PIE/PIC support on base
Oliver Pinter
oliver.pntr at gmail.com
Wed Oct 15 08:31:42 UTC 2014
On 10/15/14, David Carlier <david.carlier at hardenedbsd.org> wrote:
> In first place, we might consider the usual attack targets :
>
> /bin/(c)sh
> /sbin/sendmail
> /bin/ntp
> /sbin/dhclient
> /secure/usr.sbin/sshd .... sendmail, ntp, sshd etc ... are quite sensitive
> and popular services, hence applying PIE (+ ASLR) will prevent attacks by
> this bias.
> /sbin/casperd (hence lib/libcapsicum|libcasper with pic ...) ... as FreeBSD
> is getting more popularity, such specific FreeBSD's security components
> might become an appealing target attack.
>
> I may have other suggestions in mind (like /sbin/(jail|jexec ... etc) but
> these are the first step stones.
>
> Kind regards.
I think this list should include audit related tools too and all of
the setuid programs.
>
> On Wed, Oct 15, 2014 at 7:10 AM, Baptiste Daroussin <bapt at freebsd.org>
> wrote:
>
>> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
>> > Hi all,
>> >
>> > HardenedBSD plans to add PIE support on base in various place.
>> >
>> > These are B. Drewery suggestions :
>> >
>> > The _pic ones are not needed. The main lib file just needs
>> > INSTALL_PIC_ARCHIVE=yes.
>> >
>> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
>> > something to pull in common logic from share/mk.
>> >
>> > Also I know that, at least for a start, it wished to be applied in some
>> few
>> > places, like tcpdump/traceroute, sendmail ... shells ... I thought
>> > about
>> > also casper/capsicum ... ntp ... jail
>> >
>> What would probably be interesting is to list binary by binary on which
>> one you
>> do want to add the USE_PIE, and with rational explaining why.
>>
>> On some OS you often can see ssh(1) not being PIE while sshd(8) have PIE.
>> I
>> think cherry-picking what should be PIE is the right
>>
>> regards,
>> Bapt
>>
> _______________________________________________
> freebsd-arch at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to "freebsd-arch-unsubscribe at freebsd.org"
>
More information about the freebsd-arch
mailing list