Porting Tool chain and Kernel Hardening to uClibc based systems
All modern operating systems consist of a kernel and a userland layer. While
the kernel deals directly with hardware resources at the highest privilege level,
userland deals with the end user and operates at the lowest privilege level. The two layers
communicate with one another via system calls (or "syscalls" for short), which
userland issues to the kernel. While any userland application can issue syscalls
directly (e.g. on the x86 ISA, via an INT 0x80 instruction), almost all userland syscalls on a typical
UNIX system are channeled through one central library referred to as "the C standard library."
Along with the compiler and other utilities for manipulating executable binaries (e.g.
binutils), it forms an integral part of the toolchain, and it remains a runtime dependency
of nearly every dynamically linked object in the system.
By far the most popular is "The GNU C library", or glibc
for short; but for embedded systems uClibc
is the standard library of choice, although there are other competitors (see
musl). uClibc (where the "u" is
sometimes written as the Greek µ for "micro") is much smaller than glibc, less
bloated, much faster, and very configurable.
Continued developments in uClibc have made it increasingly suitable for fully
featured systems, even desktops. The recent addition of the native POSIX thread
library (see nptl)
meant that we could finally implement our complete complement of tool chain
hardening from glibc:
- stack smashing protection (ssp),
which came with nptl
- position independent execution (pie)
- bind now and relro, linker hardening to protect the global offset table
These are augmented by the kernel hardening, especially
PaX's enhanced address space
layout randomization (aslr).
So, this subproject aims to port both tool chain and kernel hardening to uClibc
based systems for a variety of architectures, treating uClibc as a
drop-in alternative to glibc and not necessarily as "embedded". Embedded
systems aim to produce kernels and userlands with tiny footprints, and so
tend to use busybox as their "Swiss Army Knife" of common UNIX utilities.
While not excluding this possibility, we aim at making most (all?) of Gentoo's
packages both hardened and uClibc compatible.
The project goals can be best summarized by the following chart:
Tool Chain Hardening, by target: stage3, livecd, desktop
Legend:
- Yes = completed
- Not Yet = in progress
- No = no plans
- NA = not applicable
- stage3 = catalyst built stages 1, 2 and 3 available (ideal)
- stage4 = manually built minimal system
- livecd = minimal (installation) live CD
- desktop = manually built full desktop system
- [mirror] = any Gentoo mirror
Developer: Anthony G. Basile
All developers can be reached by e-mail using firstname.lastname@example.org.
I Want to Participate
To participate in the Hardened uClibc project join the mailing list at
email@example.com and visit our online IRC channel at
#gentoo-hardened on irc.freenode.net.