(disabled for these archs by default in hardening-wrapper 1.8)

    warning: -fstack-protector not supported for this target

Not supported on mips and hppa (disabled for these archs by default in hardening-wrapper 1.10):

    warning: -fstack-protector not supported for this target

Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by some kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this (-fPIC), so they gain ASLR automatically, but binary .text regions need to be built PIE to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Hardened build:

    $ DEB_BUILD_HARDENING=1 make trivial
    cc -Wall -O2 trivial.c -o trivial
    trivial.c: In function 'main':
    trivial.c:16: warning: format not a string literal and no format arguments
    $ file trivial
    trivial: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, not stripped

Known problems (common build failures, non-availability on some archs):

Doesn't work on hppa and m68k (disabled for these archs by default in hardening-wrapper 1.6).

Doesn't work with some assembler, due to lack of registers, e.g.:

    vf_decimate.c:26: error: can't find a register in class 'BREG' while reloading 'asm'

During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.

Hardened build:

    $ DEB_BUILD_HARDENING=1 make trivial
    cc -Wall -O2 trivial.c -o trivial
    trivial.c: In function 'main':
    trivial.c:16: warning: format not a string literal and no format arguments
    $ objdump -x trivial | grep RELRO
       RELRO off    0x0000000000000de8 vaddr 0x0000000000200de8 paddr 0x0000000000200de8 align 2**0

During program load, all dynamic symbols are resolved, allowing the complete GOT to be marked read-only (due to -z relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.

Hardened build:

    $ DEB_BUILD_HARDENING=1 make trivial
    cc -Wall -O2 trivial.c -o trivial
    trivial.c: In function 'main':
    trivial.c:16: warning: format not a string literal and no format arguments
    $ readelf -d trivial | grep BIND
     0x0000000000000018 (BIND_NOW)

A list of packages including hardening-wrapper and hardening-includes in their build-deps can be retrieved with the following commands:

    reverse-build-depends --only-main --distribution unstable hardening-wrapper
    reverse-build-depends --only-main --distribution unstable hardening-includes

After their meeting on 14-16 January 2011, the Debian security team announced in an email that they intend to push the inclusion of hardening features for the wheezy release. A Birds of a Feather session will be organized during DebConf 2011 to set up a process.

gcc's -fstack-protector attempts to detect when a stack has been overwritten and aborts the program. Ubuntu has had this enabled by default since Edgy. Some programs do not play nice with it, and can be worked around with -fno-stack-protector. It would be nice to enable this by default, and for gcc to only attempt to use it when libc is being linked against.

While not all programs correctly implement the printf hints (like glib's G_GNUC_PRINTF macro), adding this will at least call out simple printf format string vulnerabilities. Any programs whose builds become noisy as a result should be fixed anyway.

This is especially difficult to plumb into packaging in a safe way, since it requires the executable to be built with -fPIE for any .o files that are linked at the end with -pie. There is some amount of performance loss, but only due to the -fPIE, which is already true for all the linked libraries (via their -fPIC).

Stops execution of code in heap/stack. i386 specific (NX already does this for amd64), and introduces some small level of performance loss (about 5% for CPU-bound programs). Some people have worked on getting it pushed into the mainline kernel. Current state unknown -- would be very handy to have due to the popularity of i386. Marcus Better may be willing to continue to maintain the patchset for Debian.

From the grsecurity patchset, protections against hardlink/symlink creation/following in world-writable areas. (Solves tmp races.) May potentially break things like postfix that manipulate hardlinks. Breaks POSIX.
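The PIE, RELRO and BIND_NOW checks above are read off with file, objdump and readelf. As an added example (not from the wiki page or the hardening-wrapper project), the script below reads the same three facts directly from the ELF headers: e_type == ET_DYN for a PIE (which `file` reports as "shared object"), a PT_GNU_RELRO program header for -z relro, and DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic section for -z now. The build_elf helper is a constructed, header-only ELF64 image used so the check runs offline; pass a real binary's path to inspect it instead.

```python
import struct, sys

# ELF constants from the ELF specification / glibc <elf.h>
ET_DYN = 3                 # PIE executables and shared objects both use ET_DYN
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552  # segment the loader remaps read-only after relocation
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, dyn = False, {}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:  # walk d_tag/d_val pairs up to DT_NULL
            for pos in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    bind_now = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}  # -z relro plus -z now: whole GOT read-only

def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed header-only ELF64 image (no code) for offline testing."""
    dyn = (struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"")
    dyn += struct.pack("<QQ", DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)          # dynamic data follows the program headers
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, *((dyn_off, 0, 0, len(dyn), len(dyn))
                    if t == PT_DYNAMIC else (0,) * 5), 8) for t in types)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0,
        64, 56, len(types), 64, 0, 0)
    return ehdr + phdrs + dyn

if __name__ == "__main__":  # inspect a real binary if given, else the constructed sample
    print(hardening_report(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf(True, True, True)))
```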