Re: Introducing security hardening features for Lenny
Pierre Habouzit wrote:
>> Fortify Source
>> This feature adds validation for internal C functions such as strcpy
>> for buffer sizes known at compile time. While vulnerabilities in
>> the functions it protects have become uncommon in high-profile apps,
>> it will be useful for fringe packages we have in the archive.
>> This feature has been present in glibc since version 2.5 and is enabled
>> through the use of "-D_FORTIFY_SOURCE=2" and "-O2" or higher.
> Well, -D_FORTIFY_SOURCE=2 is a severe performance loss in many
> applications, and I wouldn't recommend activating it by default. =1 does
> not have that drawback, but is less useful security-wise (though it
> catches many programmatic issues, and a full archive rebuild with
> -D_FORTIFY_SOURCE=1 would be worthwhile independently of this).
There are certainly performance trade-offs involved, and the final
selection of features will depend on testing by the respective
maintainers (testing should be eased by hardening-wrapper).
hardening-wrapper makes it simple to enable or disable individual
features; if anyone wants to run specific benchmarks on the overhead,
please post them to the Wiki.
We're mostly trying to bootstrap a discussion here; the details of
how to put this into effect archive-wide will depend heavily on the
toolchain configuration proposal by Matthias Klose. Maybe "classes"
of security sensitivity of applications can be defined, each specifying
a set of selected options.
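As an added illustration of the mechanism the quoted paragraph describes (example code written for this page, not glibc's, GCC's or Debian's own), here is a small C model of what -D_FORTIFY_SOURCE=2 turns a strcpy() call into, and of the one caveat a packager should keep in mind: the check is only live where the destination size is a compile-time constant. The names checked_strcpy, FORTIFIED_STRCPY, copy_into_local, copy_via_pointer, copy_via_pointer_demo, object_size_of_local_array, SIZE_UNKNOWN and the copy_result codes are invented for the example; __builtin_object_size and __strcpy_chk are the real GCC and glibc names the model stands in for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not glibc code. Under -D_FORTIFY_SOURCE=2 (with
 * optimisation on, so the object-size analysis runs) glibc's headers
 * replace
 *     strcpy(dst, src)
 * with
 *     __strcpy_chk(dst, src, __builtin_object_size(dst, 1))
 * and __strcpy_chk aborts with "*** buffer overflow detected ***" when
 * src does not fit. The model below keeps that logic but returns a code
 * instead of aborting, so both outcomes can be observed in one run. */

#define SIZE_UNKNOWN ((size_t)-1)   /* __builtin_object_size's answer when it cannot tell */

enum copy_result {
    COPY_OK = 0,         /* size known, src fits */
    COPY_OVERFLOW = -1,  /* size known, src too long: glibc would call __chk_fail() */
    COPY_UNCHECKED = 1   /* size unknown: copy performed with no check at all */
};

/* Model of __strcpy_chk(dst, src, dst_size) (hypothetical reimplementation). */
static enum copy_result checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;              /* bytes including the NUL */
    if (dst_size == SIZE_UNKNOWN) {
        memcpy(dst, src, need);                 /* exactly what plain strcpy does */
        return COPY_UNCHECKED;
    }
    if (need > dst_size)
        return COPY_OVERFLOW;                   /* nothing is written */
    memcpy(dst, src, need);
    return COPY_OK;
}

/* What the fortified strcpy expands to. Type 1 ("size of the enclosing
 * subobject") is what =2 uses; =1 uses type 0, the whole allocation. */
#define FORTIFIED_STRCPY(dst, src) \
    checked_strcpy((dst), __builtin_object_size((dst), 1), (src))

/* Destination is a local array: its size is a compile-time constant,
 * so the check is live. */
enum copy_result copy_into_local(const char *src)
{
    char buf[8];
    enum copy_result r = FORTIFIED_STRCPY(buf, src);
    if (r == COPY_OK)
        printf("copied \"%s\" into a %zu-byte buffer\n", buf, sizeof buf);
    else
        printf("refused \"%s\": %zu bytes do not fit in %zu\n",
               src, strlen(src) + 1, sizeof buf);
    return r;
}

/* Destination arrives through a pointer: the compiler cannot see its
 * size, __builtin_object_size yields SIZE_UNKNOWN and the "check"
 * degrades to a plain copy. noinline keeps the optimiser from inlining
 * this into a caller where the array size would become visible. */
__attribute__((noinline))
enum copy_result copy_via_pointer(char *dst, const char *src)
{
    return FORTIFIED_STRCPY(dst, src);
}

/* Exposes the compile-time answer for the local-array case directly. */
size_t object_size_of_local_array(void)
{
    char buf[8];
    return __builtin_object_size(buf, 1);
}

/* Drives copy_via_pointer with a buffer that is large enough, so the
 * unchecked path stays memory-safe in this example. */
enum copy_result copy_via_pointer_demo(void)
{
    char out[32];
    return copy_via_pointer(out, "hello");
}

int main(void)
{
    copy_into_local("hello");
    copy_into_local("this string is too long");
    printf("via pointer: result %d (no check possible)\n",
           (int)copy_via_pointer_demo());
    return 0;
}
```

Building a real program with `gcc -O2 -D_FORTIFY_SOURCE=2` makes glibc do the equivalent substitution for strcpy, memcpy, sprintf and friends; the copy_via_pointer case is why a package whose buffers are mostly passed around by pointer gains little from the option while still paying the runtime cost Pierre refers to, and why the per-package benchmarks asked for above are worth doing.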