On 03/02/2012 05:53 PM, Kees Cook wrote:
> On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
>> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
>>> Kees Cook <email@example.com> writes:
>>>
>>>> Speaking to the false positives problem, I've discussed with some people
>>>> the idea of having build flags be included in some sort of ELF
>>>> comment-like area that can be examined. That way it becomes trivial to
>>>> answer "how was this built?" and all these crappy heuristic checks can
>>>> get thrown away. In the meantime, I'll continue to work on the crappy
>>>> heuristic checks. ;)
>>>
>>> That sounds complicated, since there are separate compiler flags for every
>>> object (which may not match) and then the linker flags used to assemble
>>> the final executable or shared object. Does ELF give you object-specific
>>> comment areas?
>>
>> You can have comment sections generated for each object (as a matter
>> of fact, gcc does that already to put its version), and the linker
>> aggregates them in a single section.
>>
>> I'm not a big fan of cluttering ELF binaries for a relatively small
>> benefit. Except maybe if that's moved with the debug info in
>> /usr/lib/debug.
>
> Yeah, I'm not sure what it'd look like, but I would want to see it
> upstream. Besides being an intrusive change, there are other projects
> interested in this kind of post-build analysis.
>
> -Kees
>

If I understood it correctly, gcc 4.7 will support adding its switches to the debugging data:

http://gcc.gnu.org/gcc-4.7/changes.html

Other significant improvements

A new option (-grecord-gcc-switches) was added that appends compiler command-line options that might affect code generation to the DW_AT_producer attribute string in the DWARF debugging information.
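As an added illustration (not part of the thread, and not a tool from any of the posters), here is how a post-build audit could answer "how was this built?" per object from the DW_AT_producer strings that -grecord-gcc-switches populates. The input is a constructed excerpt in the text format of `readelf --debug-dump=info`, and the list of required switches is a hypothetical policy; the parser walks each DW_TAG_compile_unit DIE, so mismatched flags between objects (Russ's point) show up per compile unit.

```python
import re

# Constructed excerpt in `readelf --debug-dump=info` format (not captured from
# a real build): two compile units, one built with hardening switches, one not.
SAMPLE_READELF = """\
 <0><c>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <d>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C17 11.4.0 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -fstack-clash-protection -fPIE
    <12>   DW_AT_name        : (indirect string, offset: 0x70): main.c
 <1><2a>: Abbrev Number: 2 (DW_TAG_subprogram)
    <2b>   DW_AT_name        : main
 <0><6a>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <6b>   DW_AT_producer    : (indirect string, offset: 0x80): GNU C17 11.4.0 -mtune=generic -march=x86-64 -g -O2
    <70>   DW_AT_name        : (indirect string, offset: 0xa0): legacy/helper.c
"""

# Compiler switches the audit expects in every object (hypothetical policy).
REQUIRED_FLAGS = ("-fstack-protector-strong", "-fstack-clash-protection", "-fPIE")
DIE_RE = re.compile(r"^\s*<\d+><[0-9a-f]+>: Abbrev Number: \d+ \((DW_TAG_\w+)\)")
ATTR_RE = re.compile(r"^\s*<[0-9a-f]+>\s+(DW_AT_\w+)\s*:\s*(.*)$")
INDIRECT_RE = re.compile(r"^\(indirect string, offset: 0x[0-9a-f]+\):\s*")


def parse_compile_units(dump):
    """Return [(cu_name, producer_string)] for every DW_TAG_compile_unit DIE."""
    units, current = [], None
    for line in dump.splitlines():
        die = DIE_RE.match(line)
        if die:
            # Only the compile-unit DIE's own attributes count; a child DIE ends collection.
            current = None
            if die.group(1) == "DW_TAG_compile_unit":
                current = {"name": None, "producer": None}
                units.append(current)
            continue
        attr = ATTR_RE.match(line)
        if current is None or not attr:
            continue
        value = INDIRECT_RE.sub("", attr.group(2)).strip()
        if attr.group(1) == "DW_AT_producer":
            current["producer"] = value
        elif attr.group(1) == "DW_AT_name":
            current["name"] = value
    return [(u["name"], u["producer"]) for u in units]


def missing_flags(dump, required=REQUIRED_FLAGS):
    """Map each compile unit to the required switches absent from its producer."""
    report = {}
    for name, producer in parse_compile_units(dump):
        recorded = set(producer.split()) if producer else set()  # switches are space-separated
        report[name] = [flag for flag in required if flag not in recorded]
    return report
```

The producer string records only compiler switches, so linker options (the other half of Russ's objection) still have to be checked another way, e.g. from the program headers and dynamic section.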