Re: Switch on compiler hardening defaults
On Thu, Dec 24, 2009 at 12:23:01PM +0100, Stefan Fritsch wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> >>>With the new package, the arch-specific logic for hardening defaults
> >>>is in one place, and a maintainer can selectively disable anything they
> >>>don't want on by default.
> >>This might be a good compromise to get network services hardened
> >>without changing the default build system. Is there a plan for which
> >That's certainly a viable plan. This is kind of the approach we took in
> >Ubuntu for the PIE feature. We also considered packages with a less than
> >stellar security history. The list of packages built with PIE in Ubuntu
> >is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
> >amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
> >ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
> >openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
> The problem with PIE is that it is not supported by Debian's gdb
> (#346409). That's why I disabled it again for apache2.
There is a maintained (by RedHat) patch for dealing with PIE. I already
maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
the gdb maintainer doesn't want it until it's in upstream. I, obviously,
think that's ridiculous. PIE works and is useful. Blocking its rollout
because gdb's support for it isn't upstream just furthers the catch-22.
> IIRC, there were also some apps (python?) that have performance
> problems with PIE. Therefore, PIE should not be switched on by
> default yet.
Yes, some programs show slow-down on i386 and other architectures with
limited registers. Those packages are exceptions, and should just
disable PIE in their build when they add hardening-includes:
Kees Cook @debian.org
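As an added example (not from this thread, and not code from the hardening-includes package), here is a Python check a maintainer can run over a built package's binaries to confirm whether they actually came out PIE, which is the question behind the Ubuntu BuiltPIE list and the apache2 case above. It reads the ELF header's e_type and the program headers directly, the same fields `readelf -h` (Type: EXEC vs DYN) and `readelf -l` print. The classification rule used here (ET_DYN with a PT_INTERP entry is a PIE executable, ET_DYN without one is a shared object) is an assumption of this example, and the sample ELF images are constructed inline so the script runs without a compiler.

```python
"""Classify ELF binaries as PIE / non-PIE / shared object from the ELF header.

Added example; it is not part of the mailing-list thread or of
hardening-includes. Handles ELF32 and ELF64 in either byte order.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header type carrying the dynamic linker path
PT_LOAD = 1


def classify_elf(data: bytes) -> str:
    """Return 'no-pie', 'pie' or 'shared-object' for the ELF image in data."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    if ei_class == 2:                        # ELF64 header fields after e_ident
        fmt = end + "HHIQQQIHHH"             # e_type .. e_phnum
    elif ei_class == 1:                      # ELF32 header fields after e_ident
        fmt = end + "HHIIIIIHHH"
    else:
        raise ValueError("bad EI_CLASS")
    fields = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    if e_type == ET_EXEC:
        return "no-pie"                      # fixed load address, not position independent
    if e_type != ET_DYN:
        raise ValueError(f"unsupported e_type {e_type}")
    # p_type is the first 4 bytes of every program header in both ELF classes.
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )
    # Heuristic (assumption of this example): ET_DYN plus PT_INTERP is a PIE
    # executable; ET_DYN without PT_INTERP is a shared library. A static-pie
    # binary has no PT_INTERP and would be reported as 'shared-object' here.
    return "pie" if has_interp else "shared-object"


def classify_path(path: str) -> str:
    """Classify an ELF file on disk."""
    with open(path, "rb") as f:
        return classify_elf(f.read())


def build_sample_elf64(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal little-endian ELF64 image (header + program headers).

    Constructed test input only: structurally valid enough to parse, not loadable.
    """
    phdrs = []
    if with_interp:
        # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        phdrs.append(struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0x200, 0x200, 0x200, 28, 28, 1))
    phdrs.append(struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x400, 0x400, 0x1000))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1, SYSV ABI
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0x1000,   # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,                # e_phoff (right after the 64-byte header), e_shoff, e_flags
        64, 56, len(phdrs),      # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                # e_shentsize, e_shnum, e_shstrndx
    )
    return header + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: python3 pie_check.py /usr/sbin/apache2 /usr/bin/python2.5 ...
    for p in sys.argv[1:]:
        print(f"{p}: {classify_path(p)}")
```

Run it over the ELF files installed by a package (for example, the output of `dpkg -L apache2` filtered to regular files) to see at a glance whether the build honoured or disabled PIE; a binary listed as `no-pie` is loaded at a fixed address and gains nothing from ASLR for its own text segment.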