state of security hardening build flag efforts
Hi,
With so many maintainers working to make sure that dpkg-buildflags
defaults are getting into their packages, I thought it might be fun to
see what sort of progress has been made on security hardening build flags[1].
I took an optimistic approach to the data, since there are situations
where lacking stack-protector and fortify isn't a mistake[2]. I assume
that if any hardening feature is found in any binary package, then the
source package was built with that feature intentionally enabled. For
collection, I used the amd64 architecture, and my approach was:
- report count of all source packages that produce at least 1 binary
package that contains at least 1 ELF.
- report count of all source packages that produce at least 1 binary
package that contains at least 1 ELF that is built with stack-protector.
- same again for fortify, relro, bindnow, and pie.
sources building ELFs: 9429
built with stackprotector: 1845 (19.6%)
built with fortify: 1058 (11.2%)
built with relro: 1521 (16.1%)
built with bindnow: 385 (4.1%)
built with pie: 363 (3.4%)
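As an added illustration of the per-ELF checks and the "optimistic" roll-up described above (this is example code written for this page, not the script used to collect the numbers in the post), the block below parses a little-endian ELF64 image directly: PT_GNU_RELRO gives relro, DT_FLAGS/DT_FLAGS_1/DT_BIND_NOW give bindnow, ET_DYN gives pie, and the dynamic string table is scanned for `__stack_chk_fail` (stack-protector) and other `__*_chk` names (fortify). Scanning .dynstr instead of the dynamic symbol table is a simplification of what `hardening-check` does; the `build_sample_elf64` helper constructs a minimal fake image only so the checker can be exercised offline, and `summarize` applies the post's counting rule to constructed per-source results.

```python
import struct
import sys

# ELF constants (from the ELF64 specification and glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
FEATURES = ("stackprotector", "fortify", "relro", "bindnow", "pie")


def check_elf64(data):
    """Return a dict of the five hardening indicators for one ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, relro, dynamic = [], False, None
    for i in range(e_phnum):
        p_type, _fl, p_off, p_vaddr, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_GNU_RELRO:
            relro = True            # linker emitted a RELRO segment (-z relro)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)

    def to_offset(vaddr):
        # Translate a virtual address to a file offset via the PT_LOAD segments.
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("address %#x is not file-backed" % vaddr)

    tags = {}
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)
            off += 16
    bindnow = (DT_BIND_NOW in tags
               or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
               or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))

    names = set()
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = to_offset(tags[DT_STRTAB])
        names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))
    return {
        "stackprotector": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk")
                       and n != b"__stack_chk_fail" for n in names),
        "relro": relro,
        "bindnow": bindnow,
        "pie": e_type == ET_DYN,
    }


def build_sample_elf64(names, relro=True, bindnow=True, pie=True):
    """Constructed minimal ELF64 image (not a runnable program) for testing."""
    strtab = b"\0" + b"\0".join(names) + b"\0"
    phnum = 3 if relro else 2
    str_off = 64 + 56 * phnum          # vaddr == offset: PT_LOAD maps offset 0 at 0
    dyn = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab))]
    if bindnow:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    dyn_off = str_off + len(strtab)
    total = dyn_off + len(dyn_bytes)
    phdrs = [(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 1))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + strtab + dyn_bytes


def summarize(per_source):
    """Optimistic roll-up: a source package counts for a feature if any ELF
    from any of its binary packages shows it; sources with no ELF are ignored."""
    total = sum(1 for elfs in per_source.values() if elfs)
    counts = {f: sum(1 for elfs in per_source.values() if any(e[f] for e in elfs))
              for f in FEATURES}
    return total, counts


if __name__ == "__main__":
    # Usage: python3 check.py /path/to/binary ...  (prints the indicator dict per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_elf64(fh.read()))
```

On a real build this is the per-ELF step; the roll-up then walks every ELF in every binary package of a source and calls `summarize`, which is exactly where the optimistic assumption in the post enters: one hardened ELF is enough for the whole source package to count.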
This is very exciting! It was only a short time ago when just a handful
of packages were building with hardening options. Now we're almost to 20%
on stack-protector. :) Thank you everyone for your great work!
I'm going to work on getting this graphed daily, like the debhelper
statistics[3].
-Kees
[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2] http://wiki.debian.org/Hardening#Validation
[3] http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-07-10-debhelper-statistics-redux.html
--
Kees Cook @debian.org