Re: Switch on compiler hardening defaults

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: debian-devel@lists.debian.org, debian-gcc@lists.debian.org
Subject: Re: Switch on compiler hardening defaults
From: Kees Cook <kees@debian.org>
Date: Sun, 20 Dec 2009 18:30:37 -0800
Message-id: <[🔎] 20091221023037.GR5396@outflux.net>
In-reply-to: <slrnhgoh2h.2es.jmm@inutil.org>
References: <20091025185525.GI6711@outflux.net> <4AEDD920.2060604@debian.org> <20091105044004.GL26691@outflux.net> <slrnhgoh2h.2es.jmm@inutil.org>

Hi,

On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook <kees@debian.org> wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modified to respect external environments.  Also, I think
> > having the compiler itself be hardened is the bigger win.
> 
> If doko feels uncomfortable with appyling the patches, we should use
> the dpkg-buildpackage way (which I'm technically fine with). It also
> has the nice side effect that we get a central place where we can
> opt out architecture which don't implement a specific hardening feature.
> It also allows maintainers to specifically opt out in cases where they
> feel the overhead to be inacceptably high. (e.g., a number-crunching
> math application).

Right.  So, the main problem is that I haven't seen a way to interact
between dpkg-buildpackage and the rules file itself for cases where
a maintainer wants to specifically disable a portion of the hardening
(like PIE) without potentially interfering with the package's upstream
configured flags.  Instead, I've now implemented[1] a new binary package
"hardening-includes" which provides a Makefile include[2] that can be used
to get the (potentially arch-specific) hardening flags.

As an example, I have a debdiff against openssh to use it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887

With the new package, the arch-specific logic for hardening defaults
is in one place, and a maintainer can selectively disable anything they
don't want on by default.

> > Out of curiosity, where can I and others find the documentation for the
> > dpkg-buildpackage environment framework?  We should immediately add the
> > hardening options to it now for the packages that it will work on.
> 
> See dpkg-buildpackage(1) in the section "ENVIRONMENT VARIABLES"

Yeah, maybe I'm dense, but I didn't see a good way to selectively disable
portions of the flags.  It seems like it's better suited to things like
-O2, etc (which it's doing already).

> What flags do you intend to enable?  -Wformat, -Wformat-security, 
> -D_FORTIFY_SOURCE=2 and -fstack-protector ?

Also -fPIE/-fPIE -pie, -Wl,-z,relro, -Wl,-z,now

I've also started work on a very simple hardening characteristic
checker[3] that just looks for everything and reports back.  This can
be used to validate a built binary, etc.

> Could you file a bug against dpkg-dev?

If this approach works, perhaps debhelper could do the include
automatically in a full dh 7 style rules file?

-Kees

[1] http://packages.qa.debian.org/h/hardening-wrapper/news/20091220T121706Z.html
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening.make
[3] http://svn.debian.org/wsvn/hardening/hardening-wrapper/hardening-check

-- 
Kees Cook                                            @debian.org

Reply to:

Follow-Ups:
- Re: Switch on compiler hardening defaults
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: Re: Bits from the kernel team
Next by Date: Bug#561893: ITP: libsub-exporter-formethods-perl -- Sub::Exporter extension for handling methods
Previous by thread: Bug#561876: ITP: php-archive-tar -- Tar file management class
Next by thread: Re: Switch on compiler hardening defaults
Index(es):
- Date
- Thread