
Re: Enabling hardened build flags for Wheezy

On Thu, Mar 01, 2012 at 12:01:12PM -0400, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > 1. dpkg-buildflags exports hardened build flags. These hardened build
> > flags mitigate/nullify some classes of security vulnerabilities and
> > make exploitation of security problems more difficult. 
> At least temporarily. Are you familiar with Return Oriented Programming
> and similar technologies for getting around these protections?

This is why everyone should run 64-bit systems and build with hardening
fully enabled:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

In this situation, you've got NX for sure, full ASLR in a large memory
space, stack protector, and the libc fortifications in place. It'll
always be an arms race, but why knowingly be behind? :)


Kees Cook                                            @debian.org
