
Re: Tor hardening at compile time



Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote
Fri, 07 May 2010 15:15:07 +0200:

| ./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening
| --enable-linker-hardening && make && sudo make install

I can report that this works well on NetBSD (5.0.2) @ i386 as well.
I'm using gcc 4.1.3, the one shipped with NetBSD.


| The end result on Debian Lenny is a slightly hardened build when checked
| with checksec.sh[0].
| 
| This is weasel's build on my x86 machine:
| RELRO           STACK CANARY      NX            PIE
|    Partial RELRO   Canary found      NX enabled    PIE enabled
| 
| This is a build with my new options on the same machine:
| RELRO           STACK CANARY      NX            PIE
| Full RELRO      Canary found      NX enabled    PIE enabled
| 
| This is a build without my new options on the same machine:
| RELRO           STACK CANARY      NX            PIE
| No RELRO        No canary found   NX enabled    No PIE

My observations are as follows.

- I see the GNU_RELRO header but not the BIND_NOW header.  This would
  have been displayed by checksec.sh as "Partial RELRO".
- Canary is found.
- I don't see GNU_STACK so NX is not there.
- PIE is enabled.


| This seems like a useful improvement for people building from source.

Indeed.  Thanks!

I'll look into why BIND_NOW and GNU_STACK aren't present.  Do you have
any ideas?

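As an added illustration of the checks behind the checksec.sh columns quoted above (this is not code from the thread or from checksec.sh itself): it reads the ELF program headers and dynamic section directly, the way checksec.sh does through readelf, so the "GNU_RELRO but no BIND_NOW" and "no GNU_STACK" observations can be reproduced on a constructed in-memory image. Canary detection is left out because it needs the symbol table; the sample ELF builder, its offsets and the ELF constants are the example's own assumptions.

```python
import struct

# ELF constants for the headers checksec.sh inspects (values from elf.h)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_DYN, DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 1, 3, 0, 24, 30, 8

def hardening_report(elf: bytes) -> dict:
    """RELRO, NX and PIE from ELF program/dynamic headers, as checksec.sh derives them via readelf."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    e = "<" if elf[5] == 1 else ">"          # EI_DATA: little or big endian
    e_type, = struct.unpack_from(e + "H", elf, 16)
    if elf[4] == 2:  # ELFCLASS64: Phdr fields start p_type, p_flags, p_offset
        e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(e + "QQIHHH", elf, 32)
        ph_fmt, idx, dyn_fmt = e + "IIQ", (0, 1, 2), e + "qQ"
    else:            # ELFCLASS32: p_type, p_offset, ..., p_flags is the 7th field
        e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(e + "IIIHHH", elf, 28)
        ph_fmt, idx, dyn_fmt = e + "IIIIIII", (0, 6, 1), e + "iI"
    raws = [struct.unpack_from(ph_fmt, elf, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    phdrs = [(r[idx[0]], r[idx[1]], r[idx[2]]) for r in raws]  # (p_type, p_flags, p_offset)
    # BIND_NOW is a dynamic-section property: DT_BIND_NOW, or DT_FLAGS carrying DF_BIND_NOW
    bind_now, step = False, struct.calcsize(dyn_fmt)
    for t, _, off in phdrs:
        if t != PT_DYNAMIC:
            continue
        while True:
            tag, val = struct.unpack_from(dyn_fmt, elf, off)
            if tag == DT_NULL:
                break
            bind_now |= tag == DT_BIND_NOW or bool(tag == DT_FLAGS and val & DF_BIND_NOW)
            off += step
    # GNU_RELRO without BIND_NOW is what checksec.sh prints as "Partial RELRO"
    has_relro = any(t == PT_GNU_RELRO for t, _, _ in phdrs)
    relro = ("Full RELRO" if bind_now else "Partial RELRO") if has_relro else "No RELRO"
    # NX needs a GNU_STACK header without PF_X; a missing header is reported as NX disabled
    stack = [f for t, f, _ in phdrs if t == PT_GNU_STACK]
    nx = bool(stack) and not stack[0] & PF_X
    return {"RELRO": relro, "NX": nx, "PIE": e_type == ET_DYN}

def sample_elf(relro: bool, bind_now: bool, gnu_stack: bool) -> bytes:
    """Constructed minimal ELF64 LE image (not runnable code): header, Phdrs and dynamic section."""
    phdrs = [(PT_DYNAMIC, 6, None)] + ([(PT_GNU_RELRO, 4, 0)] if relro else []) \
        + ([(PT_GNU_STACK, 6, 0)] if gnu_stack else [])
    dynoff = 64 + 56 * len(phdrs)                 # dynamic section follows the Phdr table
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dynoff if o is None else o, 0, 0, 0, 0, 0)
                    for t, f, o in phdrs)
    return hdr + body + dyn
```

`sample_elf(True, False, False)` models the NetBSD build described in the reply (GNU_RELRO present, no BIND_NOW, no GNU_STACK, PIE) and reports Partial RELRO with NX disabled; on a real binary, pass the file's bytes to `hardening_report` instead.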