Binary hardened distro

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Binary hardened distro

Postby evilangel » Thu May 06, 2010 11:24 am

Hey all,

According to this page https://wiki.ubuntu.com/Security/Features#Hardening, it seems that Ubuntu has a default compilation policy so as to incorporate some hardening features (stack protector, ASLR, ...).

What do you think about their implementation?

Is there any other binary distro that takes into account, by default, hardening features?

As far as I know, Fedora/RedHat use SELinux mechanisms, but nothing regarding compilation.

Thanks
evilangel
Posts: 59
Joined: Thu May 15, 2008 7:57 pm

Re: Binary hardened distro

Postby Grach » Thu May 06, 2010 12:42 pm

CentOS (RHEL) and recent OpenSUSE also have some binaries compiled with SSP (with -fstack-protector, not with -fstack-protector-all) and FORTIFY_SOURCE; some of them are even PIE, and many of them have "partial" RELRO. You should check every binary by yourself to figure out how well it is protected; here's the script: http://www.grsecurity.net/~spender/checksec-new.sh

For example, last time I checked, Firefox in Ubuntu was non-PIE - they think it's worth speeding up the startup by a second or two in exchange for ET_DYN randomization (while I, personally, think it's not). Be careful.
Grach
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm
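The checks the linked checksec script performs (PIE, RELRO, NX, stack canary) can be reproduced without readelf by reading the ELF headers directly. The Python below is an added example written for this thread, not the script from the link or any distro tool; it assumes a little-endian ELF64 input, and build_sample_elf() constructs a minimal header-only image so the checker can be exercised without a real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

def checksec(elf: bytes) -> dict:
    """Report PIE, RELRO, NX and stack-canary status of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<HHIQQQIHHH", elf, 16)
    relro = bind_now = nx = False  # no PT_GNU_STACK at all means an executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_DYNAMIC:  # walk the dynamic table looking for BIND_NOW (full RELRO)
            off = p_offset
            while True:
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
                off += 16
    return {
        "pie": e_type == ET_DYN,  # ET_DYN also matches shared libraries, as checksec does
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "nx": nx,
        "canary": b"__stack_chk_fail" in elf,  # same symbol-name heuristic as checksec
    }

def build_sample_elf(pie=True, relro="full", nx=True, canary=True) -> bytes:
    """Constructed, non-loadable ELF64 image carrying only the headers checksec() reads."""
    phnum, phentsize = 3, 56
    dyn_off = 64 + phnum * phentsize  # dynamic table follows the program headers
    def phdr(p_type, p_flags, p_offset=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, 0, 0, 8)
    phdrs = phdr(PT_GNU_RELRO if relro != "none" else 0, PF_R)  # PT_NULL when no RELRO
    phdrs += phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))
    phdrs += phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off)
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if relro == "full" else 0, DT_NULL, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, phentsize, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\0" if canary else b"")
```

On a real system, checksec(open("/path/to/binary", "rb").read()) gives the same verdicts the shell script prints.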

Re: Binary hardened distro

Postby taaroa » Mon May 24, 2010 4:58 pm

Code:
$ cat gcc_out.sh
#!/bin/sh
CFLAGS=`grep 'CFLAGS=' /etc/make.conf|awk -F\" '{print $2}'`
gcc $CFLAGS -E -v - </dev/null 2>&1 | sed -n 's/.* -v - //p'
$  ./gcc_out.sh   
-D_FORTIFY_SOURCE=2 -march=k8-sse3 -mcx16 -msahf --param l1-cache-size=64 --param l1-cache-line-size=64 --param l2-cache-size=512 -mtune=k8 -fno-strict-overflow -mmmx -msse -msse2 -msse3 -mssse3 -m3dnow -mfpmath=sse -fPIE -O2 -fstack-protector-all
$ LANG="C" gcc -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.4.4/work/gcc-4.4.4/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.4.4 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --disable-fixed-point --with-ppl --with-cloog --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-multilib --enable-libmudflap --disable-libssp --enable-esp=all --enable-libgomp --enable-cld --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.4.4/python --disable-libgcj --enable-languages=c,c++,fortran --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.4.4 p1.0, pie-0.4.1'
Thread model: posix
gcc version 4.4.4 (Gentoo Hardened 4.4.4 p1.0, pie-0.4.1)

see briefly
taaroa
Posts: 19
Joined: Thu Mar 25, 2010 2:58 am
