Date: Wed, 15 Oct 2014 10:31:41 +0200
From: Oliver Pinter <oliver.pntr@gmail.com>
To: David Carlier <david.carlier@hardenedbsd.org>
Cc: Baptiste Daroussin <bapt@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Message-ID: <CAPjTQNE21_qsamCo-SFu1z%2BRWLKG4dytSKUKGs0gy3vUO1X8LQ@mail.gmail.com>
In-Reply-To: <CAMe1fxZtKNqUCGqxq6V1bD6hbanWFtmrdS4U9s2xo%2BMECpgeEw@mail.gmail.com>
References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com> <20141015061029.GO48641@ivaldir.etoilebsd.net> <CAMe1fxZtKNqUCGqxq6V1bD6hbanWFtmrdS4U9s2xo%2BMECpgeEw@mail.gmail.com>

On 10/15/14, David Carlier <david.carlier@hardenedbsd.org> wrote:
> In first place, we might consider the usual attack targets :
>
> /bin/(c)sh
> /sbin/sendmail
> /bin/ntp
> /sbin/dhclient
> /secure/usr.sbin/sshd .... sendmail, ntp, sshd etc ... are quite sensitive
> and popular services, hence applying PIE (+ ASLR) will prevent attacks by
> this bias.
> /sbin/casperd (hence lib/libcapsicum|libcasper with pic ...) ... as FreeBSD
> is getting more popularity, such specific FreeBSD's security components
> might become an appealing target attack.
>
> I may have other suggestions in mind (like /sbin/(jail|jexec ... etc) but
> these are the first step stones.
>
> Kind regards.

I think this list should include audit-related tools too and all of the
setuid programs.

>
> On Wed, Oct 15, 2014 at 7:10 AM, Baptiste Daroussin <bapt@freebsd.org>
> wrote:
>
>> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
>> > Hi all,
>> >
>> > HardenedBSD plans to add PIE support on base in various places.
>> >
>> > These are B. Drewery's suggestions :
>> >
>> > The _pic ones are not needed. The main lib file just needs
>> > INSTALL_PIC_ARCHIVE=yes.
>> >
>> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
>> > something to pull in common logic from share/mk.
>> >
>> > Also I know that, at least for a start, it wished to be applied in some
>> > few places, like tcpdump/traceroute, sendmail ... shells ... I thought
>> > about also casper/capsicum ... ntp ... jail
>> >
>> What would probably be interesting is to list binary by binary on which
>> one you do want to add the USE_PIE, and with rationale explaining why.
>>
>> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE.
>> I think cherry-picking what should be PIE is the right
>>
>> regards,
>> Bapt
>>
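
Added example, not part of the original thread or of any FreeBSD/HardenedBSD tooling: a small audit script for the "all of the setuid programs" suggestion, which walks directories, picks out setuid/setgid files and reports from the ELF header whether each is position-independent (`ET_DYN`) or fixed-address (`ET_EXEC`). The default directory list and the function names are assumptions made for this illustration.

```python
import os
import stat
import sys

ET_EXEC, ET_DYN = 2, 3  # ELF e_type values: fixed-address vs. position-independent


def classify(header):
    """Classify the first 18 bytes of a file as 'pie', 'non-pie', 'other' or 'not-elf'."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return "not-elf"  # e.g. a setuid script, or a truncated file
    # EI_DATA (byte 5) gives the byte order of the multi-byte header fields.
    order = {1: "little", 2: "big"}.get(header[5])
    if order is None:
        return "not-elf"
    e_type = int.from_bytes(header[16:18], order)  # e_type sits at offset 16
    if e_type == ET_DYN:
        return "pie"  # an executable file of type ET_DYN is built as PIE
    if e_type == ET_EXEC:
        return "non-pie"
    return "other"


def audit(roots):
    """Yield (path, verdict) for each setuid/setgid regular file under roots."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode
                    if not stat.S_ISREG(mode):
                        continue
                    if not mode & (stat.S_ISUID | stat.S_ISGID):
                        continue
                    with open(path, "rb") as f:
                        yield path, classify(f.read(18))
                except OSError:
                    continue  # unreadable or vanished file: skip it


if __name__ == "__main__":
    # Assumed default search roots; pass other directories as arguments.
    roots = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    for path, verdict in audit(roots):
        print(f"{verdict:8} {path}")
```

Files reported as `non-pie` are the ones that would need the proposed `USE_PIE` treatment before ASLR can randomize their load address.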