
Parallel wanna-build instance for security hardening



Hi there, I'm trying to compile a large number of Debian packages with
particular compiler flags. This is to test out a new security
hardening feature, similar to adding e.g. -fstack-protector-strong
(https://wiki.debian.org/Hardening), but the catch is that I need to
compile all dependencies of a package with the same flags. Previously,
I compiled all dependencies manually, but now I'm trying to test the
hardening feature on a wide range of packages and open it up for
testing by other users too. Ideally, I'd have a build bot (or many
bots) which would keep up with Debian stable, compiling a subset of
all packages, and then I'd serve the results as an apt-compatible
repository.

It seems like the easiest way to set this up would be to run a
separate wanna-build instance, with a few machines running my own
buildd with an appropriately configured sbuild (which adds the
compiler flags I want). Right now, the compiler flags I want are
available in mainline GCC so configuring sbuild should be
straightforward. I tried to set up sbuild on a clean jessie machine,
but it hangs; I tried to follow the setup instructions for wanna-build
(https://wiki.debian.org/DebianWannaBuildInfrastructureOnOneServer),
but ran into multiple configuration issues. Is there any easier way to
do what I am proposing, or does anyone have pointers for setting up a
wanna-build instance that runs in parallel with Debian's, building the
same packages but delegating to buildds that use different compiler
flags?

The security feature I'm testing is continuous layout randomization,
essentially ASLR done every few tens of milliseconds, rearranging the
code of a program as it runs. Obviously this is a challenging task and
it needs to be tested on more than the handful of programs I've run so
far. The majority of the task is handled by my own code but it needs
some additional meta-information from the compiler to work correctly
(it needs symbols and relocations), hence the need to recompile
packages. I believe that having this infrastructure in place would
allow researchers to test new security features more easily, and allow
users to get access to them sooner. Certainly if my build setup works
I'll leave it running so that people can access the .debs as needed.

Please let me know if you have any questions or suggestions. Thanks,

David

