Re: Enabling hardened build flags for Wheezy
On Thu, Mar 01, 2012 at 12:01:12PM -0400, Joey Hess wrote:
> Moritz Muehlenhoff wrote:
> > 1. dpkg-buildflags exports hardened build flags. These hardened build
> > flags mitigate/nullify some classes of security vulnerabilities and
> > make exploitation of security problems more difficult.
>
> At least temporarily. Are you familiar with Return Oriented Programming
> and similar technologies for getting around these protections?

This is why everyone should run 64-bit systems and build with hardening
fully enabled:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

In this situation, you've got NX for sure, full ASLR in a large memory
space, stack protector, and the libc fortifications in place. It'll
always be an arms race, but why knowingly be behind? :)

-Kees
--
Kees Cook @debian.org