| 1 |
Dear Jan, |
| 2 |
|
| 3 |
I've run through what I'd wrote and I have a feeling, that it can be |
| 4 |
misleading. |
| 5 |
So here is an actual example output of the command "gcc-config -l": |
| 6 |
" |
| 7 |
hostname ~ # gcc-config -l |
| 8 |
[1] i686-pc-linux-gnu-4.2.4 * |
| 9 |
[2] i686-pc-linux-gnu-4.2.4-nofortify |
| 10 |
[3] i686-pc-linux-gnu-4.2.4-nopie |
| 11 |
[4] i686-pc-linux-gnu-4.2.4-nossp_all |
| 12 |
[5] i686-pc-linux-gnu-4.2.4-strict |
| 13 |
[6] i686-pc-linux-gnu-4.2.4-vanilla |
| 14 |
" |
| 15 |
Here you can see, that the same version of gcc has several profiles. The |
| 16 |
one without any additional tag is the default hardened profile. Compiles |
| 17 |
hardened executables by default. The vanilla profile is intended to |
| 18 |
implement the original non-hardened behavior. |
| 19 |
I'm running the experimental hardened toolchain, which is the reason I |
| 20 |
have entries 2, 4 and 5. If you are not using the experimental hardened |
| 21 |
toolchain you should probably have to have 3.4.6, -nopie, -nossp and |
| 22 |
-vanilla. If you have gcc-4+ and you are not using the experimental |
| 23 |
hardened toolchain you are probably missing hardened toolchain features |
| 24 |
(some developers tend to neglect and/or treat useless - I don't understand |
| 25 |
why). |
| 26 |
|
| 27 |
Regards, |
| 28 |
Dw. |
| 29 |
-- |
| 30 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 31 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 32 |
|
| 33 |
On Hét, November 24, 2008 20:40, atoth@××××××××××.hu wrote: |
| 34 |
> Let's start with this command: "gcc-config -l". You should see multiple |
| 35 |
> favors of each version of hardened gcc you installed. If the green mark is |
| 36 |
> beside the one without any additional tag at the end: that means you |
| 37 |
> compile executables hardened by default if you are running gcc (either |
| 38 |
> through make or executing g++). If you do not have -nopie and -vanilla |
| 39 |
> tags appended to the end of the particular version of gcc, that means your |
| 40 |
> gcc of that version is not hardened. You can switch back to the original |
| 41 |
> behavior with gcc-config selecting the vanilla profile. Just don't forget |
| 42 |
> to flip it back to the default hardened. Ebuilds can switch some features |
| 43 |
> (pie, ssp) on and off at compile time. |
| 44 |
> |
| 45 |
> If you want to make sure, that your executable is hardened you can use the |
| 46 |
> binutils executable called "readelf". Some examples: |
| 47 |
> "readelf -h <executable> | grep DYN" - shows if the executable is PIE |
| 48 |
> "readelf -s <executable> | grep {guard|stack}" - shows if the executable |
| 49 |
> is SSP-enabled (use guard for the old-, and stack for the new ssp |
| 50 |
> implementation) |
| 51 |
> "readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep |
| 52 |
> BIND" shows that some linker options were applied on the executable, which |
| 53 |
> make the hardening more complete. |
| 54 |
> |
| 55 |
> Is it clearer now? |
| 56 |
> |
| 57 |
> Regards, |
| 58 |
> Dw. |
| 59 |
> -- |
| 60 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
| 61 |
> 06-30-5962-962 |
| 62 |
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 63 |
> |
| 64 |
> On Hét, November 24, 2008 21:06, Jan Klod wrote: |
| 65 |
>> Please, could someone give a short introduction in how should I make |
| 66 |
>> sure, |
| 67 |
>> I |
| 68 |
>> am compiling with hardened features support? And if I do manually with |
| 69 |
>> some "make" or "gcc" or "g++"? |
| 70 |
>> Thank you... |
| 71 |
>> |
| 72 |
> |
| 73 |
> |
| 74 |
> |
Archives