Porting Tool chain and Kernel Hardening to uClibc based systems

1. Project Description

All modern operating systems are comprised of a kernel and userland layer. While the kernel deals directly with hardware resources at the highest privilege level, userland deals with the end user and operates at the lowest level. The two layers communicate with one another via system calls (or "syscalls" for short), which userland issues to the kernel. While any userland application can issue syscalls directly (eg. in x86 ISA, via an INT 0x80), almost all userland syscalls on a typical UNIX system are channeled via one central library referred to as "the C standard library." Along with the compiler and other utilities to manipulate executable binaries (eg. binutils), it forms an integral part of the toolchain, and remains a runtime dependency of nearly every dynamically linking object in the system. By far, the most popular is "The GNU C library", or glibc for short; but, for embedded systems uClibc is the standard library of choice, although there are other competitors (see musl). uClibc (where the "u" is sometimes written as the Greek µ for "micro") is much smaller than glibc, less bloated, much faster, and very configurable.

Continued developments in uClibc have made it increasingly suitable for fully featured systems, even desktops. The recent addition of the native POSIX thread library (see nptl) meant that we could finally implement our complete complement of tool chain hardening from glibc:

stack smashing protection (ssp), which came with nptl
position independent execution (pie)
bind now and relro, linker hardening to protect the global offset table

These are augmented by the kernel hardening, especially PaX's enhanced address space layout randomization (aslr).

So, this subproject aims to port both tool chain and kernel hardening to uClibc based systems for a variety of architectures, treating uClibc more as a drop in alternative to glibc, and not necessarily as "embedded". Embedded systems aim to produce kernels and user lands with tiny footprints, and so tend to use busybox as their "Swiss Army Knife" of common UNIX utilities. While not excluding this possibility, we aim at making most (all?) of Gentoo's packages both hardened and uClibc compatible.

2. Project Goals

The project goals can be best summarized by the following chart:

Arch	Subarchs	Tool Chain Hardening	Kernel Hardening	Installation Media	Downloads
amd64	Generic	Yes	Yes	stage3 livecd desktop	[mirror]/experimental/amd64/uclibc
arm	armv7a-softfp	Yes	No	stage3	[mirror]/experimental/arm/uclibc
mips	mips32r2	Yes	No	stage3	[mirror]/experimental/mips/uclibc
mips	mipsel3	Yes	No	stage4	[mirror]/experimental/mips/uclibc
ppc	Not Yet	Not Yet	Not Yet	Not Yet	Not Yet
x86	i686	Yes	Yes	stage3	[mirror]/experimental/x86/uclibc

Yes = competed
Not Yet = in progress
No = no plans
NA = not applicable
stage3 = catalyst built stages 1, 2 and 3 available (ideal)
stage4 = manually built minimal system
livecd = minimal (installation) live CD
desktop = manually built full desktop system
[mirror] = any Gentoo mirror

3. Developers

Developer	Nickname	Role
Anthony G. Basile	blueness	Lead
Magnus Granberg	zorry	Member

All developers can be reached by e-mail using nickname@gentoo.org.

4. I Want to Participate

To participate in the Hardened uClibc project join the mailing list at gentoo-hardened@gentoo.org and visit our online IRC channel at #gentoo-hardened on irc.freenode.net.

Summary: This subproject aims to port both tool chain and kernel hardening to uClibc based systems for a variety of architectures. The project treats uClibc as an alternative to glibc, and not necessarily as "embedded". The aim is a fully featured system, and not one based primarily on busybox.

Gentoo Project
script generated

Donate to support our development efforts.