Add compiler and linker hardening after the fact

Ian Lance Taylor iant@google.com
Sat Mar 24 01:14:00 GMT 2012


Jeffrey Walton <noloader@gmail.com> writes:

> I'm working on a system which includes binaries (not source code)
> which do not utilize hardening techniques such as -z,relro -z,now,
> -z,noexecstack, -znoexecheap, and -fPIE.
>
> Does Binutils offer a tool to set the relevant bits (assuming the
> binary is not signed nor integrity checked)? I'm not sure what needs
> to be done for RELRO, NOW and PIE. I know -z,noexecstack, -znoexecheap
> need new sections added for PT_GNU_STACK and PT_GNU_HEAP markings (and
> no-exec heaps might not be available).

It is impossible to turn a non-relro executable into a relro
executable.  Relro requires specific alignment.

It is impossible to turn a non-PIE into a PIE.  PIE requires dynamic
relocations.

Adding -z now requires adding another dynamic tag.  Most executables
will have space for this.

Marking an executable as noexecstack or noexecheap requires adding
another segment.  Some executables will have space for this, some will
not.

Ian
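
The ELF markers named in the reply above (the relro segment, the PIE file type, the bind-now dynamic tag, the stack segment) can be read back from a binary to see which case it falls into. This is an added example, not part of the original message or of Binutils; it assumes a 64-bit little-endian ELF, `audit_elf` and `build_sample` are hypothetical names, and the sample image is constructed for illustration.

```python
import struct

# Constants from the ELF gABI and the GNU extensions.
ET_DYN, PT_DYNAMIC, PF_X = 3, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
NOW_BITS = {DT_FLAGS: 0x8, DT_FLAGS_1: 0x1}  # DF_BIND_NOW, DF_1_NOW
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def audit_elf(data):
    """Report hardening markers in a 64-bit little-endian ELF image (bytes)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    r = {"pie": e_type == ET_DYN,  # shared objects are ET_DYN as well
         "relro": False, "bind_now": False,
         "stack_marked": False, "noexecstack": False, "spare_dyn_slots": 0}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            r["relro"] = True
        elif p_type == PT_GNU_STACK:
            r["stack_marked"] = True
            r["noexecstack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            count = p_filesz // 16  # sizeof(Elf64_Dyn)
            for n in range(count):
                tag, val = struct.unpack_from(DYN, data, p_offset + n * 16)
                if tag == DT_NULL:
                    # Entries after the terminator are unused padding slots.
                    r["spare_dyn_slots"] = count - n - 1
                    break
                if tag == DT_BIND_NOW or val & NOW_BITS.get(tag, 0):
                    r["bind_now"] = True
    return r

def build_sample(e_type, phdrs, dyn):
    """Constructed test image: ELF header, program headers, then .dynamic."""
    dyn_off = 64 + 56 * (len(phdrs) + 1)
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    phdrs = phdrs + [(PT_DYNAMIC, 6, dyn_off, len(dyn_bytes))]
    out = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for t, f, off, size in phdrs:
        out += struct.pack(PHDR, t, f, off, 0, 0, size, size, 8)
    return out + dyn_bytes
```

To audit a real file, pass `open(path, "rb").read()` to `audit_elf`.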


