Dear Jan,

I've run through what I'd written and I have a feeling that it can be
misleading.
So here is an actual example output of the command "gcc-config -l":
"
hostname ~ # gcc-config -l
[1] i686-pc-linux-gnu-4.2.4 *
[2] i686-pc-linux-gnu-4.2.4-nofortify
[3] i686-pc-linux-gnu-4.2.4-nopie
[4] i686-pc-linux-gnu-4.2.4-nossp_all
[5] i686-pc-linux-gnu-4.2.4-strict
[6] i686-pc-linux-gnu-4.2.4-vanilla
"
Here you can see that the same version of gcc has several profiles. The
one without any additional tag is the default hardened profile; it compiles
hardened executables by default. The vanilla profile is intended to
implement the original non-hardened behavior.
I'm running the experimental hardened toolchain, which is the reason I
have entries 2, 4 and 5. If you are not using the experimental hardened
toolchain you should probably have 3.4.6, -nopie, -nossp and
-vanilla. If you have gcc-4+ and you are not using the experimental
hardened toolchain you are probably missing hardened toolchain features
(some developers tend to neglect them and/or treat them as useless - I don't
understand why).

Regards,
Dw.
--
Dr. Attila Tóth, Radiology Specialist Candidate, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, November 24, 2008 20:40, atoth@××××××××××.hu wrote:
> Let's start with this command: "gcc-config -l". You should see multiple
> flavors of each version of hardened gcc you installed. If the green mark is
> beside the one without any additional tag at the end, that means you
> compile executables hardened by default if you are running gcc (either
> through make or executing g++). If you do not have -nopie and -vanilla
> tags appended to the end of the particular version of gcc, that means your
> gcc of that version is not hardened. You can switch back to the original
> behavior with gcc-config by selecting the vanilla profile. Just don't forget
> to flip it back to the default hardened one. Ebuilds can switch some features
> (pie, ssp) on and off at compile time.
>
> If you want to make sure that your executable is hardened, you can use the
> binutils executable called "readelf". Some examples:
> "readelf -h <executable> | grep DYN" - shows if the executable is PIE
> "readelf -s <executable> | grep -E 'guard|stack'" - shows if the executable
> is SSP-enabled (use guard for the old, and stack for the new ssp
> implementation)
> "readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
> BIND" show that some linker options were applied on the executable, which
> make the hardening more complete.
>
> Is it clearer now?
>
> Regards,
> Dw.
> --
> Dr. Attila Tóth, Radiology Specialist Candidate, 06-20-825-8057,
> 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>
> On Mon, November 24, 2008 21:06, Jan Klod wrote:
>> Please, could someone give a short introduction on how I should make
>> sure I am compiling with hardened features support? And if I do it
>> manually with some "make" or "gcc" or "g++"?
>> Thank you...
>>
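The readelf checks from the quoted message, written up as a small script (an added example, not code from the list thread): it parses the text output of readelf -h, -l, -d and -s for the DYN, guard/stack, RELRO and BIND_NOW markers the message names and reports PIE, SSP (old or new implementation) and partial versus full RELRO. The readelf invocation and the abridged sample readelf output embedded for offline use are constructed assumptions.

```python
"""Report the hardening markers of an ELF executable from readelf output."""
import re
import subprocess
import sys


def classify(header, program_headers, dynamic, symbols):
    """Derive hardening flags from the text of readelf -h, -l, -d and -s."""
    # PIE: a position-independent executable has ELF type DYN, not EXEC
    pie = bool(re.search(r"^\s*Type:\s+DYN", header, re.M))
    # SSP: the old implementation references __guard, the new __stack_chk_fail
    ssp_old = "__guard" in symbols
    ssp_new = "__stack_chk_fail" in symbols
    # RELRO: a GNU_RELRO segment; full RELRO additionally needs BIND_NOW,
    # which readelf -d shows as (BIND_NOW), (FLAGS) BIND_NOW or (FLAGS_1) NOW
    relro = "GNU_RELRO" in program_headers
    bind_now = bool(re.search(
        r"\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*\bNOW\b", dynamic))
    return {
        "pie": pie,
        "ssp": ssp_old or ssp_new,
        "ssp_impl": "new" if ssp_new else ("old" if ssp_old else None),
        "relro": "full" if relro and bind_now else ("partial" if relro else "none"),
    }


def readelf(flag, path):
    """Run binutils readelf with one flag and return its stdout (assumed present)."""
    return subprocess.run(["readelf", flag, path], capture_output=True,
                          text=True, check=True).stdout


def check_file(path):
    return classify(readelf("-h", path), readelf("-l", path),
                    readelf("-d", path), readelf("-s", path))


# Constructed, abridged readelf output for a PIE, SSP, full-RELRO binary.
SAMPLE_HEADER = "ELF Header:\n  Class:  ELF64\n  Type:   DYN (Shared object file)\n"
SAMPLE_PHDRS = "Program Headers:\n  LOAD  0x0 ...\n  GNU_RELRO  0x2d90 ...\n"
SAMPLE_DYN = ("Dynamic section at offset 0x2da0 contains 26 entries:\n"
              " 0x000000000000001e (FLAGS)    BIND_NOW\n"
              " 0x000000006ffffffb (FLAGS_1)  Flags: NOW PIE\n")
SAMPLE_SYMS = ("Symbol table '.dynsym' contains 8 entries:\n"
               "  3: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4\n")

if __name__ == "__main__":
    # With a path argument inspect that file, otherwise classify the sample.
    print(check_file(sys.argv[1]) if len(sys.argv) > 1
          else classify(SAMPLE_HEADER, SAMPLE_PHDRS, SAMPLE_DYN, SAMPLE_SYMS))
```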