| 1 |
Let's start with this command: "gcc-config -l". You should see multiple |
| 2 |
favors of each version of hardened gcc you installed. If the green mark is |
| 3 |
beside the one without any additional tag at the end: that means you |
| 4 |
compile executables hardened by default if you are running gcc (either |
| 5 |
through make or executing g++). If you do not have -nopie and -vanilla |
| 6 |
tags appended to the end of the particular version of gcc, that means your |
| 7 |
gcc of that version is not hardened. You can switch back to the original |
| 8 |
behavior with gcc-config selecting the vanilla profile. Just don't forget |
| 9 |
to flip it back to the default hardened. Ebuilds can switch some features |
| 10 |
(pie, ssp) on and off at compile time. |
| 11 |
|
| 12 |
If you want to make sure, that your executable is hardened you can use the |
| 13 |
binutils executable called "readelf". Some examples: |
| 14 |
"readelf -h <executable> | grep DYN" - shows if the executable is PIE |
| 15 |
"readelf -s <executable> | grep {guard|stack}" - shows if the executable |
| 16 |
is SSP-enabled (use guard for the old-, and stack for the new ssp |
| 17 |
implementation) |
| 18 |
"readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep |
| 19 |
BIND" shows that some linker options were applied on the executable, which |
| 20 |
make the hardening more complete. |
| 21 |
|
| 22 |
Is it clearer now? |
| 23 |
|
| 24 |
Regards, |
| 25 |
Dw. |
| 26 |
-- |
| 27 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 28 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 29 |
|
| 30 |
On Hét, November 24, 2008 21:06, Jan Klod wrote: |
| 31 |
> Please, could someone give a short introduction in how should I make sure, |
| 32 |
> I |
| 33 |
> am compiling with hardened features support? And if I do manually with |
| 34 |
> some "make" or "gcc" or "g++"? |
| 35 |
> Thank you... |
| 36 |
> |
Archives