
Re: Enabling hardened build flags for Wheezy



On 03/02/2012 05:53 PM, Kees Cook wrote:
> On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
>> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
>>> Kees Cook <kees@debian.org> writes:
>>>
>>>> Speaking to the false positives problem, I've discussed with some people
>>>> the idea of having build flags be included in some sort of ELF
>>>> comment-like area that can be examined. That way it becomes trivial to
>>>> answer "how was this built?" and all these crappy heuristic checks that
>>>> get thrown away. In the mean time, I'll continue to work on the crappy
>>>> heuristic checks. ;)
>>>
>>> That sounds complicated, since there are separate compiler flags for every
>>> object (which may not match) and then the linker flags used to assemble
>>> the final executable or shared object.  Does ELF give you object-specific
>>> comment areas?
>>
>> You can have comment sections generated for each object (as a matter
>> of fact, gcc does that already to put its version), and the linker
>> aggregates them in a single section.
>>
>> I'm not a big fan of cluttering ELF binaries for a relatively small
>> benefit. Except maybe if that's moved with the debug info in
>> /usr/lib/debug.
> 
> Yeah, I'm not sure what it'd look like, but I would want to see it
> upstream. Besides being an intrusive change, there are other projects
> interested in this kind of post-build analysis.
> 
> -Kees
> 

If I understood it correctly gcc 4.7 will support adding its switches to
the debugging data:

http://gcc.gnu.org/gcc-4.7/changes.html
Other significant improvements
 A new option (-grecord-gcc-switches) was added that appends compiler
command-line options that might affect code generation to the
DW_AT_producer attribute string in the DWARF debugging information.

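As an added example (not part of this mail, of GCC or of any Debian tool), a Python check that reads a `readelf --debug-dump=info` dump and reports, per compilation unit, which expected compiler flags are missing from its DW_AT_producer string; the readelf output and the list of required flags are constructed for the example.

```python
import re

# Constructed sample of `readelf --debug-dump=info` output for a binary linked from
# two objects (not a real Debian build): main.c got the hardening flags, helper.c did
# not, the per-object mismatch that a whole-binary heuristic cannot see.
SAMPLE_READELF_OUTPUT = """\
  Compilation Unit @ offset 0x0:
 <0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <c>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C 4.7.0 -mtune=generic -march=x86-64 -g -O2 -fstack-protector -fPIE
    <11>   DW_AT_name        : (indirect string, offset: 0x5e): main.c
 <1><2a>: Abbrev Number: 5 (DW_TAG_subprogram)
    <2b>   DW_AT_name        : main
  Compilation Unit @ offset 0x1a7:
 <0><1b2>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <1b3>   DW_AT_producer    : (indirect string, offset: 0x80): GNU C 4.7.0 -mtune=generic -march=x86-64 -g -O2
    <1b7>   DW_AT_name        : (indirect string, offset: 0xa2): helper.c
"""

# Compiler flags a hardened build is assumed to pass (example policy). Preprocessor
# defines such as -D_FORTIFY_SOURCE=2 and linker options such as -z relro are not
# recorded by -grecord-gcc-switches and must be checked another way.
REQUIRED_FLAGS = ["-fstack-protector", "-fPIE"]
ATTR_RE = re.compile(r"DW_AT_(producer|name)\s*:\s*(.*)$")
INDIRECT_RE = re.compile(r"^\(indirect string, offset: 0x[0-9a-fA-F]+\):\s*")


def parse_compile_units(dump):
    """One {'name', 'producer'} dict per CU; the first DW_AT_name after a CU header is the CU's own."""
    units, current = [], None
    for line in dump.splitlines():
        if "Compilation Unit @ offset" in line:
            current = {"name": None, "producer": None}
            units.append(current)
            continue
        m = ATTR_RE.search(line)
        if current is None or not m:
            continue
        if current[m.group(1)] is None:   # keep the CU-level value, skip nested DIEs
            current[m.group(1)] = INDIRECT_RE.sub("", m.group(2)).strip()
    return units


def missing_flags(producer, required=REQUIRED_FLAGS):
    """Required flags absent from a DW_AT_producer string (exact token match)."""
    present = set(producer.split()) if producer else set()
    return [flag for flag in required if flag not in present]


def audit(dump, required=REQUIRED_FLAGS):
    """Map each object's source file to the hardening flags it was compiled without."""
    return {cu["name"]: missing_flags(cu["producer"], required)
            for cu in parse_compile_units(dump)}
```

Running `audit` over a dump of a real binary (`readelf --debug-dump=info` on the unstripped object, or on the separated debug file under /usr/lib/debug) answers "how was this built?" object by object rather than by heuristics over the final executable.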