From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 13:29:16 2007
Date: Sun, 30 Dec 2007 14:26:11 +0100
From: Jeremie Le Hen
To: Mike Silbersack
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071230132611.GD10467@obiwan.tataz.chchile.org>
In-Reply-To: <20071228200428.J6052@odysseus.silby.com>
Hi,

On Fri, Dec 28, 2007 at 08:20:20PM -0600, Mike Silbersack wrote:
> Since the subject came up, I just tried using it, and it's not giving me the
> results I expected.  Take the following program:
>
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
>
> void overrun(void);
>
> int main(void)
> {
>     overrun();
> }
>
> void overrun(void)
> {
>     int x;
>     char a[4];
>     int y;
>
>     strcpy(a, "ABCDE");
>     printf("hi");
> }
>
> If I compile it like so:
>
> cc -g -fstack-protector-all overrun.c
>
> The overrun is detected and the program is aborted.
>
> ./a.out
> Abort (core dumped)
>
> But if I compile it like so:
>
> cc -g -fstack-protector overrun.c
>
> The overrun is not caught.
>
> ./a.out
> hi>
>
> Either I'm doing something wrong, or we have gcc misconfigured and it's not
> detecting that strcpy is a function which needs to be watched closely.

Actually, you did nothing wrong.  Except maybe not wasting time to look
at the GCC info page ;).

% `-fstack-protector'
%     Emit extra code to check for buffer overflows, such as stack
%     smashing attacks.  This is done by adding a guard variable to
%     functions with vulnerable objects.  This includes functions that
%     call alloca, and functions with buffers larger than 8 bytes.  The
%     guards are initialized when a function is entered and then checked
%     when the function exits.  If a guard check fails, an error message
%     is printed and the program exits.

I believed it was possible to customize this threshold (I'm pretty sure
I've already seen such an option in some patch floating around the GCC
community) but a quick glance at the source shows it is not possible
actually.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 13:33:04 2007
Date: Sun, 30 Dec 2007 14:00:53 +0100
From: Jeremie Le Hen
To: Gunther Mayer
Cc: freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071230130053.GC10467@obiwan.tataz.chchile.org>
In-Reply-To: <477115FE.2070705@gmail.com>
Hi Gunther,

On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).  Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it.  However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
>    using it?

I can't tell myself about the quality of the kernel bits, but at least I
can state that I'm sure in case of a stack-based buffer overflow, the
kernel will crash instead of being exploited.

> 3. Does using the kernel and userland patch mean that I am eternally
>    stuck to compiling from source if I want to keep SSP on all the
>    time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp?  Jeremy reckons that it's a lost
>    cause and causes more trouble than it's worth.  Yet libssp seems to
>    be the only thing that actually fully integrated in 7.0

GNU libssp is provided in FreeBSD 7.0 but it is not used, though, because
libc already provides the required symbols (lib/libc/sys/stack_protector.c).
I think GNU libssp is useful only when compiling something without libc
support (-nodefaultlibs).
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 13:34:11 2007
Date: Sun, 30 Dec 2007 14:31:07 +0100
From: Jeremie Le Hen
To: Dag-Erling Smørgrav
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071230133107.GE10467@obiwan.tataz.chchile.org>
In-Reply-To: <86myrvhht9.fsf@ds4.des.no>
Hi,

On Thu, Dec 27, 2007 at 11:52:02PM +0100, Dag-Erling Smørgrav wrote:
> Gunther Mayer writes:
> > I've known about ProPolice/SSP for a while now (from the Gentoo world)
> > and am aware that FreeBSD 7.0 doesn't yet support it though I know of
> > Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>
> Wrong.  FreeBSD 7 has had SSP support since May; the patch you mention
> just turns it on by default.  You can probably achieve the same effect
> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.

This is mostly true.  Given that stack protection requires extra symbols
from either libc or GNU libssp, it is disabled for the sys/boot/ stuff and
could also be disabled for /rescue.  In order to compile the kernel with
SSP, it must contain the required symbols as well (the canary and the
stack smash handler).

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
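Jeremie's point above, that SSP-instrumented code only links and only works if something provides the canary and the stack smash handler, in runnable form. This is an added example, not FreeBSD's lib/libc/sys/stack_protector.c and not the kernel SSP patch: a minimal runtime defining the two symbols gcc's -fstack-protector code references, __stack_chk_guard and __stack_chk_fail (the same names that appear in the assembly Anders posts later in this thread). The assumptions are mine: the guard is seeded from /dev/urandom (FreeBSD's libc asks the kernel's random sysctl instead, and a kernel would draw on its own entropy pool), its lowest-addressed byte is forced to zero as a terminator canary, and the ssp_* helper names exist nowhere in FreeBSD. Build it against a libc that does not already define these symbols (on FreeBSD 7 that means -nodefaultlibs, exactly the case Jeremie gives for GNU libssp). On glibc/x86 the compiler reads the canary from thread-local storage rather than from __stack_chk_guard, so there the variable is only illustrative while the fail handler is still the one that gets called.

```c
/*
 * Minimal SSP runtime: the two symbols gcc's -fstack-protector prologue
 * and epilogue reference.  Illustration only; FreeBSD's libc and the
 * kernel SSP patch ship their own versions of both.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* The canary: loaded into every protected frame on entry and compared on
 * exit.  Must be initialised before the first protected function runs. */
uintptr_t __stack_chk_guard;

/* Fill buf with len random bytes.  Assumption: /dev/urandom exists.
 * FreeBSD's libc uses the kern.arandom sysctl; a kernel would use its own
 * entropy source.  Returns 0 on success, -1 otherwise. */
static int read_random(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return -1;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Derive the guard from a random word.  Design choice (mine): zero the
 * lowest-addressed byte, so that a str*()-style overflow running upward
 * through the frame stops at the NUL and cannot rewrite the whole guard
 * with a copy of itself. */
uintptr_t ssp_make_guard(uintptr_t random_word)
{
    uintptr_t g = random_word;
    unsigned char *p = (unsigned char *)&g;
    p[0] = 0;
    return g;
}

/* Runs before main(); the counterpart of libc's __guard_setup(). */
__attribute__((constructor))
static void ssp_guard_setup(void)
{
    uintptr_t seed;
    if (read_random(&seed, sizeof seed) != 0) {
        /* Weak fallback so the program still starts; a real runtime should
         * fail closed rather than install a predictable canary. */
        seed = (uintptr_t)time(NULL) ^ ((uintptr_t)getpid() << 16);
    }
    __stack_chk_guard = ssp_make_guard(seed);
}

/* Called from the epilogue when the saved canary no longer matches.  It
 * must never return: the return address may already be attacker-chosen,
 * so the only safe action is to report and abort. */
__attribute__((noreturn))
void __stack_chk_fail(void)
{
    static const char msg[] = "stack overflow detected; terminated\n";
    (void)write(2, msg, sizeof msg - 1);
    abort();
}

/* Accessors used by the checks below. */
uintptr_t ssp_guard_value(void)
{
    return __stack_chk_guard;
}

/* 1 if the installed guard carries the NUL terminator byte, else 0. */
int ssp_guard_low_byte_is_zero(void)
{
    uintptr_t g = __stack_chk_guard;
    return ((const unsigned char *)&g)[0] == 0;
}

int main(void)
{
    printf("guard installed: %#lx\n", (unsigned long)ssp_guard_value());
    return 0;
}
```

Compile with cc -fstack-protector-all ssp_runtime.c (plus -nodefaultlibs or -ffreestanding where libc already defines the symbols). Keeping __stack_chk_fail non-returning is the important part: by the time it runs, the saved return address may already be under attacker control, so a handler that logs and returns would hand execution straight to the overflow.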
From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 13:50:36 2007
Date: Sun, 30 Dec 2007 13:50:10 +0100
From: Anders Hanssen
To: Mike Silbersack
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-id: <47779402.7060105@rethink.no>
In-reply-to: <20071228200428.J6052@odysseus.silby.com>

Hi!

Mike Silbersack wrote:
> Since the subject came up, I just tried using it, and it's not giving
> me the results I expected.
> But if I compile it like so:
> cc -g -fstack-protector overrun.c
>
> The overrun is not caught.
> ./a.out
> hi>
>
> Either I'm doing something wrong, or we have gcc misconfigured and
> it's not detecting that strcpy is a function which needs to be
> watched closely.

My first guess would be that gcc knew the length of "ABCDE" and decided
it would fit in the stack buffer without overwriting anything used by the
program (because of alignment and the ideal stack layout).  But, anyway,
I changed your program to strcpy() from argv instead, hoping it would
turn on ssp for overrun().
Still no protection.

# ./test AAAAAAAAAAAAAAAA
Segmentation fault: 11 (core dumped)
# gdb ./test test.core
[...]
#0  0x41414141 in ?? ()

A look at the generated code confirms it does not use ssp for overrun()

void
overrun(const char *str)
{
        int x;
        char a[4];
        int y;

        strcpy(a, str);
        printf("hi");
}

# gcc -S -fstack-protector test.c
overrun:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $24, %esp
        movl    8(%ebp), %eax
        movl    %eax, 4(%esp)
        leal    -8(%ebp), %eax
        movl    %eax, (%esp)
        call    strcpy
        movl    $.LC1, (%esp)
        call    printf
        leave
        ret

# gcc -S -fstack-protector-all test.c
overrun:
        pushl   %ebp
        movl    %esp, %ebp
        subl    $40, %esp
        movl    8(%ebp), %eax
        movl    %eax, -20(%ebp)
        movl    __stack_chk_guard, %eax   ; put stack cookie in eax
        movl    %eax, -4(%ebp)            ; store it on the stack
        xorl    %eax, %eax
        movl    -20(%ebp), %eax
        movl    %eax, 4(%esp)
        leal    -8(%ebp), %eax
        movl    %eax, (%esp)
        call    strcpy
        movl    $.LC1, (%esp)
        call    printf
        movl    -4(%ebp), %eax            ; read cookie
        xorl    __stack_chk_guard, %eax   ; if cookie is not changed,
        je      .L8                       ; return
        call    __stack_chk_fail          ; else abort
.L8:
        leave
        ret

Anyway, I don't know why gcc fails to see that overrun() needs protection.
--
Anders

From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 14:54:23 2007
Date: Sun, 30 Dec 2007 15:54:14 +0100
From: Dag-Erling Smørgrav
To: Anders Hanssen
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <86r6h4teqx.fsf@ds4.des.no>
In-Reply-To: <47779402.7060105@rethink.no>
Anders Hanssen writes:
> A look at the generated code confirms it does not use ssp for overrun()
>
> void
> overrun(const char *str)
> {
>         int x;
>         char a[4];
>         int y;
>
>         strcpy(a, str);
>         printf("hi");
> }
>
> # gcc -S -fstack-protector test.c

Use -fstack-protector-all instead.

> Anyway, I don't know why gcc fails to see that overrun() needs
> protection.

Because you didn't RTFM...

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Dec 31 09:43:45 2007
Date: Mon, 31 Dec 2007 03:43:41 -0600 (CST)
From: Mike Silbersack
To: Jeremie Le Hen
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <20071231033402.F21115@odysseus.silby.com>
In-Reply-To: <20071230132611.GD10467@obiwan.tataz.chchile.org>
On Sun, 30 Dec 2007, Jeremie Le Hen wrote:

>> Either I'm doing something wrong, or we have gcc misconfigured and it's not
>> detecting that strcpy is a function which needs to be watched closely.
>
> Actually, you did nothing wrong.  Except maybe not wasting time to look
> at the GCC info page ;).
>
> % `-fstack-protector'
> %     Emit extra code to check for buffer overflows, such as stack
> %     smashing attacks.  This is done by adding a guard variable to
> %     functions with vulnerable objects.  This includes functions that
> %     call alloca, and functions with buffers larger than 8 bytes.  The
> %     guards are initialized when a function is entered and then checked
> %     when the function exits.  If a guard check fails, an error message
> %     is printed and the program exits.
>
> I believed it was possible to customize this threshold (I'm pretty sure
> I've already seen such an option in some patch floating around the GCC
> community) but a quick glance at the source shows it is not possible
> actually.
>
> Regards,
> --
> Jeremie Le Hen

Ah, I went to the old propolice page and just read this description:

----
compiler option -fstack-protector-all, -fno-stack-protector-all

enables and disables the protection of every function, not only the
function with character array.
----

I apparently RTWrongFM. :)

Seems to me that the 8 character limit is probably some performance
tradeoff compromise... from a security perspective I can't see why 8
byte arrays would be less likely to be used incorrectly than 9 byte
arrays.

In any case, thanks for answering my question.

Mike "Silby" Silbersack
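The 8-byte threshold the thread settles on, in a form you can check yourself. This is an added example, not code from the thread (the function names and the bounded-copy helper are mine): the thread's overrun() beside a variant whose buffer crosses the threshold, plus the fix that the canary is only a backstop for. Compile with cc -S -fstack-protector and grep the output for __stack_chk_guard: only overrun_large() is instrumented; with -fstack-protector-all every function is. Later GCC releases let you move the threshold with --param ssp-buffer-size=N, and from GCC 4.9 -fstack-protector-strong covers any function that has an array of any size or takes the address of a local, which is what most distributions default to today.

```c
/*
 * Which functions does -fstack-protector instrument?  Build both ways:
 *
 *   cc -S -fstack-protector     ssp_threshold.c  # only overrun_large gets a guard
 *   cc -S -fstack-protector-all ssp_threshold.c  # every function does
 *
 * and look for __stack_chk_guard / __stack_chk_fail in each function.
 * Added example, not code from the thread.
 */
#include <stdio.h>
#include <string.h>

#define SMALL_BUF 4    /* below the 8-byte threshold, like the thread's overrun() */
#define LARGE_BUF 16   /* above it */

/* The thread's overrun(): 4-byte buffer, unbounded copy.  Deliberately
 * unsafe.  Plain -fstack-protector emits no canary for this function, so a
 * long argument silently overwrites the saved frame pointer and return
 * address (the 0x41414141 crash Anders showed). */
void overrun_small(const char *str)
{
    char a[SMALL_BUF];
    strcpy(a, str);
    printf("%s\n", a);
}

/* Same bug with a 16-byte buffer: plain -fstack-protector does instrument
 * this one, so the same long argument aborts in __stack_chk_fail instead of
 * returning into attacker-chosen bytes. */
void overrun_large(const char *str)
{
    char a[LARGE_BUF];
    strcpy(a, str);
    printf("%s\n", a);
}

/* The fix does not depend on the compiler flag: copy no more than the
 * destination holds and report whether the input fit.  Returns 0 when src
 * fit entirely, -1 when it was truncated or dstsize is 0.  dst is always
 * NUL-terminated when dstsize > 0. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of overrun_small(): refuses oversized input up
 * front instead of relying on the canary to catch the damage afterwards.
 * Returns 0 on success, -1 if the input did not fit. */
int safe_small(const char *str)
{
    char a[SMALL_BUF];
    if (copy_bounded(a, sizeof a, str) != 0)
        return -1;          /* do not truncate silently either */
    printf("%s\n", a);
    return 0;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "ABC";   /* "ABC" fits in 4 bytes */
    if (safe_small(input) != 0)
        fprintf(stderr, "input too long for a %d-byte buffer\n", SMALL_BUF);
    /* overrun_small() and overrun_large() are left uncalled on purpose; run
     * them under a debugger with a long argv[1] to compare the two flags. */
    return 0;
}
```

The difference in the two gcc -S listings is the prologue store of __stack_chk_guard and the epilogue compare-and-call; nothing else about the function changes, which is why the canary costs so little and why it only ever detects an overflow after it has happened. copy_bounded() is what keeps the overflow from happening at all.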