
Re: Switch on compiler hardening defaults


On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook <kees@debian.org> wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modified to respect external environments.  Also, I think
> > having the compiler itself be hardened is the bigger win.
> If doko feels uncomfortable with applying the patches, we should use
> the dpkg-buildpackage way (which I'm technically fine with). It also
> has the nice side effect that we get a central place where we can
> opt out architectures which don't implement a specific hardening feature.
> It also allows maintainers to specifically opt out in cases where they
> feel the overhead to be unacceptably high (e.g., a number-crunching
> math application).

Right.  So, the main problem is that I haven't seen a way to interact
between dpkg-buildpackage and the rules file itself for cases where
a maintainer wants to specifically disable a portion of the hardening
(like PIE) without potentially interfering with the package's upstream
configured flags.  Instead, I've now implemented[1] a new binary package
"hardening-includes" which provides a Makefile include[2] that can be used
to get the (potentially arch-specific) hardening flags.

As an example, I have a debdiff against openssh to use it:

With the new package, the arch-specific logic for hardening defaults
is in one place, and a maintainer can selectively disable anything they
don't want on by default.

> > Out of curiosity, where can I and others find the documentation for the
> > dpkg-buildpackage environment framework?  We should immediately add the
> > hardening options to it now for the packages that it will work on.
> See dpkg-buildpackage(1) in the section "ENVIRONMENT VARIABLES"

Yeah, maybe I'm dense, but I didn't see a good way to selectively disable
portions of the flags.  It seems like it's better suited to things like
-O2, etc (which it's doing already).

> What flags do you intend to enable?  -Wformat, -Wformat-security, 
> -D_FORTIFY_SOURCE=2 and -fstack-protector ?

Also -fPIE/-fPIE -pie, -Wl,-z,relro, -Wl,-z,now

I've also started work on a very simple hardening characteristic
checker[3] that just looks for everything and reports back.  This can
be used to validate a built binary, etc.

> Could you file a bug against dpkg-dev?

If this approach works, perhaps debhelper could do the include
automatically in a full dh 7 style rules file?


[1] http://packages.qa.debian.org/h/hardening-wrapper/news/20091220T121706Z.html
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening.make
[3] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening-check

Kees Cook                                            @debian.org
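The "hardening characteristic checker" mentioned in the message above validates a built binary for the flags under discussion (PIE, RELRO, BIND_NOW, stack protector, FORTIFY_SOURCE). The following is an added illustration written for this page, not the linked hardening-check script from the hardening-wrapper repository: it reads the ELF64 header, program headers and dynamic section directly with Python's struct module instead of shelling out to a tool. The symbol-based checks (stack protector and fortify) are a heuristic assumption of this example, a byte-string search for well-known glibc symbol names, and the fortify list is a small constructed subset; `build_sample_elf` produces a constructed, non-loadable image used only as offline test input.

```python
"""Minimal ELF64 hardening-characteristic checker (added example)."""
import struct
from dataclasses import dataclass, fields

# ELF constants from the ELF specification and glibc's elf.h
ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_DYNAMIC, PT_GNU_RELRO = 0, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# Heuristic (assumption of this example): presence of these glibc symbol names
# suggests -fstack-protector / -D_FORTIFY_SOURCE=2 were in effect at build time.
STACK_PROTECTOR_SYMBOL = b"__stack_chk_fail"
FORTIFIED_SYMBOLS = (b"__printf_chk", b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk")


@dataclass
class HardeningReport:
    pie: bool              # -fPIE -pie: executable is ET_DYN
    relro: bool            # -Wl,-z,relro: PT_GNU_RELRO segment present
    bind_now: bool         # -Wl,-z,now: DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
    stack_protector: bool  # -fstack-protector: references __stack_chk_fail
    fortify: bool          # -D_FORTIFY_SOURCE=2: references *_chk variants


def check_elf64(data: bytes) -> HardeningReport:
    """Parse an ELF64 image (either endianness) and report hardening features."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected an ELF64 image")
    endian = "<" if data[5] == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]

    relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _fl, p_offset, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            endian + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Walk the dynamic section until DT_NULL looking for the BIND_NOW markers.
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(endian + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    return HardeningReport(
        pie=e_type == ET_DYN,
        relro=relro,
        bind_now=bind_now,
        stack_protector=STACK_PROTECTOR_SYMBOL in data,
        fortify=any(sym in data for sym in FORTIFIED_SYMBOLS),
    )


def missing(report: HardeningReport) -> list:
    """Names of the features found absent, in declaration order."""
    return [f.name for f in fields(report) if not getattr(report, f.name)]


def check_file(path: str) -> HardeningReport:
    with open(path, "rb") as fh:
        return check_elf64(fh.read())


def build_sample_elf(pie=True, relro=True, bind_now=True,
                     stack_protector=True, fortify=True) -> bytes:
    """Constructed, non-loadable ELF64 image with just enough structure for
    check_elf64: header, two program headers, a dynamic section and a tail
    carrying the symbol-name strings. Test input only."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # ELF header + two 56-byte program headers
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_relro = struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else PT_NULL,
                           4, 0, 0, 0, 0, 0, 1)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn), len(dyn), 8)
    tail = STACK_PROTECTOR_SYMBOL + b"\0" if stack_protector else b""
    tail += FORTIFIED_SYMBOLS[0] + b"\0" if fortify else b""
    return header + ph_relro + ph_dyn + dyn + tail


if __name__ == "__main__":
    import sys
    # Usage: python checker.py /path/to/binary   (falls back to the sample image)
    report = (check_file(sys.argv[1]) if len(sys.argv) > 1
              else check_elf64(build_sample_elf(pie=False)))
    for f in fields(report):
        print(f"{f.name:16} {'yes' if getattr(report, f.name) else 'NO'}")
```

Running it against a real binary shows which of the listed flags did not take effect, which is the "validate a built binary" use the message describes; a packaging check could fail the build when `missing()` returns anything the maintainer did not deliberately opt out of.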
