Switch on compiler hardening defaults
I would like to propose enabling the GCC hardening patches that Ubuntu
uses. Ubuntu has used it successfully for 1.5 years now (3 releases),
and many of the issues have already been fixed in packages that needed
adjustment. After all this time, use of the hardening-wrapper
package is still very low, so I think the right thing to do is to just fix
this in the compiler and everyone wins. I'm not suggesting that there
won't be added work to fix problems, but I believe that for Debian the
benefits now outweigh the risks.
I do not expect to reach consensus with all developers on this, so I'm
not sure who I need to convince to move it forward. (Perhaps just the
GCC maintainers?) Regardless, if you agree with this, please speak up.
I think it's very important that this change happens.
My candid commentary and possible trolling...
- users of Debian become safer (real security vulnerabilities are
  either non-issues or reduced to a DoS).
- security team has less work to do.
- software quality improves by finding subtle bugs (and not just
  packaged software -- anything compiled with the Debian gcc).
- makes the compiler's behavior different than stock compiler.
  Rebuttal: honestly, I don't care -- it seems like such a
            huge win for safety and is easy to debug. Debian
            already carries plenty of patches anyway -- there
            is no such thing as the "stock compiler".
- makes more work for dealing with warnings.
  Rebuttal: those warnings are there for a reason -- they can
            be real security issues, and should be fixed.
- lacks documentation.
  Rebuttal: that may have been true a while ago, but I've worked
            hard to document the features and how to handle
            problems. See . Even the gcc man pages are patched.
- makes running Debian slower.
  Rebuttal: no, nothing supports this. The bulk of _FORTIFY_SOURCE
            is compile-time. Run-time checks, including those from
            -fstack-protector are just not measurable. The burden of
            evidence for anyone claiming this is on them. I'm not
            suggesting we turn on PIE; that option can be a problem.
Inflammatory observation: Debian may be the single remaining major Linux
distribution that does not use the stack protector and _FORTIFY_SOURCE
when building its packages. I find this embarrassing. Check for
(Note that the gcc hardening does NOT turn on PIE, which has
measurable performance problems on some architectures.)
Sampling of bugs I've personally filed:
Many vulnerabilities have been blocked in Ubuntu, but I will give one
good example of a remote root vulnerability with functional exploits
in the wild that was a non-issue on versions of Ubuntu with the
hardened compiler defaults:
Are there _chk functions in common binaries?
$ objdump -R /bin/df | grep _chk
0000000000612048 R_X86_64_JUMP_SLOT __fprintf_chk
0000000000612068 R_X86_64_JUMP_SLOT __printf_chk
00000000006120c0 R_X86_64_JUMP_SLOT __memcpy_chk
00000000006121c0 R_X86_64_JUMP_SLOT __stack_chk_fail
0000000000612220 R_X86_64_JUMP_SLOT __sprintf_chk
0000000000612230 R_X86_64_JUMP_SLOT __snprintf_chk
Kees Cook @debian.org
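The objdump check above can be turned into a small script that reports both hardening markers the post is talking about: __stack_chk_fail (pulled in by -fstack-protector) and the __*_chk family (pulled in by -D_FORTIFY_SOURCE=2). The script below is an added example and is not part of Kees Cook's post or of the Debian/Ubuntu gcc patches. It assumes a POSIX shell with tr, sed, sort and grep; it uses objdump -R exactly as in the post when binutils is installed, and otherwise falls back to scanning the file's printable strings (an approximation: it finds the names in .dynstr/.symtab but cannot tell a relocation from a stray string). The function and output names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the glibc hardening
# markers that -fstack-protector and -D_FORTIFY_SOURCE=2 leave in a binary.

# list_symbols FILE
#   Print candidate symbol names, one per line. Prefer `objdump -R`
#   (dynamic relocations, the same check as in the post). If objdump is
#   missing or cannot parse FILE, fall back to splitting the file into
#   identifier-like strings, which still surfaces .dynstr/.symtab names.
list_symbols() {
    f=$1
    if command -v objdump >/dev/null 2>&1 && objdump -R "$f" >/dev/null 2>&1; then
        # third column of "OFFSET TYPE VALUE"; strip any @GLIBC_x.y suffix
        objdump -R "$f" | awk 'NF >= 3 { print $3 }' | sed 's/@.*//'
    else
        tr -c '[:alnum:]_' '\n' < "$f"
    fi
}

# hardening_markers FILE
#   Print two lines:
#     stack-protector: yes|no
#     fortify-source: yes|no (N _chk symbols)
#   A binary that never spills a local array onto the stack gets no
#   canary and no __stack_chk_fail import, so "no" here is not proof
#   that the compiler flag was absent; "yes" is proof it was present.
hardening_markers() {
    syms=$(list_symbols "$1" | sort -u)
    if printf '%s\n' "$syms" | grep -qx '__stack_chk_fail'; then
        sp=yes
    else
        sp=no
    fi
    # __memcpy_chk, __printf_chk, ... (__stack_chk_fail ends in _fail, so
    # it does not match this pattern)
    nchk=$(printf '%s\n' "$syms" | grep -c '^__[a-z0-9_]*_chk$' || true)
    if [ "$nchk" -gt 0 ]; then
        fs=yes
    else
        fs=no
    fi
    printf 'stack-protector: %s\nfortify-source: %s (%s _chk symbols)\n' \
        "$sp" "$fs" "$nchk"
}

# Usage: sh hardening_markers.sh /bin/df
if [ "$#" -gt 0 ]; then
    hardening_markers "$1"
fi
```

Run it over /bin, /usr/bin and /usr/sbin to get the same kind of sampling the post does with /bin/df; binaries that report "no" for both are the ones worth rebuilding with the hardened defaults first.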