Re: Enabling hardened build flags for Wheezy

To: debian-devel@lists.debian.org
Subject: Re: Enabling hardened build flags for Wheezy
From: Kees Cook <kees@debian.org>
Date: Thu, 1 Mar 2012 22:00:21 -0800
Message-id: <[🔎] 20120302060021.GX3990@outflux.net>
In-reply-to: <[🔎] 20120301160112.GA12570@gnu.kitenet.net>
References: <20120229215210.GA4774@pisco.westfalen.local> <[🔎] 20120301160112.GA12570@gnu.kitenet.net>

On Thu, Mar 01, 2012 at 12:01:12PM -0400, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > 1. dpkg-buildflags exports hardened build flags. These hardened build
> > flags mitigate/nullify some classes of security vulnerabilities and
> > make exploitation of security problems more difficult. 
> 
> At least temporarily. Are you familiar with Return Oriented Programming
> and similar technologies for getting around these protections?

This is why everyone should run 64-bit systems and build with hardening
fully enabled:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

In this situation, you've got NX for sure, full ASLR in a large memory
space, stack protector, and the libc fortifications in place. It'll
always be an arms race, but why knowingly be behind? :)

-Kees

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Re: Enabling hardened build flags for Wheezy
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: Enabling hardened build flags for Wheezy
Next by Date: speed up /etc/cron.d/php5
Previous by thread: Re: Enabling hardened build flags for Wheezy
Next by thread: Re: Enabling hardened build flags for Wheezy
Index(es):
- Date
- Thread