mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-23 18:14:56 +01:00
5608fd23c2
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other
   build-only utility libraries.
2. Another 40% is fixed by generating _pic.a variants of various libraries.
3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR)
   where it never would work anyhow, such as csu or loader. This suggests
   there may be better ways of adding support to the tree. Many of these
   cases can be fixed such that -fPIE will work but there is really no
   reason to have it in those cases.
4. Some of the uses are working around hacks done to some Makefiles that are
   really building libraries but have been using bsd.prog.mk because the code
   is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have
   been needed.

We likely do want to enable PIE by default (opt-out) for non-tree consumers
(such as ports). For in-tree though we probably want to only enable PIE
(opt-in) for common attack targets such as remote service daemons and setuid
utilities. This is also a great performance compromise since ASLR is expected
to reduce performance. As such it does not make sense to enable it in all
utilities such as ls(1) that have little benefit to having it enabled.

Reported by: kib

crunchgen
crunchide
examples
COPYRIGHT
Makefile
Makefile.inc
README

CRUNCH 0.2 README 6/14/94

Crunch is available via anonymous ftp to
    ftp.cs.umd.edu in pub/bsd/crunch-0.2.tar.gz

WHAT'S NEW IN 0.2

* The prototype awk script has been replaced by a more capable and hopefully
  more robust C program.
* No fragile template makefiles or dependencies on the details of the bsd
  build environment.
* You can build crunched binaries even with no sources on-line, you just
  need the .o files. Crunchgen still will try to figure out as much as
  possible on its own, but you can override its guessing by specifying the
  list of .o files explicitly.
* Crunch itself has been bmake'd and some man pages written, so it should be
  ready to install.

INTRODUCTION

Crunch is a little package that helps create "crunched" binaries for use on
boot, install, and fixit floppies. A crunched binary in this case is one
where many programs have been linked together into one a.out file. The
different programs are run depending on the value of argv[0], so hard links
to the crunched binary suffice to simulate a perfectly normal system.

As an example, I have created a 980K crunched "fixit" binary containing the
following programs in their entirety:

    cat chmod cp date dd df echo ed expr hostname kill ln ls mkdir
    mt mv pwd rcp rm rmdir sh sleep stty sync test [ badsect chown
    clri disklabel dump rdump dmesg fdisk fsck halt ifconfig init
    mknod mount newfs ping reboot restore rrestore swapon umount
    ftp rsh sed telnet rlogin vi cpio gzip gunzip gzcat

Note carefully: vi, cpio, gzip, ed, sed, dump/restore, some networking
utilities, and the disk management utilities, all in a binary small enough
to fit on a 1.2 MB root filesystem floppy (albeit with the kernel on its own
boot floppy). A more reasonable subset can be made to fit easily with a
kernel for a decent one-disk fixit filesystem.

The linking together of different programs by hand is an old space-saving
technique. Crunch automates the process by building the necessary stub files
and makefile for you (via the crunchgen program), and by doctoring the symbol
tables of the component .o files to allow them to link without "symbol
multiply defined" conflicts (via the crunchide program).

BUILDING CRUNCH

Just type make, then make install.

Crunch was written and tested under NetBSD/i386, but should work under other
PC BSD systems that use GNU ld.

The crunchgen(1) and crunchide(1) man pages have more details on using
crunch, and the examples subdirectory contains some working .conf files and
a sample Makefile.

CREDITS

Thanks to the NetBSD team for a consistently high quality effort in bringing
together a solid, state of the art development environment.

Thanks to the FreeBSD guys; Rod Grimes, Nate Williams and Jordan Hubbard; and
to Bruce Evans, for immediate and detailed feedback on crunch 0.1, and for
pressing me to make the prototype more useable.

Crunch was written for the Maruti Hard Real-Time Operating System project at
the University of Maryland, to help make for better install and recovery
procedures for our NetBSD-based development environment. It is copyright (c)
1994 by the University of Maryland under a UCB-style freely-redistributable
notice. See the file COPYRIGHT for details.

Please let me know of any problems or of enhancements you make to this
package. I'm particularly interested in the details of what you found was
good to put on your fixit or install disks. Thanks!

Share and Enjoy,
Jaime

............................................................................
:  Stand on my shoulders,  : jds@cs.umd.edu   :  James da Silva
:  not on my toes.         : uunet!mimsy!jds  :  http://www.cs.umd.edu/users/jds
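
The argv[0] dispatch described in the INTRODUCTION, as an added example that is not part of crunch and is not the stub crunchgen generates. The applet names, their bodies and the find_applet helper are constructed for illustration; because argv[0] is supplied by whoever calls execve(), the lookup handles a missing argv[0] and unknown names explicitly.

```c
/* Added illustration of argv[0] dispatch in a multi-program binary.
 * Applet names/bodies and find_applet() are hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>

typedef int (*applet_fn)(int argc, char **argv);

/* Stand-ins for the component programs' renamed main() functions. */
static int echo_main(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        printf("%s%s", argv[i], i + 1 < argc ? " " : "");
    putchar('\n');
    return 0;
}
static int true_main(int argc, char **argv) { (void)argc; (void)argv; return 0; }
static int false_main(int argc, char **argv) { (void)argc; (void)argv; return 1; }

static const struct { const char *name; applet_fn fn; } applets[] = {
    { "echo", echo_main }, { "true", true_main }, { "false", false_main },
};

/* Strip any directory prefix: "/sbin/echo" and "echo" select the same applet. */
static const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Exact-match lookup; returns NULL for names not linked into the binary. */
applet_fn find_applet(const char *argv0) {
    const char *name;
    if (argv0 == NULL) return NULL;   /* execve() may pass an empty argv */
    name = base_name(argv0);
    for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
        if (strcmp(name, applets[i].name) == 0)
            return applets[i].fn;
    return NULL;
}

int main(int argc, char **argv) {
    applet_fn fn = find_applet(argc > 0 ? argv[0] : NULL);
    if (fn == NULL) {
        fprintf(stderr, "unknown applet; known names:");
        for (size_t i = 0; i < sizeof applets / sizeof applets[0]; i++)
            fprintf(stderr, " %s", applets[i].name);
        fputc('\n', stderr);
        return 1;
    }
    return fn(argc, argv);
}
```

Hard links named echo, true and false that point at the compiled binary each run the matching applet; any other link name falls through to the error path.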