hardening-wrapper-2.5ubuntu2/0000775000000000000000000000000012306322244013210 5ustar hardening-wrapper-2.5ubuntu2/hardening-check0000775000000000000000000003213512214670103016152 0ustar #!/usr/bin/perl # Report the hardening characterists of a set of binaries. # Copyright (C) 2009-2013 Kees Cook # License: GPLv2 or newer use strict; use warnings; use Getopt::Long qw(:config no_ignore_case bundling); use Pod::Usage; use IPC::Open3; use Symbol qw(gensym); use Term::ANSIColor; my $skip_pie = 0; my $skip_stackprotector = 0; my $skip_fortify = 0; my $skip_relro = 0; my $skip_bindnow = 0; my $report_functions = 0; my $find_libc_functions = 0; my $color = 0; my $lintian = 0; my $verbose = 0; my $debug = 0; my $quiet = 0; my $help = 0; my $man = 0; GetOptions( "nopie|p+" => \$skip_pie, "nostackprotector|s+" => \$skip_stackprotector, "nofortify|f+" => \$skip_fortify, "norelro|r+" => \$skip_relro, "nobindnow|b+" => \$skip_bindnow, "report-functions|R!" => \$report_functions, "find-libc-functions|F!" => \$find_libc_functions, "color|c!" => \$color, "lintian|l!" => \$lintian, "verbose|v!" => \$verbose, "debug!" => \$debug, "quiet|q!" => \$quiet, "help|h|?" => \$help, "man|H" => \$man, ) or pod2usage(2); pod2usage(1) if $help; pod2usage(-exitstatus => 0, -verbose => 2, -noperldoc => 1) if $man; my $overall = 0; my $rc = 0; my $report = ""; my @tags; my %libc; # Report a good test. sub good { my ($name, $msg_color, $msg) = @_; $msg_color = colored($msg_color, 'green') if $color; if (defined $msg) { $msg_color .= $msg; } good_msg("$name: $msg_color"); } sub good_msg($) { my ($msg) = @_; if ($quiet == 0) { $report .= "\n$msg"; } } sub unknown { my ($name, $msg) = @_; $msg = colored($msg, 'yellow') if $color; good_msg("$name: $msg"); } # Report a failed test, possibly ignoring it. sub bad($$$$$) { my ($name, $file, $long_name, $msg, $ignore) = @_; $msg = colored($msg, 'red') if $color; $msg = "$long_name: " . $msg; if ($ignore) { $msg .= " (ignored)"; } else { $rc = 1; if ($lintian) { push(@tags, "$name:$file"); } } $report .= "\n$msg"; } # Safely run list-based command line and return stdout. sub output(@) { my (@cmd) = @_; my ($pid, $stdout, $stderr); if ($debug) { print join(" ", @cmd),"\n"; } $stdout = gensym; $stderr = gensym; $pid = open3(gensym, $stdout, $stderr, @cmd); my $collect = ""; while ( <$stdout> ) { $collect .= $_; } waitpid($pid, 0); my $rc = $?; if ($rc != 0) { while ( <$stderr> ) { print STDERR; } return ""; } return $collect; } # Find the libc used in this executable, if any. sub find_libc($) { my ($file) = @_; my $ldd = output("ldd", $file); $ldd =~ /^\s*libc\.so\.\S+\s+\S+\s+(\S+)/m; return $1 || ""; } sub find_functions($$) { my ($file, $undefined) = @_; my (%funcs); # Catch "NOTYPE" for object archives. my $func_regex = " (I?FUNC|NOTYPE) "; my $relocs = output("readelf", "-sW", $file); for my $line (split("\n", $relocs)) { next if ($line !~ /$func_regex/); next if ($undefined && $line !~ /$func_regex.* UND /); $line =~ s/ \([0-9]+\)$//; $line =~ s/.* //; $line =~ s/@.*//; $funcs{$line} = 1; } return \%funcs; } $ENV{'LANG'} = "C"; if ($find_libc_functions) { pod2usage(1) if (!defined($ARGV[0])); my $libc_path = find_libc($ARGV[0]); my $funcs = find_functions($libc_path, 0); for my $func (sort(keys(%{$funcs}))) { if ($func =~ /^__(\S+)_chk$/) { print " '$1' => 1,\n"; } } exit(0); } die "List of libc functions not defined!" if (scalar(keys %libc) < 1); my $name; foreach my $file (@ARGV) { $rc = 0; my $elf = 1; $report = "$file:"; @tags = (); # Get program headers. my $PROG_REPORT=output("readelf", "-lW", $file); if (length($PROG_REPORT) == 0) { $overall = 1; next; } # Get ELF headers. my $DYN_REPORT=output("readelf", "-dW", $file); # Get list of all symbols needing external resolution. my $functions = find_functions($file, 1); # PIE # First, verify this is an executable, not a library. This seems to be # best seen by checking for the PHDR program header. $name = " Position Independent Executable"; $PROG_REPORT =~ /^Elf file type is (\S+)/m; my $elftype = $1 || ""; if ($elftype eq "DYN") { if ($PROG_REPORT =~ /^ *\bPHDR\b/m) { # Executable, DYN ELF type. good($name, "yes"); } else { # Shared library, DYN ELF type. good($name, "no, regular shared library (ignored)"); } } elsif ($elftype eq "EXEC") { # Executable, EXEC ELF type. bad("no-pie", $file, $name, "no, normal executable!", $skip_pie); } else { $elf = 0; # Is this an ar file with objects? open(AR, "<$file"); my $header = ; close(AR); if ($header eq "!\n") { good($name, "no, object archive (ignored)"); } else { # ELF type is neither DYN nor EXEC. bad("unknown-elf", $file, $name, "not a known ELF type!? ($elftype)", 0); } } # Stack-protected $name = " Stack protected"; if (defined($functions->{'__stack_chk_fail'}) || (!$elf && defined($functions->{'__stack_chk_fail_local'}))) { good($name, "yes") } else { bad("no-stackprotector", $file, $name, "no, not found!", $skip_stackprotector); } # Fortified Source $name = " Fortify Source functions"; my @unprotected; my @protected; for my $name (keys(%libc)) { if (defined($functions->{$name})) { push(@unprotected, $name); } if (defined($functions->{"__${name}_chk"})) { push(@protected, $name); } } if ($#protected > -1) { if ($#unprotected == -1) { # Certain. good($name, "yes"); } else { # Vague, due to possible compile-time optimization, # multiple linkages, etc. Assume "yes" for now. good($name, "yes", " (some protected functions found)"); } } else { if ($#unprotected == -1) { unknown($name, "unknown, no protectable libc functions used"); } else { # Vague, since it's possible to have the compile-time # optimizations do away with them, or be unverifiable # at runtime. Assume "no" for now. bad("no-fortify-functions", $file, $name, "no, only unprotected functions found!", $skip_fortify); } } if ($verbose) { for my $name (@unprotected) { good_msg("\tunprotected: $name"); } for my $name (@protected) { good_msg("\tprotected: $name"); } } # Format # Unfortunately, I haven't thought of a way to test for this after # compilation. What it really needs is a lintian-like check that # reviews the build logs and looks for the warnings, or that the # argument is changed to use -Werror=format-security to stop the build. # RELRO $name = " Read-only relocations"; if ($PROG_REPORT =~ /^ *\bGNU_RELRO\b/m) { good($name, "yes"); } else { if ($elf) { bad("no-relro", $file, $name, "no, not found!", $skip_relro); } else { good($name, "no", ", non-ELF (ignored)"); } } # BIND_NOW # This marking keeps changing: # 0x0000000000000018 (BIND_NOW) # 0x000000006ffffffb (FLAGS) Flags: BIND_NOW # 0x000000006ffffffb (FLAGS_1) Flags: NOW $name = " Immediate binding"; if ($DYN_REPORT =~ /^\s*\S+\s+\(BIND_NOW\)/m || $DYN_REPORT =~ /^\s*\S+\s+\(FLAGS\).*\bBIND_NOW\b/m || $DYN_REPORT =~ /^\s*\S+\s+\(FLAGS_1\).*\bNOW\b/m) { good($name, "yes"); } else { if ($elf) { bad("no-bindnow", $file, $name, "no, not found!", $skip_bindnow); } else { good($name, "no", ", non-ELF (ignored)"); } } if (!$lintian && (!$quiet || $rc != 0)) { print $report,"\n"; } if ($report_functions) { for my $name (keys(%{$functions})) { print $name,"\n"; } } if (!$lintian && $rc) { $overall = $rc; } if ($lintian) { for my $tag (@tags) { print $tag, "\n"; } } } exit($overall); __END__ =pod =head1 NAME hardening-check - check binaries for security hardening features =head1 SYNOPSIS hardening-check [options] [ELF ...] Examine a given set of ELF binaries and check for several security hardening features, failing if they are not all found. =head1 DESCRIPTION This utility checks a given list of ELF binaries for several security hardening features that can be compiled into an executable. These features are: =over 8 =item B This indicates that the executable was built in such a way (PIE) that the "text" section of the program can be relocated in memory. To take full advantage of this feature, the executing kernel must support text Address Space Layout Randomization (ASLR). =item B This indicates that there is evidence that the ELF was compiled with the L option B<-fstack-protector> (e.g. uses B<__stack_chk_fail>). The program will be resistant to having its stack overflowed. When an executable was built without any character arrays being allocated on the stack, this check will lead to false alarms (since there is no use of B<__stack_chk_fail>), even though it was compiled with the correct options. =item B This indicates that the executable was compiled with B<-D_FORTIFY_SOURCE=2> and B<-O1> or higher. This causes certain unsafe glibc functions with their safer counterparts (e.g. B instead of B), or replaces calls that are verifiable at runtime with the runtime-check version (e.g. B<__memcpy_chk> insteade of B). When an executable was built such that the fortified versions of the glibc functions are not useful (e.g. use is verified as safe at compile time, or use cannot be verified at runtime), this check will lead to false alarms. In an effort to mitigate this, the check will pass if any fortified function is found, and will fail if only unfortified functions are found. Uncheckable conditions also pass (e.g. no functions that could be fortified are found, or not linked against glibc). =item B This indicates that the executable was build with B<-Wl,-z,relro> to have ELF markings (RELRO) that ask the runtime linker to mark any regions of the relocation table as "read-only" if they were resolved before execution begins. This reduces the possible areas of memory in a program that can be used by an attacker that performs a successful memory corruption exploit. =item B This indicates that the executable was built with B<-Wl,-z,now> to have ELF markings (BIND_NOW) that ask the runtime linker to resolve all relocations before starting program execution. When combined with RELRO above, this further reduces the regions of memory available to memory corruption attacks. =back =head1 OPTIONS =over 8 =item B<--nopie>, B<-p> No not require that the checked binaries be built as PIE. =item B<--nostackprotector>, B<-s> No not require that the checked binaries be built with the stack protector. =item B<--nofortify>, B<-f> No not require that the checked binaries be built with Fority Source. =item B<--norelro>, B<-r> No not require that the checked binaries be built with RELRO. =item B<--nobindnow>, B<-b> No not require that the checked binaries be built with BIND_NOW. =item B<--quiet>, B<-q> Only report failures. =item B<--verbose>, B<-v> Report verbosely on failures. =item B<--report-functions>, B<-R> After the report, display all external functions needed by the ELF. =item B<--find-libc-functions>, B<-F> Instead of the regular report, locate the libc for the first ELF on the command line and report all the known "fortified" functions exported by libc. =item B<--color>, B<-c> Enable colorized status output. =item B<--lintian>, B<-l> Switch reporting to lintian-check-parsable output. =item B<--debug> Report some debugging during processing. =item B<--help>, B<-h>, B<-?> Print a brief help message and exit. =item B<--man>, B<-H> Print the manual page and exit. =back =head1 RETURN VALUE When all checked binaries have all checkable hardening features detected, this program will finish with an exit code of 0. If any check fails, the exit code with be 1. Individual checks can be disabled via command line options. =head1 AUTHOR Kees Cook =head1 COPYRIGHT AND LICENSE Copyright 2009-2013 Kees Cook . This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 or later. =head1 SEE ALSO L, L =cut hardening-wrapper-2.5ubuntu2/hardened-ld0000664000000000000000000000573512254304605015317 0ustar #! /usr/bin/perl use strict; use warnings; use File::Spec qw(rel2abs); use File::Basename; my @args = (); my $enabled = 0; my $debug = 0; my $debug_fd = *STDERR; # Set up defaults my %default; $default{'DEB_BUILD_HARDENING'}=0; $default{'DEB_BUILD_HARDENING_DEBUG'}=0; # Architecture settings # #OS# #ARCH# $default{'DEB_BUILD_HARDENING_RELRO'}=1; $default{'DEB_BUILD_HARDENING_BINDNOW'}=1; # System settings my $system_conf = '/etc/hardening-wrapper.conf'; if (-r $system_conf) { open(CONF,$system_conf) || warn "Cannot read $system_conf\n"; while (my $line = ) { if ($line =~ /^\s*(DEB_BUILD_HARDENING[_A-Z]*)\s*=\s*(\d)$/) { $default{$1}=$2+0; } } close(CONF); } # Environment settings $enabled = defined($ENV{'DEB_BUILD_HARDENING'}) ? $ENV{'DEB_BUILD_HARDENING'} : $default{'DEB_BUILD_HARDENING'}; $debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ? $ENV{'DEB_BUILD_HARDENING_DEBUG'} : $default{'DEB_BUILD_HARDENING_DEBUG'}; my $force_relro = defined($ENV{'DEB_BUILD_HARDENING_RELRO'}) ? $ENV{'DEB_BUILD_HARDENING_RELRO'} : $default{'DEB_BUILD_HARDENING_RELRO'}; my $force_bindnow = defined($ENV{'DEB_BUILD_HARDENING_BINDNOW'}) ? $ENV{'DEB_BUILD_HARDENING_BINDNOW'} : $default{'DEB_BUILD_HARDENING_BINDNOW'}; if ($enabled) { # Scan arguments my $index = 0; foreach my $arg (@ARGV) { if ($arg eq "relro" && $index>0 && $ARGV[$index-1] eq "-z") { $force_relro = 0; } if ($arg eq "now" && $index>0 && $ARGV[$index-1] eq "-z") { $force_bindnow = 0; } $index++; } if ($force_relro) { push(@args,'-z','relro'); } if ($force_bindnow) { push(@args,'-z','now'); } } my $self = "hardened-ld"; my $link = ""; my $arg0 = File::Spec->rel2abs(basename($0),dirname($0)); my $tool = $arg0; if ($tool =~ /$self$/ || defined($ENV{'HARDENING_USE_USR_BIN'})) { $tool = "/usr/bin/ld"; } if (defined($ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'})) { $debug_fd = undef; if (!open($debug_fd, ">>$ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'}")) { die "Cannot open $ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'}: $!\n"; } } sub resolve_link($) { my $origin = $_[0]; my $link = readlink($origin); return File::Spec->rel2abs($link,dirname($origin)); } while (-l $tool && ($link = resolve_link($tool)) !~ /$self$/) { $tool = $link; } if (-x "$tool.real") { $tool = "$tool.real"; } # Abort if we ended up on a circular symlink resolution if ($tool eq $arg0) { my $short = $tool; $short =~ s/.*\///g; print STDERR "$tool: not found (maybe $short is not installed?)\n"; exit(127); } my @target = ($tool, @args, @ARGV); print $debug_fd join(" ",@target),"\n" if ($debug); exec @target or die "Unable to exec $target[0]: $!\n"; hardening-wrapper-2.5ubuntu2/tests/0000775000000000000000000000000011736342472014365 5ustar hardening-wrapper-2.5ubuntu2/tests/Makefile.wrapper0000775000000000000000000000152211604146475017506 0ustar #!/usr/bin/make -f WRAPPED_CC=$(BUILD_TREE)/hardened-cc WRAPPED_CXX=$(BUILD_TREE)/hardened-c++ WRAPPED_LD=$(BUILD_TREE)/hardened-ld # It seems that GCC_EXEC_PREFIX does not behave the same across all # architectures, so we need to pass the -B flag instead. CC=$(WRAPPED_CC) -B $(BUILD_TREE)/ WRAPPERS=$(WRAPPED_CC) $(WRAPPED_LD) $(WRAPPED_CXX) SYNTAX_STAMP=syntax.stamp SYMLINKED_LD=$(BUILD_TREE)/ld export HARDENING_USE_USR_BIN=1 export DEB_BUILD_HARDENING=1 export DEB_BUILD_HARDENING_DEBUG=1 NAME:=wrapper include Makefile.common $(SYNTAX_STAMP): $(WRAPPERS) # Test basic perl syntax for script in $(WRAPPERS); do perl -c $$script; done touch $@ $(SYMLINKED_LD): $(WRAPPED_LD) # Enable symlink for ld to trick gcc into doing wrapped linking (cd $(BUILD_TREE) && ln -s hardened-ld ld) (cd $(BUILD_TREE) && ln -s hardened-ld ld.gold) hardening-wrapper-2.5ubuntu2/tests/Makefile.includes0000775000000000000000000000355011735704434017637 0ustar #!/usr/bin/make -f NAME:=includes CFLAGS += $(HARDENING_CFLAGS) LDFLAGS += $(HARDENING_LDFLAGS) BUILD_EXTRA=$(BUILD_TREE)/$(NAME)-disabled include Makefile.common $(BUILD_TREE)/$(NAME)-disabled: $(TEST_REQS) ifeq (1,$(DEB_BUILD_HARDENING_PIE)) # Disable PIE $(CC) \ $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \ $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \ -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi endif ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) # Disable stack protector $(CC) $(CFLAGS) $(LDFLAGS) $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi endif ifeq (1,$(DEB_BUILD_HARDENING_FORTIFY)) # Disable fortify $(CC) $(CFLAGS) $(LDFLAGS) $(HARDENING_DISABLE_FORTIFY_CFLAGS) -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi endif ifeq (1,$(DEB_BUILD_HARDENING_RELRO)) # Disable relro $(CC) $(CFLAGS) $(LDFLAGS) $(HARDENING_DISABLE_RELRO_LDFLAGS) -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi endif ifeq (1,$(DEB_BUILD_HARDENING_BINDNOW)) # Disable bindnow $(CC) $(CFLAGS) $(LDFLAGS) $(HARDENING_DISABLE_BINDNOW_LDFLAGS) -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi endif # Disable everything $(CC) \ $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \ $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \ $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) \ $(HARDENING_DISABLE_FORTIFY_CFLAGS) \ $(HARDENING_DISABLE_FORMAT_CFLAGS) \ $(HARDENING_DISABLE_RELRO_LDFLAGS) \ $(HARDENING_DISABLE_BINDNOW_LDFLAGS) \ -o $@ $< if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi readelf -ldW $@ hardening-wrapper-2.5ubuntu2/tests/ssp-buffer-size-protect.c0000664000000000000000000000055711604146536021237 0ustar #include #include #include #include #include #include #include int announcement(char *prog) { char buf[4]; snprintf(buf,sizeof(buf),"%s",prog); return printf("%s: ok (%p)\n",buf,announcement); } int main(int argc, char * argv[]) { return !(announcement(argv[0]) > 0); } hardening-wrapper-2.5ubuntu2/tests/syntax.stamp0000664000000000000000000000000012254105015016731 0ustar hardening-wrapper-2.5ubuntu2/tests/hello.c0000664000000000000000000000056211604146430015625 0ustar #include #include #include #include #include #include #include int announcement(char *prog) { char buf[1024]; snprintf(buf,sizeof(buf),"%s",prog); return printf("%s: ok (%p)\n",buf,announcement); } int main(int argc, char * argv[]) { return !(announcement(argv[0]) > 0); } hardening-wrapper-2.5ubuntu2/tests/format.c0000664000000000000000000000033111604146536016013 0ustar #include #include #include #include #include #include #include int main(int argc, char * argv[]) { return fprintf(stderr, argv[0]); } hardening-wrapper-2.5ubuntu2/tests/Makefile0000775000000000000000000000116411735711462016030 0ustar #!/usr/bin/make -f BUILD_TREE:=../build-tree check: $(BUILD_TREE)/cc-test $(MAKE) -f Makefile.wrapper $@ $(MAKE) -f Makefile.includes $@ clean: rm -f $(BUILD_TREE)/cc-test $(MAKE) -f Makefile.wrapper $@ $(MAKE) -f Makefile.includes $@ $(BUILD_TREE)/cc-test: # Check the stack protector and PIE options directly, just to have # a historical record in the build logs. $(CC) -Wall -fstack-protector hello.c -o $(BUILD_TREE)/cc-test || true $(BUILD_TREE)/cc-test || true $(CC) -Wall -fPIE -pie hello.c -o $(BUILD_TREE)/cc-test || true $(BUILD_TREE)/cc-test || true $(BUILD_TREE)/cc-test || true .PHONY: check clean hardening-wrapper-2.5ubuntu2/tests/ssp-buffer-size-skip.c0000664000000000000000000000055711604146536020525 0ustar #include #include #include #include #include #include #include int announcement(char *prog) { char buf[2]; snprintf(buf,sizeof(buf),"%s",prog); return printf("%s: ok (%p)\n",buf,announcement); } int main(int argc, char * argv[]) { return !(announcement(argv[0]) > 0); } hardening-wrapper-2.5ubuntu2/tests/Makefile.common0000775000000000000000000001137611735713325017325 0ustar #!/usr/bin/make -f include ../hardening.make BUILD_TREE:=../build-tree SYMLINKED_LD?= WRAPPERS?= SYNTAX_STAMP?= BUILD_EXTRA?= CFLAGS += -O2 LDFLAGS?= HELLO=hello.c TEST_REQS=$(HELLO) $(WRAPPERS) $(SYMLINKED_LD) TESTS=\ $(SYNTAX_STAMP) \ $(BUILD_TREE)/$(NAME)-test-stock \ $(BUILD_TREE)/$(NAME)-test-compiled \ $(SYMLINKED_LD) \ $(BUILD_TREE)/$(NAME)-test-linked \ $(BUILD_TREE)/$(NAME)-test-fPIC-direct \ $(BUILD_TREE)/$(NAME)-test-fPIC \ $(BUILD_TREE)/$(NAME)-test-format-security \ $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect \ $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip \ $(BUILD_TREE)/$(NAME)-test-all.o \ $(BUILD_TREE)/$(NAME)-test-all.a \ $(BUILD_TREE)/$(NAME)-test-none.o \ $(BUILD_TREE)/$(NAME)-test-none.a \ $(BUILD_EXTRA) check: $(TESTS) clean: rm -f $(TESTS) ########## # Compilation and linking results tests $(BUILD_TREE)/$(NAME)-test-stock: $(HELLO) $(WRAPPERS) # Compiler and linker options disabled. DEB_BUILD_HARDENING=0 $(CC) -o $@ $< readelf -ldrsW $@ $@ $(BUILD_TREE)/$(NAME)-test-compiled: $(HELLO) $(WRAPPERS) # Compiler options enabled. (linker is not wrapper) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< readelf -ldrsW $@ # Run twice to show off PIE, if available in kernel $@ $@ # Figure out how to call "hardening-check" for this architecture HARDENING_CHECK_ARGS:= ifneq (1,$(DEB_BUILD_HARDENING_PIE)) HARDENING_CHECK_ARGS+=-p endif ifneq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) HARDENING_CHECK_ARGS+=-s endif ifneq (1,$(DEB_BUILD_HARDENING_FORTIFY)) HARDENING_CHECK_ARGS+=-f endif ifneq (1,$(DEB_BUILD_HARDENING_RELRO)) HARDENING_CHECK_ARGS+=-r endif $(BUILD_TREE)/$(NAME)-test-linked: $(TEST_REQS) # Compiler and linker options enabled. $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< readelf -ldrsW $@ # Run twice to show off PIE, if available in kernel $@ $@ # Check state of hardening features via check script perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@ # Manually check state of hardening features ifeq (1,$(DEB_BUILD_HARDENING_PIE)) # Test PIE readelf -lW $@ | grep '^Elf file type is DYN' else # Skipped PIE test endif ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) # Test Stack Protector nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' else # Skipped Stack Protector test endif ifeq (1,$(DEB_BUILD_HARDENING_FORTIFY)) # Test Fortify nm $@ | egrep '__(sn)?printf_chk($$|@@GLIBC)' else # Skipped Fortify test endif ifeq (1,$(DEB_BUILD_HARDENING_FORMAT)) # Test Format (no-op currently) else # Skipped Format test endif ifeq (1,$(DEB_BUILD_HARDENING_RELRO)) # Test for RELRO readelf -lW $@ | grep GNU_RELRO else # Skipping RELRO test endif ifeq (1,$(DEB_BUILD_HARDENING_BINDNOW)) # Test for BIND_NOW readelf -dW $@ | grep BIND_NOW else # Skipping BINDNOW test endif ########## # Compiler arg calling style tests # cmake likes to pass -fPIC to everything, which broke pre-1.10 wrappers $(BUILD_TREE)/$(NAME)-test-fPIC-direct: $(TEST_REQS) # Build directly with -fPIC already defined $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $< $@ $(BUILD_TREE)/$(NAME)-test-fPIC.o: $(TEST_REQS) # Build .o with -fPIC already defined $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ -c $< $(BUILD_TREE)/$(NAME)-test-fPIC: $(BUILD_TREE)/$(NAME)-test-fPIC.o $(TEST_REQS) # Link .o with -fPIC already defined $(CC) -fPIC $(CFLAGS) $(LDFLAGS) -o $@ $< $@ $(BUILD_TREE)/$(NAME)-test-format-security: format.c $(TEST_REQS) # Make sure build fails due to -Werror=format-security ! $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< # Make sure build succeeds with -Wno-format-security $(CC) $(CFLAGS) -Wno-format-security $(LDFLAGS) -o $@ $< $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-protect: ssp-buffer-size-protect.c $(TEST_REQS) ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) # Make sure build stack-protects a small ssp buffer $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< # Test Stack Protector nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' else # Skipped SSP buffer size test endif $(BUILD_TREE)/$(NAME)-test-ssp-buffer-size-skip: ssp-buffer-size-skip.c $(TEST_REQS) ifeq (1,$(DEB_BUILD_HARDENING_STACKPROTECTOR)) # Make sure build does not stack-protects a tiny ssp buffer $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< # Test Stack Protector is correctly skipped ! nm $@ | egrep '__stack_chk_fail($$|@@GLIBC)' else # Skipped SSP buffer size test endif $(BUILD_TREE)/$(NAME)-test-all.o: $(TEST_REQS) $(CC) $(CFLAGS) $(LDFLAGS) -c -o $@ $< $(BUILD_TREE)/$(NAME)-test-all.a: $(BUILD_TREE)/$(NAME)-test-all.o $(AR) r $@ $< readelf -ldrsW $@ perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@ $(BUILD_TREE)/$(NAME)-test-none.o: $(TEST_REQS) DEB_BUILD_HARDENING=0 $(CC) -c -o $@ $< $(BUILD_TREE)/$(NAME)-test-none.a: $(BUILD_TREE)/$(NAME)-test-none.o $(AR) r $@ $< readelf -ldrsW $@ if perl $(BUILD_TREE)/hardening-check $(HARDENING_CHECK_ARGS) $@; then exit 1; fi hardening-wrapper-2.5ubuntu2/hardening.make0000775000000000000000000001367212306322244016022 0ustar #!/usr/bin/make -f # # Copyright (C) 2009-2012 Kees Cook # License: GPLv2 or newer # # This file is intended to be included in a Debian rules file so that the # the calculated HARDENING_CFLAGS and HARDENING_LDFLAGS from this makefile # can by used in the package's CFLAGS (and/or CXXFLAGS) and LDFLAGS to # harden the security of a package's resulting binaries. For example: # # include /usr/share/hardening-includes/hardening.make # CFLAGS += $(HARDENING_CFLAGS) # LDFLAGS += $(HARDENING_LDFLAGS) # # and if you need it for C++ compilations: # # CXXFLAGS += $(HARDENING_CFLAGS) # # # By default, all hardening options that are valid for a given architecture # are enabled. The following can be set before or after including this # makefile: # To disable all hardening: DEB_BUILD_HARDENING:=0 # To disable PIE: DEB_BUILD_HARDENING_PIE:=0 # To disable stack protector: DEB_BUILD_HARDENING_STACKPROTECTOR:=0 # To disable Fortify Source: DEB_BUILD_HARDENING_FORTIFY:=0 # To disable format string checks: DEB_BUILD_HARDENING_FORMAT:=0 # To disable readonly relocations: DEB_BUILD_HARDENING_RELRO:=0 # To disable BIND_NOW: DEB_BUILD_HARDENING_BINDNOW:=0 # # For more details, see https://wiki.debian.org/Hardening # # Thanks to Ryan Niebur for help with the Makefile magicks. # # -- Kees Cook DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH 2>/dev/null) DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) DEB_BUILD_HARDENING ?= 1 ifneq (,$(filter $(DEB_HOST_ARCH_OS), linux knetbsd hurd )) # PIE enabled only on linux, knetbsd, and hurd (bugs 430455 and 586215) ifeq (,$(filter $(DEB_HOST_ARCH), hppa m68k mips mipsel avr32 )) # disabled on hppa (bug number needed) # disabled on m68k (bug 451192) # disabled on mips/mipsel (toolchain bug 532821) # disabled on avr32 (bug 574716) DEB_BUILD_HARDENING_PIE ?= 1 endif endif DEB_BUILD_HARDENING_PIE ?= 0 ifneq (,$(filter $(DEB_HOST_ARCH), ia64 alpha mips mipsel hppa arm)) # Stack protector disabled on ia64, alpha, mips, mipsel, hppa. # "warning: -fstack-protector not supported for this target" # Stack protector disabled on arm (ok on armel). # compiler supports it incorrectly (leads to SEGV) DEB_BUILD_HARDENING_STACKPROTECTOR ?= 0 endif DEB_BUILD_HARDENING_STACKPROTECTOR ?= 1 ifneq (,$(filter $(DEB_HOST_ARCH), ia64 hppa avr32 )) DEB_BUILD_HARDENING_RELRO ?= 0 endif DEB_BUILD_HARDENING_RELRO ?= 1 DEB_BUILD_HARDENING_FORTIFY ?= 1 DEB_BUILD_HARDENING_FORMAT ?= 1 DEB_BUILD_HARDENING_BINDNOW ?= 1 _HARDENED_PIE_CFLAGS := -fPIE _HARDENED_PIE_LDFLAGS := -fPIE -pie _HARDENED_STACKPROTECTOR_CFLAGS := -fstack-protector --param ssp-buffer-size=4 # Fortify Source requires that -O1 or higher is used, but that should be # handled outside of this include file. _HARDENED_FORTIFY_CFLAGS := -D_FORTIFY_SOURCE=2 _HARDENED_FORMAT_CFLAGS := -Wformat -Wformat-security -Werror=format-security _HARDENED_RELRO_LDFLAGS := -Wl,-z,relro _HARDENED_BINDNOW_LDFLAGS := -Wl,-z,now _hardening_enabled = $(if $(filter $(DEB_BUILD_HARDENING), yes 1 on true),\ $(if $(filter $(1), yes 1 on true),$(2),),) HARDENING_CFLAGS ?= \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_CFLAGS)) \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_STACKPROTECTOR),$(_HARDENED_STACKPROTECTOR_CFLAGS)) \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORTIFY),$(_HARDENED_FORTIFY_CFLAGS)) \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_FORMAT),$(_HARDENED_FORMAT_CFLAGS)) \ HARDENING_LDFLAGS ?= \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_PIE),$(_HARDENED_PIE_LDFLAGS)) \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_RELRO),$(_HARDENED_RELRO_LDFLAGS)) \ $(call _hardening_enabled,$(DEB_BUILD_HARDENING_BINDNOW),$(_HARDENED_BINDNOW_LDFLAGS)) \ # Utility macros designed to allow package maintainer to force a given # hardening feature off in certain areas of a build without disabling # the option for the entire build. For example: # CFLAGS += $(HARDENING_CFLAGS) # monkey.o: monkey.c # $(CC) $(CFLAGS) $(HARDENING_DISABLE_STACKPROTECTOR_CFLAGS) $< -o $@ HARDENING_DISABLE_STACKPROTECTOR_CFLAGS:=-fno-stack-protector HARDENING_DISABLE_FORTIFY_CFLAGS:=-U_FORTIFY_SOURCE HARDENING_DISABLE_FORMAT_CFLAGS:=-Wno-format-security HARDENING_DISABLE_RELRO_LDFLAGS:=-Wl,-z,norelro HARDENING_DISABLE_BINDNOW_LDFLAGS:=-Wl,-z,lazy # Note: GCC does not have a way to just turn off pie (there is no "-nopie") # so if PIE needs to be disabled for a specific target, the CFLAGS and LDFLAGS # need to be filtered. For example: # monkey: monkey.c # $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \ # $(filter-out $(HARDENING_DISABLE_PIE_LDFLAGS_FILTER),$(LDFLAGS)) \ # $< -o $@ # # Note: when building shared libraries, or with some build frameworks (e.g. # cmake) that pass "-fPIC" to everything, the "-fPIE" option must be filtered # out to avoid building shared objects that need PIC but end up only with PIE. # This is usually indicated by errors at link time that look like this: # relocation R_X86_64_PC32 against symbol `foo' can not be used when making a shared object; recompile with -fPIC # In these cases, the CFLAGS can be filtered to exclude "-fPIE" until this # is fixed in gcc correctly. For example, on one target: # monkey.o: monkey.c # $(CC) $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(CFLAGS)) \ # $< -c -o $@ # In cases where mixed shared objects and executable objects are being built, # "-fPIC" needs to actually replace "-fPIE", since gcc won't distinguish # between them yet. For example: # export CFLAGS=$(shell dpkg-buildflags --get CFLAGS) # CFLAGS += $(HARDENING_CFLAGS_PIC) \ # $(filter-out $(HARDENING_DISABLE_PIE_CFLAGS_FILTER),$(HARDENING_CFLAGS)) # HARDENING_DISABLE_PIE_CFLAGS_FILTER:=$(_HARDENED_PIE_CFLAGS) HARDENING_DISABLE_PIE_LDFLAGS_FILTER:=$(_HARDENED_PIE_LDFLAGS) HARDENING_CFLAGS_PIC:=-fPIC hardening-wrapper-2.5ubuntu2/TODO0000664000000000000000000000002211604146426013700 0ustar - PODify manpages hardening-wrapper-2.5ubuntu2/hardened-ld.10000664000000000000000000000247311604146433015453 0ustar .TH HARDENED-LD 1 "2008-01-08" "Debian Project" "Debian GNU/Linux" .SH NAME hardened-ld \- linker wrapper to enforce hardening toolchain improvements .SH SYNOPSIS .BI "export DEB_BUILD_HARDENING=1" .br .B ld .I ... .SH "DESCRIPTION" The .B hardened-ld wrapper is normally used by calling .B ld as usual with .B DEB_BUILD_HARDENING set to 1. It will configure the necessary toolchain hardening features. By default, all features are enabled. If a given feature does not work correctly and needs to be disabled, the corresponding environment variables mentioned below can be set to 0. .SH ENVIRONMENT .IP DEB_BUILD_HARDENING=1 Enable hardening features. .IP DEB_BUILD_HARDENING_DEBUG=1 Print the full resulting gcc command line to STDERR before calling gcc. .IP DEB_BUILD_HARDENING_RELRO=0 Don't mark ELF sections read-only after start. See README.Debian for details. .IP DEB_BUILD_HARDENING_BINDNOW=0 Don't mark ELF loader for start-up dynamic resolution. See README.Debian for details. .SH NOTES System-wide settings can be added to .IR /etc/hardening-wrapper.conf , one per line. The real .B ld is renamed .BR ld.real , and a diversion is registered with .BR dpkg-divert (1). Thus .BR hardened-ld 's idea of the default .B ld is dictated by whatever package installed .IR /usr/bin/ld . .SH "SEE ALSO" .BR hardened-cc (1) .BR ld (1) hardening-wrapper-2.5ubuntu2/Makefile0000775000000000000000000000450511736345001014661 0ustar #!/usr/bin/make -f BUILD_TREE:=build-tree include hardening.make DEFAULT_PIE:=$(DEB_BUILD_HARDENING_PIE) DEFAULT_STACKPROT:=$(DEB_BUILD_HARDENING_STACKPROTECTOR) WRAPPERS=hardened-cc hardened-ld TOOLS=hardening.make hardening-check MANPAGES=hardened-cc.1 hardened-ld.1 $(BUILD_TREE)/stamp-build: $(WRAPPERS) $(TOOLS) $(MANPAGES) Makefile if [ -z "$(DEB_HOST_ARCH)" ]; then echo No DEB_HOST_ARCH; exit 1; fi if [ -z "$(DEB_HOST_ARCH_OS)" ]; then echo No DEB_HOST_ARCH_OS; exit 1; fi mkdir -p $(BUILD_TREE) # Construct wrappers. install $(WRAPPERS) $(BUILD_TREE)/ # Set defaults, based on OS and ARCH. perl -pi -e 's/ #OS#/ '"$(DEB_HOST_ARCH_OS)"'/; s/ #ARCH#/ '"$(DEB_HOST_ARCH)"'/;' $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld perl -pi -e "s/default{'DEB_BUILD_HARDENING_PIE'}=1;/default{'DEB_BUILD_HARDENING_PIE'}=$(DEFAULT_PIE);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld perl -pi -e "s/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=1;/default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=$(DEFAULT_STACKPROT);/;" $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-ld # Duplicate cc wrapper to c++. install $(BUILD_TREE)/hardened-cc $(BUILD_TREE)/hardened-c++ perl -pi -e 's/hardened-cc/hardened-c++/g; s|/usr/bin/cc|/usr/bin/c++|g;' $(BUILD_TREE)/hardened-c++ # Construct tools. install $(TOOLS) $(BUILD_TREE)/ # Do not use "shell" here because it eats newlines. We want those. perl -pi -e "s/^my %libc;/my %libc = (\n$$(perl hardening-check --find-libc-functions /bin/ls)\n);/;" $(BUILD_TREE)/hardening-check # Construct man pages. install $(MANPAGES) $(BUILD_TREE)/ pod2man hardening-check > $(BUILD_TREE)/hardening-check.1 # Duplicate cc man page to c++. install $(BUILD_TREE)/hardened-cc.1 $(BUILD_TREE)/hardened-c++.1 perl -pi -e 's/hardened-cc/hardened-c++/g; s/gcc/g++/g;' $(BUILD_TREE)/hardened-c++.1 touch $(BUILD_TREE)/stamp-build check: $(BUILD_TREE)/stamp-build make -C tests check clean: rm -rf $(BUILD_TREE) old-install: # programatically build links (change debian/h-w.{preinst,postrm} too) for ver in 4.2 4.3 4.4 4.5 4.6 4.7; do dh_link -phardening-wrapper \ usr/bin/hardened-cc usr/bin/gcc-$$ver \ usr/bin/hardened-c++ usr/bin/g++-$$ver \ ;\ done dh_link -phardening-wrapper usr/bin/hardened-ld usr/bin/ld.bfd dh_link -phardening-wrapper usr/bin/hardened-ld usr/bin/ld.gold .PHONY: check clean hardening-wrapper-2.5ubuntu2/AUTHORS0000664000000000000000000000010011604146431014251 0ustar Kees Cook Moritz Muehlenhoff hardening-wrapper-2.5ubuntu2/hardening-check.sh0000775000000000000000000001550611665743176016612 0ustar #!/bin/sh # Report the hardening characterists of a set of binaries. # Copyright (C) 2009-2011 Kees Cook # License: GPLv2 or newer skip_pie=no skip_stackprotector=no skip_fortify=no skip_relro=no skip_bindnow=no quiet=no while getopts psfrbq opt do case "$opt" in p) skip_pie=yes ;; s) skip_stackprotector=yes ;; f) skip_fortify=yes ;; r) skip_relro=yes ;; b) skip_bindnow=yes ;; q) quiet=yes ;; [?]) echo >&2 "Usage: $0 [-p] [-s] [-f] [-r] [-b] file ..." echo >&2 " -p Do not require PIE binary" echo >&2 " -s Do not require stack protector" echo >&2 " -f Do not require fortify source" echo >&2 " -r Do not require RELRO markings" echo >&2 " -b Do not require BIND_NOW markings" echo >&2 " -q Only report failures" exit 1 ;; esac done shift $(( $OPTIND-1 )) overall=0 rc=0 report="" good () { if [ "$quiet" != "yes" ]; then report="$report $1" fi } bad () { report="$report $1" rc=1 } for file in "$@" do rc=0 report="$file:" PROG_REPORT=$(LANG=C readelf -lW "$file") if [ -z "$PROG_REPORT" ]; then rc=1; continue; fi DYN_REPORT=$(LANG=C readelf -dW "$file" 2>/dev/null) RELOC_REPORT=$(LANG=C readelf -sW "$file" 2>/dev/null | \ egrep ' FUNC .* UND ' | \ sed -re 's/ \([0-9]+\)$//g; s/.* //g; s/@.*//g;') # PIE # First, verify this is an executable, not a library. This seems to be # best seen by checking for the PHDR program header. name=" Position Independent Executable" if echo "$PROG_REPORT" | awk '{print $1}' | grep -q '^PHDR$'; then if echo "$PROG_REPORT" | grep -q '^Elf file type is DYN '; then good "$name: yes" else msg="$name: no, normal executable!" if [ "$skip_pie" = "yes" ]; then good "$msg (ignored)" else bad "$msg" fi fi else if echo "$PROG_REPORT" | grep -q '^Elf file type is DYN '; then good "$name: no, regular shared library (ignored)" else bad "$name: not a known ELF type!?" fi fi # Stack-protected name=" Stack protected" if echo "$RELOC_REPORT" | grep -q '^__stack_chk_fail$'; then good "$name: yes" else msg="$name: no, not found!" if [ "$skip_stackprotector" = "yes" ]; then good "$msg (ignored)" else bad "$msg" fi fi # Fortified name=" Fortify Source functions" if echo "$RELOC_REPORT" | grep -q '^__.*_chk$'; then good "$name: yes" else msg="$name: no, not found!" if [ "$skip_fortify" = "yes" ]; then good "$msg (ignored)" else bad "$msg" fi fi # Format # unfortunately, I haven't thought of a way to test for this after # compilation. What it really needs is a lintian-like check that # reviews the build logs and looks for the warnings, or that the # argument is changed to use -Werror,format-security to stop the build. # RELRO name=" Read-only relocations" if echo "$PROG_REPORT" | awk '{print $1}' | grep -q '^GNU_RELRO$'; then good "$name: yes" else msg="$name: no, not found!" if [ "$skip_relro" = "yes" ]; then good "$msg (ignored)" else bad "$msg" fi fi # BIND_NOW name=" Immediate binding" if echo "$DYN_REPORT" | awk '{if ($2 == "(FLAGS)" || $2 == "(BIND_NOW)") { print }}' | grep -q '\bBIND_NOW\b'; then good "$name: yes" else msg="$name: no, not found!" if [ "$skip_bindnow" = "yes" ]; then good "$msg (ignored)" else bad "$msg" fi fi if [ "$quiet" != "yes" ] || [ $rc -ne 0 ]; then echo "$report" fi if [ $rc -ne 0 ]; then overall=$rc fi done exit $overall :<<=cut =pod =head1 NAME hardening-check - check binaries for security hardening features =head1 SYNOPSIS Examine a given set of ELF binaries and check for several security hardening features, failing if they are not all found. =head1 DESCRIPTION This utility checks a given list of ELF binaries for several security hardening features that can be compiled into an executable. These features are: =over 8 =item B This indicates that the executable was built in such a way (PIE) that the "text" section of the program can be relocated in memory. To take full advantage of this feature, the executing kernel must support text Address Space Layout Randomization (ASLR). =item B This indicates that the executable was compiled with the L option B<-fstack-protector>. The program will be resistant to have its stack overflowed. =item B This indicates that the executable was compiled with B<-D_FORTIFY_SOURCE=2> and B<-O1> or higher. This causes certain unsafe glibc functions with their safer counterparts (e.g. strncpy instead of strcpy). =item B This indicates that the executable was build with B<-Wl,-z,relro> to have ELF markings (RELRO) that ask the runtime linker to mark any regions of the relocation table as "read-only" if they were resolved before execution begins. This reduces the possible areas of memory in a program that can be used by an attacker that performs a successful memory corruption exploit. =item B This indicates that the executable was built with B<-Wl,-z,now> to have ELF markings (BIND_NOW) that ask the runtime linker to resolve all relocations before starting program execution. When combined with RELRO above, this further reduces the regions of memory available to memory corruption attacks. =back =head1 OPTIONS =over 8 =item B<-p> No not require that the checked binaries be built as PIE. =item B<-s> No not require that the checked binaries be built with the stack protector. =item B<-f> No not require that the checked binaries be built with Fority Source. =item B<-r> No not require that the checked binaries be built with RELRO. =item B<-b> No not require that the checked binaries be built with BIND_NOW. =item B<-q> Only report failures. =back =head1 RETURN VALUE When all checked binaries have all checkable hardening features detected, this program will finish with an exit code of 0. If any check fails, the exit code with be 1. Individual checks can be disabled via command line options. =head1 AUTHOR Kees Cook =head1 COPYRIGHT AND LICENSE Copyright 2009-2011 Kees Cook . This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 or later. =head1 SEE ALSO L, L =cut hardening-wrapper-2.5ubuntu2/hardened-cc0000664000000000000000000001303512214673042015275 0ustar #! /usr/bin/perl use strict; use warnings; use File::Spec qw(rel2abs); use File::Basename; my @args = (); my $enabled = 0; my $debug = 0; my $debug_symlinks = 0; my $debug_fd = *STDERR; # Set up defaults my %default; $default{'DEB_BUILD_HARDENING'}=0; $default{'DEB_BUILD_HARDENING_DEBUG'}=0; $default{'DEB_BUILD_HARDENING_DEBUG_SYMLINKS'}=0; # Architecture settings # #OS# #ARCH# $default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}=1; $default{'DEB_BUILD_HARDENING_FORTIFY'}=1; $default{'DEB_BUILD_HARDENING_FORMAT'}=1; $default{'DEB_BUILD_HARDENING_PIE'}=1; # System settings my $system_conf = '/etc/hardening-wrapper.conf'; if (-r $system_conf) { open(CONF,$system_conf) || warn "Cannot read $system_conf\n"; while (my $line = ) { if ($line =~ /^\s*(DEB_BUILD_HARDENING[_A-Z]*)\s*=\s*(\d)$/) { $default{$1}=$2+0; } } close(CONF); } # Environment settings $enabled = defined($ENV{'DEB_BUILD_HARDENING'}) ? $ENV{'DEB_BUILD_HARDENING'} : $default{'DEB_BUILD_HARDENING'}; $debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ? $ENV{'DEB_BUILD_HARDENING_DEBUG'} : $default{'DEB_BUILD_HARDENING_DEBUG'}; $debug_symlinks = defined($ENV{'DEB_BUILD_HARDENING_DEBUG_SYMLINKS'}) ? $ENV{'DEB_BUILD_HARDENING_DEBUG_SYMLINKS'} : $default{'DEB_BUILD_HARDENING_DEBUG_SYMLINKS'}; my $force_stack = defined($ENV{'DEB_BUILD_HARDENING_STACKPROTECTOR'}) ? $ENV{'DEB_BUILD_HARDENING_STACKPROTECTOR'} : $default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}; my $force_fortify = defined($ENV{'DEB_BUILD_HARDENING_FORTIFY'}) ? $ENV{'DEB_BUILD_HARDENING_FORTIFY'} : $default{'DEB_BUILD_HARDENING_FORTIFY'}; my $force_format = defined($ENV{'DEB_BUILD_HARDENING_FORMAT'}) ? $ENV{'DEB_BUILD_HARDENING_FORMAT'} : $default{'DEB_BUILD_HARDENING_FORMAT'}; my $force_pie = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? $ENV{'DEB_BUILD_HARDENING_PIE'} : $default{'DEB_BUILD_HARDENING_PIE'}; my $force_fPIE = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? $ENV{'DEB_BUILD_HARDENING_PIE'} : $default{'DEB_BUILD_HARDENING_PIE'}; if ($enabled) { # Scan arguments my $linking = 1; foreach my $arg (@ARGV) { if ($arg eq "-fno-PIC" || $arg eq "-fno-pic" || $arg eq "-fno-PIE" || $arg eq "-fno-pie" || $arg eq "-nopie" || $arg eq "-static" || $arg eq "-shared" || $arg eq "-D__KERNEL__" || $arg eq "-nostdlib" || $arg eq "-nostartfiles") { # If any PIC or PIE things are explicitly disabled, # disable all our PIE flags. $force_fPIE = 0; $force_pie = 0; } if ($arg eq "-fPIC" || $arg eq "-fpic") { # fPIC is a stricter version of fPIE, so don't use fPIE when # we encounter fPIC. However, the inclusion of -fPIC does # not mean we need to block the use of "-pie", which is still # possible with fPIC. $force_fPIE = 0; } if ($arg eq "-c") { $linking = 0; } if ($arg =~ /^-D_FORTIFY_SOURCE(=|$)/) { $force_fortify = 0; } if ($arg eq "-nostdlib" || $arg eq "-ffreestanding") { $force_stack = 0; } } # Enable SSP by default if ($force_stack) { push(@args,'-fstack-protector','--param=ssp-buffer-size=4'); } # Enable -fPIE by default if ($force_fPIE) { push(@args, '-fPIE'); } if ($force_pie) { if ($linking) { # "-pie" is really only meaningful when calling the linker push(@args, '-pie'); } } # Enable glibc protections by default (-02 should already be defined...) # (disable with -D_FORTIFY_SOURCE=0) if ($force_fortify) { push(@args,'-D_FORTIFY_SOURCE=2'); } # Enable format string checking if ($force_format) { push(@args,'-Wformat','-Wformat-security','-Werror=format-security'); } } my $self = "\Qhardened-cc\E"; my $link = ""; my $arg0 = File::Spec->rel2abs(basename($0),dirname($0)); my $tool = $arg0; if ($tool =~ /$self$/) { $tool = "/usr/bin/cc"; } if (defined($ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'})) { $debug_fd = undef; if (!open($debug_fd, ">>$ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'}")) { die "Cannot open $ENV{'DEB_BUILD_HARDENING_DEBUG_OUTPUT'}: $!\n"; } } sub resolve_link($) { my $origin = $_[0]; my $link = readlink($origin); return File::Spec->rel2abs($link,dirname($origin)); } while (-l $tool && ($link = resolve_link($tool)) !~ /$self$/) { print $debug_fd "$tool -> $link\n" if ($debug_symlinks); $tool = $link; } if (-x "$tool.real") { print $debug_fd "$tool -real> $tool.real\n" if ($debug_symlinks); $tool = "$tool.real"; } # Abort if we ended up on a circular symlink resolution if ($tool eq $arg0) { my $short = $tool; $short =~ s/.*\///g; print STDERR "$tool: not found (maybe $short is not installed?)\n"; exit(127); } my @target = ($tool, @args, @ARGV); print $debug_fd join(" ",@target),"\n" if ($debug); exec @target or die "Unable to exec $target[0]: $!\n"; hardening-wrapper-2.5ubuntu2/debian/0000775000000000000000000000000012306322273014434 5ustar hardening-wrapper-2.5ubuntu2/debian/hardening-includes.manpages0000664000000000000000000000003511735671233021722 0ustar build-tree/hardening-check.1 hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.links0000775000000000000000000000065312254103366021124 0ustar #!/bin/sh # programatically build links (change debian/h-w.{preinst,postrm} too) for ver in 4.4 4.6 4.7 4.8 4.9 do echo usr/bin/hardened-cc usr/bin/gcc-$ver echo usr/bin/hardened-c++ usr/bin/g++-$ver done case "$(uname -m)" in aarch64) : ;; *) echo usr/bin/hardened-ld usr/bin/ld.gold esac cat < Copyright (C) 2009-2012 Kees Cook Available through Subversion at: http://svn.debian.org/wsvn/hardening Wrapper based on pentium-builder: Copyright (C) 2001, 2002 by Alex Pennace Copyright (C) 2001 by Adrian Bunk Copyright (C) 1998-2001 by Joey Hess This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. On Debian systems, the GPL may be found at /usr/share/common-licenses/GPL. hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.docs0000664000000000000000000000001511735675506020736 0ustar TODO AUTHORS hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.preinst0000664000000000000000000000067512254103672021471 0ustar #!/bin/sh -e dodiv() { dpkg-divert --package hardening-wrapper --add --rename \ --divert /usr/bin/"$1".real /usr/bin/"$1" } if [ "install" = "$1" ] || [ "upgrade" = "$1" ]; then # handle diversions (change debian/h-w.links, debian/h-w.postrm too) for ver in 4.4 4.6 4.7 4.8 4.9 do for i in gcc g++ do dodiv "$i-$ver" done done dodiv ld.bfd case "$(uname -m)" in aarch64) : ;; *) dodiv ld.gold esac fi #DEBHELPER# hardening-wrapper-2.5ubuntu2/debian/source/0000775000000000000000000000000011604150320015724 5ustar hardening-wrapper-2.5ubuntu2/debian/source/format0000664000000000000000000000001511604150320017133 0ustar 3.0 (native) hardening-wrapper-2.5ubuntu2/debian/changelog0000664000000000000000000003673212306322273016321 0ustar hardening-wrapper (2.5ubuntu2) trusty; urgency=medium * Allow -fstack-protector on arm64 now that GCC and glibc support it. -- Adam Conrad Fri, 07 Mar 2014 18:51:18 +0800 hardening-wrapper (2.5ubuntu1) trusty; urgency=medium * Merge with Debian; remaining changes: - Don't install a symlink for gold on architectures not having a gold port. - Stop installing links for GCC 4.2, 4.3, 4.5. -- Matthias Klose Wed, 18 Dec 2013 12:36:36 +0100 hardening-wrapper (2.5) unstable; urgency=low * hardened-ld: detect symlink loops, like done for hardened-cc already (Closes: 732403). * hardening.make: disable stack protector on arm64 (glibc support needed). * debian/control: bump standards, no changes needed. -- Kees Cook Tue, 17 Dec 2013 10:01:21 -0700 hardening-wrapper (2.4ubuntu1) trusty; urgency=medium * Merge with Debian; remaining changes: - SSP is not (yet) supported on Aarch64. * Don't install a symlink for gold on architectures not having a gold port. * Stop installing links for GCC 4.2, 4.3, 4.5. -- Matthias Klose Tue, 17 Dec 2013 17:47:27 +0100 hardening-wrapper (2.4) unstable; urgency=low * debian/hardening-wrapper.{links,preinst,postrm}: add gcc 4.9 to the diversion list. * improve "compiler not installed" message (Closes: 709582). * Added short option aliasas and stopped using $PAGER for man page spewing, thanks to Jari Aalto (Closes: 709105). Left option ordering how I prefer: grouped by function and long options first. * hardened-{cc,ld,cc.1}: add new DEB_BUILD_HARDENING_DEBUG_OUTPUT for redirecting STDERR debug output, if needed (Closes: 679773). * debian/control: bump standards, no changes needed. -- Kees Cook Fri, 13 Sep 2013 12:46:03 -0700 hardening-wrapper (2.3ubuntu1) saucy; urgency=low * SSP is not (yet) supported on Aarch64. -- Matthias Klose Sun, 21 Jul 2013 22:25:17 +0200 hardening-wrapper (2.3) unstable; urgency=low * debian/hardening-wrapper.{prerm,postinst,links}, debian/README.Debian: add gcc-4.8 to the diversion list, and sync list of compiler versions (Closes: 681799). * hardening-check: fix hash size check syntax (Closes: 682451). -- Kees Cook Sun, 16 Dec 2012 14:56:48 -0800 hardening-wrapper (2.2) unstable; urgency=low * debian/control: add missing Dep on binutils, thanks to Stéphane Graber. * hardened-cc: use "=" as argument separator for better interoperability with dpkg-buildflags. * hardening-check: reset tag list for each argument (Closes: 677530). -- Kees Cook Thu, 14 Jun 2012 09:40:03 -0700 hardening-wrapper (2.1) unstable; urgency=low * hardening-check: - handle _local suffix for non-ELF i386 objects (Closes: 666895). - add "-h" for "--help". - sort and indent libc function list for easier review. * Makefile: retain newlines when generating libc function list. -- Kees Cook Mon, 02 Apr 2012 08:18:52 -0700 hardening-wrapper (2.0) unstable; urgency=low * hardening-check: add color, based on a patch from Simon Ruderich. * hardening-check: fix lintian tag for non-PIE ELF to "no-pie". * debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.7 to the diversion list (Closes: 666520). * debian/control: - fix Vcs-Browser link for loggerhead (Closes: 664495). - add Multiarch tag to hardening-includes (Closes: 666471). * Makefile, debian/*: convert to dh(1). * hardening-check: generate list of libc functions at build time. * hardening-check, tests/Makefile.common: add support for scanning object archives for stack-protector and fortify (Closes: 664862). -- Kees Cook Sat, 31 Mar 2012 16:32:03 -0700 hardening-wrapper (1.36) unstable; urgency=low * hardening-check: fix function-finder to accept IFUNC too, improve reporting slightly, improve manpage to explain false alarms. -- Kees Cook Fri, 27 Jan 2012 12:07:45 -0800 hardening-wrapper (1.35) unstable; urgency=low * debian/control: switch to "optional" priority so lintian can depend on hardening-includes. * hardening-check: rewrite in Perl, add "--lintian" mode, to support fixing bug 650536. -- Kees Cook Thu, 01 Dec 2011 10:15:35 -0800 hardening-wrapper (1.34) unstable; urgency=low * debian/control: update VCS tags for bzr. * hardening{-check,.make}: correct documentation from -O2 to -O1. * hardened-{cc,ld}, hardening.make, debian/rules: use DEB_HOST_ARCH instead of of DEB_HOST_ARCH_CPU for behavioral defaults (Closes: 635642). -- Kees Cook Thu, 28 Jul 2011 12:55:17 -0700 hardening-wrapper (1.33) unstable; urgency=low * debian/control: - bump to standards 3.9.2; no changes needed - hardening-wrapper: mark as Multi-Arch: foreign for build sanity. * debian/source/format: mark as 3.0 native. -- Kees Cook Sun, 03 Jul 2011 11:28:00 -0700 hardening-wrapper (1.32) unstable; urgency=low * debian/rules, debian/hardening-wrapper.{prerm,preinst,postinst}: remove gcc-4.1 diversions since it has been removed from unstable. * hardened-cc, hardening.make: add "-Werror=format-security" by default (Closes: #587358). * tests/Makefile.common, tests/format.c: add test for newly added "-Werror=format-security" default option. * hardened-cc, hardening.make: add "--param ssp-buffer-size=4" by default to catch smaller character arrays. * tests/Makefile.common, tests/ssp-buffer-size-{protect,skip}.c: add tests for newly added "--param ssp-buffer-size=4" default. * debian/README.Debian: updated to include newly added options. * hardened-cc: disable -fstack-protector when -ffreestanding used. * hardening.make: provide examples for working around build-time collisions between "-fPIE" and "-fPIC" (Closes: #596150). -- Kees Cook Fri, 18 Feb 2011 10:57:52 -0800 hardening-wrapper (1.31) unstable; urgency=low * tests/Makefile.common: do not require @@GLIBC suffix for nm tests. * tests/Makefile.wrapper: include symlink for ld.gold testing. * hardening-check: improve hardening-check to parse BIND_NOW also from the FLAGS dynamic section. -- Kees Cook Fri, 14 Jan 2011 10:19:01 -0800 hardening-wrapper (1.30) unstable; urgency=low * debian/README.Debian: update for gcc versions, include minimal notes on hardening-includes (Closes: 592847, 592846). * debian/rules, debian/hardening-wrapper.{prerm,postinst}: add gcc-4.6 to the diversion list. * debian/control: remove binutils-multiarch conflict now that ld.bfd is no longer diverted. -- Kees Cook Tue, 11 Jan 2011 07:54:28 -0800 hardening-wrapper (1.29) unstable; urgency=low * debian/control: add Conflicts for binutils-multiarch (Closes: 579409, LP: #596136). * debian/hardening-wrapper.postrm: remove attempted diversions on installation failure. -- Kees Cook Fri, 09 Jul 2010 09:33:15 -0700 hardening-wrapper (1.28) unstable; urgency=low * hardening.make: enable PIE on hurd (Closes: 586215), thanks to Samuel Thibault. -- Kees Cook Sun, 20 Jun 2010 12:36:32 -0700 hardening-wrapper (1.27) unstable; urgency=low * hardening.make: - disable RELRO on avr32. - clarify use of CXXFLAGS. * hardening-check: fix regex to correctly call sed (Closes: 578488). -- Kees Cook Fri, 23 Apr 2010 16:16:25 -0700 hardening-wrapper (1.26) unstable; urgency=low * hardening.make: disable PIE on avr32 (Closes: 574716). -- Kees Cook Sun, 21 Mar 2010 09:45:52 -0700 hardening-wrapper (1.25) unstable; urgency=low * debian/control: - bump standards version: no changes needed. - should not be considered "experimental". * hardening-check: use readelf's "-s" instead of "-r" to avoid issues with archs that lack sane relocations. * tests/Makefile.common: - adjust tests to include -s output. - weaken nm symbol matching. -- Kees Cook Mon, 01 Mar 2010 14:54:34 -0800 hardening-wrapper (1.24) unstable; urgency=low * hardening-check: handle alternate names for relocation jump slots (Closes: 568622) * tests/Makefile.common: show relocations as well for future debugging. -- Kees Cook Tue, 09 Feb 2010 15:44:19 -0800 hardening-wrapper (1.23) unstable; urgency=low * hardening.make: correctly document how to disable PIE on a per-target basis (Closes: 567707). * tests/Makefile.{common,includes}: add HARDENING_DISABLE_* flags tests. -- Kees Cook Sat, 30 Jan 2010 13:32:14 -0800 hardening-wrapper (1.22) unstable; urgency=low * debian/hardening-wrapper.postrm: fix typo in diversion name (Closes: 564840). -- Kees Cook Tue, 12 Jan 2010 06:18:04 -0800 hardening-wrapper (1.21) unstable; urgency=low * debian/control: add ${misc:Depends} to control file entries to keep lintian happy. * hardening-check: add -q option to only report failures. * really handle gcc 4.5 diversion (Closes: 564596). * handle ld diversion when binutils-gold installed (Closes: 535037). -- Kees Cook Sun, 10 Jan 2010 12:35:38 -0800 hardening-wrapper (1.20) unstable; urgency=low * hardening.make: - switch to "filter" for easier to read logic. - allow PIE for arm/armel, since it's only the kernel that lacks ASLR. * tests/Makefile: perform test builds with -fstack-protector and -fPIE -pie on all architectures just to have a record of the success/failure in the build logs, even if we are manually selecting the defaults. -- Kees Cook Fri, 25 Dec 2009 16:34:24 -0800 hardening-wrapper (1.19) unstable; urgency=low * debian/rules: fix up arch/arch-indep rules to avoid rebuilding arch-indep bits repeatedly. * hardening-check, debian/{rules,hardening-includes.manpages}, tests/Makefile.common: add helper utility to allow users of hardening-includes to evaluate the state of a given binary's resulting hardening features. * debian/rules: add gcc-4.5 to the diversion list. -- Kees Cook Thu, 24 Dec 2009 00:02:02 -0800 hardening-wrapper (1.18) unstable; urgency=low * debian/{control,rules}: add "hardening-includes" for use in other Debian rules files. * debian/rules, hardening.make: relocate/enhance architecture logic to common makefile include file. * tests/*: update to test both wrapper and include style. -- Kees Cook Sat, 19 Dec 2009 18:00:22 -0800 hardening-wrapper (1.17) unstable; urgency=low * Add Conflicts on binutils-gold, which also uses diversions against gcc and friends (Closes: 535037, LP: #442636). -- Kees Cook Wed, 25 Nov 2009 11:40:43 -0800 hardening-wrapper (1.16) unstable; urgency=low * tests/Makefile: exclude relro test on hppa. -- Kees Cook Thu, 29 Oct 2009 21:21:55 -0700 hardening-wrapper (1.15) unstable; urgency=low * tests/Makefile: exclude tests based on architecture (ia64 w/o relro). * debian/rules: disable PIE on mips/mipsel until bug 532821 is solved (Closes: #548250). -- Kees Cook Thu, 24 Sep 2009 15:34:51 -0700 hardening-wrapper (1.14) unstable; urgency=low * hardened-ld: add ...BINDNOW for -Wl,-z,now ELF markings. * debian/control: moved to standards version 3.8.2, no changes needed. * tests/Makefile: add tests for RELRO and BIND_NOW. * hardening-{cc,ld}.1: document BINDNOW and RELRO, add on to See Also. -- Kees Cook Wed, 22 Jul 2009 19:52:00 -0700 hardening-wrapper (1.13) unstable; urgency=low * hardened-cc: add ...DEBUG_SYMLINKS to visualize symlink resolution. * hardened-cc: detect uninstalled targets and abort (Closes: #506066). * debian/{rules,postinst,postrm}: add links for gcc-4.4. * debian/control: moved to standards version 3.8.0, no changes needed. -- Kees Cook Thu, 20 Nov 2008 23:25:52 -0800 hardening-wrapper (1.12) unstable; urgency=low * hardened-cc: add -nostdlib test missing from older gcc (gcc-4.0, gcc-4.1). * hardened-{cc,ld}: load system defaults from /etc/hardening-wrapper.conf * hardened-{cc,ld}.1: updated man pages to mention system-wide config. * hardened-{cc,ld}: handle relative symlinks correctly to address issues pointed out by Sedat Dilek. -- Kees Cook Mon, 28 Apr 2008 15:51:57 -0700 hardening-wrapper (1.11) unstable; urgency=low * hardened-ld: disable PIE logic -- gcc should be the only part of the toolchain requesting PIE. * tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not do the right thing on all architectures. -- Kees Cook Mon, 14 Apr 2008 16:06:00 -0700 hardening-wrapper (1.10) unstable; urgency=low * hardened-cc, hardened-ld: re-arranged logic for "-pie". Old logic was resulting in failed compiles under cmake. * tests/Makefile: moved debian/rules tests into separate directory, added -fPIC test cases, based on issues uncovered by cmake. * debian/rules: disabled stack protector on mips, hppa -- not supported. -- Kees Cook Mon, 14 Apr 2008 11:15:35 -0700 hardening-wrapper (1.9) unstable; urgency=low * debian/rules: - disable stack protector on arm, armel. - disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764). - show readelf output on test builds. - fully link by tricking gcc into running the ld test wrapper. * hello.c: re-arranged to exercise stack protector, report PIE. * hardened-ld: add env var way to force use of /usr/bin/ld during tests. -- Kees Cook Sun, 13 Apr 2008 18:01:38 -0700 hardening-wrapper (1.8) unstable; urgency=low * debian/rules: disable stack protector on ia64 and alpha. -- Kees Cook Sun, 23 Mar 2008 22:03:58 -0700 hardening-wrapper (1.7) unstable; urgency=low * debian/rules: corrected binary-arch target (Closes: 472324). -- Kees Cook Sun, 23 Mar 2008 08:13:47 -0700 hardening-wrapper (1.6) unstable; urgency=low * debian/rules: build hardened-c++ from hardened-cc. * debian/{rules,control}, hardened-cc: disable PIE by default on m68k, hppa (Closes: #465827). * hello.c: added test program to catch architecture-specific failures. -- Kees Cook Fri, 21 Mar 2008 11:20:53 -0700 hardening-wrapper (1.5) unstable; urgency=low * Fix typo in hardened-c++ self-check regex (Closes: #462682). -- Kees Cook Sun, 27 Jan 2008 12:14:59 -0800 hardening-wrapper (1.4) unstable; urgency=low * hardened-ld: fix relro argument passing (ld silently takes any -z arg). -- Kees Cook Wed, 23 Jan 2008 09:59:06 -0800 hardening-wrapper (1.3) unstable; urgency=low * hardened-{cc,c++}: fix -Wformat-security typo. * debian/postinst: only clean up old diversions on a versioned upgrade. * debian/postrm: do not require known arguments. -- Kees Cook Wed, 23 Jan 2008 02:56:57 -0800 hardening-wrapper (1.2) unstable; urgency=low * Move away from generic "builder" prefix to "hardened". * Provide links for gcc 4.1, 4.2, and 4.3 instead of top-level links. * Provide manpage link for package name. * Clean up previous diversions. * Move to "all" arch since arch-dep symlinks are no longer used. -- Kees Cook Tue, 22 Jan 2008 16:48:49 -0800 hardening-wrapper (1.1) unstable; urgency=low * Initial release. -- Kees Cook Tue, 08 Jan 2008 16:00:58 -0800 hardening-wrapper-2.5ubuntu2/debian/compat0000664000000000000000000000000211735666434015651 0ustar 9 hardening-wrapper-2.5ubuntu2/debian/hardening-includes.install0000664000000000000000000000013411735671701021575 0ustar build-tree/hardening-check /usr/bin build-tree/hardening.make /usr/share/hardening-includes hardening-wrapper-2.5ubuntu2/debian/rules0000775000000000000000000000003511735666427015533 0ustar #!/usr/bin/make -f %: dh $@ hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.postinst0000664000000000000000000000152112254101451021650 0ustar #!/bin/sh -e undiv() { dpkg-divert --package hardening-wrapper \ --rename --remove /usr/bin/"$1" || true } # Clean up old diversions if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "1.2"; then for i in gcc g++ do undiv "$i" done eval $(dpkg-architecture -a) for i in gcc g++ do undiv "${DEB_BUILD_GNU_TYPE}-$i" done fi if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "1.21"; then undiv ld fi if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "1.32"; then undiv gcc-4.1 undiv g++-4.1 fi if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4ubuntu1"; then undiv gcc-4.2 undiv g++-4.2 undiv gcc-4.3 undiv g++-4.3 undiv gcc-4.5 undiv g++-4.5 case "$(uname -m)" in aarch64) undiv ld.gold esac fi #DEBHELPER# hardening-wrapper-2.5ubuntu2/debian/control0000664000000000000000000000265712306323330016044 0ustar Source: hardening-wrapper Section: devel Priority: optional Build-Depends: debhelper (>= 9), perl-base (>= 5.10) Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Package Hardening Uploaders: Kees Cook , Moritz Muehlenhoff Standards-Version: 3.9.5 Homepage: http://wiki.debian.org/Hardening Vcs-Bzr: http://anonscm.debian.org/bzr/hardening/master Vcs-Browser: http://anonscm.debian.org/loggerhead/hardening/master/files/head:/hardening-wrapper/ Package: hardening-wrapper Architecture: any Multi-Arch: foreign Depends: gcc | g++, ${perl:Depends}, ${misc:Depends} Description: Compiler wrapper to enable security hardening flags Replaces gcc, g++, and ld with wrapper scripts that set security hardening compilation flags, as an alternative to changing gcc specs. Enabled when DEB_BUILD_HARDENING=1 is set. Package: hardening-includes Architecture: all Multi-Arch: foreign Depends: ${perl:Depends}, ${misc:Depends}, make, binutils Description: Makefile for enabling compiler flags for security hardening Makefile to be included in Debian rules files. CFLAGS and LDFLAGS can be extended to include the respective HARDENING_* variables which contain architecture-validated security hardening compiler options. . Also includes the "hardening-check" script to help evaluate the hardening status of already compiled binaries. hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.postrm0000664000000000000000000000065612254101677021333 0ustar #!/bin/sh -e undiv() { dpkg-divert --package hardening-wrapper \ --rename --remove /usr/bin/"$1" || true } if [ "$1" = "remove" ] || [ "$1" = "abort-install" ]; then # handle diversions (change debian/h-w.links, debian/h-w.preinst too) for ver in 4.4 4.6 4.7 4.8 4.9 do for i in gcc g++ do undiv "$i-$ver" done done undiv ld.bfd case "$(uname -m)" in aarch64) : ;; *) undiv ld.gold esac fi #DEBHELPER# hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.install0000664000000000000000000000014111735672526021453 0ustar build-tree/hardened-cc /usr/bin build-tree/hardened-c++ /usr/bin build-tree/hardened-ld /usr/bin hardening-wrapper-2.5ubuntu2/debian/README.Debian0000664000000000000000000000560712063450772016513 0ustar The hardening-wrapper package works by diverting g{cc,++}-4.[2345678] and ld with perl scripts that enforce the use of several toolchain hardening features. Note that due to how diversions work, symlinks are created for versions of gcc that may not be installed. The following options are currently supported through the wrapper, when the DEB_BUILD_HARDENING environment variable is set to "1". They can be selectively disabled by exporting various environment variables. By default, all DEB_BUILD_HARDENING_* are enabled. To disable a specific feature, export "DEB_BUILD_HARDENING_[feature]=0". System-wide defaults can be set using /etc/hardening-wrapper.conf, one DEB_BUILD_HARDENING* variable per line. The hardening-includes package works by providing a Makefile include that prepopulates several CFLAG and LDFLAG environment variables. See that file for further details. Please also see http://wiki.debian.org/Hardening Features -------- -fstack-protector --param ssp-buffer-size=4 (DEB_BUILD_HARDENING_STACKPROTECTOR) This is a mainline GCC feature, which adds safety checks against stack overwrites. This renders many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application). http://en.wikipedia.org/wiki/Stack-smashing_protection -Wl,-z,relro (DEB_BUILD_HARDENING_RELRO) Several ELF sections need to be written to by the linker, but can be turned read-only after starting. Most notably this prevents GOT overwrites attacks. -Wl,-z,now (DEB_BUILD_HARDENING_BINDNOW) Perform all dynamic bindings at start-up instead of on-demand. This prevents PLT overwrite attacks. -pie, -fPIE (DEB_BUILD_HARDENING_PIE) Position Independent Executable are needed for effective Address Space Layout randomization. http://en.wikipedia.org/wiki/ASLR -D_FORTIFY_SOURCE=2, (DEB_BUILD_HARDENING_FORTIFY) During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Note that for this feature to be fully enabled, the source must also be compiled with -O2 or higher. -Wformat -Wformat-security -Werror=format-security (DEB_BUILD_HARDENING_FORMAT) Quoting the gcc man page: | If `-Wformat' is specified, also warn about uses of format | functions that represent possible security problems. At present, | this warns about calls to `printf' and `scanf' functions where the | format string is not a string literal and there are no format | arguments, as in `printf (foo);'. This may be a security hole if | the format string came from untrusted input and contains `%n'. http://en.wikipedia.org/wiki/Format_string_attack This package was based on "pentium-builder". It's a hack, but it works. We welcome a cleaner solution. hardening-wrapper-2.5ubuntu2/debian/hardening-wrapper.manpages0000664000000000000000000000011411735672327021577 0ustar build-tree/hardened-cc.1 build-tree/hardened-c++.1 build-tree/hardened-ld.1 hardening-wrapper-2.5ubuntu2/hardened-cc.10000664000000000000000000000344712214672654015452 0ustar .TH HARDENED-CC 1 "2008-01-08" "Debian Project" "Debian GNU/Linux" .SH NAME hardened-cc \- gcc wrapper to enforce hardening toolchain improvements .SH SYNOPSIS .BI "export DEB_BUILD_HARDENING=1" .br .B gcc .I ... .SH "DESCRIPTION" The .B hardened-cc wrapper is normally used by calling .B gcc as usual when .B DEB_BUILD_HARDENING is set to 1. It will configure the necessary toolchain hardening features. By default, all features are enabled. If a given feature does not work correctly and needs to be disabled, the corresponding environment variables mentioned below can be set to 0. .SH ENVIRONMENT .IP DEB_BUILD_HARDENING=1 Enable hardening features. .IP DEB_BUILD_HARDENING_DEBUG=1 Print the full resulting gcc command line to STDERR before calling gcc. .IP DEB_BUILD_HARDENING_OUTPUT=/some/path/debug.log Instead of using STDERR for debugging, redirect to the given path. Some builds are very sensitive to unexpected STDERR output. .IP DEB_BUILD_HARDENING_STACKPROTECTOR=0 Disable stack overflow protection. See README.Debian for details. .IP DEB_BUILD_HARDENING_RELRO=0 Disable read-only linker sections. See README.Debian for details. .IP DEB_BUILD_HARDENING_FORTIFY=0 Don't fortify several standard functions. See README.Debian for details. .IP DEB_BUILD_HARDENING_PIE=0 Don't build position independent executables. See README.Debian for details. .IP DEB_BUILD_HARDENING_FORMAT=0 Disable unsafe format string usage errors. See README.Debian for details. .SH NOTES System-wide settings can be added to .IR /etc/hardening-wrapper.conf , one per line. The real .B gcc symlinks are renamed .BR gcc.real , and a diversion is registered with .BR dpkg-divert (1). Thus .BR hardened-cc 's idea of the default .B gcc is dictated by whatever package installed .IR /usr/bin/gcc . .SH "SEE ALSO" .BR hardened-ld (1) .BR gcc (1)