/usr/share/doc/hardening-wrapper/README.Debian is in hardening-wrapper 2.5ubuntu2.

This file is owned by root:root, with mode 0o644.

The hardening-wrapper package works by diverting g{cc,++}-4.[2345678] and
ld with perl scripts that enforce the use of several toolchain hardening
features. Note that due to how diversions work, symlinks are created for
versions of gcc that may not be installed.

The following options are supported through the wrapper. The wrapper only
adds them when the DEB_BUILD_HARDENING environment variable is set to "1";
once it is, every DEB_BUILD_HARDENING_* feature is enabled by default. To
disable a specific feature, export "DEB_BUILD_HARDENING_[feature]=0".

System-wide defaults can be set using /etc/hardening-wrapper.conf, one
DEB_BUILD_HARDENING* variable per line.


The hardening-includes package takes a different approach: it provides a
Makefile include that populates several CFLAGS and LDFLAGS make variables
with the same hardening options, for build systems that prefer to pass the
flags explicitly instead of relying on the diverted compiler. See that file
for further details.


Please also see http://wiki.debian.org/Hardening


Features
--------
-fstack-protector --param ssp-buffer-size=4 (DEB_BUILD_HARDENING_STACKPROTECTOR)

This is a mainline GCC feature, which places a canary between local buffers
and the saved return address and checks it before the function returns.
Overwriting the return address through a stack buffer overflow then aborts
the process instead of diverting control flow. In the best case this turns a
code injection vulnerability into a denial of service, or into a non-issue
(depending on the application). The ssp-buffer-size parameter lowers the
minimum array size that triggers protection from GCC's default of 8 bytes
to 4, so more functions get a canary.
http://en.wikipedia.org/wiki/Stack-smashing_protection

-Wl,-z,relro (DEB_BUILD_HARDENING_RELRO)

Several ELF sections need to be written to by the dynamic linker while the
program starts, but can be turned read-only afterwards. Most notably this
prevents GOT overwrite attacks. Note that with -z relro alone the part of the
GOT used for lazily-resolved PLT entries (.got.plt) must stay writable, so
only part of the GOT is protected ("partial RELRO").

-Wl,-z,now (DEB_BUILD_HARDENING_BINDNOW)

Perform all dynamic bindings at start-up instead of on-demand. Because no
symbol is resolved after start-up, the whole GOT, including the PLT entries,
can be covered by the RELRO mapping ("full RELRO"), which prevents PLT/GOT
overwrite attacks. The cost is slightly slower start-up, since every
imported symbol is resolved whether or not it is ever called.

-pie, -fPIE (DEB_BUILD_HARDENING_PIE)

Position Independent Executables are needed for effective Address Space
Layout Randomization. Without PIE only the shared libraries, stack and heap
are randomized; the main program's text, data and GOT stay at fixed
addresses, which is enough for an attacker to build a ROP chain.
http://en.wikipedia.org/wiki/ASLR
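The three link-time properties above (RELRO, BIND_NOW and PIE) are visible in the produced ELF file, which is how a tool such as hardening-check verifies them. The following added example, written for this page and not part of hardening-wrapper, reads those properties from an ELF64 image held in memory: PIE from e_type, RELRO from a PT_GNU_RELRO program header, and BIND_NOW from the DT_BIND_NOW, DT_FLAGS or DT_FLAGS_1 entries of the dynamic section. It assumes a Linux <elf.h> and a little-endian host, and the names check_elf64, relro_level and build_sample are this example's own. build_sample writes a constructed, minimal ELF64 image (headers and a dynamic section only, not a runnable binary) so the checker can be exercised without a compiler at hand.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting one ELF image, mirroring the link-time properties
 * described in the README: PIE, RELRO and BIND_NOW. */
struct hardening {
    int pie;      /* e_type == ET_DYN (note: also true for shared libraries) */
    int relro;    /* a PT_GNU_RELRO segment is present */
    int bindnow;  /* DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW is set */
};

/* Inspect an ELF64 image held in memory (host byte order assumed).
 * Returns 0 on success, -1 if the buffer is not a plausible ELF64 file. */
int check_elf64(const unsigned char *img, size_t len, struct hardening *out)
{
    Elf64_Ehdr eh;

    memset(out, 0, sizeof *out);
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;

    out->pie = (eh.e_type == ET_DYN);

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof ph;

        if (off > len || len - off < sizeof ph)   /* bounds check, no wrap */
            return -1;
        memcpy(&ph, img + off, sizeof ph);

        if (ph.p_type == PT_GNU_RELRO)
            out->relro = 1;
        if (ph.p_type != PT_DYNAMIC)
            continue;

        /* Walk the .dynamic array until DT_NULL, bounded by the segment size. */
        for (size_t d = 0; d + sizeof(Elf64_Dyn) <= ph.p_filesz; d += sizeof(Elf64_Dyn)) {
            Elf64_Dyn dyn;
            size_t doff = (size_t)ph.p_offset + d;

            if (doff > len || len - doff < sizeof dyn)
                return -1;
            memcpy(&dyn, img + doff, sizeof dyn);
            if (dyn.d_tag == DT_NULL)
                break;
            if (dyn.d_tag == DT_BIND_NOW ||
                (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_BIND_NOW)) ||
                (dyn.d_tag == DT_FLAGS_1 && (dyn.d_un.d_val & DF_1_NOW)))
                out->bindnow = 1;
        }
    }
    return 0;
}

/* "full" = RELRO + BIND_NOW, "partial" = RELRO only, "none" = no RELRO. */
const char *relro_level(const struct hardening *h)
{
    if (h->relro && h->bindnow)
        return "full";
    return h->relro ? "partial" : "none";
}

/* Build a constructed (not real) ELF64 image with the requested properties.
 * Layout: [Ehdr][Phdr x2][Dyn x3]. Returns the image length, 0 if cap is too small. */
size_t build_sample(unsigned char *buf, size_t cap, int pie, int relro, int bindnow)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    Elf64_Dyn dyn[3];
    size_t dyn_off = sizeof eh + sizeof ph;
    size_t total = dyn_off + sizeof dyn;

    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memset(dyn, 0, sizeof dyn);

    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;      /* assumption: little-endian host */
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = relro ? 2 : 1;             /* second phdr is the RELRO segment */

    ph[0].p_type = PT_DYNAMIC;
    ph[0].p_offset = dyn_off;
    ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = PT_GNU_RELRO;

    dyn[0].d_tag = DT_FLAGS;
    dyn[0].d_un.d_val = bindnow ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_FLAGS_1;
    dyn[1].d_un.d_val = bindnow ? DF_1_NOW : 0;
    dyn[2].d_tag = DT_NULL;

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}

int main(void)
{
    unsigned char img[256];
    struct hardening h;
    size_t n = build_sample(img, sizeof img, 1, 1, 1);   /* -pie -z relro -z now */

    if (check_elf64(img, n, &h) != 0) {
        puts("not an ELF64 image");
        return 1;
    }
    printf("PIE: %s  RELRO: %s  BIND_NOW: %s\n",
           h.pie ? "yes" : "no", relro_level(&h), h.bindnow ? "yes" : "no");
    return 0;
}
```

To apply check_elf64 to a real binary, read the whole file into a buffer first (mmap or fread) and pass that; the bounds checks exist because a crafted or truncated file must not be able to push the reader past the end of the buffer. Distinguishing a PIE from a shared library needs more than e_type (for example the presence of an entry point and, on newer linkers, DF_1_PIE in DT_FLAGS_1), which this example deliberately leaves out.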

-D_FORTIFY_SOURCE=2 (DEB_BUILD_HARDENING_FORTIFY)

During code generation the compiler knows a great deal of information about
buffer sizes (where possible), and glibc uses that (via __builtin_object_size)
to replace unlimited-length buffer functions such as strcpy, memcpy and
sprintf with length-checked variants (__strcpy_chk and friends) that abort
the process when the destination would be overrun. This is especially useful
for old, crufty code. Note that for this feature to be fully enabled, the
source must also be compiled with -O2 or higher: the size information the
checks depend on is only computed with optimization on, and with -O0 the
macro has no effect. Buffers reached only through opaque pointers (for
example heap allocations whose size is not visible at the call site) are
not checked.

-Wformat -Wformat-security -Werror=format-security (DEB_BUILD_HARDENING_FORMAT)

Quoting the gcc man page:
| If `-Wformat' is specified, also warn about uses of format
| functions that represent possible security problems. At present,
| this warns about calls to `printf' and `scanf' functions where the
| format string is not a string literal and there are no format
| arguments, as in `printf (foo);'. This may be a security hole if
| the format string came from untrusted input and contains `%n'.
http://en.wikipedia.org/wiki/Format_string_attack
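The following added example, written for this page and not part of hardening-wrapper or GCC, shows the exact call shape the quoted warning describes next to its fix. log_unsafe passes a caller-supplied message as the format string; log_safe passes it as data behind a literal "%s". The constructed input only uses "%%", the one directive whose behaviour is defined without arguments; "%x" or "%n" in the unsafe path would read from or write through missing varargs. has_directive is a helper of this example for spotting such input. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the message is used as the format, so every '%' in it is
 * parsed as a directive. -Wformat -Wformat-security warns about this call
 * and -Werror=format-security makes the build fail on it. The pragma pair
 * exists only so this demonstration still compiles under those flags;
 * real code should be fixed, not silenced. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_unsafe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, msg);
}
#pragma GCC diagnostic pop

/* Hardened: the format is a literal and the message is an ordinary
 * argument, so '%' characters in it are copied verbatim. */
int log_safe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "%s", msg);
}

/* Returns 1 if msg contains a conversion directive (a '%' not immediately
 * followed by another '%'), i.e. input the unsafe path would misinterpret. */
int has_directive(const char *msg)
{
    for (const char *p = strchr(msg, '%'); p; p = strchr(p, '%')) {
        if (p[1] != '%')   /* "%x", "%n", or a lone trailing '%' */
            return 1;
        p += 2;            /* skip the escaped "%%" */
    }
    return 0;
}

int main(void)
{
    /* Constructed attacker-influenced input. */
    const char *input = "progress 100%% done";
    char a[64], b[64];

    log_unsafe(a, sizeof a, input);   /* "%%" collapses to "%": it was parsed */
    log_safe(b, sizeof b, input);     /* copied as-is */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("directive in \"user %%n input\": %d\n", has_directive("user %n input"));
    return 0;
}
```

The same pattern applies to syslog(), fprintf(stderr, msg) and any other function GCC knows as a format function; the warning fires on the non-literal format with no arguments, which is precisely the case where the author almost certainly meant "%s".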


This package was based on "pentium-builder". It's a hack, but it works. We
welcome a cleaner solution.