	NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
	NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
	NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
	NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
	NEW_AUX_ENT(AT_BASE, interp_load_addr);
	NEW_AUX_ENT(AT_FLAGS, 0);
	NEW_AUX_ENT(AT_ENTRY, exec->e_entry);
	NEW_AUX_ENT(AT_UID, tsk->uid);
	NEW_AUX_ENT(AT_EUID, tsk->euid);
	NEW_AUX_ENT(AT_GID, tsk->gid);
	NEW_AUX_ENT(AT_EGID, tsk->egid);

	/* SSP entropy */
	/*
	 * for testing purposes we are using a debugging canary
	 */
#ifndef AT_SSP_ENTROPY_DEBUG_BEACON
#define AT_SSP_ENTROPY_DEBUG_BEACON 0xdeadbeef
#endif

	/*
	 * this definition is used for assigning a function
	 * that retrieves kernel entropy
	 *
	 * however, for testing and developing the ld.so changes
	 * it is enough to use a fixed value debug item
	 */
#ifndef AT_SSP_ENTROPY_FUNCTION
#define AT_SSP_ENTROPY_FUNCTION AT_SSP_ENTROPY_DEBUG_BEACON
#endif

	/*
	 * emit the AT_ data/value pair to the freshly created ELF process
	 * definitions in "include/linux/auxvec.h" and "include/asm/auxvec.h"
	 */
#ifdef AT_SSP_ENTROPY_FUNCTION
	NEW_AUX_ENT(AT_SSP_ENTROPY, AT_SSP_ENTROPY_FUNCTION);
#endif

	NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm));
```
As far as i know that's it... we'll see when i mock up ld.so on apocalypse to try reading the AT_SSP_ENTROPY.
When things go up, they must come down.
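As an added illustration (not code from this post, from glibc or from the kernel), here is a user-space model of the parser the ld.so side still has to grow: it walks an ElfW(auxv_t) array the way _dl_aux_init does, picks out AT_SSP_ENTROPY (18, as in the auxvec.h excerpt above), falls back when the kernel sent nothing or sent zero, and then runs the same parser over the program's own live auxv. The fallback value and the find_auxv helper are assumptions standing in for glibc's own code.

```c
#include <link.h>      /* ElfW() plus the AT_* constants from elf.h */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value from the post's include/linux/auxvec.h; a stock kernel never emits it. */
#ifndef AT_SSP_ENTROPY
# define AT_SSP_ENTROPY 18
#endif

struct auxinfo {
    uintptr_t pagesz;   /* AT_PAGESZ */
    uintptr_t secure;   /* AT_SECURE */
    uintptr_t entropy;  /* AT_SSP_ENTROPY, stays 0 when the kernel sent none */
};

/* Same shape as the _dl_aux_init loop: walk until AT_NULL, switch on type. */
void parse_auxv(const ElfW(auxv_t) *av, struct auxinfo *out)
{
    memset(out, 0, sizeof *out);
    for (; av->a_type != AT_NULL; ++av)
        switch (av->a_type) {
        case AT_PAGESZ:      out->pagesz  = av->a_un.a_val; break;
        case AT_SECURE:      out->secure  = av->a_un.a_val; break;
        case AT_SSP_ENTROPY: out->entropy = av->a_un.a_val; break;
        default: break;
        }
}

/* Stand-in (assumption) for _dl_setup_stack_chk_guard (): a fixed,
 * recognisable value so a caller can tell which path was taken. */
uintptr_t fallback_guard(void) { return (uintptr_t)0xff0a0000u; }

/* The decision the glibc hunks on this page encode: a non-zero kernel
 * entry wins, a zero or missing entry falls back to the old setup. */
uintptr_t choose_guard(const struct auxinfo *ai)
{
    return ai->entropy != 0 ? ai->entropy : fallback_guard();
}

/* The live auxv starts right after the NULL that terminates environ;
 * this is what DL_FIND_ARG_COMPONENTS does inside ld.so. */
const ElfW(auxv_t) *find_auxv(char **envp)
{
    while (*envp != NULL) ++envp;
    return (const ElfW(auxv_t) *)(envp + 1);
}

/* Self-test on a constructed auxv (not captured from a real process):
 * returns the guard the parser would select with or without the entry. */
uintptr_t sample_guard(int with_entropy)
{
    ElfW(auxv_t) av[] = {
        { AT_PAGESZ, { 4096 } },
        { AT_SSP_ENTROPY, { with_entropy ? 0xdeadbeefu : 0 } },
        { AT_NULL, { 0 } },
    };
    struct auxinfo ai;
    parse_auxv(av, &ai);
    return choose_guard(&ai);
}

int main(int argc, char **argv, char **envp)
{
    struct auxinfo ai;
    (void)argc; (void)argv;
    parse_auxv(find_auxv(envp), &ai);
    /* unpatched kernel: fallback; the patched 2.6.18-hardened-r1 with the
     * debug beacon still in place would deliver 0xdeadbeef from the kernel */
    printf("AT_PAGESZ=%lu AT_SECURE=%lu guard=0x%lx via %s\n",
           (unsigned long)ai.pagesz, (unsigned long)ai.secure,
           (unsigned long)choose_guard(&ai),
           ai.entropy ? "AT_SSP_ENTROPY" : "fallback");
    return 0;
}
```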
Cheers, Alex
Stack Smashing XOR Protection - the next big leap forward ...
Link: http://dev.gentoo.org/~pappy/ssxp/
It has been a long time since 2003 when i joined the Hardened project.
Matt Rickard (frogger) introduced the SSP solution by Hiroaki Etoh of IBM Labs Japan to our toolchain, while projects like Debian and the already very commercial and upstream-oriented Red Hat hesitated to officially include this precious piece of security defense for the systems of our users. Today it's 2007 and you can see it in upstream.
Which means for us: time for Gentoo to take the lead again and bring something new: SSXP.
SSP is very mature, but it has its deficiencies. It can stop linear stack attacks, but nothing more.
However, with PaX randomizing the return address, the new SSXP will transparently encode the randomized return address in the stack frame on entering the function and decode it again on returning from the function.
Got interested? Here is the full story: The SSXP design and reference guide.
The whole idea came to me on a train ride from Saarbrucken to Trier, heading home from Munich.
It took me from 2005 to 2006 to think it over, and i really have to say a big big thank you to Andrew Pinski and the PaX Team for the outstanding support during the technical implementation as gcc Register Transfer Language code. Also i would like to thank solar and GNi for the big test boxes i can use for free, and my college, the Fachhochschule Trier, for making this project possible!
Enjoy reading and make sure you leave a comment with feedback what i can improve and whether you would like to see this in Gentoo Hardened or not!
Thanks and cheers,
Alex