hardening: gcc/ld wrapper for compile-time options
kees at ubuntu.com
Thu Oct 11 23:34:41 BST 2007
While I don't expect this to get a lot of attention while we're
working towards release, I'd like to bring it up again as reference for
discussions during UDS.
Using "pentium-builder" as a base, I've written "override-builder",
which implements many of the compile-time hardening options that have
been discussed in the past.
I've started a brain-dump of some of this while talking to a few of
the folks on the Debian security team, so I'm hoping to get some kind
of consensus about this approach.
Since some logic is needed especially when dealing with the -pie options,
there is a good bit of argument scanning done. Beyond modifying the
gcc spec files (as Gentoo does), this appears to be the easiest
The only thing not yet implemented is the "-z now" linking option, which
I'd like to play with a little more. I am currently of the opinion that
its security protections may not exceed the slowness to spawn. I am
guessing that in the end, it will be disabled by default, but that we
can add to many daemon builds either "-z now" directly, or define an
environment variable to enable it.
All the other options seem best to enable by default:
-fstack-protector (disabled with -fno-stack-protector)
-Wformat -Wformat=security (disabled with -Wno-format)
-D_FORTIFY_SOURCE=2 (disabled with -D_FORTIFY_SOURCE=0)
-pie (-fPIE) (disabled with -nopie)
So far, I've tested builds of "hello" and "inkscape", attempting to find
either end of build complexity. I figure I will attempt a kernel and
OOo build next... *cross fingers*
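As an added illustration, not the override-builder code from the post (which is not reproduced here), the following minimal POSIX sh wrapper does the kind of argument scanning the post describes: it prepends the four default hardening options, drops each one when the build passes the matching opt-out, only adds -fPIE/-pie where a position-independent executable makes sense (not for -shared or relocatable links), and treats "-z now" as an opt-in through an assumed HARDENING_ZNOW environment variable, which is one of the two approaches the post floats. Assumptions not taken from the post: REAL_CC names the real compiler (default gcc), the wrapper sits ahead of gcc in PATH, and the format warning is spelled the way gcc accepts it (-Wformat-security). The -nopie opt-out is the post's own spelling and is stripped before the real compiler runs; -no-pie is gcc's.

```shell
#!/bin/sh
# Hypothetical gcc wrapper modelled on the behaviour described in the post.
# Assumptions (not from the post): REAL_CC names the real compiler
# (default: gcc), HARDENING_ZNOW=1 opts a build into "-z now", and the
# wrapper is installed ahead of the real gcc in PATH.

# Decide which hardening flags to prepend, given the original command line.
# Prints them on one line. Prepending means the build's own later flags
# still win whenever they conflict with a default.
hardening_flags() {
    want_sp=1 want_fmt=1 want_fortify=1 want_pie=1
    link=1       # a plain "gcc a.o -o a" links; -c/-S/-E do not
    no_pie=0     # shared objects and relocatable links must not get -pie
    for arg in "$@"; do
        case "$arg" in
            -fno-stack-protector)                  want_sp=0 ;;
            -Wno-format)                           want_fmt=0 ;;
            -D_FORTIFY_SOURCE=0|-U_FORTIFY_SOURCE) want_fortify=0 ;;
            # -nopie is the post's opt-out; -no-pie/-fno-pie are gcc's own
            -nopie|-no-pie|-fno-pie|-fno-PIE)      want_pie=0 ;;
            -c|-S|-E)                              link=0 ;;
            -shared|-r)                            no_pie=1 ;;
        esac
    done
    set --   # reuse the positional parameters to collect the output flags
    [ "$want_sp" -eq 1 ]      && set -- "$@" -fstack-protector
    [ "$want_fmt" -eq 1 ]     && set -- "$@" -Wformat -Wformat-security
    [ "$want_fortify" -eq 1 ] && set -- "$@" -D_FORTIFY_SOURCE=2
    if [ "$want_pie" -eq 1 ] && [ "$no_pie" -eq 0 ]; then
        set -- "$@" -fPIE                        # compile side: PIC for the executable
        [ "$link" -eq 1 ] && set -- "$@" -pie    # link side: produce a PIE
    fi
    if [ "$link" -eq 1 ] && [ "${HARDENING_ZNOW:-0}" = 1 ]; then
        set -- "$@" -Wl,-z,now   # opt-in: resolve every symbol at load time
    fi
    echo "$@"
}

# Entry point: with a command line, run the real compiler with the hardening
# flags in front of it. With no arguments, do nothing, so the file can be
# sourced just to reuse hardening_flags.
if [ $# -gt 0 ]; then
    flags=$(hardening_flags "$@")
    # Rotate the arguments once, dropping the wrapper-only -nopie so the
    # real gcc never sees an option it does not understand.
    for arg in "$@"; do
        shift
        [ "$arg" = -nopie ] || set -- "$@" "$arg"
    done
    exec "${REAL_CC:-gcc}" $flags "$@"
fi
```

Installed as, say, /usr/local/hardening/gcc with that directory first in PATH, a build's "gcc -c foo.c" becomes "gcc -fstack-protector -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fPIE -c foo.c", while "gcc -shared -o libx.so x.o" gets everything except the PIE options. Note that _FORTIFY_SOURCE only takes effect when the build also optimises (-O1 or higher), which the wrapper deliberately does not force.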