Re: Switch on compiler hardening defaults
Hi,
On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook <kees@debian.org> wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modified to respect external environments. Also, I think
> > having the compiler itself be hardened is the bigger win.
>
> If doko feels uncomfortable with applying the patches, we should use
> the dpkg-buildpackage way (which I'm technically fine with). It also
> has the nice side effect that we get a central place where we can
> opt out architectures which don't implement a specific hardening feature.
> It also allows maintainers to specifically opt out in cases where they
> feel the overhead to be unacceptably high. (e.g., a number-crunching
> math application).
Right. So, the main problem is that I haven't seen a way to interact
between dpkg-buildpackage and the rules file itself for cases where
a maintainer wants to specifically disable a portion of the hardening
(like PIE) without potentially interfering with the package's upstream
configured flags. Instead, I've now implemented[1] a new binary package
"hardening-includes" which provides a Makefile include[2] that can be used
to get the (potentially arch-specific) hardening flags.
As an example, I have a debdiff against openssh to use it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
With the new package, the arch-specific logic for hardening defaults
is in one place, and a maintainer can selectively disable anything they
don't want on by default.
> > Out of curiosity, where can I and others find the documentation for the
> > dpkg-buildpackage environment framework? We should immediately add the
> > hardening options to it now for the packages that it will work on.
>
> See dpkg-buildpackage(1) in the section "ENVIRONMENT VARIABLES"
Yeah, maybe I'm dense, but I didn't see a good way to selectively disable
portions of the flags. It seems like it's better suited to things like
-O2, etc (which it's doing already).
> What flags do you intend to enable? -Wformat, -Wformat-security,
> -D_FORTIFY_SOURCE=2 and -fstack-protector ?
Also -fPIE/-fPIE -pie, -Wl,-z,relro, -Wl,-z,now
I've also started work on a very simple hardening characteristic
checker[3] that just looks for everything and reports back. This can
be used to validate a built binary, etc.
> Could you file a bug against dpkg-dev?
If this approach works, perhaps debhelper could do the include
automatically in a full dh 7 style rules file?
-Kees
[1] http://packages.qa.debian.org/h/hardening-wrapper/news/20091220T121706Z.html
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening.make
[3] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening-check
--
Kees Cook @debian.org
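To make concrete what a "hardening characteristic checker" of the kind mentioned in the message above has to look at, here is an added example. It is not the hardening-check script linked from the thread and not part of the thread; it is a small POSIX shell script that inspects the text output of GNU readelf(1) for the properties under discussion (PIE, -z relro, -z now, -fstack-protector, -D_FORTIFY_SOURCE). The readelf output formats it matches on are the ones binutils prints; the readelf excerpts embedded at the bottom are constructed for illustration, not captured from any Debian package.

```shell
#!/bin/sh
# Added example: a small hardening checker in the spirit of the
# hardening-check script mentioned in the thread, but not that script. It
# reads the text output of GNU readelf(1) and reports, per binary, the
# properties the thread discusses: PIE, RELRO, BIND_NOW, -fstack-protector
# and -D_FORTIFY_SOURCE. Each check_* function takes readelf text as $1 and
# prints "yes" or "no", so the matching can be exercised on captured output.

# Does the text match the extended regex? (helper)
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# readelf -h: a PIE is linked as ELF type DYN. Caveat: a shared library is
# DYN too, so only apply this to executables (e.g. those with PT_INTERP).
check_pie() { has "$1" 'Type:[[:space:]]+DYN' && echo yes || echo no; }

# readelf -lW: -Wl,-z,relro produces a GNU_RELRO program header.
check_relro() { has "$1" 'GNU_RELRO' && echo yes || echo no; }

# readelf -dW: -Wl,-z,now sets BIND_NOW in DT_FLAGS (or emits a DT_BIND_NOW
# tag) and NOW in DT_FLAGS_1. Full RELRO needs both this and GNU_RELRO.
check_bindnow() { has "$1" 'BIND_NOW|\(FLAGS_1\).*NOW' && echo yes || echo no; }

# readelf -sW: -fstack-protector leaves a reference to __stack_chk_fail,
# but only if at least one function actually received a canary.
check_stackprot() { has "$1" '__stack_chk_fail' && echo yes || echo no; }

# readelf -sW: -D_FORTIFY_SOURCE=2 turns calls such as memcpy/printf into
# __memcpy_chk/__printf_chk, but only where the buffer size is known at
# compile time; a binary that never calls a fortifiable function will
# legitimately show "no" here. The stack-protector symbols also contain
# "_chk" in their names, so they are filtered out first.
check_fortify() {
    printf '%s\n' "$1" | grep -v '__stack_chk' \
        | grep -Eq '__[A-Za-z0-9_]+_chk([^A-Za-z0-9_]|$)' && echo yes || echo no
}

# Run all checks against a real binary (requires binutils' readelf).
hardening_report() {
    bin=$1
    hdr=$(readelf -h "$bin") || return 1
    phdr=$(readelf -lW "$bin")
    dyn=$(readelf -dW "$bin")
    syms=$(readelf -sW "$bin")
    printf '%s:\n' "$bin"
    printf '  Position Independent Executable: %s\n' "$(check_pie "$hdr")"
    printf '  Read-only relocations (RELRO):   %s\n' "$(check_relro "$phdr")"
    printf '  Immediate binding (BIND_NOW):    %s\n' "$(check_bindnow "$dyn")"
    printf '  Stack protector:                 %s\n' "$(check_stackprot "$syms")"
    printf '  Fortify Source functions:        %s\n' "$(check_fortify "$syms")"
}

# Constructed readelf excerpts (not captured from a real package) so the
# matching logic can be exercised without a binary at hand.
HARDENED_HDR='  Type:                              DYN (Shared object file)'
HARDENED_PHDR='  GNU_RELRO      0x002dd8 0x0000000000003dd8 0x0000000000003dd8 0x000228 0x000228 R   0x1'
HARDENED_DYN=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
HARDENED_SYMS='     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)'
PLAIN_HDR='  Type:                              EXEC (Executable file)'
PLAIN_PHDR='  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000b38 0x000b38 R E 0x1000'
PLAIN_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
PLAIN_SYMS='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)'

# Usage: sh hardening-check.sh /usr/sbin/sshd /usr/bin/ssh
for bin in "$@"; do hardening_report "$bin"; done
```

Two of these checks can only ever say "no evidence": a binary with no fortifiable call sites will not reference any __*_chk function, and a binary whose functions all lacked a character array will not reference __stack_chk_fail, even when both flags were passed. A negative result from such a checker is therefore a prompt to look at the build log, not proof that the flag was dropped; the positive results (GNU_RELRO, BIND_NOW, type DYN for an executable) are reliable.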