| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 09/07/2013 01:25 PM, Ryan Hill wrote: |
| 5 |
> On Thu, 05 Sep 2013 12:13:28 +0200 |
| 6 |
> Agostino Sarubbo <ago@g.o> wrote: |
| 7 |
> |
| 8 |
>> Hello, |
| 9 |
>> |
| 10 |
>> during an irc debate, me and other people just noticed that the default |
| 11 |
>> profile could use more flags to enhance the security. |
| 12 |
>> |
| 13 |
>> An hint is here: |
| 14 |
>> https://wiki.ubuntu.com/ToolChain/CompilerFlags |
| 15 |
>> |
| 16 |
>> Please argue about what we _don't_ use. |
| 17 |
>> |
| 18 |
>> Note: please CC me in your response. |
| 19 |
> |
| 20 |
> * -fstack-protector{-all} |
| 21 |
> No thank you. -fstack-protector has very limited coverage (which is why |
| 22 |
> Ubuntu felt they needed to mess with the min size) and -fstack-protector-all |
| 23 |
> has enough overhead that every distro that experimented with it dropped it in |
| 24 |
> the end. If security is important enough to you that you are willing to take |
| 25 |
> the hit then you should be using hardened where it's the default. |
| 26 |
> |
| 27 |
> There is a new option, -fstack-protector-strong, that's intended to be a |
| 28 |
> balance between the two extremes and something that distros can enable by |
| 29 |
> default. It was just added to mainline so it should be in GCC 4.9. So let's |
| 30 |
> revisit this a couple years down the line. |
| 31 |
> |
| 32 |
> * -D_FORTIFY_SOURCE=2 |
| 33 |
> Enabled by default since gcc-4.5.0 (patch) |
| 34 |
> |
| 35 |
> * -Wformat -Wformat-security |
| 36 |
> Enabled by default since gcc 4.3.3 (patch) |
| 37 |
> |
| 38 |
> * -Wl,-z,relro |
| 39 |
> Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL |
| 40 |
> releases). (patch) |
| 41 |
> |
| 42 |
> * -Wl,--hash-style={both,gnu} |
| 43 |
> Enabled by default since binutils 2.18 except on mips where it is unsupported. |
| 44 |
> (patch sets it to "both", developer profiles set it to "gnu" for ignored LDFLAGs |
| 45 |
> detection) |
| 46 |
> |
| 47 |
> * -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed |
| 48 |
> Enabled by default since binutils 2.22. (upstream default) |
| 49 |
> |
| 50 |
> * -Wl,--as-needed |
| 51 |
> Enabled by default since July 2010 (in profiles). I think this is the upstream |
| 52 |
> default now as well. |
| 53 |
> |
| 54 |
> In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs. |
| 55 |
> |
| 56 |
> |
| 57 |
> |
| 58 |
Thank you so much for spelling it out for us. I don't even know where to |
| 59 |
begin looking for how some of this stuff is enabled so you telling us |
| 60 |
what is enabled makes a huge difference. |
| 61 |
|
| 62 |
I'm semi-familiar with -fstack-protector-strong and I look forward to |
| 63 |
revisiting that at a later date (and I'd love to help do the testing so |
| 64 |
hold me to if if you like). |
| 65 |
|
| 66 |
Thanks, |
| 67 |
Zero |
| 68 |
-----BEGIN PGP SIGNATURE----- |
| 69 |
Version: GnuPG v2.0.20 (GNU/Linux) |
| 70 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 71 |
|
| 72 |
iQIcBAEBAgAGBQJSK4OVAAoJEKXdFCfdEflK/N4P/3zPgskznIRwgkEVmqJgOGKL |
| 73 |
jUQSva6zOptAGUX3TBdmxppERiWwRR+qh00+JdRP34rH+yEaU3THyjoSreTzunXW |
| 74 |
+oFcBeNR6qiiYGTKoGwQTtM0gxbkFvCx6fe/AAGkwYinTrorL8eo3VmnjBvzvBP4 |
| 75 |
Gmw138SMA/JGLG4A2s5vQBlBZlwvFOyNwP6RzAt9SoNsYVuskDMnFiw77pnqbEYT |
| 76 |
OwdkGRwG29995L+p3O4lbsj7UjLx7S4/SpFfh9OK2EObQ7IKTb4M/y7TUv4vMSxG |
| 77 |
b4uEtNRH2ymr/u8kHOLeVBFBvKbtB35hE1ubLN0ugtuAvQKyD/tECC1msXuKidqi |
| 78 |
vjrhxqtMG4c9+7yY1My0S9CkFqR015ReiC9mFgbVO588XKDOCT7QtcCqGVfvEOrS |
| 79 |
/CNh0qMS5JeBwAya4rmiZpGkc0LTW3rjzLsJfu3sVAd6nvHh1923gSpnJpnd7u9X |
| 80 |
EpGORP29NUyu3W7zggJm36JEX+pNvTlG1NmR7ux9NWVFKVfUVBU/wAnfHmCpTHo8 |
| 81 |
O8FI2Z3GlEwXNXL9nvDn7DJRVsC4TOl6SbHteVRY0soGmyoQhf9I1D0idLFLv88k |
| 82 |
HHeTzhVt0dl0OiWBs8n7AU42bA/QMUvLF4wUJM+zBjkZHNgWvbL895eyAOJdGAyo |
| 83 |
2HEguV/K746RLBHhRRTe |
| 84 |
=gq9h |
| 85 |
-----END PGP SIGNATURE----- |
Archives