From: ng0 <ng0@we.make.ritual.n0.is>
To: Alex Vong <alexvong1995@gmail.com>, Ricardo Wurmus <rekado@elephly.net>
Cc: guix-devel@gnu.org
Subject: Re: Hardening
Date: Fri, 19 Aug 2016 09:30:55 +0000 [thread overview]
Message-ID: <871t1lnm0g.fsf@we.make.ritual.n0.is> (raw)
In-Reply-To: <87mvkbw35w.fsf@we.make.ritual.n0.is>
ng0 <ng0@we.make.ritual.n0.is> writes:
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Hi,
>>
>> Wow, this was long time ago. I've forgot this completely.
>>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Leo Famulari <leo@famulari.name> writes:
>>>
>>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>>> Alex Vong <alexvong1995@gmail.com> skribis:
>>>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>>>> > matches are found. It appears no packages are setting this flag
>>>>> > currently. I think this flag (perhaps also a couple others) should be
>>>>> > set by default since they help protect against buffer overflow
>>>>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>>>>
>>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>>
>>>>> The question is more how. Do we change the default #:configure-flags
>>>>> for ‘gnu-build-system’ to something like:
>>>>>
>>>>> '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>> "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>>
>>>>> ?
>>>>>
>>>>> That sounds like a good starting point, but I expect that (1) one third
>>>>> of the packages will fail to build, and (2) another third of the
>>>>> packages will not get these flags, for instance because they pass their
>>>>> own #:configure-flags.
>>>>>
>>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>>> and to fix any issues.
>>>>>
>>>>> Would you like to start working on it? Then we could create a branch,
>>>>> have Hydra build it, and incrementally fix things.
>>>>
>>>> We should pick this project back up. I was suprised to find we haven't
>>>> done anything like this after reading this recent blog post about Nix's
>>>> hardening effort:
>>>>
>>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>>
>>> Are the above flags the only flags we’d like to play with? There’s no
>>> harm in letting hydra rebuild the world with these flags on a separate
>>> branch — provided that all build nodes are usable.
>>>
>> There are indeed additional flags (for debian's hardening).
>>
>>
>> Here is the complete output (from the testing distribution):
>>
>> alexvong1995@debian:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
>> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
>> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
>> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
>> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>>
>>
>> The `-fdebug-prefix-map' flag seems to be using the current working
>> directory.
>>
>>> ~~ Ricardo
>>
>> Cheers,
>> Alex
>>
>
> I think there's even more, I can add to this thread when I have access
> to my hardened vm systems again.
I mean there is more, but it depends on what we want. What I can share
is in the direction of Gentoo Hardened
( https://wiki.gentoo.org/wiki/Project:Hardened ,
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart )
and there are repos at https://gitweb.gentoo.org of the hardened project
showing the depths you can go to. Depending on what you will apply,
certain applications become difficult to compile but with patches
applied they succeed. Runtime gets difficult once you apply on top of a
PaX enabled kernel with GRSec the addtional useful things like paxctl-ng
for XATTR_PAX markings.
Gentoo hardened has not stabilized the gcc we use and use some other
version as stable, gcc-6 is testing in gentoo if I remember correctly.
If desired, I can setup a hardened gentoo again (my VM is currently
busy) and look at what their patches do in practice.
> Good to see that this is being picked up again.
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
next prev parent reply other threads:[~2016-08-19 9:31 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-31 13:56 [PATCH 1/2] Add (guix build build-flags) Alex Vong
2015-11-05 21:55 ` Ludovic Courtès
2015-12-25 15:38 ` Alex Vong
2015-12-30 16:06 ` Hardening Ludovic Courtès
2016-08-16 23:57 ` Hardening Leo Famulari
2016-08-17 6:49 ` Hardening Ricardo Wurmus
2016-08-17 13:48 ` Hardening Alex Vong
2016-08-17 20:28 ` Hardening ng0
2016-08-19 9:30 ` ng0 [this message]
2016-08-20 16:45 ` Hardening Alex Vong
2016-09-02 13:08 ` Hardening Ludovic Courtès
2016-09-03 11:34 ` Hardening ng0
-- strict thread matches above, loose matches on Subject: below --
2017-01-24 11:19 tor: update to 0.2.9.9 contact.ng0
2017-01-24 19:07 ` Leo Famulari
2017-01-24 20:56 ` Hardening (was: Re: tor: update to 0.2.9.9) ng0
2017-01-24 21:02 ` Leo Famulari
2017-01-24 21:09 ` ng0
2017-01-24 21:18 ` ng0
2017-01-24 21:32 ` Leo Famulari
2017-01-24 21:56 ` ng0
2017-01-25 13:04 ` Hardening Ludovic Courtès
2017-01-30 12:05 ` Hardening ng0
2017-01-30 12:16 ` Hardening ng0
2017-01-25 9:09 ` Hardening (was: Re: tor: update to 0.2.9.9) Ricardo Wurmus
2017-01-25 11:51 ` Hardening ng0
2018-01-29 12:44 hardening ng0
2018-01-29 19:21 ` hardening Joshua Branson
2018-01-29 20:55 ` hardening ng0
2018-01-31 12:20 ` hardening Alex Vong
2018-03-11 13:37 ` hardening ng0
2018-03-11 13:40 ` hardening ng0
2018-03-11 14:04 ` hardening Ricardo Wurmus
2018-03-11 14:36 ` hardening ng0
2018-03-22 13:16 ` hardening ng0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871t1lnm0g.fsf@we.make.ritual.n0.is \
--to=ng0@we.make.ritual.n0.is \
--cc=alexvong1995@gmail.com \
--cc=guix-devel@gnu.org \
--cc=rekado@elephly.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).