
HPUX kernel compile???

  1. HPUX kernel compile???

    Hello,

    I have been assigned to perform a security review for a HPUX system
    which is in production. One thing I have noticed is that the system has
    a C compiler on the system. Since this is not a development system I
    suggested that it be removed. The sysadmin mentioned that it is
    required to perform kernel compilation, which caught me by surprise. I
    come from the Linux camp. (I do love all flavors of Unix). My
    understanding is that HPUX is a closed source operating system. Has HP
    opened its source code to open source (like Solaris)? If not, then
    what type of kernel code is being compiled by the C compiler? The
    sysadmin mentioned that it is a stripped-down compiler.

    Thank you in advance for any information.

    Regards,
    --
    Neil Jones
    cat @yahoo.com >> castellan-gen

    God made men and Colt made them equal.
    Linus made Linux and Tux made IT companies equal.

  2. Re: HPUX kernel compile???

    > I have been assigned to perform a security review for a HPUX system
    > which is in production. One thing I have noticed is that the system has
    > a C compiler on the system. Since this is not a development system I
    > suggested that it be removed. The sysadmin mentioned that it is
    > required to perform kernel compilation, which caught me by surprise. I
    > come from the Linux camp. (I do love all flavors of Unix). My
    > understanding is that HPUX is a closed source operating system. Has HP
    > opened its source code to open source (like Solaris)? If not, then
    > what type of kernel code is being compiled by the C compiler? The
    > sysadmin mentioned that it is a stripped-down compiler.


    It's a basic K&R C compiler and it is indeed needed to build a kernel.

    I don't know if it compiles anything or not. But I'll bet the linker is
    used to add new library modules.

    --
    Who needs a life when you've got Unix? :-)
    Email: john@unixnerd.demon.co.uk, John G.Burns B.Eng, Bonny Scotland
    Web : http://www.unixnerd.demon.co.uk - The Ultimate BMW Homepage!
    Need Sun or HP Unix kit? http://www.unixnerd.demon.co.uk/unix.html
    www.Strathspey.co.uk - Quality Binoculars at a Sensible price

  3. Re: HPUX kernel compile???

    On 2006-07-23, Neil Jones wrote:

    > I have been assigned to perform a security review for a HPUX system
    > which is in production. One thing I have noticed is that the system has
    > a C compiler on the system. Since this is not a development system I
    > suggested that it be removed. The sysadmin mentioned that it is
    > required to perform kernel compilation, which caught me by surprise.


    Unless you control all the HP systems in the world removing a compiler
    from this one gets you a very limited security benefit. And then there
    are all the cross-compilers on other platforms.

    You could reasonably ask how often they expect to compile a kernel.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    One of my other 11 computers runs Minix.

  4. Re: HPUX kernel compile???

    Neil Jones wrote:
    > Hello,
    >
    > I have been assigned to perform a security review for a HPUX system
    > which is in production. One thing I have noticed is that the system has
    > a C compiler on the system. Since this is not a development system I
    > suggested that it be removed. The sysadmin mentioned that it is
    > required to perform kernel compilation, which caught me by surprise. I
    > come from the Linux camp. (I do love all flavors of Unix). My
    > understanding is that HPUX is a closed source operating system. Has HP
    > opened its source code to open source (like Solaris)?


    No.

    > If not, then
    > what type of kernel code is being compiled by the C compiler?


    Very little. HPUX does not "re-compile" a kernel in the same sense
    you're used to in Linux. It compiles conf.c (containing driver and
    tunable parameter information) and links existing libraries to create a
    new kernel. Similar to SCO and other proprietary System V variants.
    Patches may contain new libraries which are then linked into a new
    kernel during the patch-installation/build process.

    See: http://docs.hp.com/en/1219/tuningwp.html

    > The
    > sysadmin mentioned that it is a stripped-down compiler.


    He is correct.

    See: http://www.faqs.org/faqs/hp/hpux-faq/

    Subject: 6.2.1 Why is the default C compiler brain-dead?
    Updated: 04/13/01

    The C compiler shipped with HP-UX is intended only to rebuild the kernel
    with, not for program development. To get a "real" C compiler, you have
    two options:

    o buy HP's ANSI C product
    o use the GNU C Compiler (gcc), downloadable in binary form from the
    Liverpool archive

    >
    > Thank you in advance for any information.


    Out of curiosity, why do you believe that removing a C-compiler from a
    UNIX system will make it more secure?

    andrew@lod.com

  5. Re: HPUX kernel compile???

    In article ,
    Neil Jones wrote:

    >I have been assigned to perform a security review for a HPUX system
    >which is in production. One thing I have noticed is that the system has
    >a C compiler on the system. Since this is not a development system I
    >suggested that it be removed. The sysadmin mentioned that it is
    >required to perform kernel compilation, which caught me by surprise.


    I haven't used HPUX, but the situation is similar on SGI IRIX:
    a stripped-down compiler is squirreled away for kernel building.


    Answering the poster who asked how often they expect to rebuild
    the kernel: the answer to that on SGI IRIX is "Every time a kernel
    patch is released, or a kernel driver package is installed or uninstalled,
    or a change is made to one of the kernel device driver tables (e.g.,
    forcing a particular speed on a scsi bus), or a change is made to
    one of the fundamental system tunables that affect kernel table
    memory allocation."

    In SGI IRIX, the compiler -could- be removed, but you'd have to put it
    back before installing most any of the security upgrades. SGI IRIX
    is not open source, but the fundamental parts of it are provided as
    object files that are linked together to form the kernel. There are
    also important configuration tables in SGI IRIX; see below:



    Extracting from SGI IRIX /var/sysgen/master/* :


    * Any object which is to be included in a kernel by the self
    * configuration boot program must have a corresponding master file which
    * contains configuration specifications. The master file name is the
    * basename of the object it describes.
    *

    * There are three sections in a master file: a tabulated ordering of
    * flags, phrases and values interpreted by the configuration program and
    * used to build device tables and the like, a list of stub routines, and
    * a section of (mostly) C code. The first non-blank, non-comment line
    * is interpreted for flags, phrases and values. Any other (non-comment)
    * lines, up to a line that begins with a dollar sign ('$'), specify stubs.
    * All phrases uttered after the line beginning with a dollar sign is
    * processed to interpret special characters, then compiled (by the C
    * compiler) into the kernel.

  6. Re: HPUX kernel compile???


    Andrew wrote:
    > Neil Jones wrote:
    > > Hello,
    > >
    > > I have been assigned to perform a security review for a HPUX system
    > > which is in production. One thing I have noticed is that the system has
    > > a C compiler on the system. Since this is not a development system I
    > > suggested that it be removed. The sysadmin mentioned that it is
    > > required to perform kernel compilation, which caught me by surprise. I
    > > come from the Linux camp. (I do love all flavors of Unix). My
    > > understanding is that HPUX is a closed source operating system. Has HP
    > > opened its source code to open source (like Solaris)?

    >
    > No.
    >
    > > If not, then
    > > what type of kernel code is being compiled by the C compiler?

    >
    > Very little. HPUX does not "re-compile" a kernel in the same sense
    > you're used to in Linux. It compiles conf.c (containing driver and
    > tunable parameter information) and links existing libraries to create a
    > new kernel. Similar to SCO and other proprietary System V variants.
    > Patches may contain new libraries which are then linked into a new
    > kernel during the patch-installation/build process.
    >
    > See: http://docs.hp.com/en/1219/tuningwp.html
    >
    > > The
    > > sysadmin mentioned that it is a stripped-down compiler.

    >
    > He is correct.
    >
    > See: http://www.faqs.org/faqs/hp/hpux-faq/
    >
    > Subject: 6.2.1 Why is the default C compiler brain-dead?
    > Updated: 04/13/01
    >
    > The C compiler shipped with HP-UX is intended only to rebuild the kernel
    > with, not for program development. To get a "real" C compiler, you have
    > two options:
    >
    > o buy HP's ANSI C product
    > o use the GNU C Compiler (gcc), downloadable in binary form from the
    > Liverpool archive
    >
    > >
    > > Thank you in advance for any information.

    >
    > Out of curiosity, why do you believe that removing a C-compiler from a
    > UNIX system will make it more secure?
    >
    > andrew@lod.com


    I also have to wonder why removing the C compiler would be a help
    security-wise.

    HP does have a program that was called "Security Patch Check" (don't
    remember the product number) that can be used to hit HP, download a
    catalog, and compare patches on your system against those HP says are
    required for the "most secure" system. Later versions also make other
    recommendations, for example, upgrade Java 2 RTE to version your version>
    and things of that nature. The product is free, and you
    may get a bit more out of this method than ripping out things like the
    C compiler.

    If you're that interested, doesn't HP-UX still include an easy setup for
    C2 security?

    Charles R. Whealton
    Charles Whealton @ pleasedontspam.com


  7. Re: HPUX kernel compile???

    In article <1153703574.099535.266800@h48g2000cwc.googlegroups.com>,
    Chuck Whealton wrote:

    >Andrew wrote:


    >> Out of curiosity, why do you believe that removing a C-compiler from a
    >> UNIX system will make it more secure?


    >I also have to wonder why removing the C compiler would be a help
    >security-wise.


    Well, it does make it more secure against rootkits that build their
    exploits from C source, as has happened in the past on some Unix systems.
    But of course it doesn't make the system any more secure against
    rootkits that bother to check the OS version and copy in a prebuilt
    binary.


    There is a narrow range in which the difference makes a difference.
    Imagine a server that had a stack vulnerability in its web server
    that could be usefully exploited to load in a relatively small file
    but not a big file. Further imagine that the network firewall doesn't
    permit outbound traffic to be initiated to useful places from which
    to copy in additional files. In that combination of circumstances,
    a C source exploit might be feasible where bringing in a binary
    might not be.

    (Caution: wet straw may spontaneously combust.)
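    An added example that is not part of the thread: since the thread agrees the compiler is needed for kernel rebuilds, a middle ground for the reviewer is to keep the toolchain but close world-execute on it. The compiler names and the directory parameter are assumptions so the script runs offline against any directory.

```shell
#!/bin/sh
# Added example (not from the thread): instead of deleting a compiler that
# the kernel build needs, report and restrict who can execute it.
# COMPILER_NAMES is an assumption: typical Unix/HP-UX toolchain file names.
COMPILER_NAMES="cc c89 aCC gcc ld as"

# Print each toolchain file in DIR that is executable by "other" (o+x).
# Prints nothing once the exposure is closed. Always returns 0 so it is
# safe to call under set -e.
world_exec_compilers() {
    dir=$1
    for name in $COMPILER_NAMES; do
        f="$dir/$name"
        # -perm -o+x: the other-execute bit is set (POSIX symbolic mode)
        if [ -f "$f" ]; then
            find "$f" -perm -o+x -print 2>/dev/null
        fi
    done
    return 0
}

# Restrict every world-executable toolchain file in DIR to owner and group
# (mode 0750), so root or a build group can still rebuild the kernel.
# Returns 1 if anything is still world-executable afterwards.
restrict_compilers() {
    dir=$1
    world_exec_compilers "$dir" | while IFS= read -r f; do
        chmod 0750 "$f"
    done
    [ -z "$(world_exec_compilers "$dir")" ]
}
```

    Run `world_exec_compilers /usr/ccs/bin` (or wherever the site keeps its toolchain) first to see the report before changing any modes.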


  8. Re: HPUX kernel compile???

    Neil Jones writes:

    >I have been assigned to perform a security review for a HPUX system
    >which is in production. One thing I have noticed is that the system has
    >a C compiler on the system. Since this is not a development system I
    >suggested that it be removed. The sysadmin mentioned that it is
    >required to perform kernel compilation, which caught me by surprise. I
    >come from the Linux camp. (I do love all flavors of Unix). My
    >understanding is that HPUX is a closed source operating system. Has HP
    >opened its source code to open source (like Solaris)? If not, then
    >what type of kernel code is being compiled by the C compiler? The
    >sysadmin mentioned that it is a stripped-down compiler.



    Traditional Unix systems were configured by defining the size of
    certain tables in C code and then compiling and linking them.

    Only a small part of the actual code was shipped with the OS; the
    rest was shipped in binary form.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.

  9. Re: HPUX kernel compile???

    In comp.security.misc Neil Jones wrote:
    > I have been assigned to perform a security review for a HPUX system
    > which is in production. One thing I have noticed is that the system has
    > a C compiler on the system. Since this is not a development system I
    > suggested that it be removed.


    Why?

    > The sysadmin mentioned that it is
    > required to perform kernel compilation, which caught me by surprise. I
    > come from the Linux camp. (I do love all flavors of Unix). My
    > understanding is that HPUX is a closed source operating system. Has HP
    > opened its source code to open source (like Solaris)?


    No. But kernel compiling is still used.

    > If not, then
    > what type of kernel code is being compiled by the C compiler?


    Modules.

    > The
    > sysadmin mentioned that it is a stripped-down compiler.


    Usually, it's just an ANSI compiler.

    Yours,
    VB.
    --
    I'd estimate that about 87% of all spontaneous estimates are complete
    rubbish.

    Ralph Angenendt in debate@ccc.de

  10. Re: HPUX kernel compile???

    In comp.security.misc John Burns wrote:
    > It's a basic K&R C compiler and it is indeed needed to build a kernel.


    Oops? I think, the newer HP-UX versions have the aCC with them:

    http://devrsrc1.external.hp.com/STK/impacts/i480.html

    Yours,
    VB.
    --
    I'd estimate that about 87% of all spontaneous estimates are complete
    rubbish.

    Ralph Angenendt in debate@ccc.de
