
Re: Enabling hardened build flags for Wheezy



On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> Kees Cook <kees@debian.org> writes:
> 
> > Speaking to the false positives problem, I've discussed with some people
> > the idea of having build flags be included in some sort of ELF
> > comment-like area that can be examined. That way it becomes trivial to
> > answer "how was this built?" and all these crappy heuristic checks that
> > get thrown away. In the meantime, I'll continue to work on the crappy
> > heuristic checks. ;)
> 
> That sounds complicated, since there are separate compiler flags for every
> object (which may not match) and then the linker flags used to assemble
> the final executable or shared object.  Does ELF give you object-specific
> comment areas?

You can have a comment section generated for each object (as a matter
of fact, gcc does that already to put its version), and the linker
aggregates them in a single section.

I'm not a big fan of cluttering ELF binaries for a relatively small
benefit. Except maybe if that's moved with the debug info in
/usr/lib/debug.

Mike
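
What the aggregated `.comment` section holds can be read back with a few lines of Python. This is an added example, not part of the original message: it parses the section out of a constructed minimal ELF64 image, and the version strings and the `build_sample` helper are made up for illustration.

```python
import struct

def elf_comments(data: bytes) -> list[str]:
    """Return the NUL-separated strings stored in an ELF image's .comment section."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian, 2 = big endian
    ehdr = struct.unpack_from(
        end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH"), data)
    shoff, shentsize, shnum, shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    shfmt = end + ("IIQQQQIIQQ" if is64 else "10I")
    sections = [struct.unpack_from(shfmt, data, shoff + i * shentsize)
                for i in range(shnum)]
    if shstrndx >= len(sections):
        return []                            # no section-name string table
    stroff = sections[shstrndx][4]           # sh_offset of .shstrtab
    for sh in sections:
        start = stroff + sh[0]               # sh_name is an offset into .shstrtab
        name = data[start:data.index(b"\0", start)]
        if name == b".comment":
            body = data[sh[4]:sh[4] + sh[5]]  # sh_offset, sh_size
            return [s.decode("ascii", "replace") for s in body.split(b"\0") if s]
    return []

def build_sample() -> bytes:
    """Constructed ELF64 image with only NULL, .comment and .shstrtab sections.

    The two strings stand in for objects built by two different compilers.
    """
    comment = b"GCC: (constructed) 1.0\0GCC: (constructed) 2.0\0"
    strtab = b"\0.comment\0.shstrtab\0"
    c_off = 64                               # right after the 64-byte ELF header
    s_off = c_off + len(comment)
    shoff = s_off + len(strtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 1, 62, 1, 0, 0, shoff,
                       0, 64, 0, 0, 64, 3, 2)

    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    return (ehdr + comment + strtab + shdr(0, 0, 0, 0)
            + shdr(1, 1, c_off, len(comment)) + shdr(10, 3, s_off, len(strtab)))

if __name__ == "__main__":
    for line in elf_comments(build_sample()):
        print(line)
```

On a real binary, `readelf -p .comment <file>` prints the same strings.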

