This package works by diverting gcc, cc, g++, ld, etc. with shell
scripts that enforce the use of several toolchain hardening features.

The following options are currently supported through the wrapper.
They can be selectively disabled by exporting environment
variables. By default, all DEB_BUILD_HARDENING_* are enabled. To disable a
specific feature, export "DEB_BUILD_HARDENING_[feature]=0".

Please also see http://wiki.debian.org/Hardening

-fstack-protector (DEB_BUILD_HARDENING_STACKPROTECTOR)

This is a mainline GCC feature, which adds safety checks against stack
overwrites. This turns many potential code injection attacks into
aborts. In the best case this turns code injection vulnerabilities
into denial of service or into non-issues (depending on the application).
http://en.wikipedia.org/wiki/Stack-smashing_protection

-z relro (DEB_BUILD_HARDENING_RELRO)

Several ELF sections need to be written to by the linker, but can be
turned read-only after starting. Most notably this prevents GOT overwrites

-pie, -fPIE (DEB_BUILD_HARDENING_PIE)

Position Independent Executables are needed for effective Address Space Layout
Randomization. http://en.wikipedia.org/wiki/ASLR

-D_FORTIFY_SOURCE=2 (DEB_BUILD_HARDENING_FORTIFY)

During code generation the compiler knows a great deal of information about
buffer sizes (where possible). This GCC feature adds checks to several insecure
functions. This is especially useful for old, crufty code.

-Wformat -Wformat-security (DEB_BUILD_HARDENING_FORMAT)
| If `-Wformat' is specified, also warn about uses of format
| functions that represent possible security problems. At present,
| this warns about calls to `printf' and `scanf' functions where the
| format string is not a string literal and there are no format
| arguments, as in `printf (foo);'. This may be a security hole if
| the format string came from untrusted input and contains `%n'.

http://en.wikipedia.org/wiki/Format_string_attack
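
To confirm that the flags listed above actually reached a build, the resulting
binary can be inspected with readelf. The script below is an added example, not
part of this package; the function names (has, check_hardening) and the two
sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of hardening-wrapper): report which of the README's
# features are visible in the text printed by
#   readelf -W -h -l --dyn-syms <binary>

# has PATTERN TEXT: print "yes" if the extended regex matches any line of TEXT.
has() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then echo yes; else echo no; fi
}

# check_hardening READELF_TEXT: print one "feature=yes|no" line per feature.
check_hardening() {
    # -pie/-fPIE: ELF type is DYN (shared libraries are DYN too, so this is
    # only meaningful for executables).
    echo "pie=$(has 'Type:[[:space:]]+DYN' "$1")"
    # -z relro: the linker emits a GNU_RELRO program header.
    echo "relro=$(has 'GNU_RELRO' "$1")"
    # -fstack-protector: guarded functions reference __stack_chk_fail.
    # "no" can also mean that no function needed a guard.
    echo "stackprotector=$(has '__stack_chk_fail' "$1")"
    # -D_FORTIFY_SOURCE=2: checked libc variants such as __strcpy_chk.
    # The suffix test keeps __stack_chk_fail from matching here.
    echo "fortify=$(has '__[a-z0-9]+_chk(@|$| )' "$1")"
}

# Constructed readelf excerpts for illustration (not from a real build).
HARDENED_SAMPLE='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002db8 0x003db8 0x003db8 0x000248 0x000248 R   0x1
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (4)'
PLAIN_SAMPLE='  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x000000 0x000000 0x000000 0x000000 RW  0x10
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)'

if [ "$#" -gt 0 ]; then
    # Real use: pass the path of a binary built through the wrapper.
    check_hardening "$(readelf -W -h -l --dyn-syms "$1")"
else
    echo "hardened sample:"; check_hardening "$HARDENED_SAMPLE"
    echo "plain sample:";    check_hardening "$PLAIN_SAMPLE"
fi
```

A "no" for stackprotector or fortify does not prove the flag was dropped: the
symbols only appear when the code contains something to guard or check.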

This package was based on "pentium-builder". It's a hack, but it works. We
welcome a cleaner solution.