Let's start with this command: "gcc-config -l". You should see multiple
flavors of each version of hardened gcc you installed. If the green mark is
beside the one without any additional tag at the end, that means you
compile executables hardened by default if you are running gcc (either
through make or executing g++). If you do not have -nopie and -vanilla
tags appended to the end of the particular version of gcc, that means your
gcc of that version is not hardened. You can switch back to the original
behavior with gcc-config selecting the vanilla profile. Just don't forget
to flip it back to the default hardened. Ebuilds can switch some features
(pie, ssp) on and off at compile time.

If you want to make sure that your executable is hardened, you can use the
binutils executable called "readelf". Some examples:
"readelf -h <executable> | grep DYN" - shows if the executable is PIE
"readelf -s <executable> | grep {guard|stack}" - shows if the executable
is SSP-enabled (use guard for the old, and stack for the new SSP
implementation)
"readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
BIND" show that some linker options were applied to the executable, which
make the hardening more complete.

Is it clearer now?

Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Mon, November 24, 2008 21:06, Jan Klod wrote:
> Please, could someone give a short introduction in how should I make sure,
> I am compiling with hardened features support? And if I do manually with
> some "make" or "gcc" or "g++"?
> Thank you...
>
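The readelf checks described in this message, combined into one script. This is an added example, not part of the original mail; the helper names are hypothetical and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify hardening features from readelf output.
# Each helper takes readelf output text as an argument, so the parsing
# can be exercised without a real binary.

# "readelf -h": Type DYN means position-independent code.
# Note: shared libraries are also reported as DYN.
is_pie() { printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'; }

# "readelf -s": a __guard (old SSP) or __stack_chk_fail (new SSP) symbol.
has_ssp() { printf '%s\n' "$1" | grep -Eq '__guard|__stack_chk_fail'; }

# "readelf -l" ($1) and "readelf -d" ($2): a GNU_RELRO segment gives
# partial RELRO; GNU_RELRO together with BIND_NOW gives full RELRO.
relro_level() {
    if printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        if printf '%s\n' "$2" | grep -q 'BIND_NOW'; then
            echo full
        else
            echo partial
        fi
    else
        echo none
    fi
}

# Run the checks against a real binary (requires readelf from binutils).
check_hardening() {
    bin=$1
    hdr=$(readelf -h "$bin") || return 1
    syms=$(readelf -s "$bin")
    segs=$(readelf -l "$bin")
    dyn=$(readelf -d "$bin")
    if is_pie "$hdr"; then pie=yes; else pie=no; fi
    if has_ssp "$syms"; then ssp=yes; else ssp=no; fi
    echo "$bin: PIE=$pie SSP=$ssp RELRO=$(relro_level "$segs" "$dyn")"
}

# Constructed sample readelf lines (not taken from a real binary).
SAMPLE_HDR='  Type:                              DYN (Shared object file)'
SAMPLE_SYMS='     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail'
SAMPLE_SEGS='  GNU_RELRO      0x0000000000002db8 0x0000000000003db8 0x0000000000003db8'
SAMPLE_DYN=' 0x000000000000001e (FLAGS)              BIND_NOW'

# When a path is given on the command line, report on that binary.
if [ $# -gt 0 ]; then check_hardening "$1"; fi
```

Run it as `sh script.sh /path/to/executable` to get a one-line summary for that binary.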