hardened toolchain options via "hardening-wrapper"

Kees Cook kees at ubuntu.com
Thu Jan 24 12:24:54 GMT 2008


While the DistCompilerFlags[1][2] spec matures, we need a way to test
security hardening compiler options (in the hopes of implementing it
distro-wide for Hardy+1).  The "hardening-wrapper" package installs
wrappers for ld and gcc/g++ (4.1, 4.2, 4.3 -- 3.x is not included since
it seems that it won't be in the archive for Hardy+1, though these can be
added if someone needs it).  These options enable several features[3]
that make the resulting binaries more resistant to memory corruption
vulnerability exploitation (making targets in the binary harder to find,
reducing the number of targets, catching overflows before they happen,
and warning about unsafe *printf usage during compile).

To perform package builds with the options enabled, a developer needs
to do two things:
- install hardening-wrapper (surprise!)
- set the environment variable DEB_BUILD_HARDENING=1

The hardening features can be individually disabled[3] if there are
complications during a build.  The most likely build failures will
be related to DEB_BUILD_HARDENING_PIE which has the largest impact on
the built objects.  Some more complex packages (e.g. openoffice.org)
are known not to work with this wrapper's implementation of the PIE
compiler options.  When build failures are found that are specific to
enabling the hardening features, please open a bug against the failed
package with this information and:
- attach the build log when built with DEB_BUILD_HARDENING_DEBUG=1 enabled
- tag the bug as "hardening-ftbfs"
- discuss any tested work-arounds (does it compile with certain options
  disabled?)

When performing compiles, also please keep an eye out for this kind
of warning:
foo.c: In function 'bar':
foo.c:16: warning: format not a string literal and no format arguments

This indicates a (possibly) unsafe use of a *printf function (i.e.
printf(strvar) when printf("%s",str) should be used), and should be
investigated to make sure the package is not vulnerable to a format
string attack.  Please open bugs for these as well, and tag them
"format-security".

(This email's information is also repeated in the wiki[4] so that the
instructions can evolve.)

-Kees

[1] https://wiki.ubuntu.com/DistCompilerFlags
[2] http://lists.debian.org/debian-devel/2007/12/msg00090.html
[3] http://wiki.debian.org/Hardening
[4] https://wiki.ubuntu.com/Security/HardeningWrapper

-- 
Kees Cook
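The printf(strvar) pattern the warning above points at, as an added C example that is not part of the original message and not code from hardening-wrapper or any Ubuntu package. The render() wrapper, the function names and the sample input are assumptions made for illustration. It places the unsafe call beside the fixed "%s" form and adds a small check for the rare case where a format string really has to come from outside the program.

```c
/* Added example (not from the original email): the unsafe vs. safe *printf
 * pattern behind "format not a string literal and no format arguments". */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper of the kind many packages carry: the caller's
 * string is forwarded to vsnprintf as the format. Because the format passes
 * through a va_list, gcc cannot see a problem inside this function. Annotating
 * it with __attribute__((format(printf, 3, 4))) makes gcc -Wformat-security
 * report the warning quoted in the email at every call site that passes a
 * non-literal format with no arguments, which is exactly render_unsafe(). */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable: user-controlled text is used as the format string. Any
 * conversion directive in it ("%x", "%s", "%n") is interpreted by vsnprintf,
 * which reads (or, with %n, writes) memory the caller never supplied.
 * This is the printf(strvar) shape from the email. */
int render_unsafe(char *out, size_t n, const char *user)
{
    return render(out, n, user);
}

/* Fixed: a literal format, with the user text passed as the %s argument.
 * Directives inside the user text are copied as ordinary characters. */
int render_safe(char *out, size_t n, const char *user)
{
    return render(out, n, "%s", user);
}

/* Defensive check for the rare case where a format must come from outside the
 * program (e.g. a config file): reject any conversion directive and allow
 * only the literal "%%". Returns true if the string needs review. */
bool contains_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent sign, harmless */
            p++;
            continue;
        }
        return true;            /* '%' followed by a conversion or flag */
    }
    return false;
}

int main(void)
{
    /* Constructed sample input standing in for attacker-controlled data. */
    const char user[] = "id=%x";
    char buf[64];

    render_safe(buf, sizeof buf, user);
    printf("safe  : %s\n", buf);   /* echoes "id=%x" unchanged */

    render_unsafe(buf, sizeof buf, user);
    printf("unsafe: %s\n", buf);   /* "%x" is consumed: leaks a register/stack value */

    printf("needs review: %d\n", contains_conversion(user));   /* 1 */
    return 0;
}
```

Compiling with the hardened flags described above (or directly with gcc -Wall -Wformat -Wformat-security) only flags call sites the compiler can recognise as printf-like, so un-annotated wrappers such as render() hide the defect from the warning; adding the format attribute to every such wrapper is the first thing to do when triaging a "format-security" bug, since it turns the rest of the audit into reading compiler output.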


