Hi All
The attached patch adds security hardening compiler and linker flags.
These flags are only applied if --enable-secflags is on, and I've made
--enable-secflags on by default. I totally understand if the maintainers
would prefer it to be off by default, at least initially.
Here is a brief explanation/justification of each of the flags added by
this patch.
Compiler flags:
-Wformat -Wformat-security -Werror=format-security: Protection against
format string vulnerabilities at compile time, no impact to the compiled
binaries.
-fPIE: Build position independent executable (PIE) binaries. Enables a
form of address space layout randomization (ASLR), which makes
exploitation of memory corruption vulnerabilities significantly more
difficult. This does incur a small performance cost, but this is minimal
and I believe an acceptable price to pay for the protection PIE
provides. For more details on the performance cost, see [0].
-fstack-protector-strong: Stack-smashing protection at runtime,
thwarting many buffer overflow exploits. This does incur a small
performance cost. -fstack-protector-strong is designed to incur a
minimal performance cost, compared to the more comprehensive
-fstack-protector-all.
-D_FORTIFY_SOURCE=2: Protection against statically sized buffer overflows at
compile time, no impact to compiled binaries.
Linker flags:
-fPIE -pie: To enable PIE as noted above.
-Wl,-z,relro: Prevents some memory corruption exploits that overwrite
the global offset table (GOT). For more details see [1].
-Wl,-z,now: Part of GOT overwrite protection. Can incur an extremely
minimal performance hit at startup time as symbols are resolved.
-Wl,-z,noexecstack: Prevents some memory corruption exploits by marking
the stack as non-executable.
Not all of these flags are available on some architectures and
processors, but they should be automatically omitted from the configure
script if not supported.
Thanks
David
[0] https://securityblog.redhat.com/2012/12/12/position-independent-executable-pie-performance/
[1] https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
From 0d7c025bb68e59fb3ec2ec5e25d15fb3e0668ec2 Mon Sep 17 00:00:00 2001
From: David Jorm <[email protected]>
Date: Fri, 27 Feb 2015 13:35:01 +1000
Subject: [PATCH] Added security hardening compiler and linker flags
Signed-off-by: David Jorm <[email protected]>
---
configure.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/configure.in b/configure.in
index c81709e..f46ab8c 100644
--- a/configure.in
+++ b/configure.in
@@ -6,6 +6,7 @@ AC_REVISION($Id$)
AC_INIT(conf/confbase.Y)
AC_CONFIG_AUX_DIR(tools)
+AC_ARG_ENABLE(secflags, [ --enable-secflags enable compiler flags to improve security (default: enabled)],,enable_secflags=yes)
AC_ARG_ENABLE(debug, [ --enable-debug enable internal debugging routines (default: disabled)],,enable_debug=no)
AC_ARG_ENABLE(memcheck, [ --enable-memcheck check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
AC_ARG_ENABLE(client, [ --enable-client enable building of BIRD client (default: enabled)],,enable_client=yes)
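Review bot: the help string in the new `AC_ARG_ENABLE(secflags, ...)` line describes only "compiler flags", but the same switch also gates the LDFLAGS additions further down; suggest "enable compiler and linker flags to improve security (default: enabled)" so `./configure --help` matches what the option actually controls.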
@@ -119,6 +120,20 @@ if test "$bird_cflags_default" = yes ; then
BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing)
BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow)
fi
+
+if test "$enable_secflags" = yes ; then
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+
+ LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
+fi
+
AC_MSG_CHECKING([CFLAGS])
AC_MSG_RESULT($CFLAGS)
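Review bot: the `LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"` line appends every linker flag unconditionally, while each compiler flag just above it goes through BIRD_CHECK_GCC_OPTION first; on a toolchain that rejects any one of them the link step fails, which contradicts the cover letter's statement that unsupported flags are omitted by configure. Suggest probing the link flags the same way (a test link per flag, or at least one for the set) and appending only those that pass, and tying `-pie` to the result of the `-fPIE` check so the two are never applied separately. Two smaller points: -D_FORTIFY_SOURCE=2 is a plain define, so BIRD_CHECK_GCC_OPTION will always accept it, and it only takes effect when compiling with optimisation (glibc warns at -O0), so the check should confirm that; and the `-Wformat -Wformat-security -Werror=format-security` probe bundles three flags under one cache variable, so the whole group is dropped if a single one is unsupported.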
--
2.1.0
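The cover letter lists what the linker flags change in the produced binary (PIE, RELRO, BIND_NOW, a non-executable stack). As an added example that is not part of David's patch or of BIRD, here is a small Python checker that reads those properties straight from the ELF program and dynamic headers, so a build can be verified after configure has applied, or silently dropped, a flag. It assumes little-endian ELF64, and it builds a constructed, non-loadable sample image purely to exercise the parser; the script file name in the usage comment is hypothetical.

```python
import struct
import sys

# ELF constants (from the ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW / NX-stack status of a little-endian ELF64 image.

    Only the fields the linker flags from the patch influence are inspected; the
    stack protector and _FORTIFY_SOURCE leave no header trace and need a symbol scan.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only (assumption)")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = False
    stack_exec = True  # no PT_GNU_STACK at all: the loader falls back to an executable stack
    dyn_tags = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            pos, end = p_offset, p_offset + p_filesz
            while pos + 16 <= end:
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = dyn_tags.get(tag, 0) | val
                pos += 16

    bind_now = bool(DT_BIND_NOW in dyn_tags
                    or dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,           # shared objects are ET_DYN too; fine for an executable
        "relro": relro,                    # -Wl,-z,relro
        "bind_now": bind_now,              # -Wl,-z,now
        "full_relro": relro and bind_now,  # both together make the GOT read-only before main()
        "nx_stack": not stack_exec,        # -Wl,-z,noexecstack
    }


def build_sample_elf(pie: bool, relro: bool, bind_now: bool, exec_stack: bool) -> bytes:
    """Constructed, non-loadable ELF64 image carrying just the headers the checker reads."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_BIND_NOW, 0) + struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = 64 + 56 * n_ph  # the dynamic section follows the program header table

    def phdr(p_type, p_flags, offset=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, offset, 0, 0, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, 6, dyn_off, len(dyn))
    phdrs += phdr(PT_GNU_STACK, 7 if exec_stack else 6)  # RWX versus RW
    if relro:
        phdrs += phdr(PT_GNU_RELRO, 4)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 elfharden.py /path/to/bird   (hypothetical script name)
    with open(sys.argv[1], "rb") as fh:
        for name, ok in check_hardening(fh.read()).items():
            print(f"{name:10s} {'yes' if ok else 'NO'}")
```

Running it against the built `bird` and `birdc` binaries gives a quick yes/no per property; "relro" without "bind_now" is the partial-RELRO case the cover letter warns about, since the GOT stays writable until lazy binding has resolved each symbol.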