Switch on compiler hardening defaults
Hello,
I would like to propose enabling[1] the GCC hardening patches that Ubuntu
uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases),
and many of the issues have already been fixed in packages that needed
adjustment[3]. After all this time, use of the hardening-wrapper[4]
package is still very low, so I think the right thing to do is to just fix
this in the compiler and everyone wins. I'm not suggesting that there
won't be added work to fix problems, but I believe that for Debian the
benefits now outweigh the risks.
I do not expect to reach consensus with all developers on this, so I'm
not sure who I need to convince to move it forward. (Perhaps just the
GCC maintainers?) Regardless, if you agree with this, please speak up.
I think it's very important that this change happens.
My candid commentary and possible trolling...
Arguments for:
 - users of Debian become safer (real[5] security vulnerabilities are
   either non-issues or reduced to a DoS).
 - security team has less work to do.
 - software quality improves by finding subtle bugs (and not just
   packaged software -- anything compiled with the Debian gcc).
Arguments against:
 - makes the compiler's behavior different from the stock compiler.
   Rebuttal: honestly, I don't care -- it seems like such a
             huge win for safety and is easy to debug. Debian
             already carries plenty of patches anyway -- there
             is no such thing as the "stock compiler".
 - makes more work for dealing with warnings.
   Rebuttal: those warnings are there for a reason -- they can
             be real security issues, and should be fixed.
 - lacks documentation.
   Rebuttal: that may have been true a while ago, but I've worked
             hard to document the features and how to handle
             problems. See [2]. Even the gcc man pages are patched.
 - makes running Debian slower.
   Rebuttal: no, nothing supports this. The bulk of _FORTIFY_SOURCE
             is compile-time. Run-time checks, including those from
             -fstack-protector, are just not measurable. The burden of
             evidence for anyone claiming this is on them. I'm not
             suggesting we turn on PIE; that option can be a problem.
Inflammatory observation: Debian may be the single remaining major Linux
distribution that does not use the stack protector and _FORTIFY_SOURCE
when building its packages. I find this embarrassing. Check[6] for
yourself.
Thanks,
-Kees
[1] http://outflux.net/hardening-for-all.patch
    (Note that the gcc hardening does NOT turn on PIE, which has
    measurable performance problems on some architectures.)
[2] https://wiki.ubuntu.com/CompilerFlags
[3] Sampling of bugs I've personally filed:
    Closed
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521108
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529074
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479398
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488456
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488457
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497833
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497865
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505734
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505233
    Open
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523807
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488460
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488462
[4] http://wiki.debian.org/Hardening
[5] Many vulnerabilities have been blocked in Ubuntu, but I will give one
    good example of a remote root vulnerability with functional exploits
    in the wild that was a non-issue on versions of Ubuntu with the
    hardened compiler defaults:
    http://www.debian.org/security/2009/dsa-1833
[6] Are there _chk functions in common binaries?
    $ objdump -R /bin/df | grep _chk
    0000000000612048 R_X86_64_JUMP_SLOT __fprintf_chk
    0000000000612068 R_X86_64_JUMP_SLOT __printf_chk
    00000000006120c0 R_X86_64_JUMP_SLOT __memcpy_chk
    00000000006121c0 R_X86_64_JUMP_SLOT __stack_chk_fail
    0000000000612220 R_X86_64_JUMP_SLOT __sprintf_chk
    0000000000612230 R_X86_64_JUMP_SLOT __snprintf_chk
--
Kees Cook @debian.org