Add compiler and linker hardening after the fact

John Reiser jreiser@bitwagon.com
Sat Mar 24 02:28:00 GMT 2012


> It is impossible to turn a non-relro executable into a relro
> executable.  Relro requires specific alignment.
> 
> It is impossible to turn a non-PIE into a PIE.  PIE requires dynamic
> relocations.

The above two "impossible" statements hold under normal circumstances.  If the payoff
is high (> $1.0e06) and the time allowed is long enough (some months),
then it is amazing what can be done using binary re-writing.

> 
> Adding -z now requires adding another dynamic tag.  Most executables
> will have space for this.

In particular, by default any executable produced by ld in the last several years
will have enough space, because extra space was left to be used by prelink.
If necessary, then undo the prelink to gain space for 3 [?] ElfXX_Dyn.

> 
> Marking an executable as noexecstack or noexecheap requires adding
> another segment.  Some executables will have space for this, some will
> not.

In effect every executable has space to add another ElfXX_Phdr,
because the entire Phdr table can be moved to the old EOF
(leaving the original ElfXX_Phdr table as un-referenced "garbage"):
just set ElfXX_Ehdr.e_phoff = stbuf.st_size, then append the new
Phdr table.

-- 
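The Phdr-relocation trick described in the last paragraph, as an added Python example that is not part of the post: it builds a small constructed ELF64 image, then adds a PT_GNU_STACK entry with flags RW (noexecstack) by copying the Phdr table to the old EOF and pointing e_phoff at it, or simply clears PF_X if such a segment already exists. Field offsets follow the ELF64 layout; all function names are this example's own.

```python
import struct

# ELF64 sizes and constants (per the ELF spec); little-endian assumed.
EHDR_SIZE, PHDR_SIZE = 64, 56
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def ehdr_fields(img):
    """Return (e_phoff, e_phentsize, e_phnum) from an ELF64 header."""
    return struct.unpack_from("<Q", img, 32) + struct.unpack_from("<HH", img, 54)

def make_phdr(p_type, p_flags, offset=0, vaddr=0, paddr=0, filesz=0, memsz=0, align=0):
    return struct.pack("<IIQQQQQQ", p_type, p_flags, offset, vaddr, paddr, filesz, memsz, align)

def read_phdrs(img):
    off, ent, num = ehdr_fields(img)
    return [bytes(img[off + i * ent : off + (i + 1) * ent]) for i in range(num)]

def append_phdr(img, new_phdr):
    """The post's trick: copy the Phdr table plus one new entry to the old EOF,
    set e_phoff to that offset, and leave the original table behind as unreferenced bytes."""
    out = bytearray(img)
    old = read_phdrs(out)
    new_phoff = len(out)                        # == stbuf.st_size of the original file
    out += b"".join(old) + new_phdr
    struct.pack_into("<Q", out, 32, new_phoff)  # e_phoff
    struct.pack_into("<H", out, 56, len(old) + 1)  # e_phnum
    return bytes(out)

def mark_noexecstack(img):
    """Ensure a PT_GNU_STACK segment without PF_X: patch in place if present, else append."""
    out = bytearray(img)
    off, ent, num = ehdr_fields(out)
    for i in range(num):
        p_type, p_flags = struct.unpack_from("<II", out, off + i * ent)
        if p_type == PT_GNU_STACK:
            struct.pack_into("<I", out, off + i * ent + 4, p_flags & ~PF_X)
            return bytes(out)
    return append_phdr(bytes(out), make_phdr(PT_GNU_STACK, PF_R | PF_W))

def build_sample():
    """Constructed 120-byte ELF64 image: header + one PT_LOAD, no PT_GNU_STACK."""
    ehdr = bytearray(EHDR_SIZE)
    ehdr[0:7] = b"\x7fELF\x02\x01\x01"          # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16, 2, 62, 1, 0x401000, EHDR_SIZE,
                     0, 0, EHDR_SIZE, PHDR_SIZE, 1, 64, 0, 0)
    return bytes(ehdr) + make_phdr(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                                   0x1000, 0x1000, 0x1000)
```

Only the file layout is handled here: for the result to load, the appended table must also be mapped by a PT_LOAD (and any PT_PHDR entry repointed) so the kernel and dynamic loader can find it at run time.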