Project:Hardened uClibc

From Gentoo Wiki
Revision as of 00:46, 18 December 2013 by Blueness (Talk | contribs)

Hardened uClibc

Description: This subproject aims to port both tool chain and kernel hardening to uClibc based systems for a variety of architectures. The project treats uClibc as an alternative to glibc, and not necessarily as "embedded".
Email: hardened@gentoo.org
IRC Channel: #gentoo-hardened
Lead(s):
Members:
Parent Project: Gentoo Hardened
Subprojects: (none)
Tags:

Project Description

All modern operating systems are composed of a kernel and a userland layer. While the kernel deals directly with hardware resources at the highest privilege level, userland deals with the end user and operates at the lowest privilege level. The two layers communicate with one another via system calls (or "syscalls" for short), which userland issues to the kernel. While any userland application can issue syscalls directly (e.g. on the x86 ISA, via INT 0x80), almost all userland syscalls on a typical UNIX system are channeled through one central library referred to as "the C standard library". Along with the compiler and other utilities to manipulate executable binaries (e.g. binutils), it forms an integral part of the toolchain, and remains a runtime dependency of nearly every dynamically linked object in the system. By far the most popular is "The GNU C library", or glibc for short; but for embedded systems uClibc is the standard library of choice, although there are other competitors (see musl). uClibc (where the "u" is sometimes written as the Greek µ for "micro") is much smaller than glibc, less bloated, much faster, and very configurable.

Continued developments in uClibc have made it increasingly suitable for fully featured systems, like Lilblue, our security-enhanced, fully featured XFCE4 amd64 desktop built on uClibc. The recent addition of the native POSIX thread library (see nptl) meant that we could finally implement our complete complement of toolchain hardening from glibc:

  • stack smashing protection (ssp), which came with nptl
  • position independent execution (pie)
  • bind now and relro, linker hardening to protect the global offset table

These are augmented by kernel hardening, especially PaX's enhanced address space layout randomization (aslr).
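A quick way to confirm that a binary built against a hardened uClibc toolchain actually carries the pie, bind now and relro hardening listed above is to read its ELF headers directly. The checker below is an added example written for this page, not code from the Hardened uClibc project or from pax-utils; it handles little- and big-endian ELF64 images (mips is commonly big-endian) and includes a constructed sample image so it can be exercised offline. Stack smashing protection is not visible from the headers alone and is left out.

```python
import struct

# ELF gABI constants used below
ET_DYN = 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR = "IIQQQQQQ"  # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def elf_hardening(data):
    """Report the pie / relro / bind_now status of an ELF64 image (little- or big-endian)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian (e.g. mips)
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    relro, dyn = False, None
    for i in range(e_phnum):  # program headers: look for PT_GNU_RELRO and PT_DYNAMIC
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            end + PHDR, data, e_phoff + i * e_phentsize)
        relro |= p_type == PT_GNU_RELRO  # segment the loader makes read-only after relocation
        if p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    bind_now = False
    for off in (range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ()):  # Elf64_Dyn entries
        d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            bind_now = True  # all relocations resolved at load time, so the GOT can be locked
    # PIE executables are linked as ET_DYN with a dynamic table (shared libraries look the same).
    # Full RELRO needs both the RELRO segment and BIND_NOW; RELRO alone leaves lazy GOT slots writable.
    return {"pie": e_type == ET_DYN and dyn is not None, "relro": relro,
            "bind_now": bind_now, "full_relro": relro and bind_now}


def build_sample_elf(e_type, relro, bind_now, end="<"):
    """Constructed minimal ELF64 (not a real binary): header, program headers, dynamic table."""
    phnum = 2 if relro else 1
    dyn = struct.pack(end + "qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0) + struct.pack(end + "qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1 if end == "<" else 2, 1]) + bytes(9)  # ELFCLASS64, EI_DATA, EV_CURRENT
    hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", e_type, 0, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack(end + PHDR, PT_DYNAMIC, 6, 64 + 56 * phnum, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(end + PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return hdr + phdrs + dyn
```

On a real file, call `elf_hardening(open(path, "rb").read())`; the constructed sample exists only so the checker can be run without a uClibc system at hand.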

So, this subproject aims to port both toolchain and kernel hardening to uClibc based systems for a variety of architectures, treating uClibc more as a drop-in alternative to glibc, and not necessarily as "embedded". Embedded systems aim to produce kernels and userlands with tiny footprints, and so tend to use busybox as their "Swiss Army Knife" of common UNIX utilities. While not excluding this possibility, we aim at making most (all?) of Gentoo's packages both hardened and uClibc compatible.

Project Goals

The project goals can be best summarized by the following chart:

Arch  | Subarchs      | Tool Chain Hardening | Kernel Hardening | Installation Media | Downloads
------|---------------|----------------------|------------------|--------------------|-----------------------------------
amd64 | Generic       | Yes                  | Yes              | stage3 desktop     | [mirror]/experimental/amd64/uclibc
arm   | armv7a-softfp | Yes                  | No               | stage3             | [mirror]/experimental/arm/uclibc
arm   | armv7a-hardfp | Yes                  | No               | stage3             | [mirror]/experimental/arm/uclibc
mips  | mips32r2      | Yes                  | No               | stage3             | [mirror]/experimental/mips/uclibc
mips  | mipsel3       | Yes                  | No               | stage3             | [mirror]/experimental/mips/uclibc
ppc   | Not Yet       | Not Yet              | Not Yet          | Not Yet            | Not Yet
x86   | i686          | Yes                  | Yes              | stage3             | [mirror]/experimental/x86/uclibc

  • Yes = completed
  • Not Yet = in progress
  • No = no plans
  • NA = not applicable
  • stage3 = catalyst built stages 1, 2 and 3 available (ideal)
  • stage4 = manually built minimal system
  • livecd = minimal (installation) live CD
  • desktop = manually built full desktop system
  • [mirror] = any Gentoo mirror

Resources

The Hardened uClibc project provides the following resources:

  • Lilblue, a hardened uClibc XFCE desktop

I Want to Participate

To participate in the Hardened uClibc project, join the mailing list at gentoo-hardened@gentoo.org and visit our IRC channel, #gentoo-hardened on irc.freenode.net.