Re: Enabling hardened build flags for Wheezy
On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> > Kees Cook <kees@debian.org> writes:
> >
> > > Speaking to the false positives problem, I've discussed with some people
> > > the idea of having build flags be included in some sort of ELF
> > > comment-like area that can be examined. That way it becomes trivial to
> > > answer "how was this built?" and all these crappy heuristic checks can
> > > get thrown away. In the mean time, I'll continue to work on the crappy
> > > heuristic checks. ;)
> >
> > That sounds complicated, since there are separate compiler flags for every
> > object (which may not match) and then the linker flags used to assemble
> > the final executable or shared object. Does ELF give you object-specific
> > comment areas?
>
> You can have comment sections generated for each object (as a matter
> of fact, gcc does that already to put its version), and the linker
> aggregates them in a single section.
>
> I'm not a big fan of cluttering ELF binaries for a relatively small
> benefit. Except maybe if that's moved with the debug info in
> /usr/lib/debug.
Yeah, I'm not sure what it'd look like, but I would want to see it
upstream. Besides being an intrusive change, there are other projects
interested in this kind of post-build analysis.
-Kees
--
Kees Cook @debian.org
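The mechanism the thread is circling around, as an added example that is not part of the message above or of any Debian tooling: each object file already carries a .comment section where gcc records its version string, and gcc's -frecord-gcc-switches option additionally writes the compiler command line into a .GCC.command.line section as NUL-separated strings; the linker concatenates both across objects. The parser below reads those two sections back out of an ELF64 little-endian file and answers "how was this built?" directly from what the file records rather than from a heuristic on the code. The ELF files it parses are constructed inline by build_elf (a minimal relocatable with only the sections of interest), so it runs without a compiler; the HARDENING table of switches to look for and the constructed gcc version strings are this example's own assumptions.

```python
"""Added example (not from the thread): answer "how was this built?" by reading
what the object or binary itself records.

Each object carries a .comment section (gcc writes its version string there)
and, when compiled with -frecord-gcc-switches, a .GCC.command.line section
holding the compiler command line as NUL-separated strings; the linker
concatenates these sections across objects.  The parser below reads both back.
The ELF files it parses are constructed here, so this runs without a compiler.
Assumptions: ELF64 little-endian only; the HARDENING table is this example's
own illustration, not a Debian policy.
"""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8
SHF_MERGE, SHF_STRINGS = 0x10, 0x20
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, 64 bytes

# Compile-time switches that count as hardening for this illustration (assumed list).
HARDENING = {
    "stack_protector": ("-fstack-protector", "-fstack-protector-strong",
                        "-fstack-protector-all"),
    "pie": ("-fPIE", "-fpie"),
}


def build_elf(sections):
    """Construct a minimal ELF64 LE relocatable holding {name: bytes} sections.

    Constructed sample input only: a real object also has code, symbols and relocations.
    """
    shstrtab, name_off = b"\x00", {}
    for name in list(sections) + [".shstrtab"]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\x00"
    headers = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]  # mandatory NULL header
    body, offset = b"", EHDR.size
    for name, data in sections.items():
        headers.append(SHDR.pack(name_off[name], SHT_PROGBITS, SHF_MERGE | SHF_STRINGS,
                                 0, offset, len(data), 0, 0, 1, 1))
        body += data
        offset += len(data)
    headers.append(SHDR.pack(name_off[".shstrtab"], SHT_STRTAB, 0, 0,
                             offset, len(shstrtab), 0, 0, 1, 0))
    body += shstrtab
    offset += len(shstrtab)          # section header table goes right after the data
    shnum = len(headers)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, offset, 0, EHDR.size,
                     0, 0, SHDR.size, shnum, shnum - 1)   # ET_REL, EM_X86_64
    return ehdr + body + b"".join(headers)


def elf_sections(data):
    """Return {section name: contents} for an ELF64 little-endian file."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    (_, _, _, _, _, _, shoff, _, _, _, _,
     shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    if shentsize != SHDR.size or shnum == 0 or shstrndx >= shnum:
        raise ValueError("no usable section header table")
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    out = {}
    for sh_name, sh_type, _, _, sh_off, sh_size, *_ in shdrs[1:]:
        name = strtab[sh_name:strtab.index(b"\x00", sh_name)].decode()
        out[name] = b"" if sh_type == SHT_NOBITS else data[sh_off:sh_off + sh_size]
    return out


def strings(blob):
    """Split a NUL-separated string section into its non-empty entries, in order."""
    return [s.decode("utf-8", "replace") for s in blob.split(b"\x00") if s]


def build_provenance(data):
    """What the file itself says about how it was built."""
    secs = elf_sections(data)
    return {"compilers": strings(secs.get(".comment", b"")),
            "switches": strings(secs.get(".GCC.command.line", b""))}


def hardening_from_switches(switches):
    """Direct check against recorded switches instead of a heuristic on the code.

    Only compiler switches are recorded; linker options (-Wl,-z,relro and
    friends) never appear here and still need a separate check.
    """
    return {k: any(f in switches for f in flags) for k, flags in HARDENING.items()}


# Constructed samples: a binary linked from objects built by two gcc versions,
# and one object compiled without the hardening switches.
HARDENED_ELF = build_elf({
    ".comment": b"\x00GCC: (Debian 4.6.2-12) 4.6.2\x00GCC: (Debian 4.4.5-8) 4.4.5\x00",
    ".GCC.command.line": b"-O2\x00-fstack-protector\x00-fPIE\x00",
})
UNHARDENED_ELF = build_elf({
    ".comment": b"\x00GCC: (Debian 4.6.2-12) 4.6.2\x00",
    ".GCC.command.line": b"-O2\x00",
})

if __name__ == "__main__":
    for label, blob in (("hardened", HARDENED_ELF), ("unhardened", UNHARDENED_ELF)):
        info = build_provenance(blob)
        print(label, info, hardening_from_switches(info["switches"]))
```

On a real object or executable, `readelf -p .comment` and `readelf -p .GCC.command.line` show the same data this parser extracts. Two caveats a practitioner should keep in mind: both sections are mergeable string sections, so after linking, identical entries from different objects are folded together and the final binary no longer tells you which object was built with which switches (the per-object mismatch concern raised above); to keep per-object provenance, run the check on the .o files before they are linked. And because only the compiler's command line is recorded, linker-side hardening such as -Wl,-z,relro still has to be checked by other means.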