Re: Enabling hardened build flags for Wheezy

To: debian-devel@lists.debian.org
Subject: Re: Enabling hardened build flags for Wheezy
From: Russ Allbery <rra@debian.org>
Date: Thu, 01 Mar 2012 21:58:23 -0800
Message-id: <[🔎] 878vjjilxc.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20120302055202.GV3990@outflux.net> (Kees Cook's message of "Thu, 1 Mar 2012 21:52:02 -0800")
References: <20120229215210.GA4774@pisco.westfalen.local> <4F4EA971.3070109@debian.org> <87zkc1w8n4.fsf@windlord.stanford.edu> <4F4EB09F.5060406@debian.org> <[🔎] eae9c0b5a7201e0f0d64b86ae3249a2c.squirrel@wm.kinkhorst.nl> <[🔎] 20120302055202.GV3990@outflux.net>

Kees Cook <kees@debian.org> writes:

> Speaking to the false positives problem, I've discussed with some people
> the idea of having build flags be included in some sort of ELF
> comment-like area that can be examined. That way it's becomes trivial to
> answer "how was this built?" and all these crapy heuristic checks that
> get thrown away. In the mean time, I'll continue to work on the crappy
> heuristic checks. ;)

That sounds complicated, since there are separate compiler flags for every
object (which may not match) and then the linker flags used to assemble
the final executable or shared object.  Does ELF give you object-specific
comment areas?

It sounds like it would need patches to both the compiler and the linker.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Enabling hardened build flags for Wheezy
  - From: Mike Hommey <mh@glandium.org>

References:
- Re: Enabling hardened build flags for Wheezy
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Kees Cook <kees@debian.org>

Prev by Date: Re: Enabling hardened build flags for Wheezy
Next by Date: Re: Enabling hardened build flags for Wheezy
Previous by thread: Re: Enabling hardened build flags for Wheezy
Next by thread: Re: Enabling hardened build flags for Wheezy
Index(es):
- Date
- Thread