Re: state of security hardening build flag efforts
On 01.04.2012 20:29, Kees Cook wrote:
> On Sun, Apr 01, 2012 at 05:24:00PM +0800, Paul Wise wrote:
> > On Sun, Apr 1, 2012 at 3:49 PM, Kees Cook wrote:
> > > I'm going to work on getting this graphed daily, like the debhelper
> > If you do, please add that to the statistics wiki page:
> Ah-ha, yes. I will do that. :)
>
> > Under what circumstances do you think GCC upstream should be enabling
> > these options by default (as several distributions other than Debian
> I haven't attempted to push these things to upstream yet, but I still
> think it would be a great idea. Magnus Granberg from Gentoo maintains
> a patch against gcc for Gentoo, and has made attempts to upstream it,
> but I'm not sure where it stands:

Unlikely that upstream will apply a patch to make pie the default.

> Take my opinion with a grain of salt, as even I recognize that I'm a bit
> of an extremist about this, but yes, absolutely. I succeeded in making
> this happen in Ubuntu, and while the path is very different in Debian,
> for package builds it is effectively "by default" now too (assuming
> the package's build system is modern and the flags are passed into the
> build correctly). As for the upstream compiler, I recognize they have
> more users than just distro builders, but it seems to me that it is
> irresponsible to not enable these features by default in the compiler. :)

Afaicr, the updates to build GCC itself using these flags, and adjusting the
testsuite never did happen. So before getting any default change upstream, make
sure that GCC itself builds and runs with these defaults. Some patches were sent
upstream, but the testsuite-hardening-* patches are not, and were not updated
for a long time.

> Note that the default flags in both Ubuntu and Debian lack PIE (whereas
> Gentoo's hardening patchset includes PIE by default). The Debian
> hardening documentation has encouraged maintainers to enable PIE too
> if they have a sensitive package (daemons, media processors, browsers,
> interpreters, etc), so it's not totally absent.
>
> I'd like to see the default on architectures with enough general registers
> (e.g. amd64) include PIE. The other archs, like i386, suffer quite a bit
> (15% performance hit) in some cases, so while I think it should still be
> the default there, it's not a decision I'm likely to be able to convince
> more performance-sensitive people about.
>
> I'd like to push for it on amd64 once more packages are building with
> the default flags. We'd need the entire base system converted, though, to
> deal with some of the build ordering problems with switching to PIE. The
> problem is with shipped .a files: those object files must all be built
> with -fPIE for them to link into a -pie binary. (i.e. all static users
> of the .a need to be rebuilt after the .a is built.) It's doable, it
> just needs careful attention given to dependency ordering. I
> don't think a specific flag-day would be needed.

You see performance regressions on amd64 as well, and on i386 regressions larger
than 15% as well. And I assume you want to do this kind of analysis for every

And what sense does a hardened cc1/cc1plus make if it slows down the compiler?

> > If you think that enabling them by default in GCC upstream is doable,
> > what kind of blockers and timeframe would we expect for that?
> I think the blockers are mostly political.

No. Pretty please, first get the changes to build GCC itself using the "default
flags" upstream. Unfortunately it doesn't seem to be one of your priorities,
but it's definitely not political.
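
The ".a built without -fPIE cannot go into a -pie link" ordering problem that Kees describes above, reproduced as an added example; this is not code from the thread or from any of the projects mentioned. It assumes gcc, ar and readelf (GNU binutils) on amd64: the R_X86_64_32 relocation it counts and the "recompile with -fPIE" linker error are amd64-specific, so on other architectures only the -fPIE half of the demo is meaningful. The library source, the program, and the archive name libfoo.a are all constructed for the demo. The count_abs32 function is the check a maintainer would run over shipped archives to find the ones that still need a rebuild before their static users can be switched to -pie.

```shell
#!/bin/sh
# Added example (not from the thread): why every object in a shipped .a must
# be built with -fPIE before it can link into a -pie binary, plus a check for
# archives that were not. Assumes gcc, ar, readelf on amd64 (see lead-in).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two constructed sources. libfoo.a hands out the address of a global; non-PIE
# amd64 code materialises that address with a 32-bit absolute relocation.
write_sources() {
cat > "$WORK/foo.c" <<'EOF'
static const char greeting[] = "hello from libfoo";
const char *foo_greeting(void) { return greeting; }
EOF
cat > "$WORK/main.c" <<'EOF'
#include <stdio.h>
const char *foo_greeting(void);
int main(void) { puts(foo_greeting()); return 0; }
EOF
}

# build_archive CFLAGS...: compile foo.c with the given flags and archive it,
# standing in for the library package built before or after the PIE switch.
build_archive() {
    gcc "$@" -O2 -c "$WORK/foo.c" -o "$WORK/foo.o" &&
    ar rcs "$WORK/libfoo.a" "$WORK/foo.o"
}

# count_abs32: number of R_X86_64_32 / R_X86_64_32S relocations in the archived
# object. Nonzero means the archive cannot be linked into a PIE on amd64; run
# this over every .a you ship to find the ones that still need a rebuild.
count_abs32() {
    readelf -r "$WORK/foo.o" | grep -c 'R_X86_64_32' || true
}

# link_pie: link main.c (itself -fPIE) against the archive as a -pie binary.
# Prints the linker's exit status; the error text, if any, lands in link.err.
link_pie() {
    if gcc -fPIE -pie -O2 "$WORK/main.c" "$WORK/libfoo.a" -o "$WORK/app" \
            2>"$WORK/link.err"; then
        echo 0
    else
        echo $?
    fi
}

# elf_type: EXEC for a fixed-address executable, DYN for a PIE.
elf_type() {
    readelf -h "$WORK/app" | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p'
}

# demo: the "wrong order" build (archive without -fPIE, then a -pie link of a
# static user), followed by the rebuilt archive that links and runs as a PIE.
demo() {
    write_sources
    build_archive -fno-pie
    echo "non-PIE archive: $(count_abs32) absolute relocs, link status $(link_pie)"
    head -n 1 "$WORK/link.err"   # on amd64: "... can not be used when making a PIE object; recompile with -fPIE"
    build_archive -fPIE
    echo "PIE archive: $(count_abs32) absolute relocs, link status $(link_pie), ELF type $(elf_type)"
    "$WORK/app"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh pie_archive_demo.sh demo`. The first link fails even though main.c itself is compiled with -fPIE, which is exactly why the archive-producing package has to be rebuilt, and uploaded, before any package that links it statically; the second build shows the rebuilt archive has no absolute 32-bit relocations left and the result is an ET_DYN (position-independent) executable.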