Expanding the list of "Hardened Packages"
Richard W.M. Jones
rjones at redhat.com
Sat Apr 13 19:44:44 UTC 2013
On Sat, Apr 13, 2013 at 08:36:53PM +0200, Kevin Kofler wrote:
> Richard W.M. Jones wrote:
> > (1) -fstack-protector{,-all} doesn't implement full bounds checking
> > for every C object.
>
> But it prevents (with probability (256^n-1)/256^n, where n is the size of
> the canary in bytes, which for n=4 is approximately .99999999976717)
> exploiting the overflows to change the return address of any C function.
I said it "doesn't implement full bounds checking for every C object",
and I stand by that. I doesn't cover stack objects smaller than some
cut-off size, nor any objects in static data or on the heap at all. I
do know quite a lot about this, having written the very first bounds
checking extension to GCC back in 1994/5:
http://www.doc.ic.ac.uk/~phjk/BoundsChecking.html
> > (2) SELinux controls what labelled resources a process can access.
> > This covers far more than buffer overflows in C programs. It covers
> > other programming languages, design flaws and implementation 'thinko's
> > of all sorts. I would argue (separate from this) that it's good to
> > define precisely what resources a program can access, rather than the
> > default "access just about everything".
>
> And I would argue that this amounts to second-guessing/duplicating what the
> program tries to do in an unmaintainable morass of rules, which even for the
> targeted policy (which is not even close to covering all programs in Fedora
> other than as "unconfined") keeps having bugs which need to be fixed every
> day, even after YEARS of debugging. SELinux just does not scale, it's a
> centralized database which needs to essentially contain a variant of every
> program's source code, rewritten in a rule language only few people actually
> comprehend.
That's your opinion. I suggest you take a look at SELinux policies as
well as the many new policy management tools.
> Instead of duplicating the information already contained in the program's
> source code, the right approach is to ensure the program does not do
> anything that is NOT part of its source code, which means blocking arbitrary
> code execution exploits!
This would be excellent, and projects in this area could make a
significant contribution. I suspect that any general code-to-policy
translator will hit the Halting Problem, since it seems trivial to
write a program which would not be possible to translate, but that
doesn't mean it can't be solved for many useful real world cases.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
More information about the devel
mailing list