* Re: [gentoo-hardened] How to compile with hardened toolchain?
From: atoth @ 2008-11-24 19:40 UTC
To: gentoo-hardened
Let's start with this command: "gcc-config -l". You should see multiple
flavors of each version of hardened gcc you installed. If the green mark is
beside the one without any additional tag at the end: that means you
compile executables hardened by default if you are running gcc (either
through make or executing g++). If you do not have -nopie and -vanilla
tags appended to the end of the particular version of gcc, that means your
gcc of that version is not hardened. You can switch back to the original
behavior with gcc-config selecting the vanilla profile. Just don't forget
to flip it back to the default hardened. Ebuilds can switch some features
(pie, ssp) on and off at compile time.
If you want to make sure that your executable is hardened you can use the
binutils executable called "readelf". Some examples:
"readelf -h <executable> | grep DYN" - shows if the executable is PIE
"readelf -s <executable> | grep -E 'guard|stack'" - shows if the executable
is SSP-enabled (use guard for the old, and stack for the new ssp
implementation)
"readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
BIND" shows that some linker options were applied on the executable, which
make the hardening more complete.
Is it clearer now?
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
On Mon, November 24, 2008 21:06, Jan Klod wrote:
> Please, could someone give a short introduction on how I should make sure
> I am compiling with hardened feature support? And what if I do it manually
> with some "make" or "gcc" or "g++"?
> Thank you...
>
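The readelf checks above can be reproduced without grepping text output by reading the ELF structures that readelf prints: e_type for PIE, the PT_GNU_RELRO segment for RELRO, the dynamic section flags for BIND_NOW, and the SSP runtime symbol names for stack protection. The following Python is an added example, not code from the thread or from Gentoo; it handles only ELF64 little-endian images, uses a plain string scan for `__stack_chk_fail`/`__guard` as a stand-in for `readelf -s | grep`, and ships with a constructed minimal ELF image (`build_sample_elf`, not a runnable program) so it can be exercised offline. Note that a shared library is also ET_DYN, so the PIE marker is only meaningful when run on an executable.

```python
import struct
import sys

# ELF constants (ELF specification / elf.h)
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_hardening(data: bytes) -> dict:
    """Read the markers the thread greps for straight from an ELF64 LE image.

    pie        - e_type is ET_DYN            ('readelf -h | grep DYN')
    relro      - PT_GNU_RELRO segment exists ('readelf -l | grep RELRO')
    bind_now   - DT_BIND_NOW / BIND_NOW flag ('readelf -d | grep BIND')
    full_relro - both of the above, i.e. the GOT can be made read-only
    ssp        - SSP runtime symbol name present (string scan, a heuristic
                 standing in for 'readelf -s | grep -E "guard|stack"')
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles ELF64 little-endian files")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    segments = []  # (p_type, p_offset, p_filesz) for every program header
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        segments.append((p_type, p_offset, p_filesz))

    relro = any(t == PT_GNU_RELRO for t, _, _ in segments)
    bind_now = False
    for t, off, size in segments:
        if t != PT_DYNAMIC:
            continue
        for j in range(size // 16):  # Elf64_Dyn: signed tag + value, 16 bytes
            tag, val = struct.unpack_from("<qQ", data, off + j * 16)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:
                bind_now = True
            elif tag == DT_FLAGS and val & DF_BIND_NOW:
                bind_now = True
            elif tag == DT_FLAGS_1 and val & DF_1_NOW:
                bind_now = True

    ssp = b"__stack_chk_fail" in data or b"__guard" in data
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now, "ssp": ssp}


def build_sample_elf(pie=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed minimal ELF64 image carrying only the markers under test."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    strtab = b"\x00__stack_chk_fail\x00" if ssp else b"\x00"
    nph = 1 + (1 if relro else 0)
    dyn_off = 64 + 56 * nph  # layout: header | program headers | dynamic | strtab

    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn))
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dyn))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 62, 1, 0, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    return header + phdrs + dyn + strtab


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/executable (defaults to the sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, ok in check_hardening(image).items():
        print(f"{name:10s} {'yes' if ok else 'NO'}")
```

Run it on a freshly built binary after switching gcc-config profiles to see the PIE and SSP markers appear and disappear; RELRO and BIND_NOW come from the linker flags rather than the compiler profile, which is why the thread lists them as a separate check.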
* Re: [gentoo-hardened] How to compile with hardened toolchain?
From: atoth @ 2008-11-24 19:53 UTC
To: gentoo-hardened
Dear Jan,
I've run through what I wrote and I have a feeling that it can be
misleading.
So here is an actual example output of the command "gcc-config -l":
"
hostname ~ # gcc-config -l
[1] i686-pc-linux-gnu-4.2.4 *
[2] i686-pc-linux-gnu-4.2.4-nofortify
[3] i686-pc-linux-gnu-4.2.4-nopie
[4] i686-pc-linux-gnu-4.2.4-nossp_all
[5] i686-pc-linux-gnu-4.2.4-strict
[6] i686-pc-linux-gnu-4.2.4-vanilla
"
Here you can see that the same version of gcc has several profiles. The
one without any additional tag is the default hardened profile. It compiles
hardened executables by default. The vanilla profile is intended to
implement the original non-hardened behavior.
I'm running the experimental hardened toolchain, which is the reason I
have entries 2, 4 and 5. If you are not using the experimental hardened
toolchain you should probably have 3.4.6, -nopie, -nossp and
-vanilla. If you have gcc-4+ and you are not using the experimental
hardened toolchain you are probably missing hardened toolchain features
(some developers tend to neglect and/or treat them as useless - I don't
understand why).
Regards,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
On Mon, November 24, 2008 20:40, atoth@atoth.sote.hu wrote:
> Let's start with this command: "gcc-config -l". You should see multiple
> flavors of each version of hardened gcc you installed. If the green mark is
> beside the one without any additional tag at the end: that means you
> compile executables hardened by default if you are running gcc (either
> through make or executing g++). If you do not have -nopie and -vanilla
> tags appended to the end of the particular version of gcc, that means your
> gcc of that version is not hardened. You can switch back to the original
> behavior with gcc-config selecting the vanilla profile. Just don't forget
> to flip it back to the default hardened. Ebuilds can switch some features
> (pie, ssp) on and off at compile time.
>
> If you want to make sure that your executable is hardened you can use the
> binutils executable called "readelf". Some examples:
> "readelf -h <executable> | grep DYN" - shows if the executable is PIE
> "readelf -s <executable> | grep -E 'guard|stack'" - shows if the executable
> is SSP-enabled (use guard for the old, and stack for the new ssp
> implementation)
> "readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
> BIND" shows that some linker options were applied on the executable, which
> make the hardening more complete.
>
> Is it clearer now?
>
> Regards,
> Dw.
> --
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057,
> 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>
> On Mon, November 24, 2008 21:06, Jan Klod wrote:
>> Please, could someone give a short introduction on how I should make sure
>> I am compiling with hardened feature support? And what if I do it manually
>> with some "make" or "gcc" or "g++"?
>> Thank you...
>>
>
>
>
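The rule in the message above is that the profile marked with the asterisk in `gcc-config -l` should be the one without a suffix; any tagged profile (-vanilla, -nopie, -nossp, ...) makes plain `gcc`, `g++` and anything driven by `make` produce weaker code. The following Python is an added example, not part of the thread or of gcc-config itself: it parses the listing format shown in the message (the sample is the posted output, reproduced as a constructed string) and reports whether the active profile is the hardened default. The mapping from tag names to dropped features is an assumption based on the tag names, not documented behaviour of the experimental toolchain.

```python
import re

# Constructed sample: the listing posted in the thread, [1] marked active.
SAMPLE_LISTING = """\
 [1] i686-pc-linux-gnu-4.2.4 *
 [2] i686-pc-linux-gnu-4.2.4-nofortify
 [3] i686-pc-linux-gnu-4.2.4-nopie
 [4] i686-pc-linux-gnu-4.2.4-nossp_all
 [5] i686-pc-linux-gnu-4.2.4-strict
 [6] i686-pc-linux-gnu-4.2.4-vanilla
"""

# Assumed meaning of the tag names: which hardening feature each one drops.
TAG_DROPS = {
    "vanilla": ["pie", "ssp", "fortify"],
    "nopie": ["pie"],
    "nossp": ["ssp"],
    "nossp_all": ["ssp"],
    "nofortify": ["fortify"],
}

# " [3] i686-pc-linux-gnu-4.2.4-nopie *"  ->  index, target, version, tag, star
LINE_RE = re.compile(
    r"^\s*\[(\d+)\]\s+(\S+?)-(\d+(?:\.\d+)*)(?:-(\S+))?\s*(\*)?\s*$")


def parse_gcc_config(listing: str) -> list:
    """Turn 'gcc-config -l' output into a list of profile dicts."""
    profiles = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hostname prompt, blank lines, anything that is not a profile
        idx, target, version, tag, star = m.groups()
        profiles.append({"index": int(idx), "target": target, "version": version,
                         "tag": tag or "", "active": star is not None})
    return profiles


def hardened_by_default(profiles: list) -> dict:
    """Apply the thread's rule: only the untagged active profile is the hardened default."""
    active = [p for p in profiles if p["active"]]
    if len(active) != 1:
        return {"active": None, "hardened_default": False, "dropped": [],
                "note": "no single active profile; run gcc-config to select one"}
    p = active[0]
    name = f'{p["target"]}-{p["version"]}' + (f'-{p["tag"]}' if p["tag"] else "")
    if p["tag"] == "":
        return {"active": name, "hardened_default": True, "dropped": [],
                "note": "untagged profile: gcc/g++/make build hardened by default"}
    dropped = TAG_DROPS.get(p["tag"], [])
    note = (f'tag "{p["tag"]}" drops {", ".join(dropped)}' if dropped
            else f'tag "{p["tag"]}" not recognised; verify a build with readelf')
    return {"active": name, "hardened_default": False, "dropped": dropped, "note": note}


if __name__ == "__main__":
    # Usage: gcc-config -l | python check_gcc_config.py   (falls back to the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print(hardened_by_default(parse_gcc_config(text)))
```

Pipe the real listing in after every `gcc-config` switch; the point of the check is catching the case the first message warns about, where a -vanilla profile was selected for one build and never flipped back.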
* [gentoo-hardened] How to compile with hardened toolchain?
From: Jan Klod @ 2008-11-24 20:06 UTC
To: gentoo-hardened
Please, could someone give a short introduction on how I should make sure I
am compiling with hardened feature support? And what if I do it manually with
some "make" or "gcc" or "g++"?
Thank you...
* Re: [gentoo-hardened] How to compile with hardened toolchain?
From: Jan Klod @ 2008-11-24 20:59 UTC
To: gentoo-hardened
On Monday 24 November 2008 21:53:37 atoth@atoth.sote.hu wrote:
> Dear Jan,
>
> I've run through what I wrote and I have a feeling that it can be
> misleading.
> So here is an actual example output of the command "gcc-config -l":
> "
> hostname ~ # gcc-config -l
> [1] i686-pc-linux-gnu-4.2.4 *
> [2] i686-pc-linux-gnu-4.2.4-nofortify
> [3] i686-pc-linux-gnu-4.2.4-nopie
> [4] i686-pc-linux-gnu-4.2.4-nossp_all
> [5] i686-pc-linux-gnu-4.2.4-strict
> [6] i686-pc-linux-gnu-4.2.4-vanilla
> "
> Here you can see that the same version of gcc has several profiles. The
> one without any additional tag is the default hardened profile. It compiles
> hardened executables by default. The vanilla profile is intended to
> implement the original non-hardened behavior.
> I'm running the experimental hardened toolchain, which is the reason I
> have entries 2, 4 and 5. If you are not using the experimental hardened
> toolchain you should probably have 3.4.6, -nopie, -nossp and
> -vanilla. If you have gcc-4+ and you are not using the experimental
> hardened toolchain you are probably missing hardened toolchain features
> (some developers tend to neglect and/or treat them as useless - I don't
> understand why).
>
> Regards,
> Dw.
You are helpful this evening :)
Well, I am reading about various things *hardened.
Regards