Re: Enabling hardened build flags for Wheezy

To: Julian Taylor <jtaylor.debian@googlemail.com>
Cc: Russ Allbery <rra@debian.org>, debian-devel@lists.debian.org
Subject: Re: Enabling hardened build flags for Wheezy
From: Kees Cook <kees@debian.org>
Date: Fri, 2 Mar 2012 13:14:52 -0800
Message-id: <[🔎] 20120302211452.GL3990@outflux.net>
In-reply-to: <[🔎] 4F511455.4010602@googlemail.com>
References: <20120229215210.GA4774@pisco.westfalen.local> <4F4EA971.3070109@debian.org> <87zkc1w8n4.fsf@windlord.stanford.edu> <4F4EB09F.5060406@debian.org> <[🔎] eae9c0b5a7201e0f0d64b86ae3249a2c.squirrel@wm.kinkhorst.nl> <[🔎] 20120302055202.GV3990@outflux.net> <[🔎] 878vjjilxc.fsf@windlord.stanford.edu> <[🔎] 20120302081216.GA28891@glandium.org> <[🔎] 20120302165349.GC3990@outflux.net> <[🔎] 4F511455.4010602@googlemail.com>

On Fri, Mar 02, 2012 at 07:41:25PM +0100, Julian Taylor wrote:
> On 03/02/2012 05:53 PM, Kees Cook wrote:
> > On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> >> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> >>> Kees Cook <kees@debian.org> writes:
> >>>
> >>>> Speaking to the false positives problem, I've discussed with some people
> >>>> the idea of having build flags be included in some sort of ELF
> >>>> comment-like area that can be examined. That way it's becomes trivial to
> >>>> answer "how was this built?" and all these crapy heuristic checks that
> >>>> get thrown away. In the mean time, I'll continue to work on the crappy
> >>>> heuristic checks. ;)
> >>>
> >>> That sounds complicated, since there are separate compiler flags for every
> >>> object (which may not match) and then the linker flags used to assemble
> >>> the final executable or shared object.  Does ELF give you object-specific
> >>> comment areas?
> >>
> >> You can have a comment sections generated for each object (as a matter
> >> of fact, gcc does that already to put its version), and the linker
> >> aggregates them in a single section.
> >>
> >> I'm not a big fan of cluttering ELF binaries for a relatively small
> >> benefit. Except maybe if that's moved with the debug info in
> >> /usr/lib/debug.
> > 
> > Yeah, I'm not sure what it'd look like, but I would want to see it
> > upstream. Besides being an intrusive change, there are other projects
> > interested in this kind of post-build analysis.
> > 
> > -Kees
> > 
> 
> if I understood it correctly gcc 4.7 will support adding its switches to
> the debugging data:
> 
> http://gcc.gnu.org/gcc-4.7/changes.html
> Other significant improvements
>  A new option (-grecord-gcc-switches) was added that appends compiler
> command-line options that might affect code generation to the
> DW_AT_producer attribute string in the DWARF debugging information.

Ah-ha! That must be it. Thanks for finding that!

So, yes, I guess it means that a solid lintian check can be run if the
dbg packages are built also, or something along those lines.

-Kees

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Re: Enabling hardened build flags for Wheezy
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Kees Cook <kees@debian.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Russ Allbery <rra@debian.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Mike Hommey <mh@glandium.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Kees Cook <kees@debian.org>
- Re: Enabling hardened build flags for Wheezy
  - From: Julian Taylor <jtaylor.debian@googlemail.com>

Prev by Date: Re: Do not use tabs in /etc/init.d/[script]
Next by Date: Re: Enabling hardened build flags for Wheezy
Previous by thread: Re: Enabling hardened build flags for Wheezy
Next by thread: Re: Enabling hardened build flags for Wheezy
Index(es):
- Date
- Thread