This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.
See the CrossGCC FAQ for lots more information.
Hello Heiko,

On Thu, Dec 30, 2010 at 08:20:22AM -0600, Heiko Zuerker wrote:
> The hardened toolchain is not anything folks would look at on their
> own usually. Adding it to ct-ng would give it more exposure and more
> folks may tend to try it out. We really need to get to a place where
> things get more secure for everybody.

I agree on that, and thank you for bringing up this issue.

http://devil-linux.git.sourceforge.net/git/gitweb.cgi?p=devil-linux/devil-linux;a=tree;f=target/Devil-Linux/default/patches.ct-ng/gcc/4.4.5;h=4f163b8745174fb570da57a5fe7abb6685928d4b;hb=HEAD

I've briefly looked at those patches and have a few comments. My primary targets are lowly embedded systems, mostly ARM based.

- There seems to be no clear information about the downsides of the hardening patches, e.g. wrt code size and performance (benchmarks). How about binary compatibility between hardened and unhardened executables?

- Can the hardened toolchain build kernels? E.g. ARM support for -fstack-protector was added in 2.6.35 c743f38013aeff58ef6252601e397b5ba281c633, I have no idea about other architectures.

- Do the PIE + RELRO changes work with uClibc?

- gcc-4.4.5-fortify_source-1.patch mixes three changes in one patch:
  1. -D_FORTIFY_SOURCE=2 default
  2. "always overflow error"
  3. some unspecified changes in libjava/java/lang/natClass.cc
  I like 1., but 2. is an ugly hack (using getenv() to disable the error), and 3. is unclear to me.

- gcc-4.4.5-fpie-1.patch mixes:
  1. -fPIE default
  2. RELRO default
  3. -Wl,--fatal-warnings
  I think 1. is good (although it defeats prelink, http://lwn.net/Articles/190495/), but 2. impacts startup time due to BIND_NOW; not sure about 3.

- gcc-4.4.5-fstack_protector-1.patch looks good.

I think the patches might need to be split, and there should be a config option for each patch which spells out the upsides and downsides in the help text so the user has all the information to make the right choice.

Thanks,
Johannes

--
For unsubscribe information see http://sourceware.org/lists.html#faq
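The message above weighs PIE, RELRO and BIND_NOW defaults against their costs. When evaluating such a toolchain, the first practical question is what it actually emitted into a given binary. The following checker is an added example, not code from the thread, from Devil Linux or from crosstool-NG; it reads the ELF64 header, program headers and dynamic section directly (no readelf needed) and reports the PIE, RELRO, BIND_NOW (full RELRO) and non-executable-stack properties. The `build_sample` helper constructs minimal ELF images with chosen properties so the checker can be exercised offline; those images are constructed test data, not real compiler output.

```python
import struct
import sys

# ELF constants (from the ELF64 and GNU ABI definitions)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # in DT_FLAGS
DF_1_NOW = 0x1             # in DT_FLAGS_1
DF_1_PIE = 0x08000000      # in DT_FLAGS_1 (newer linkers only)

EHDR_FMT = "<HHIQQQIHHHHHH"   # fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"               # Elf64_Dyn, 16 bytes


def check_elf64(data: bytes) -> dict:
    """Return hardening properties visible in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    # NX stack: a PT_GNU_STACK header without the execute bit
    nx_stack = any(p[0] == PT_GNU_STACK and not (p[1] & PF_X) for p in phdrs)

    # Walk the dynamic section to collect DT_FLAGS / DT_FLAGS_1
    flags = flags1 = 0
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off, size = p[2], p[5]
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from(DYN_FMT, data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS:
                    flags = val
                elif tag == DT_FLAGS_1:
                    flags1 = val
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)

    # An executable of type ET_DYN is a PIE (shared objects are ET_DYN too).
    return {
        "pie": e_type == ET_DYN,
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,   # partial RELRO without BIND_NOW is not full
        "nx_stack": nx_stack,
    }


def build_sample(pie: bool, relro: bool, bind_now: bool, nx: bool) -> bytes:
    """Construct a minimal ELF64 image with the requested properties (test data)."""
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    if flags1:
        dyn.append((DT_FLAGS_1, flags1))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)

    n_ph = 2 + (1 if relro else 0)          # PT_DYNAMIC, PT_GNU_STACK, [PT_GNU_RELRO]
    dyn_off = 64 + 56 * n_ph                # dynamic section follows the program headers
    phdrs = [
        struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000,
                    len(dyn_bytes), len(dyn_bytes), 8),
        struct.pack(PHDR_FMT, PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, 0x1000, 0x1000,
                                 len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,
                               64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes


if __name__ == "__main__":
    # Usage: python checker.py /path/to/binary  (or no argument to check the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True, True, True, True)
    for k, v in check_elf64(blob).items():
        print(f"{k:>10}: {'yes' if v else 'no'}")
```

Note that this reads only what the headers expose; stack-protector and FORTIFY_SOURCE use can only be inferred from symbols (`__stack_chk_fail`, the `*_chk` functions), which this checker does not parse. The split between `relro` and `full_relro` mirrors the trade-off raised above: PT_GNU_RELRO alone costs nothing at startup, while BIND_NOW is what makes the GOT read-only at the price of eager symbol resolution.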