From: Jerome B. <gur...@or...> - 2004-10-27 01:41:05
|
>>I am running Gentoo Linux with GCC 3.4.2 and glibc 2.3.4.20040808 >>compiled with NPTL only (no LinuxThreads) and both a 2.6.9 and a 2.6.8.1 >>kernel. >> >>Any thoughts or suggestions are greatly appreciated. I will try with GCC >>3.3.3 to see if that helps. > > It's probably a gcc version issue. We try to get stuff working > with most gcc versions, but no-one round here uses 3.4 by default > -- it's way too bleeding edge. Compiled the xenU fine with gcc 3.3.3 - must be a gcc issue. I'm testing on a box at the moment, so have installed all the new toys to play with :) Might try with SSP and PIE again ... >>The GCC has ssp-3.4.1 and pie-8.7.6.5 compiled in, but they are >>disabled for the compilation as Xen will not compile with them enabled >>(Are there plans to allow this?). > > What are ssp and pie? SSP is Stack Smashing Protection - formerly ProPolice (see http://www.trl.ibm.com/projects/security/ssp/ for more info) and PIE is Position Independent Executable i.e. PIC for binaries. SSP modifies the C compiler to insert initialization code into functions that create a buffer in memory. At run time, when a buffer is created, SSP adds a secret random value, the canary, to the end of the buffer. When the function returns, SSP makes sure that the canary is still intact. If an attacker were to perform a buffer overflow, he would overwrite this value and trigger that stack smashing handler. Currently this kills the target process. (Descriptions borrowed from Gentoo Hardened Project http://www.gentoo.org/proj/en/hardened/) They provide an extra layer of security from attack on a server open to the world. |