On Mon, Jun 28, 2004 at 05:05:16PM +0200, Max Vozeler wrote:
> > I have a similar problem, I tried to rebuild X last week with the
> > SSP compiler, only to have it die because of lack of disk space. 9
> > hours into the compile.
>
> Uh, painful :)
Very!
> How are the packages doing when compiled with SSP? Did you encounter
> any significant problems? I'd love to see SSP enabled in the main gcc
> package.
It's been surprisingly painless actually. There were some early
problems with kernels panicking upon boot, but they seem to have
vanished now with no change from myself. (I think it was a combination
of a recent GCC being used to compile an early 2.6.x kernel, since
fixed by the kernel people).
I want the SSP stuff enabled generally too, but it's not going to
happen until after the release of Sarge, if ever.
I will put together a small writeup of how it's done if there's
any interest. All the tools are now available as Debian packages
so it's very simple to get started. For me the hard part is
getting a well connected host to do the builds upon, and then
share them. Right now the best I can do is share the scripts and
then let interested parties build them themselves which is clearly
a duplication of effort.
(There was an offer of hosting from somebody connected with the
Gentoo effort, but that seems to have fallen through).
> If the script runs multiple vulnerability scanners, it could correlate
> the results and give "weight" to sections of code flagged by more than
> one scanner. That could help filter the false-positives somewhat.
Right now the best I could do is include two reports. Due to
differing output formats it's hard to reconcile two scans of
the same code by different tools.
> Interesting idea. I remember DWN missing some of my new packages though,
> so it may not be reliable enough. Checking the NEW queue directly would
> probably be best. I do hope to get there eventually :)
:)
> What about wanna-build? I seem to remember another not-yet-DD (Goswin)
> using this information, so maybe it's publicly available somewhere? I
> think I'll next look into using that if it's possible.
I've avoided all the current building tools, after a painful
experience of trying to install them on my home machine. I found
them painful to use and woefully underdocumented.
> Hmm.. now that you say it, couldn't there also be code that shows
> vulnerabilites only after some automatic code generation during the
> build? There is also the issue of macro expansion that could "hide"
> some vulnerable code until it's been pre-processed.
Macro expansion is a tricky thing, I can see the pros and cons
of scanning after the preprocessor and I am still undecided.
Especially given the number of archs that Debian supports..
> This actually seems like a bit of a tricky problem. Maybe a solution
> would be to create some kind of filter in or around gcc to check the
> code just as it would normally be compiled.
I would do it the other way, invoke cpp as part of the scanning
process. I guess it's one of those arbitrary decisions.
Waiting for GCC to rebuild is something I've done too much of today!
Steve
--
# The Debian Security Audit Project. http://www.debian.org/security/audit
Received on Mon Jun 28 2004 - 18:08:40 BST
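One way to do the reconciliation the thread talks about, normalising two scanners' differing text reports to (file, line, function) and weighting findings that more than one scanner flags, as an added example that is not code from the original thread or from the Debian audit project; both report formats, the regexes and the sample findings are constructed for illustration, not real tool output:

```python
import re

# Constructed sample reports in two hypothetical text formats (not real tool output).
REPORT_A = """\
src/net.c:42: [4] (buffer) strcpy: does not check for buffer overflows
src/net.c:88: [2] (format) printf: non-constant format string
src/auth.c:17: [3] (race) access: check-then-use race condition
"""
REPORT_B = """\
src/net.c:43: High: strcpy
src/auth.c:17: Medium: access
src/util.c:9: Low: getenv
"""

# One pattern per format; each yields file, line and the flagged function name.
RE_A = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):\s+\[\d\]\s+\(\w+\)\s+(?P<func>\w+):")
RE_B = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):\s+\w+:\s+(?P<func>\w+)")

def parse(report, pattern, scanner):
    """Normalise one scanner's report to (file, line, func, scanner) tuples."""
    findings = []
    for raw in report.splitlines():
        m = pattern.match(raw.strip())
        if m:
            findings.append((m["file"], int(m["line"]), m["func"], scanner))
    return findings

def correlate(findings, slop=2):
    """Group findings naming the same function in the same file within `slop`
    lines of each other (scanners often disagree on the exact line of a call);
    weight = number of distinct scanners that flagged the group."""
    groups = []
    for f, line, func, scanner in findings:
        for g in groups:
            if g["file"] == f and g["func"] == func and abs(g["line"] - line) <= slop:
                g["scanners"].add(scanner)
                break
        else:
            groups.append({"file": f, "line": line, "func": func, "scanners": {scanner}})
    for g in groups:
        g["weight"] = len(g["scanners"])
    # Highest weight first, so multiply-flagged code rises to the top of the report.
    return sorted(groups, key=lambda g: (-g["weight"], g["file"], g["line"]))

def merged_report():
    return correlate(parse(REPORT_A, RE_A, "A") + parse(REPORT_B, RE_B, "B"))

if __name__ == "__main__":
    for g in merged_report():
        print(f"{g['weight']}x {g['file']}:{g['line']} {g['func']} {sorted(g['scanners'])}")
```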